Privacy Statement

We view data privacy as a fundamental component of doing business. Our Privacy Statement and practices are focused on processing personal data appropriately and lawfully, while providing confidentiality, integrity and availability.

This Privacy Statement applies to www.airhelp.com, other AirHelp domains, and our Mobile App(s), owned and operated by AirHelp’s primary operational entity, i.e. AirHelp Germany GmbH, based at WeWork Warschauer Platz 11-13, in Berlin, Germany. For the purpose of this Privacy Statement, the terms “AirHelp”, “we”, “us”, or “our”, refer to the whole company group or each of the companies as the case may be.

This Privacy Statement represents the full online privacy policy applicable to our activities. The Privacy Statement explains the types of information we collect, how we use, share, and secure the information you provide. It also describes your choices regarding use, access and correction of your personal data.

Your personal data is processed lawfully. Our activities are governed under applicable data privacy and data protection laws (collectively, “Data Protection Laws”) in connection with the services we provide. The particular Data Protection Laws may include, depending on the circumstances, the General Data Protection Regulation (EU) 2016/679 (the “GDPR”), and the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados or LGPD), and other applicable legislation and regulations implementing Data Protection Laws.

AirHelp Germany GmbH is considered to be the data controller as it determines the purposes and means of the processing of personal data.

Definitions

In this Privacy Statement, unless otherwise defined herein, the capitalized terms below shall have the same meaning as in our Terms and Conditions.

Personal data

Personal data means any information relating to an identified or identifiable natural person. Personal data includes all types of information that directly or indirectly identify a person, such as names, date of birth, address, email addresses, telephone numbers etc.

Purpose and legal basis

We detail the scope of data processing, processing purposes and legal bases below. In principle, the following come into consideration as the legal basis for data processing:

Based on Your Consent: We process personal data when we have obtained your consent for a particular processing operation. This ensures that you have direct control over the use of your information in these instances.
For Contractual Fulfillment: The processing of personal data is undertaken when it is necessary for the performance of a contract to which you are a party. This includes situations where you purchase a service from us, as well as pre-contractual measures, such as responding to inquiries about our offerings.
To Comply with Legal Obligations: We process personal data when such processing is required to fulfill a legal obligation to which we are subject. An example of this would be compliance with tax law regulations.
Based on Legitimate Interests: We may process personal data where we have a legitimate interest in doing so, provided that your fundamental rights and freedoms are not overridden. An illustrative example includes the use of cookies that are essential for the technical operation of our website.

Principles

Our Privacy Statement is based on the following data protection principles:

The processing of personal data shall take place in a lawful, fair, and transparent way.
The collection of personal data shall only be performed for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
The collection of personal data shall be adequate, relevant, and limited to what is necessary in relation to the purpose for which they are processed.
The personal data shall be accurate and where necessary, kept up to date.
Every reasonable step shall be taken to ensure that personal data that is inaccurate in regard to the purposes for which it is processed, is erased or rectified without delay.
Personal data shall be kept in a form which permits identification for no longer than it is necessary for the purpose for which the personal data is processed.
All personal data shall be kept confidential and stored in a manner that ensures appropriate security.
Personal data shall not be shared with third parties unless the transfer is necessary in order for AirHelp to deliver the services in the agreement.
You have the right to request access to and rectification or erasure of personal data, or restriction of processing, or to object to processing as well as the right of data portability.

Collection and use of personal data

If you would like to benefit from our services and submit information to us, you may be asked to provide personal data in order for us to operate and improve our business and services. Personal data may be submitted via our website, email, other electronic or software solutions supported by us, our Mobile App(s), postal service, or phone. All personal data is collected in accordance with the applicable Data Protection Laws. We will process personal data only to the extent required for a specified, explicit and legitimate purpose or for a purpose required by law in places where we operate.

We primarily collect personal data such as names, dates of birth, addresses, email addresses, telephone numbers, passports/IDs, and national identification numbers. We collect this personal data for the purpose of delivering our Eligibility Service, Information Service, AirHelp Plus Membership, Compensation Service, and any other Services in accordance with the agreement. This is the core activity of AirHelp as a business.

