Privacy Policy

Last updated: 16 May 2026

1. Data Controller

Olsahuset AS, organisation number 926 978 470, Bømlavegen 998, 5443 BØMLO, Norway, is the data controller for personal data collected through the Go Flights platform. Contact: napanbecom@gmail.com.

2. Data We Collect

When you use this platform we collect:

  • Passenger names, dates of birth, nationalities, and title
  • Contact details: email address and phone number
  • Booking details: booking reference, Duffel order ID, flight details, travel dates
  • Payment metadata: Stripe payment intent ID, session ID, amount, currency, and status. We do not store card numbers or CVV codes — these are handled directly by Stripe.
  • Support request contents and correspondence
  • Technical and audit logs: booking status transitions, admin actions, webhook events, and operational alert records

3. Why We Process Your Data

We process your personal data to:

  • Create and manage your flight booking
  • Process payments and refunds via Stripe
  • Issue tickets through our flight distribution provider (Duffel)
  • Send booking confirmations, itinerary updates, and support replies
  • Handle cancellations, changes, and refund requests
  • Comply with Norwegian legal, accounting, and tax obligations (e.g. bookkeeping records required under Norwegian law)
  • Prevent fraud, security incidents, and abuse

4. Service Providers (Sub-Processors)

To provide our service, we share data with the following providers:

  • Duffel and operating airlines — flight content and order management. Passenger names, dates of birth, nationality, and contact details are transmitted to Duffel and forwarded to the operating airline to create your ticket.
  • Stripe — payment processing. Stripe processes card payments per PCI DSS standards. Their privacy policy applies to data they hold.
  • Supabase — database hosting for booking, payment, and operational records.
  • Resend — transactional email delivery (booking confirmations and notifications).
  • Sentry — application error monitoring. Stack traces and request metadata may be captured; a PII sanitizer is active to minimise personal data in error reports.
  • Vercel — application hosting and edge delivery. HTTP request metadata and IP addresses may be processed.
  • UptimeRobot — external uptime monitoring of the health endpoint.

5. Data Retention

We retain personal data for as long as necessary for the purposes described above. Booking records, payment metadata, email logs, and related data are retained for up to five (5) years to satisfy Norwegian accounting and tax obligations, support dispute handling, prevent fraud, and meet any applicable legal or regulatory requirements. We delete or anonymise personal data when it is no longer needed, unless a legal obligation, ongoing dispute, or operational requirement requires longer retention. Technical and security logs are kept only as long as needed for security, debugging, fraud prevention, and audit purposes.

6. International Data Transfers

Our service providers may process your data in countries outside Norway and the European Economic Area (EEA). We rely on the data protection frameworks and transfer mechanisms offered by each provider (such as EU Standard Contractual Clauses where applicable) to protect your data in such transfers.

7. Your Rights

Under the General Data Protection Regulation (GDPR) and Norwegian personal data law, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — request that inaccurate or incomplete data be corrected
  • Deletion — request that we delete your personal data where we have no legal obligation to retain it
  • Restriction — request that we restrict processing in certain circumstances
  • Objection — object to processing based on our legitimate interests
  • Portability — receive your data in a structured, machine-readable format where technically feasible
  • Complaint — lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no

To exercise any of these rights, contact us at napanbecom@gmail.com. We aim to respond within 30 days. Some rights may be limited where legal retention obligations apply.

8. Changes to This Policy

We may update this privacy policy from time to time. The current version will always be available at this address.

9. Contact

For privacy-related enquiries, contact napanbecom@gmail.com or visit our Support page.