Privacy Policy
Last Updated: 02.06.2025
Introduction
CompenSky (“we,” “our,” or “us”) is committed to protecting the privacy of every passenger and claimant who entrusts us with personal information. This Privacy Policy explains in plain language what personal data we collect, for what precise reasons, in which ways we use and disclose it, how long we keep it, and the measures we take to keep it secure. It also describes the choices and rights you have in relation to the data we process. Our practices comply with all data-protection laws that apply to us, including but not limited to:
- Regulation (EU) 2016/679 (“GDPR”) for customers in the European Economic Area;
- Türkiye Personal Data Protection Law No. 6698 (“KVKK”); and
- Other local data-protection laws in countries where we provide services.
Whenever this Policy mentions “applicable law,” it is referring to the legislation that governs the Processing of your data in the place where you live or where we operate.
Key Definitions
- Personal Data: Any information that relates to you as an identified or identifiable natural person. Obvious examples include your name and passport number, but it can also cover booking references, IP addresses, and even certain kinds of cookies when they can be linked back to you.
- Processing: Any action performed upon Personal Data, whether automated or not—such as collection, storage, alteration, consultation, disclosure, transfer, or erasure.
- Services: Everything CompenSky provides, including eligibility checks, claim management, legal representation, account dashboards, mobile applications, web chat, marketing materials, and customer-support channels.
Our Data-Protection Principles
We handle Personal Data in line with the universally recognised principles of data protection:
- Lawfulness, Fairness, and Transparency: We process data only when we have a valid legal ground, in a way you reasonably expect, and we tell you about it in clear terms.
- Purpose Limitation: We collect data for specific, explicit purposes and do not process it further in ways incompatible with those purposes.
- Data Minimisation: We gather only the data that is relevant and necessary for each task.
- Accuracy: We keep your data up to date and correct inaccuracies promptly when you alert us.
- Storage Limitation: We retain data no longer than required for the stated purposes or by law.
- Integrity and Confidentiality: We safeguard data against unauthorised access, loss, or damage through robust technical and organisational measures.
- Accountability: We document our processing activities and can demonstrate compliance at any time.
What Data We Collect
Because air-passenger-rights claims are legal matters that often require proof of identity and flight disruption, we inevitably need a variety of data types.
Identification and Contact Information
When you open a case or create a CompenSky Account we ask for your full name, date of birth, nationality, passport or national-ID number (if it is necessary to prove identity to an airline or a court), mailing address, e-mail address, and preferred contact telephone. If you are filing on behalf of a child or another adult, we will request similar details for that person and rely on you to confirm you have their authorisation to share their data.
Flight and Claim Details
To verify eligibility and pursue your claim we collect booking references (PNRs), airline ticket numbers, flight numbers, airports of departure and arrival, scheduled and actual times, boarding passes, luggage tags, receipts, correspondence you exchanged with the airline, and any supporting documents such as vouchers or meal receipts that show the inconvenience you suffered.
Account and Usage Data
Our website and mobile app capture information about how you interact with the Service: login timestamps, clicks on case-status updates, form submissions, device type, browser type, IP address, and certain cookie or pixel data used to diagnose bugs, improve usability, and protect your account from fraud.
Financial and Payment Data
If compensation is paid out through us—or if we deduct our success fee—we process bank-account details, IBANs, SWIFT/BIC codes, partial card numbers, billing addresses, invoicing information, and payment confirmations. We never store full primary account numbers for credit cards; those are handled by PCI-DSS-compliant payment providers.
Marketing Preferences
Where you choose to receive newsletters, claim-deadline reminders, or promotional materials, we log your opt-in status, the channel you selected (e-mail, SMS, push notification), and the date and time you gave consent. We also keep a record of any subsequent opt-out so that we do not contact you again in error.
Communications and Support Content
Every time you speak with our support team—by phone, chat, or e-mail—the content of that conversation and any attachments you provide are stored in our customer-service platform so that agents can follow your case seamlessly.
We collect these data points directly from you, automatically through cookies or similar technologies, from publicly available or commercial flight-status databases, and—where strictly necessary—from individuals travelling on the same booking, always ensuring that they have agreed to share their data.
How We Collect Data
- Direct Submission by You: Most data reaches us because you enter it in an online form, upload a document, speak it to a support agent, or send it via e-mail.
- Automated Technologies: When you browse our website or use our mobile app, certain device and usage information is collected automatically using server logs, cookies, SDKs, pixels, and similar tracking technologies. You can manage many of these technologies through your browser or device settings.