Furthermore, we collect personal data for other purposes such as statistics, administration and communication, IT and security administration, physical security, authentication and authorization systems, support systems, collaboration of internal projects, and organizational teams and activities.

We purchase flight data from third parties, e.g. information on delayed or canceled flights within a given time etc. This information is non-personal data, which we combine with personal data. This Eligibility Service is only used to inform about the likelihood of having an eligible Claim. We will provide our Compensation Service for Eligible Claims on request.

Insofar as you share personal data of Fellow Passengers with us, you are obligated to ensure that all Fellow Passengers have explicitly given their consent for the sharing of their personal data with our organization, in compliance with data protection regulations. Moreover, you are required to provide the Fellow Passengers with access to our privacy policy to ensure that they are fully informed about the processing of their data by us.

We may ask you for additional information or documents related to Fellow Passengers. If you or Fellow Passenger fail to provide such information and/or documents, we will not be able to offer our services to the respective Fellow Passenger. Consequently, we will be compelled to remove the personal data of that Fellow Passenger from our databases and we will not be able to provide them with our Services.

When contacting us, e.g. by website, e-mail or telephone, the data provided to us (e.g. names and e-mail addresses, phone numbers) will be processed by us in order to answer your questions. The legal basis for the processing is our legitimate interest to answer inquiries directed to us. We delete the data accruing in this context after the storage is no longer necessary or restrict the processing if there are legal retention obligations.

To improve our services and efficiently classify documents, we utilize artificial intelligence (AI) tools, such as AWS Bedrock, to analyze submitted documentation. This processing is conducted based on our legitimate interest in service optimization and/or your consent, where applicable.

Use of personal data

We will use personal data for the purpose it is collected, and keep the data for no longer than necessary for that purpose. We may retain your information for as long as your account is active or as needed to provide services, comply with our legal obligations, or any of the purposes listed above. Access to personal data is strictly limited to personnel of AirHelp and its controlled subsidiaries and affiliates who have the appropriate authorization under a corporate binding agreement with AirHelp, and a clear business need for the data.

User Account Information

When you register and create an account at AirHelp, we collect and process personal data necessary to maintain and manage your user profile. This includes your name, contact information, and authentication credentials. We mainly use this data to provide access to our Services, personalize your experience, and ensure the security of your account.

Automated Processes and Profiling

AirHelp does not rely on automated processing in accordance with the article. 22 p. 1 of the GDPR, and your personal data will not be used for profiling purposes. Your data will not be used for these purposes unless explicitly communicated otherwise, and only with your separate consent.

We may however use our technology and technology from our partners to automate certain processes. This allows us to provide faster and better Services to you.

In order to ensure that these automated processes have no negative or unjustified impact on you, our teams regularly investigate whether they are correct. This concerns legacy and future processes.

Questions about your data and automated processes can be directed to the Data Protection Officer (“DPO”) email: [email protected].

Mobile App

Our Mobile App is ready for download at Apple's App Store and Google's Play Store (hereinafter "Stores"). When users download the Mobile App, the necessary information is transmitted to the stores, i.e. particular user name, e-mail address and customer number of the account, time of download and the individual device identification number. We have no influence on this data collection and are not responsible for it. We process the data only insofar as it is necessary for downloading the Mobile App to the user's mobile device.

Our Mobile App is hosted by Amazon Web Services (AWS). The provider thereby processes the personal data transmitted via the Mobile App, e.g. on content, usage, meta/communication data or contact data. It is our legitimate interest to provide a Mobile App.

Users can open a user account in the Mobile App. We process the data requested in this context to fulfill the respective user contract concluded for the account. The data will be deleted when the purpose for which it was collected no longer applies and there is no obligation to retain it.

Our core service of assessing claims and assisting users in obtaining compensation for travel disruptions such as flight delays, cancellations, train service delays, is also available through our Mobile App. The processing of the data is carried out for the performance of the contract concluded with the respective Mobile App user.

