Privacy Policy

Hopway is a travel planning application operated by Hopway, registered in Dubai Silicon Oasis, Dubai, United Arab Emirates. We are the data controller responsible for your personal data.

We collect the following categories of personal data:

• Account information. Your email address and, if you sign in with Apple or Google, the profile information those services share with us (typically name and email).
• Booking and travel content. The content of booking confirmation emails and travel documents you forward or import into the app. This may include names, flight numbers, dates, reference codes, and other details contained in those documents.
• Location search queries. When you search for a destination or point of interest within the app, your query is sent to the Google Places API to return results. We do not store your precise device location.
• Usage data. Information about how you interact with the Service, including pages visited, features used, and error logs. This is used to improve the Service.
• Device information. Device type, operating system, and app version, collected for compatibility and debugging purposes.

We use your personal data to:

• Create and maintain your account.
• Parse your booking documents and build your travel timeline.
• Retrieve flight status and travel information from third-party data providers.
• Process subscription payments for Hopway Plus.
• Send transactional emails (account confirmation, password reset, subscription receipts).
• Diagnose and fix technical issues.
• Improve and develop new features of the Service.
• Comply with legal obligations.

For users in the European Economic Area and United Kingdom, our legal bases for processing your personal data are:

• Contract. Processing necessary to deliver the Service under our Terms and Conditions (account management, booking parsing, subscriptions).
• Legitimate interests. Service improvement, fraud prevention, and security, where our interests are not overridden by your rights.
• Legal obligation. Where we are required to retain or share data by applicable law.
• Consent. For optional analytics or marketing communications, where we ask for your consent before processing.

We share your data with the following third-party processors as necessary to provide the Service. All processors are bound by data processing agreements and handle your data only on our instructions.

• Convex. Our backend database and serverless infrastructure provider. Your account data, trip timeline data, and booking content are stored and processed on Convex.
• Google (Places API). Location search queries you enter in the app are sent to Google's Places API. Google's privacy practices are governed by the Google Privacy Policy.
• Airlabs. We use Airlabs to retrieve real-time flight status and schedule data. Flight numbers from your bookings may be sent to Airlabs to look up current status.
• PostHog (analytics). We use PostHog (EU region) to understand how the Service is used so we can improve it. On the website PostHog runs in cookieless mode and sets no cookies. When you are signed in, product events are associated with your account identifier so we can measure feature usage; we do not send PostHog your booking content.
• Apple / Google Sign-In. If you choose to sign in with Apple or Google, those services will share limited profile information with us as part of the authentication flow.
• Payment processors. Subscription payments are handled by Apple App Store or Google Play billing. We do not store your payment card details.

We do not sell your personal data to third parties, and we do not share it for third-party advertising purposes.

We retain your account data and trip content for as long as your account remains active. If you delete your account, we will delete your personal data within 30 days except where retention is required by law (for example, financial records related to subscription transactions, which we may retain for up to 7 years).

Anonymised, aggregated usage analytics that cannot be linked back to you may be retained indefinitely.

Depending on where you are located, you may have the following rights regarding your personal data:

• Access. Request a copy of the personal data we hold about you.
• Correction. Ask us to correct inaccurate or incomplete data.
• Deletion. Request deletion of your personal data, subject to legal retention obligations.
• Portability. Receive your data in a structured, machine-readable format.
• Objection. Object to processing based on legitimate interests.
• Restriction. Request that we restrict processing in certain circumstances.

These rights apply to users in the EU/EEA (under GDPR), the UK (under UK GDPR), and the UAE (under UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection).

Your data may be transferred to and processed in countries outside your country of residence, including the United States (Convex infrastructure) and other locations where our third-party processors operate. Where required, we rely on standard contractual clauses or other lawful transfer mechanisms to safeguard your data.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. This includes encryption in transit (TLS) and at rest, access controls, and regular security reviews. No transmission over the internet is completely secure, and we cannot guarantee absolute security.

The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a notice within the Service at least 14 days before they take effect. The updated policy will always be available at this page.

If you are in the EU/EEA and believe we have handled your data unlawfully, you have the right to lodge a complaint with your local data protection authority.