Privacy policy
Last updated: July 18, 2026
This Privacy Policy explains what FlightSweeper (a product of FinSync LLC, d/b/a Raintree Technology) collects, how we use it, who we share it with, and the rights you have over your data.
1. Information we collect
You give us
- Account data: email address, password hash, name (optional), preferences.
- Passenger data for bookings: name, date of birth, gender, lead contact phone and email. For international itineraries we may also collect passport number, nationality, and expiry as required by the airline or destination country.
- Search inputs: origins, destinations, dates, cabin class, passenger counts.
- Travel-goal watches such as route and destination-set monitoring (Pro feature).
- Support correspondence when you email us.
We collect automatically
- Device and log data: IP address, user agent, request timestamps (for security, fraud prevention, and rate limiting).
- Usage data: pages viewed, sweeps run, anonymous interaction events.
- Cookies and similar technologies: see our Cookie Policy.
We do not collect
- Payment card numbers — payment data is collected directly by our payment processors (Duffel, Stripe) and never touches our servers.
2. How we use information
- To provide the service: run sweeps, issue tickets, manage subscriptions, send receipts.
- To communicate: transactional emails (booking confirmations, schedule changes, account notices) and, with your consent, marketing emails you can unsubscribe from at any time.
- To improve and secure the product: troubleshooting, fraud prevention, abuse detection, analytics.
- To comply with legal obligations.
3. Legal bases (EEA/UK users)
Where the GDPR or UK GDPR applies, we rely on these legal bases: contract (to provide bookings you request), legitimate interests (security, fraud prevention, product improvement, where not overridden by your rights), consent (marketing emails, non-essential cookies), and legal obligation (tax, anti-fraud, regulatory).
4. How we share information
- Airlines and travel suppliers: passenger details and itinerary data necessary to issue the ticket.
- Payment processors: Duffel (for flight payments) and Stripe (for subscriptions).
- Service providers (sub-processors): Resend (transactional email), Neon (Postgres database), Upstash (ephemeral Redis), Vercel (hosting and AI-gateway routing), Anthropic (AI processing of chat-based search inputs, via the Vercel AI Gateway), Google and Apple (authentication, if you sign in with them), and analytics or fraud-detection tools we may add. We require each to use the data only to provide services to us.
- Legal and safety: when required by subpoena, court order, or to protect rights, property, or safety.
- Business transfers: in connection with a merger, acquisition, or sale of assets, subject to this policy.
We do not sell your personal information for money. We do not share personal information for cross-context behavioral advertising.
5. FlightSweeper Connect and AI clients
FlightSweeper Connect lets you authorize an AI client (for example, an FlightSweeper connector inside a third-party AI assistant) to act on your behalf through our agent interface. Authorization uses OAuth 2.0: you sign in on a FlightSweeper page and approve a specific set of scopes. The AI client receives a scoped, short-lived access token and never receives your FlightSweeper password.
- What an authorized client can access: live flight search, quote comparison and refresh, creation of a FlightSweeper-hosted checkout link, owner-scoped booking status, and a non-identifying preferences summary — all limited to your own account and to the scopes you approved.
- What it never receives:passenger PII (name, date of birth, gender, or document numbers), payment card data, decrypted traveler-profile details, or any other user's data. The preferences summary exposes only opaque profile IDs and generated non-PII aliases, never labels or decrypted values.
- Passenger and payment entry stay on FlightSweeper. An AI client can prepare a hosted checkout link but cannot charge a card or issue a ticket. Only you can enter passenger and payment details and confirm purchase on a FlightSweeper-hosted page.
- Sub-processor: when you connect a third-party AI assistant, your requests to that assistant are processed by its operator under its own privacy policy before they reach us; we receive only the search and management inputs its connector sends to our agent interface, which we handle as described in Sections 1 and 2.
- Revocation:you can revoke a connected client's access at any time from your account. Revocation invalidates its tokens, and access tokens are short-lived by design.
6. Security
We take reasonable administrative, technical, and physical safeguards to protect personal information. Passenger PII (name, date of birth, gender, document numbers when collected) is encrypted at rest using AES-256-GCM, with the encryption key held separately from the database. Passwords are hashed. Transport is encrypted via TLS. No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a breach affecting your personal information, we will notify affected users and applicable regulators as required by law.
7. Retention
- Account data is retained while your account is active and for a reasonable period after closure for tax, fraud, and dispute purposes.
- Booking records are retained for at least seven years to comply with tax and accounting obligations.
- Shareable sweep result links remain accessible for seven days from creation, after which they expire.
- Log and security data is retained for up to 12 months.
- On a verified deletion request, we erase personal data we are not legally required to retain.
8. International transfers
FlightSweeper is operated from the United States. If you access the service from outside the US, your data will be transferred to and processed in the US and in any country where our sub-processors operate. Where required, we rely on Standard Contractual Clauses or other approved transfer mechanisms.
9. Your rights
Depending on where you live, you may have the right to access, correct, delete, or port your personal data, to object to or restrict certain processing, and to withdraw consent. To exercise these rights, email legal@raintree.technology. We will respond within the timeframe required by applicable law (generally 30–45 days). We will not discriminate against you for exercising these rights.
California residents (CCPA / CPRA)
Categories of personal information collected in the last 12 months: identifiers (email, IP), customer records (name, DOB, contact details for bookings), commercial information (purchase history), internet activity (usage), and inferences from the above. We disclose data to the service providers listed in Section 4 for business purposes. We do not sell personal information and do not share it for cross-context behavioral advertising. You may request access, deletion, correction, and limit use of sensitive personal information. You may designate an authorized agent. You may also submit a request via Do Not Sell or Share My Personal Information (also reachable by emailing us).
EEA, UK, and Swiss residents (GDPR / UK GDPR)
In addition to the rights above, you may lodge a complaint with your local supervisory authority. Our legal bases are described in Section 3.
10. Children
FlightSweeperis not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children for account creation. When a parent or guardian books travel for a minor passenger, they provide information on the minor's behalf for the purpose of issuing the ticket.
11. Cookies
See our Cookie Policy for details on the cookies and similar technologies we use, and how to manage them.
12. Changes
We may update this policy from time to time. Material changes will be communicated by email or in-product notice. The “Last updated” date at the top of this page reflects the most recent revision.
13. Contact
FinSync LLC (d/b/a Raintree Technology)
c/o ZenBusiness Inc. (Registered Agent), 2520 Venture Oaks Way, Suite 120, Sacramento, CA 95833
Email: legal@raintree.technology