Skip to main content

Privacy Policy

Last updated: February 2026

1. Introduction

Welcome to FlyingPointsPro ("we", "us", "our"), accessible at flyingpointspro.com. We are committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and disclose your personal data when you use our website and services.

This policy applies to all visitors and users of FlyingPointsPro regardless of location, and has been drafted to comply with the European Union General Data Protection Regulation (GDPR), the United Kingdom General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Australian Privacy Act 1988 (including the Australian Privacy Principles), and the EU ePrivacy Directive.

FlyingPointsPro is an independent service and is not affiliated with, endorsed by, or connected to any airline or loyalty program, including Qantas Airways Limited and the Qantas Frequent Flyer program.

2. Data Controller

FlyingPointsPro is the data controller responsible for your personal data. If you have any questions about this Privacy Policy or our data practices, you can contact us at:

For EU and UK data protection matters, you may also contact our Data Protection Officer (DPO) at [email protected].

3. Data We Collect

We do not require you to create an account to use FlyingPointsPro. The data we collect is limited to what is necessary to provide our services and improve your experience.

3.1 Push Notification Data

If you opt in to push notifications, we collect and store the following information associated with your subscription:

  • Push subscription endpoint(a URL provided by your browser's push notification service)
  • Encryption keys (p256dh and auth keys required by the Web Push protocol to deliver encrypted notifications)
  • Notification category preferences (which deal types you want to receive alerts for)
  • Minimum points threshold (the minimum deal size you want to be notified about)

3.2 User Preferences

We store the following preferences locally on your device and, where applicable, on our servers:

  • Country preference (e.g., Australia, United States, United Kingdom, New Zealand) to display deals relevant to your region
  • Business card preference (whether to include or exclude business credit card deals)

3.3 Cookies and Browsing Data

We use cookies and similar technologies to enhance your experience. For detailed information about the cookies we use, please refer to our Cookie Policy (see Section 13 below). Browsing data we may collect includes:

  • IP address (anonymised where possible)
  • Browser type and version
  • Device type and operating system
  • Pages visited, time spent, and referring URLs
  • Interaction data (clicks, scrolls, feature usage)

3.4 Data We Do Not Collect

We do not collect:

  • Names, email addresses, or phone numbers (unless you contact us directly)
  • Payment or financial information
  • Government-issued identification numbers
  • Sensitive personal data (racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, biometric data)

4. Lawful Basis for Processing (GDPR / UK GDPR)

Under the EU General Data Protection Regulation and the UK General Data Protection Regulation, we rely on the following lawful bases for processing your personal data:

  • Consent (Article 6(1)(a)): When you opt in to push notifications or accept cookies, you provide explicit consent for us to process the associated data. You may withdraw consent at any time by unsubscribing from notifications in your browser or device settings, or by managing your cookie preferences.
  • Legitimate Interests (Article 6(1)(f)): We process certain browsing data for our legitimate interests in operating and improving FlyingPointsPro, ensuring security, preventing fraud, and analysing usage patterns. We have conducted a Legitimate Interest Assessment to ensure these interests do not override your rights and freedoms.
  • Legal Obligation (Article 6(1)(c)): We may process data where necessary to comply with a legal obligation to which we are subject.

5. How We Use Your Data

We use the data we collect for the following purposes:

  • Delivering push notifications about deals that match your selected categories, country, and points threshold preferences
  • Personalising content by displaying deals relevant to your chosen country and card preferences
  • Improving our services by analysing aggregated and anonymised usage data
  • Maintaining security and preventing misuse of our services
  • Complying with legal obligations under applicable data protection laws

6. Third-Party Services

We use the following third-party services to operate FlyingPointsPro. Each provider processes data on our behalf and is contractually bound to protect your data:

Supabase (Database Hosting)

We use Supabase to host our database infrastructure. Push notification subscription data (endpoint, keys, preferences) is stored in Supabase-managed PostgreSQL databases. Supabase infrastructure is located in Singapore and the United States. Supabase maintains SOC 2 Type II compliance and implements encryption at rest and in transit.

Vercel (Website Hosting)

Our website is hosted on Vercel's global content delivery network (CDN). Vercel may process server access logs containing IP addresses, request headers, and browsing data. Vercel's infrastructure spans multiple global regions to serve content from the location nearest to you.

Web Push Services

Push notifications are delivered via your browser's native push service (e.g., Firebase Cloud Messaging for Chrome, Mozilla Push Service for Firefox, Apple Push Notification service for Safari). These services process the push subscription endpoint and encrypted notification payload. We use the VAPID (Voluntary Application Server Identification) protocol for secure server identification.

We do not sell, rent, or trade your personal data to any third party. We do not share your personal data with third parties for their own marketing purposes.

7. Cross-Border Data Transfers

Your data may be transferred to, and processed in, countries outside your country of residence, including the United States and Singapore, where our service providers operate.