In the Mobile App, we process data in order to provide the user with functions of the Mobile App. These functions include a multimodal travel tracker with interactive map and real-time data, smart journey manager for organizing and managing journeys and multi-leg trips, instant alerts on travel status, platform & gate changes, and schedule updates; simplified claim process for travel disruptions, with detailed journey information, 24/7 customer support and travel insurance assistance. The legal basis for the processing is the usage agreement concluded with the user via the Mobile App. AirHelp reserves the right to expand the Mobile App's functionality, ensuring all new features strictly adhere to Data Protection Laws standards and robust data security measures to protect user data.

When users use our Mobile App, under our legitimate interest we collect and process the data that is technically necessary for us to offer users the functions of our Mobile App and to ensure stability and security.

The data processed to this extent is:

IP address
Date and time of the request
Time zone difference from Greenwich Mean Time (GMT)
Content of the request (concrete interface)
Access status/HTTP status code
Amount of data transferred in each case
Operating system and its interface
Language and version of the operating system

Insofar as information from co-travelers and/or special categories of personal data are processed, the legal basis for the processing is your consent.

With your consent, our Mobile App can provide you with push notifications and automatically retrieve booking and travel information to enhance your experience and accurately assess compensation eligibility under Air Passenger Rights Regulations and other passenger rights regulations. If permission is granted, our Mobile App will securely access your calendar and mailbox to identify such information — scanning calendar entries and emails from known online travel agencies and travel operators.

This scanning and extraction process is performed using Amazon Web Services (AWS) Bedrock (Amazon Web Services EMEA Sàrl, Avenue John F. Kennedy 38, 1855 Luxembourg, Luxembourg), an AI-based tool configured exclusively to detect and extract train and flight-related data, such as booking references, ticket numbers, passenger names, departure and arrival dates, origin and destination, and operator information, while disregarding all other personal content.

All processing occurs within the EU, and AWS acts solely under AirHelp’s instructions, without independent access to personal data. AirHelp remains the data controller and ensures full Data Protection Laws compliance. The legal basis for this processing is your consent, which can be withdrawn at any time. The revocation does not affect the lawfulness of the processing until the revocation. The data will be deleted when the purpose for which it was collected no longer applies and there is no obligation to retain it.

We offer to purchase services via our Mobile App. In the ordering process, we involve service providers, who receive only the personal data required in each case to provide a service, and ensure that these providers adhere to all required data processing safety standards. The processing of the data takes place for the performance of the contract concluded with the respective user.

Single sign-on

Users can log in to your account or Mobile App using one or more single sign-on methods. In doing so, they use the login data already created for a provider. The prerequisite is that the user is already registered with the respective provider. When a user logs in using a single sign-on procedure, we receive information from the provider that the user is logged in to the provider and the provider receives information that the user is using the single sign-on procedure. Depending on the user's settings in his account on the provider's site, additional information may be provided to us by the provider. We have a legitimate interest in providing users with a simple log-in option. At the same time, the interests of the users are safeguarded, as use is only voluntary.

Providers of the offered method(s) are:

Apple Inc., Infinite Loop, Cupertino, CA 95014, USA (Privacy policy: https://www.apple.com/legal/privacy/de-ww/).
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Privacy policy: https://policies.google.com/privacy).
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA (Privacy policy: https://privacy.microsoft.com/de-de/privacystatement).
Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland ("Facebook"). Which data we receive from Facebook is communicated to users by Facebook as part of the registration process. Information about Facebook and the contact details of the data protection officer, as well as further information about how Facebook processes personal data, including the legal basis and the options for exercising rights as a data subject vis-à-vis Facebook, can be found at https://www.facebook.com/about/privacy. We are jointly responsible with Facebook for the data processing taking place through Facebook in the context of the use of the procedure and have concluded a joint responsibility agreement (Art. 26 GDPR) with Facebook. There we have defined the respective responsibilities for the fulfillment of the obligations under the GDPR with regard to joint processing. We are obliged to provide the above information, and Facebook has assumed responsibility for the further data subject rights pursuant to Art. 15-20 GDPR.

