GDPR Compliance
Our commitment to data protection and your privacy rights
Last updated: 28 March 2026
1. Our Commitment to GDPR
FlightsRefunds is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR). We believe that data protection is a fundamental right and we take our obligations as a data controller seriously.
This page outlines how we ensure compliance with GDPR principles and how we protect your rights as a data subject.
2. Data Controller Information
FlightsRefunds acts as the data controller for all personal data collected through our website and services:
- Business Name: FlightsRefunds
- Address: Derby, UK
- Email: contact@flightsrefunds.com
- Website: https://flightsrefunds.com
3. GDPR Principles We Follow
We adhere to all six principles of GDPR data processing:
πΉ Lawfulness, Fairness and Transparency
We only process personal data where we have a lawful basis to do so. We are transparent about what data we collect, why we collect it, and how we use it. Our Privacy Policy provides full details.
πΉ Purpose Limitation
We collect personal data only for specified, explicit, and legitimate purposes β primarily to process your flight compensation claim. We do not use your data for unrelated purposes without your consent.
πΉ Data Minimisation
We only collect personal data that is necessary for processing your claim. We do not request excessive or irrelevant information.
πΉ Accuracy
We take reasonable steps to ensure that personal data is accurate and kept up to date. You can request correction of inaccurate data at any time.
πΉ Storage Limitation
We retain personal data only for as long as necessary for the purposes it was collected. Our retention periods are clearly outlined in our Privacy Policy.
πΉ Integrity and Confidentiality
We implement appropriate technical and organisational measures to ensure the security of your personal data, including protection against unauthorised access, loss, destruction, or damage.
4. Your GDPR Rights
Under GDPR, you have the following rights regarding your personal data:
π Right of Access
You have the right to request a copy of all personal data we hold about you. We will provide this free of charge within 30 days.
βοΈ Right to Rectification
You have the right to request that we correct any inaccurate or incomplete personal data without undue delay.
ποΈ Right to Erasure
You have the right to request deletion of your personal data where there is no compelling reason for us to continue processing it.
βΈοΈ Right to Restrict Processing
You have the right to request that we restrict the processing of your personal data in certain circumstances.
π€ Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
π« Right to Object
You have the right to object to processing of your data based on legitimate interests or for direct marketing purposes.
5. How to Exercise Your Rights
To exercise any of your GDPR rights, please contact us using one of the following methods:
- Email: contact@flightsrefunds.com β please include "GDPR Request" in the subject line
- Post: FlightsRefunds, Derby, UK
When making a request, please provide:
- Your full name and email address (so we can identify your records)
- Your claim reference number (if applicable)
- A clear description of the right you wish to exercise
- Proof of identity (we may need to verify your identity before processing your request)
We will acknowledge your request within 72 hours and provide a full response within 30 days. In complex cases, this may be extended by a further 60 days, in which case we will notify you.
6. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for any new processing activities that may pose a high risk to the rights and freedoms of data subjects. This includes assessments of new technologies, large-scale processing, and systematic monitoring of individuals.
7. Data Breach Procedures
In the event of a personal data breach, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, where required
- Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- Document the breach, its effects, and the remedial actions taken
- Conduct a post-breach review to prevent recurrence
8. International Data Transfers
Where we transfer personal data outside the UK or EU (for example, to airlines in other countries), we ensure appropriate safeguards are in place:
- Adequacy decisions by the UK Government or European Commission
- Standard Contractual Clauses (SCCs) approved by the ICO
- Binding Corporate Rules where applicable
9. Supervisory Authority
Our supervisory authority for data protection is the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
You have the right to lodge a complaint with the ICO if you believe your data protection rights have been violated. However, we encourage you to contact us first so we can address your concerns directly.
10. Staff Training
All FlightsRefunds staff who handle personal data receive regular training on data protection laws, our privacy policies, and security procedures. We maintain records of all training activities and conduct annual refresher courses.
11. Updates
This GDPR compliance page is reviewed and updated regularly to ensure continued compliance with data protection regulations. Any changes will be reflected on this page with an updated revision date.