7.1 EU/EEA and UK Transfers

Where personal data is transferred from the European Economic Area (EEA) or the United Kingdom to a country that has not received an adequacy decision from the European Commission or UK Government, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs
  • Binding Corporate Rules where applicable
  • Transfer Impact Assessments to evaluate the legal framework of the recipient country

7.2 Australian Transfers

Under Australian Privacy Principle 8, before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles. Our third-party service providers are contractually bound to protect personal information to a standard comparable to the Australian Privacy Act 1988.

8. Your Rights Under GDPR and UK GDPR

If you are located in the European Economic Area or the United Kingdom, you have the following rights under the GDPR and UK GDPR respectively:

  • Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
  • Right to Rectification (Article 16): You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
  • Right to Erasure (Article 17):You have the right to request deletion of your personal data where there is no compelling reason for its continued processing, also known as the "right to be forgotten".
  • Right to Restrict Processing (Article 18): You have the right to request that we restrict the processing of your personal data under certain circumstances, such as when you contest the accuracy of the data.
  • Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to Object (Article 21): You have the right to object to the processing of your personal data based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority. For the EU, you can find your relevant authority at edpb.europa.eu. For the UK, the supervisory authority is the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days, or within the timeframe required by applicable law.

9. Your Rights Under CCPA / CPRA (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, our business or commercial purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: You have the right to request that we delete any personal information we have collected from you, subject to certain exceptions provided by law.
  • Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you.
  • Right to Opt-Out of Sale or Sharing:You have the right to opt out of the "sale" or "sharing" of your personal information as those terms are defined under the CCPA/CPRA. We do not sell and do not share your personal information as defined by the CCPA/CPRA.
  • Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by the CCPA/CPRA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you services, charge you different prices, provide you with a different level or quality of service, or suggest that you will receive a different price or quality of service for exercising your rights.

9.1 Financial Incentives Disclosure

We do not offer financial incentives, price differences, or service differences in exchange for the collection, retention, or sale of personal information. Push notifications are available to all users on an equal basis regardless of the personal information they choose to provide.

9.2 Categories of Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

CategoryCollectedSold
Identifiers (IP address, device identifiers)YesNo
Internet activity (browsing history, interactions)YesNo
Geolocation data (country-level only)YesNo
Inferences (notification preferences)YesNo
Sensitive personal informationNoNo

To exercise any of your CCPA/CPRA rights, please submit a verifiable consumer request to [email protected]. We will verify your identity before fulfilling your request and will respond within 45 days.

10. Your Rights Under the Australian Privacy Act

If you are located in Australia, your personal information is handled in accordance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). Below is a summary of how we comply with each principle:

  • APP 1 (Open and transparent management): This Privacy Policy sets out how we manage your personal information. We keep it up-to-date and freely available.
  • APP 2 (Anonymity and pseudonymity): You can use FlyingPointsPro without identifying yourself. We do not require account creation or any personally identifiable information to access our services.
  • APP 3 (Collection of solicited personal information): We only collect personal information that is reasonably necessary for our services (push subscription data, browsing data, preferences).
  • APP 4 (Dealing with unsolicited personal information): If we receive personal information that we did not solicit and determine it is not reasonably necessary, we will destroy or de-identify it.
  • APP 5 (Notification of the collection): This policy notifies you about the personal information we collect, why we collect it, and how it is used.
  • APP 6 (Use or disclosure): We only use or disclose your personal information for the primary purpose for which it was collected, or for a reasonably expected related secondary purpose.
  • APP 7 (Direct marketing): We do not use your personal information for direct marketing. Push notifications are strictly deal-related and only delivered with your explicit consent.
  • APP 8 (Cross-border disclosure): We take reasonable steps to ensure overseas recipients of your data comply with the APPs (see Section 7.2).
  • APP 9 (Adoption, use or disclosure of government related identifiers): We do not collect, use, or disclose government-related identifiers.
  • APP 10 (Quality of personal information): We take reasonable steps to ensure the personal information we collect and hold is accurate, up-to-date, and complete.
  • APP 11 (Security of personal information): We protect your personal information through encryption in transit (TLS) and at rest, access controls, and regular security reviews (see Section 12).
  • APP 12 (Access to personal information): You have the right to request access to the personal information we hold about you.
  • APP 13 (Correction of personal information): You have the right to request correction of any personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading.

10.1 Complaints to the OAIC

If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us at [email protected]. We will investigate your complaint and respond within 30 days. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

11. Data Retention

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law:

  • Push notification subscriptions: Retained for as long as the subscription remains active. When you unsubscribe or when the subscription endpoint becomes invalid (e.g., browser returns a 410 Gone response), the subscription data is deleted within 7 days.
  • User preferences: Country and business card preferences stored locally in your browser are retained until you clear your browser data. Server-side preferences associated with push subscriptions are deleted when the subscription is removed.
  • Browsing data and server logs: Automatically purged after 90 days, unless retention is required for security investigation or legal compliance.
  • Cookie data: Retained according to the expiration period set for each cookie category. See our Cookie Policy for details.