Use of Cookies

Our website, Mobile App(s), and our partners use cookies or similar technologies to ensure the best user experience and to analyze trends, administer the website, track users’ movements around the website, and to gather demographic information about our user base as a whole.

Our use of cookies is governed by our Cookie Policy .

Sharing of personal data

We will only transfer the personal data to third parties under the conditions as listed below:

if you have given consent
if it is for a purpose directly related to the original purpose for which the personal data was collected
if it is necessary for the preparation, negotiation, and fulfilling the agreement with you
if it is required due to legal obligation, administrative, or court order
if it is required for the establishment or protection of legal claims or in defense of court actions
if it is required for responding to lawful requests by public authorities, including to meet national security or law enforcement requirements
if it serves the prevention of misuse or other illegal activities, such as deliberate attacks, to ensure data security

Occasionally we sign up with other companies and business partners, in and outside the European Economic Area, to work on our behalf, such as legal representatives to take Legal Action, or technology companies to enhance our products and services, and we will share necessary information in these cases. Whenever appropriate and if deemed necessary, we shall use AI models within our secure and controlled infrastructure (Amazon Web Services (AWS) Bedrock) to process your personal data maintaining all relevant security standards. The legal basis for doing so is the legitimate interest of the data controller (Art. 6(1)(f) GDPR) with the aim of significantly enhancing the quality and relevance of our services and products.

Before we share personal information, we enter into written agreements with the recipients which contain data protection terms that safeguard your data according to relevant Data Protection Laws.

Service providers will only be permitted to obtain the personal data that they need to deliver their service. We will not disclose personal data to third parties for the purpose of allowing them to market their products or services to you. If you do not want us to share personal data with these companies, please contact the Data Protection Officer (“DPO”) email: [email protected].

Data processing outside the European Economic Area (EEA)

In case of transfer your data to service providers or other third parties located outside the EEA; we ensure the security of your data through several mechanisms:

Adequacy Decisions: For transfers to countries for which the EU Commission has issued an adequacy decision (e.g., Great Britain, Canada, and Israel), the security of the data during transfer is guaranteed (Art. 45 para. 3 GDPR).
EU-US Data Privacy Framework: If data is transferred to service providers in the USA, the legal basis is an adequacy decision of the EU Commission, provided the service provider has certified itself under the EU-US Data Privacy Framework.
Standard Contractual Clauses (SCCs): In other cases, where no adequacy decision exists, the legal basis for data transfer typically relies on Standard Contractual Clauses. These are a set of rules adopted by the EU Commission and are incorporated into our contracts with the respective third party. According to Art. 46 para. 2 lit. b GDPR, SCCs ensure the security of the data transfer. Many of our providers also offer contractual guarantees that go beyond the standard contractual clauses to further protect your data. These may include guarantees related to data encryption or an obligation for the third party to notify data subjects if law enforcement agencies request access to their data.

Security of processing

The security of your personal data is important to us. We will process personal data securely, apply and maintain appropriate and generally accepted standards of technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Questions about the security of personal data, can be directed to the DPO email: [email protected].

Your data protection rights

You have the right to request access to and rectification or erasure of personal data, or restriction of processing, or to object to processing as well as the right to revoke a given consent and the right of data portability, at any time.

To help us keep personal data updated, we advise you to inform us of any changes or discrepancies.

To view and/or edit personal data, or receive information on how long we intend to retain personal data or other questions related to the access of personal data, or if you would like to request that we provide you with information about whether we hold, or process on behalf of a third party, any of your personal data, please contact the DPO email: [email protected]. We will respond to your request within a reasonable timeframe.

You also have the right to complain to a data protection supervisory authority about the processing of your personal data. Contact details of the data protection supervisory authorities are available at https://www.bfdi.bund.de/EN/Service/Anschriften/Laender/Laender-node.html.

Storage duration

Unless expressly stated in this Privacy Statement, the data stored by us will be deleted as soon as they are no longer required for their intended purpose and no legal obligations to retain data conflict with the deletion. If the data are not deleted because they are required for other and legally permissible purposes, their processing is restricted, i.e. the data are blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.

