FAIRFERRY – PRIVACY POLICY & COOKIE DECLARATION

Your privacy matters to us. This Privacy Policy explains how we, FairFerry OÜ, as data controller, collect, use and protect your personal data when you use FairFerry.

1. Data Controller Identification

The entity responsible for the processing of your personal data under the General Data Protection Regulation (RGPD) and the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) is:

• Legal name: FairFerry OÜ
• Registered address: Sepapaja tn 6, 15551 Tallinn, Lasnamäe linnaosa, Harju maakond, Estonia
• Registration code: 17337821 (Estonian Commercial Register, Tartu County Court)
• Management representation: Jan-Hendrik Marquardt (Sole Member of the Management Board)
• Spanish Tax Identification Number (N.I.F.): application pending — file number to follow once issued

Contact for data protection: all privacy-related inquiries and requests to exercise your statutory rights should be directed to legal@fairferry.eu.

FairFerry OÜ is not legally required to appoint a designated Data Protection Officer (DPO) under Article 37 of the RGPD or Article 34 of the LOPDGDD. The contact address above handles all data protection matters and the exercise of your rights.

2. Introduction and Scope of Service

FairFerry operates a digital consumer-rights platform designed to assist ferry passengers in enforcing their rights under Regulation (EU) No 1177/2010. This Privacy Policy applies to users of our Spanish operations, which cover maritime routes departing from or arriving at ports located within Spanish territory.

FairFerry acts as the Data Controller for all personal data processed throughout the lifecycle of a compensation claim. We apply the principle of data minimisation, ensuring that processing is strictly aligned with the recovery of passenger compensation.

This Privacy Policy is provided in English. A Spanish version will follow; until a reviewed Spanish version exists, the English version is binding, after which the Spanish version shall prevail in the event of any discrepancy.

3. Categorisation of Personal Data Collected

In adherence to the principle of data minimisation, FairFerry collects only the information strictly necessary to process your claim.

Contact Data

Full name, email address, and optional phone number.

Identity Data

We collect DNI or passport numbers exclusively at the time of signing the Assignment Agreement. We do not request or store physical or digital images of identity documents during the initial intake process. Copies of identity documents are collected and stored only if the claim is escalated to legal enforcement proceedings.

Travel and Claim Data

Detailed records including ferry route, operator, scheduled and actual travel dates and times, ticket prices, and booking confirmations or ticket copies.

Bank Data

Bank account details (IBAN and account holder name) collected only when a claim has been approved and a payout becomes due. Purpose: performance of the assignment contract — transferring your compensation. Legal basis: Article 6(1)(b) RGPD (contract performance). The IBAN is stored encrypted at the application layer and is automatically deleted 30 days after the payment is confirmed; we never store payment-card numbers.

Technical Data

IP address, browser type, device identifiers, and technical logs necessary for security and operational integrity.

4. Purposes of Processing and Legal Basis

We process your data on the following legal grounds provided by Article 6 of the RGPD:

We do not sell personal data and we do not send marketing communications.

5. Automated Decision-Making (Art. 22 RGPD)

FairFerry uses automated tools to give users an instantaneous, non-binding assessment of claim eligibility based on the travel parameters provided. However, every claim is subject to a final review by a human member of the FairFerry team before any binding legal action is taken. In accordance with Article 22 of the RGPD, FairFerry does not make decisions producing legal effects or significantly affecting the user based solely on automated processing. If you have questions about a decision, contact us at legal@fairferry.eu.

6. Authorized Data Processors

To ensure the technical efficiency of our platform, we engage the following service providers as data processors under Article 28 of the RGPD:

• Supabase – PostgreSQL database management and JWT-based (JSON Web Token) authentication.
• Vercel – web hosting and edge-delivery infrastructure.
• ZohoSign – secure, eIDAS-compliant electronic signing of the Assignment Agreement.
• ZeptoMail – managed delivery of transactional and claim-update emails.
• Xolo OÜ (registration code 12844111) – administrative, registered-office and accounting services.

All processors are bound by Data Processing Agreements (DPAs) and process data exclusively under our instructions.

7. Data Retention and Deletion Policy

FairFerry retains data only for as long as necessary to fulfil the purposes for which it was collected:

• General claim records: retained for up to five (5) years following the conclusion of the claim or the last contact with the data subject, whichever is later, in line with the Spanish statutory limitation period for contractual actions.
• Communication data: retained until claim completion or until a deletion request, whichever is earlier.
• Identity document copies: where copies of DNI or passports are collected for legal escalation, they are deleted following the conclusion of the judicial proceedings or the expiry of the statutory period for appeals, unless retention is required by law.

Data is securely deleted or anonymised when no longer required for the purposes stated in this policy, unless retention is required by law.

8. International Data Transfers

While we prioritise processing within the EU/EEA, certain technical processors may process data in the United States. In such instances, transfers are protected by the EU–US Data Privacy Framework or by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring a level of protection equivalent to that of the RGPD.

9. Data Subject Rights

As a data subject under the RGPD and LOPDGDD, you have the following rights:

• Access: to obtain a copy of the data we hold about you.
• Rectification: to correct inaccurate or incomplete personal data.
• Erasure (right to be forgotten): to request deletion of data when it is no longer necessary.
• Restriction: to limit the processing of your data under specific conditions.
• Portability: to receive your data in a structured, machine-readable format.
• Objection: to object to processing based on legitimate interests.

To exercise these rights — including requesting deletion of your account and associated data — email legal@fairferry.eu. We respond to all requests within the 30-day window mandated by Article 12(3) of the RGPD.

10. Supervisory Authorities

If you believe FairFerry has failed to protect your data, you have the right to lodge a complaint:

• Lead authority (Estonia): Andmekaitse Inspektsioon (AKI), Tatari 39, 10134 Tallinn, Estonia — www.aki.ee
• Local authority (Spain): Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid, Spain — telephone 900 293 183 — www.aepd.es

11. Cookie Declaration

FairFerry uses only essential cookies strictly necessary for the technical operation, security and session management of the platform (for example, the authentication session cookie that keeps you signed in). We do not deploy cookies for analytics, behavioural advertising or social-media tracking. As only strictly necessary cookies are used, no cookie consent banner is required under the LOPDGDD and current AEPD guidelines.

12. Security and Updates

We implement robust technical and organisational measures, including encryption in transit (SSL/TLS), strict access-control protocols, and regular infrastructure audits.

This policy is subject to periodic updates to remain compliant with evolving Spanish and European law. The latest version is always available on our website.