- Third-Party Sources: We obtain flight timetables, delay reports, weather data, and sometimes copies of passenger name records (“PNRs”) from external aviation databases and airlines so that we can confirm the facts of your disruption. We also work with payment gateways that supply us with limited transaction data to reconcile accounts.
- Co-Passengers and Representatives: If a group claim is filed, we might receive information about you from the lead passenger. We instruct them to share this Policy with you so that you are informed from the outset.
Legal Bases for Processing
Under Article 6 of the GDPR—and the corresponding provisions of KVKK—we must have at least one lawful basis to process your data. The core bases we rely on are:
- Contractual Necessity: We cannot check a claim or represent you against an airline without processing your identification, flight, and payment details. When you accept our Terms & Conditions you form a contract with us, and processing these details is indispensable to fulfil that contract.
- Legal Obligation: Bookkeeping rules, tax laws, anti-money-laundering regulations, and court orders oblige us to retain and sometimes disclose certain data.
- Legitimate Interests: We have a commercial interest in providing efficient customer service, preventing fraud, improving our platform, and defending our legal rights. We always balance those interests against your fundamental rights and freedoms.
- Consent: For non-essential cookies, direct marketing, and sensitive data you voluntarily supply (for example, medical certificates that might support your claim), we ask for explicit, revocable consent.
If a different lawful basis applies in a specific jurisdiction—such as “performance of a public task” or “vital interests”—we will invoke it only where the circumstances genuinely justify it.
How We Use Your Data
We use your personal data for purposes that are closely linked to the service you have requested:
- Eligibility Assessment: By parsing your booking reference and disruption details we determine whether your circumstances meet the legal criteria for compensation.
- Claim Preparation and Submission: We compile legal arguments, draft letters, and populate airline and court forms using the Personal Data you provide so that your claim is formally lodged.
- Case Progress Updates: Through the CompenSky Account, by e-mail, and occasionally by SMS or push notification, we update you on every major status change—receipt of acknowledgement from the airline, settlement offers, or court decisions.
- Identity Verification: Before disbursing funds we verify that the recipient bank account belongs to you, thus preventing identity fraud or mis-directed payments.
- Customer Support and Quality Assurance: We may review call recordings or chat transcripts to train staff and ensure your queries are addressed accurately and courteously.
- Platform Maintenance and Analytics: Aggregated, pseudonymised usage data lets us detect technical errors, optimise page-load times, and understand which features clients find most useful.
- Marketing (Optional): If you consent, we will send newsletters about changes in regulation, deadline reminders for future claims, and occasional promotional offers. You can opt out at any time without affecting your pending claim.
We do not engage in fully automated decision-making that produces legal or comparably significant effects on you without meaningful human oversight.
Data Sharing
We never sell or lease your Personal Data to advertisers. We share it only with partners who are indispensable to handling your claim or running our business, strictly on a need-to-know basis and under comprehensive data-processing agreements. Typical recipients include:
- Law Firms and Court Representatives: When litigation is necessary, we forward your case file—including identity documents and correspondence—to external lawyers licensed in the relevant jurisdiction, who act under strict confidentiality.
- Airlines, Alternative Dispute-Resolution (ADR) Bodies, and National Enforcement Bodies: To settle or negotiate your claim we must inevitably exchange certain details, such as flight booking proofs and power-of-attorney documents, with the entities that ultimately decide or pay compensation.
- Payment Service Providers: Our PCI-compliant payment partners receive limited information (e.g., your name, IBAN, amount payable) so that they can process reimbursements and our contingent fee.
- Cloud-Infrastructure Vendors: We host servers, databases, and backups in reputable cloud environments—primarily within the European Economic Area—protected by strong contractual clauses and encryption.
- Consultants, Auditors, and Insurers: Infrequently, we must share certain records with professional advisers or insurers, for example during a statutory audit or in connection with a liability claim.
- Regulators and Law-Enforcement Agencies: Where we are compelled by law, subpoena, or court order, we cooperate by disclosing only the data lawfully requested.
International Transfers
Because we serve a global customer base and cooperate with airlines worldwide, some data may be transferred to—or accessed from—countries that have not been deemed to offer an “adequate” level of data protection under EU or Turkish standards. In such cases we rely on one or more of the following safeguards: Standard Contractual Clauses approved by the European Commission, binding corporate rules adopted by service providers, explicit informed consent from you, or, where strictly necessary, derogations permitted under Article 49 GDPR (such as the transfer being necessary for the performance of a contract between you and us). We keep documentary evidence of the safeguards in place and make them available on request.