Applying for a job

We publish vacant positions on our website, on pages linked to the website or on third-party websites. For job applications we use a third party recruitment tool for management purposes.

When applying for a job position at AirHelp personal data will be processed and controlled by AirHelp. We pass on the applicants' data to the responsible employees in the HR department, to our data processors in the area of recruiting and to the employees otherwise involved in the application process.

We ask you to refrain from providing information on political opinions, religious beliefs and similarly sensitive data in the CV and cover letter. They are not required for an application. If applicants nevertheless provide such information, we cannot prevent their processing as part of the processing of the resume or cover letter. Their processing is then also based on the consent of the applicants.

Applications shall not be stored for longer than necessary or shared with any third parties. We process the applicants' data for further application procedures if we are provided with the consent to do so.

Upon your explicit consent, we will use AI notetakers (e.g. Metaview) during interviews to help our team focus on the conversation. This involves processing the names, emails, voice, and video of both employees and candidates. You can opt out from such a solution without affecting your application.

If you wish to access, rectify, or erase personal data, restriction of processing, or to object to processing as well as use the right of data portability, please contact the DPO email: [email protected].

Marketing communications and advertising preferences

Upon consent we are allowed to send marketing communication in the form of emails, SMS (Short Message Service), RSC (Rich Communication Services), and WhatsApp messages. This specific form of consent must be freely given, specific, informed, and unambiguous. These requirements are fulfilled when you opt-in (i.e. actively agree) to receive marketing communication.

We may use your personal data to send you marketing communications which we believe may be of interest to you. These communications may include information about our own products and services as well as products and services offered by our partners and other third parties. For this purpose, we may analyse and profile your data to select basic advertisements, create profiles for personalised advertising, deliver personalised advertisements, and measure the performance and effectiveness of such marketing communications.

Upon your consent, we also send a free newsletter for interested parties. The data provided during registration for the newsletter is processed exclusively for sending it. Your subscription signifies your consent to data processing (Art. 6 para. 1 s. 1 lit. a GDPR). Based on this consent, we can also measure the opening and click-through rates of our newsletters to understand audience relevance.

Under our legitimate interest, we also reserve the right to inform existing customers about our offers via email or other means if they haven't objected.

Upon your consent, we may also process information about how you interact with AirHelp, including your use of our website, account, Mobile App, e-mail communications and Services, in order to tailor offers, recommendations and content to your interests. This includes analysing your interactions with AirHelp to better understand your preferences and to make our marketing communications and content more relevant to you.

You will always have the right to object, on request and free of charge, to the processing of your personal data relating for purposes of direct marketing and profiling activities without having to provide specific justifications. You can unsubscribe from marketing communications and activities via our unsubscribe page, by using the “Unsubscribe” link found in emails received from us, or by contacting us at [email protected]. If you object, your personal data will no longer be processed for direct marketing.

We partner with a third party to display advertising on our website or to manage our advertising on other sites, including social media platforms. Our third-party partner may use cookies or similar technologies in order to provide you advertising based upon your browsing activities and interests. You may opt out of interest-based advertising. Please note that you will continue to receive generic ads.

We use Google services to provide and improve our products and services, including providing you with personalized advertising. Please visit Google's Business Data Responsibility for more information on how Google will use your personal data in that context.

Data processing on social media platforms

We are represented in social media networks in order to present our organization and our services there. The operators of these networks regularly process their users' data for advertising purposes. Among other things, they create user profiles from their online behavior, which are used, for example, to show advertising on the pages of the networks and elsewhere on the Internet that corresponds to the interests of the users. To this end, the operators of the networks store information on user behavior in cookies on the users' computers. Furthermore, it cannot be ruled out that the operators merge this information with other data. Users can obtain further information and instructions on how to object to processing by the site operators in the data protection declarations of the respective operators listed below. It is also possible that the operators or their servers are located in non-EU countries, so that they process data there. This may result in risks for users, e.g. because it is more difficult to enforce their rights or because government agencies access the data.

Due to our legitimate interest, if users of the networks contact us via our profiles, we process the data provided to us in order to respond to the inquiries.