When personal data is no longer required, we securely delete or anonymise it so that it can no longer be associated with you.

12. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit using TLS 1.2 or higher
  • Encryption at rest for database storage
  • Push notification payloads encrypted using the Web Push encryption scheme (RFC 8291)
  • Access controls and the principle of least privilege for database access
  • Row Level Security (RLS) policies on all database tables
  • Regular security reviews and dependency auditing

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to implementing best practices to minimise risk.

13. Cookies and ePrivacy

FlyingPointsPro uses cookies and similar storage technologies in accordance with the EU ePrivacy Directive (2002/58/EC) and the UK Privacy and Electronic Communications Regulations (PECR).

13.1 Types of Cookies We Use

  • Strictly Necessary Cookies: Essential for the website to function properly. These do not require consent under ePrivacy rules. Examples include theme preferences and session management.
  • Functional Cookies: Used to remember your preferences (such as country selection and card type preferences) to enhance your experience.
  • Analytics Cookies: Used to collect anonymised data about how visitors use our website, helping us improve performance and user experience.

13.2 Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling certain cookies may affect the functionality of FlyingPointsPro.

For more detailed information about the specific cookies we use, their purposes, and their retention periods, please refer to our separate Cookie Policy, which will be made available on our website.

14. Do Not Track and Global Privacy Control

We honour the Global Privacy Control (GPC) signal as a valid opt-out request under the CCPA/CPRA. When we detect a GPC signal from your browser, we treat it as a request to opt out of the sale or sharing of personal information.

With respect to other Do Not Track (DNT) signals, there is currently no universally accepted standard for how websites should respond to DNT signals. As such, our website does not currently respond to DNT browser signals beyond the GPC mechanism described above.

15. Children's Privacy

FlyingPointsPro is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided personal data to us, please contact us at [email protected], and we will take steps to delete such information promptly.

Under the GDPR and UK GDPR, children under 16 require parental consent for the processing of their personal data. Under COPPA (Children's Online Privacy Protection Act) in the United States, children under 13 are protected. We comply with both standards by not targeting or knowingly collecting data from minors.

16. UK GDPR — Specific Provisions

Following the United Kingdom's withdrawal from the European Union, the UK GDPR (the retained version of the EU GDPR as incorporated into UK law by the Data Protection Act 2018) applies to the processing of personal data of individuals in the UK.

  • UK Representative: As FlyingPointsPro does not have an establishment in the UK, if we are required to appoint a UK representative under Article 27 UK GDPR, details of that representative will be published here and communicated to the ICO.
  • UK Adequacy Decisions: We rely on UK adequacy regulations and the UK International Data Transfer Agreement (IDTA) for transfers of personal data outside the UK, where an adequacy decision has not been made.
  • UK Supervisory Authority:The supervisory authority for data protection in the UK is the Information Commissioner's Office (ICO). You may contact the ICO at ico.org.uk/make-a-complaint.
  • Rights under UK GDPR: Your rights under the UK GDPR mirror those outlined in Section 8 above. These include the rights of access, rectification, erasure, restriction, portability, and objection.
  • Automated Decision-Making: We do not carry out automated decision-making or profiling that produces legal effects or similarly significantly affects you.

17. Sale of Personal Data

We do not sell your personal data. We do notshare your personal data with third parties for monetary or other valuable consideration. This applies under all applicable privacy frameworks, including the CCPA/CPRA definition of "sale" and "sharing".

In the preceding 12 months, we have not sold or shared any personal information of any consumer, as those terms are defined under the CCPA/CPRA.

18. How to Exercise Your Rights

Regardless of your location, you may exercise your privacy rights by contacting us at:

Email: [email protected]

Subject line: Privacy Rights Request — [Your Request Type]

When submitting a request, please include:

  • A description of the right you wish to exercise
  • Sufficient information to allow us to verify your identity (note: since we do not require accounts, identification may be based on technical identifiers such as push subscription endpoints)
  • Your country of residence (to determine applicable regulations)

Response times:

  • GDPR / UK GDPR: Within 30 days (extendable by 60 days for complex requests)
  • CCPA / CPRA: Within 45 days (extendable by an additional 45 days)
  • Australian Privacy Act: Within 30 days

You may also exercise certain rights directly without contacting us:

  • Unsubscribe from notifications: Use the Settings page on our website, or disable notifications through your browser or device settings.
  • Delete local data:Clear your browser's local storage and cookies through your browser settings.
  • Manage cookies:Use your browser's cookie management tools to view, block, or delete cookies.

19. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Post a notice on our website for a reasonable period following any material changes
  • Where required by law, obtain your consent before applying material changes to how your personal data is processed

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

20. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

FlyingPointsPro

Email: [email protected]

Website: flyingpointspro.com

For EU/UK data protection enquiries, please address your correspondence to the Data Protection Officer at the email address above.

This Privacy Policy was last updated in February 2026. It is effective as of the date of its publication on flyingpointspro.com/privacy.