Privacy Policy

Effective 11 April 2026

This Privacy Policy explains what personal data Soarlax collects, why we collect it, how we use and share it, and the rights you have over it. By using Soarlax you agree to the practices described below. If you do not agree, do not use the Service.

1. Who we are

Soarlax ("we", "us") is the controller of your personal data for the purposes of applicable data protection law (including the EU/UK GDPR and the California Consumer Privacy Act). You can reach us at support@soarlax.com.

2. Data we collect

• Account data. Email address, display name, password hash, and authentication metadata.
• Tracked route data. Origin, destination, travel dates, cabin, stops, and passenger counts for each route you track. We also store the fare verdicts we generate for them.
• Booking attribution.When you click an outbound "book" link we record the click (timestamp, route, and a click identifier) so we can match a later booking confirmation to the trip.
• Booked-trip records. If you save a booked fare, we store the price, currency, booking date, and any rebook notes you add.
• Payment metadata. Subscription status, plan identifier, renewal date, and billing region. We do not store card numbers or bank details — payments are processed by LemonSqueezy.
• Usage and device data. IP address, user agent, pages viewed, and basic error telemetry (via Sentry) used to keep the Service running.

3. How we use your data

• To run Soarlax and deliver the verdicts you ask for.
• To send transactional emails (alerts, verdict changes, rebook notifications, booking follow-ups, receipts).
• To operate and improve the product — debugging, performance monitoring, abuse prevention, and aggregate accuracy analytics.
• To handle support requests and communicate with you.
• To meet legal obligations (tax, accounting, fraud prevention, and regulatory requests).

4. Legal bases (EU/UK GDPR)

• Contract: running your account, delivering verdicts and alerts, and processing Explorer subscriptions.
• Legitimate interest: debugging, fraud prevention, improving the Service, and aggregating anonymized data for the public accuracy dashboard.
• Consent: any non-essential cookies or optional marketing communications, where required by law.
• Legal obligation: tax, accounting, and responses to lawful requests.

5. Sharing your data

We share data only with processors that help us run Soarlax, and only for the purposes set out above:

• Vercel — application hosting and edge delivery.
• Supabase — database hosting (PostgreSQL).
• LemonSqueezy — subscription billing and invoicing.
• Resend — transactional email delivery.
• SerpApi — live fare data provider (we send it route parameters, never your account identity).
• Sentry — error and performance monitoring.

We do not sell your personal data. We do not share your personal data with advertisers.

6. International transfers

Soarlax runs on a global cloud stack, so your data may be processed in countries outside your own — including the United States and the European Union. Where transfers are made out of the EEA or UK, we rely on approved safeguards (such as the Standard Contractual Clauses) with our processors.

7. Retention

We keep your account data for as long as your account is active and for a reasonable period afterward to handle billing, disputes, and legal obligations. Tracked-route and fare data is kept while the route is active plus up to 24 months to feed the accuracy rollup. Error telemetry is retained for up to 90 days. When retention expires we delete or anonymize the data.

8. Your rights

Depending on your jurisdiction you may have the right to access, correct, delete, export, restrict, or object to the processing of your personal data, and to withdraw consent where processing is based on consent. To exercise a right, email support@soarlax.com from the address on your account. We may need to verify your identity before we act on a request.

EU/UK residents have the right to complain to their local data protection authority. California residents have additional rights under the CCPA — including the right to know, delete, and not be discriminated against for exercising a right.

9. Security

We use industry-standard safeguards — encryption in transit, hashed credentials, least-privilege access, scoped API keys, webhook signature verification, and short-lived OIDC tokens where available. No online service is perfectly secure, but we take this seriously and will notify you if a breach affects your data, as required by law.

10. Children

Soarlax is not directed at children under 16 and we do not knowingly collect data from them. If you believe a child has created an account, email support@soarlax.com and we will remove it.

11. Changes

We may update this Privacy Policy from time to time. If a change is material we will notify you by email and update the effective date above.

12. Contact

Data questions or requests? Email support@soarlax.com.