Data Retention
We keep your Personal Data only for as long as each category is meaningfully required. Case-file documents are typically retained for six years after the claim is closed or the last payment is made, because that window covers the statute of limitation for most passenger-rights disputes and enables us to respond to post-settlement complaints or regulatory queries. Financial records—including invoices and payout confirmations—are normally archived for ten years, reflecting tax and accounting rules. Data tied to your CompenSky Account remains active for as long as your account exists; if you choose to delete it we will scrub or anonymise the relevant data within approximately ninety days once all outstanding claims have reached their final conclusion. Marketing-consent logs are preserved for up to three years from your last interaction so we can demonstrate lawful compliance if asked.
Your Rights
Subject to conditions and exemptions under applicable law, you have the right to:
- Access the Personal Data we hold about you and receive a copy in a commonly used electronic format.
- Rectify inaccurate or incomplete data without undue delay.
- Erase (“be forgotten”) certain data when it is no longer necessary or when your consent has been withdrawn and no other legal ground persists.
- Restrict processing while we verify contested accuracy, or when processing is unlawful and you prefer restriction to erasure.
- Object to processing based on legitimate interests, especially where the purpose is direct marketing.
- Withdraw Consent at any time where consent was the legal basis, without affecting past processing based on that consent.
- Complain to a supervisory authority. In Türkiye this is the Personal Data Protection Authority (“KVKK Board”). In the EEA or UK you may contact your local Data Protection Authority. We encourage you to contact us first so that we can try to resolve your issue swiftly and amicably.
You can exercise your rights by writing to privacy@compensky.com. We will respond within one month or sooner where local law requires it.
Security Measures
CompenSky has implemented a multi-layered security programme that aligns with ISO 27001 best practices. Technical controls include TLS 1.3 encryption for all data in transit, AES-256 encryption for data at rest, Web-Application Firewalls (WAF), real-time intrusion-detection systems, regular penetration tests by certified specialists, and continuous vulnerability scanning. Organisational measures encompass strict access controls governed by the principle of least privilege, mandatory multi-factor authentication for staff, background checks on employees with elevated privileges, secure-coding guidelines for developers, and an incident-response plan that defines how we notify both regulators and affected individuals if a breach poses a high risk to their rights and freedoms.
Children
Our Services are intended for and marketed to adults aged 16 and over. We do not knowingly solicit or process Personal Data from anyone under that age. If you believe we have inadvertently collected a minor’s data, please contact us immediately and we will delete such data without undue delay.
Job Applications
When you apply for a position at CompenSky, we process the CV, cover letter, professional references, interview notes, assessment results, and, where permitted by law, background-check data you or recruitment agencies provide. We use this data solely for recruitment and talent-pooling purposes. Unless you grant permission for a longer retention period, we delete or irreversibly anonymise recruitment files six months after the position is filled or closed, except where a dispute requires us to keep records longer.
Marketing Communications
We love to keep our customers informed about changes in passenger-rights law, new service features, and special promotions, but we will do so only with your explicit approval. Consent can be given by ticking an opt-in box on a web form or in your CompenSky Account settings. Every marketing e-mail includes a clear “unsubscribe” link that immediately removes you from the list. Opting out of marketing does not affect service messages related to your ongoing claims, which we must send to keep you informed.
Accountability and Governance
CompenSky’s senior management has endorsed a formal data-protection governance framework that assigns responsibilities to specific roles, mandates regular training, and requires routine compliance audits. Our DPO reports directly to the board of directors, ensuring independence. We maintain a comprehensive Record of Processing Activities and carry out Data-Protection-Impact Assessments (DPIAs) whenever a processing operation is likely to result in high risk to individual rights—such as implementing a new AI-based document-analysis tool.
Complaints
If you believe we have violated your privacy rights, we encourage you to contact our DPO via privacy@compensky.com. We take every complaint seriously and aim to respond substantively within 30 days. Should you remain dissatisfied, you have the right to lodge a complaint with the KVKK Personal Data Protection Authority in Türkiye or with the supervisory authority in the country where you live or work.
Changes to This Policy
We may update this Policy from time to time to reflect legal developments, new technologies, or improvements in our Services. When we make material changes—meaning changes that significantly affect how we process your Personal Data—we will notify you through a prominent banner on our website, an in-app message, and/or an e-mail at least 30 days before the new version takes effect. We keep an accessible archive of previous versions so that you can review what changed.
Contact Us
CompenSky Teknoloji ve Danışmanlık A.Ş.
[COMPENSKY HEAD OFFICE ADDRESS]
Istanbul, Türkiye
Tel: +90 552 161 33 21
E-mail: privacy@compensky.com
For any matter related to this Privacy Policy, including exercising your rights or requesting a copy of our Standard Contractual Clauses, please contact our DPO at the address or e-mail above.