We maintain profiles on the following social media platforms. For detailed information on data processing and privacy, please refer to the respective privacy policies linked below.

Facebook: Operated by Meta Platforms Ireland Ltd., Ireland. Privacy Policy. As joint controllers, we recommend contacting Facebook directly for data subject requests. You can object to data processing via ad settings: Facebook Ad Settings.
Instagram: Operated by Meta Platforms Ireland Ltd., Ireland. Privacy Policy.
TikTok: Operated by TikTok Technology Limited, Ireland. Privacy Policy.
Pinterest: Operated by Pinterest Inc., USA. Privacy Policy. Object to data processing via ad settings: Pinterest Privacy Policy (scroll to ad settings).
YouTube: Operated by Google Ireland Limited, Ireland. Privacy Policy.
X (formerly Twitter): Operated by Twitter Inc., USA. Privacy Policy. Object to data processing via ad settings: X Personalization Settings.
LinkedIn: Operated by LinkedIn Ireland Unlimited Company, Ireland. Privacy Policy. Object to data processing via ad settings: LinkedIn Ad Settings.

Customer surveys

From time to time, under our legitimate interest, we conduct customer surveys to get to know our customers and their wishes better. In doing so, we collect the data requested in each case. We delete the data when the results of the surveys have been evaluated.

Fraud prevention

After uploading the bank details and/or other necessary documentation, a verification of your identity and other details with a valid identification document is carried out through our KYC (Know Your Customer) procedure.

During the process, photo and, if necessary, video recordings of your identification document will be made. Particular attention will be paid to integrity, authenticity, and security features.

Specifically, the following personal data will be processed internally:

General personal data: first and last name, gender, personal identification code or number, date of birth, nationality and citizenship, location (street, city, country, postal code);
Identification document data: type of document, issuing country, number, expiration date, MRZ (Machine Readable Zone), information embedded in the document's barcode (may vary depending on the document), security features;
Facial image data: photos of the face (including selfie images) and photo or scan of the face on the identification document, videos, audio recordings;
Biometric data: facial features;
Contact information: address, email address, phone number, IP address;
Technical data: information about the date, time, and activity in the services; IP address and domain name; software and hardware attributes (camera name and type); general geographic location (e.g., city, country) of the individual's device;
Unique identifier (Applicant ID) created solely for the connection between the individual and their personal data within the information system;
Personal data provided additionally by the individuals.

As part of the identity verification process, we also screen your information, including payment and bank account information against sanction lists, Politically Exposed Persons (PEP) lists, and watchlists.

The processing is conducted under AirHelp’s legitimate interest to use the identity verification process to prevent frauds in the context of our services and protect our customers from fraudulent actions. Any biometric data is processed under your consent which can be revoked at any time with future effect, e.g., by emailing [email protected].

Responsibility

The Privacy Statement is under the responsibility of our Legal Team, who have the overall responsibility to ensure compliance. The DPO is ensuring compliance with the Privacy Statement on a daily basis and is involved in all issues related to the protection of personal data.

We are responsible for and will at any given time be able to demonstrate compliance with the Data Protection Laws as well as our principles set out in this Privacy Statement. We shall maintain records of processing activities under our responsibility containing the information required by the Data Protection Laws and where applicable make the records available to the supervisory authority on request.

Any inquiries concerning this Privacy Statement can be directed to the DPO email: [email protected].

Complaint

You have the right to file a complaint concerning our processing of your personal data. All queries and complaints shall be handled in a timely manner by the DPO in accordance with internal procedures. Complaints can be submitted to the DPO email: [email protected].

In the unlikely event that you consider that our processing of your personal data infringes any Data Protection Laws, you may also lodge a complaint with a relevant supervisory authority.

Changes to this Privacy Statement

This Privacy Statement may be updated from time to time, e.g. due to modifications of relevant legislation or changes to our corporate structure. If any material changes are made, you will be notified by email or by means of notice on the website prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.

Contact

AIRHELP GERMANY GmbH
c/o WeWork
Warschauer Platz 11-13
10245 Berlin
Germany

Email: [email protected]

Updated: 10 April 2026
Version PP1.26