Privacy Policy

PREAMBLE

This Privacy Policy aims to inform users of the FlixBag platform (hereinafter "the Platform") of the conditions under which their personal data is collected, processed, used, stored and, where applicable, transferred by the company FlixBag, SASU with capital of 1,000 euros, registered in the Trade and Companies Register of Bourg-la-Reine under number [RCS], whose registered office is located at 53 rue Hoffmann, 92340 Bourg-la-Reine (hereinafter "FlixBag" or "the Data Controller").

FlixBag is a digital platform that connects travelers who have excess luggage kilos with senders wishing to ship packages internationally at competitive rates. This activity involves processing sensitive personal data, particularly identity, payment and location data.

FlixBag commits to strictly comply with the applicable regulations on personal data protection, in particular Regulation (EU) 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data (GDPR), Law No. 78-17 of January 6, 1978, as amended, relating to data processing, files and freedoms, as well as any local legislation applicable in the Platform's operating countries (European Union, French-speaking African countries, Canada, United States, China, India, Pakistan).

ARTICLE 1 — DEFINITIONS

For the purposes of this Policy, the following terms have the meaning below:

  • "Personal data": Any information relating to an identified or identifiable natural person, directly or indirectly.
  • "Processing": Any operation or set of operations performed on personal data (collection, recording, storage, modification, extraction, consultation, use, communication, deletion).
  • "User": Any natural person using the FlixBag Platform as a Traveler, Sender or Recipient.
  • "Traveler": User making their excess luggage kilos available for package transport.
  • "Sender": User wishing to send a package via the Platform.
  • "Recipient": Person designated by the Sender to receive the package at destination.
  • "Data Controller": FlixBag, SASU, which determines the purposes and means of personal data processing.
  • "DPO": Data Protection Officer, person responsible for ensuring processing compliance.

ARTICLE 2 — DATA CONTROLLER

The controller of personal data collected via the Platform is:

Company name: FlixBag
Legal form: Simplified Joint Stock Company (SASU)
Share capital: 1,000 euros
Registered office: 53 rue Hoffmann, 92340 Bourg-la-Reine
RCS: Bourg-la-Reine [Number]
Legal representative: ARNAUD KINTOHOU
DPO Email: dpo@flixbag.com
Phone: +33 7 46 55 02 99

ARTICLE 3 — DATA COLLECTED

3.1 Data provided directly by the User

During registration, Platform use and transaction completion, FlixBag collects the following data categories:

a) Identification and verification data

  • Surname, first name, date of birth, nationality
  • Email address, phone number
  • Copy of passport or identity document (mandatory scan for Travelers)
  • Identity photograph (verification badge)
  • Complete postal address

b) Flight and transport data

  • Electronic ticket (digital copy)
  • Booking reference (PNR — Passenger Name Record)
  • Complete itinerary (origin, destination, stopovers, schedules)
  • Ticket purchase date, flight date, ticket price
  • Number of authorized suitcases and available kilos

c) Transactional and financial data

  • Banking details and payment methods (CB, Apple Pay, Google Pay, KKiaPay, FedaPay, PayDunya, CinetPay)
  • Transaction history (amounts, dates, statuses)
  • Information related to payment escrows
  • Data relating to refunds, penalties and cancellation fees

d) Package-related data

  • Package type and category (Standard, Premium)
  • Declared weight, verified weight
  • Content description, shipping location and destination

3.2 Automatically collected data

  • Connection data: IP address, browser type, operating system, device identifiers
  • Geolocation data: GPS position for party matching and relay point deposit verification
  • Cookies and trackers: browsing data, preferences, usage statistics
  • Flight tracking data: real-time information via Flightradar24 and FlightAware APIs
  • Rating data: star ratings, ranking (1 to 5), "Regular" status

ARTICLE 4 — PROCESSING PURPOSES AND LEGAL BASES

Personal data is processed for the following purposes:

Purpose | Description | Legal basis
User account creation and management | Registration, identity verification, profile management | Contract performance (Art. 6.1.b GDPR)
Traveler / Sender matching | Matching algorithm, proposal display | Contract performance (Art. 6.1.b GDPR)
Dynamic pricing (Smart-Pricing) | Automated price calculation via PNR/OCR extraction | Legitimate interest (Art. 6.1.f GDPR)
Payment and escrow management | Sequestration, release, refunds | Contract performance (Art. 6.1.b GDPR)
Flight tracking and notifications | Real-time tracking, automatic alerts | Contract performance (Art. 6.1.b GDPR)
Dispute and litigation management | Mediation, evidence, profile deactivation | Legitimate interest (Art. 6.1.f GDPR)
Rating and ranking | Star system, Regular status, 1-5 ranking | Legitimate interest (Art. 6.1.f GDPR)
Platform improvement | Statistics, behavioral analysis, optimization | Consent (Art. 6.1.a GDPR)
Commercial communication | Newsletters, promotional offers | Consent (Art. 6.1.a GDPR)
Legal obligations | Taxation, anti-money laundering, requisitions | Legal obligation (Art. 6.1.c GDPR)

ARTICLE 5 — DATA RECIPIENTS

Personal data may be communicated to the following recipient categories, strictly limited to what is necessary to accomplish the purposes described above:

5.1 Internal recipients

Authorized FlixBag personnel (customer service, technical team, management) within the limits of their respective duties.

5.2 Subcontractors and technical partners

  • Payment providers: Stripe, Apple Pay, Google Pay, KKiaPay, FedaPay, PayDunya, CinetPay
  • Identity verification providers (KYC)
  • Flight tracking API providers: Flightradar24, FlightAware
  • Cloud hosting and infrastructure services
  • Partner carriers: Colissimo, UPS, DHL

5.3 Authorized third parties

  • Judicial, administrative or regulatory authorities upon legal requisition
  • Other Platform Users strictly within a transaction (information necessary for delivery)

ARTICLE 6 — INTERNATIONAL DATA TRANSFERS

As FlixBag operates internationally (European Union, French-speaking Africa, Canada, United States, China, India, Pakistan), personal data transfers to third countries may occur.

These transfers are framed by the following safeguards, in accordance with Chapter V of the GDPR:

  • European Commission adequacy decisions for countries recognized as offering an adequate level of protection (Canada via PIPEDA).
  • Standard Contractual Clauses (SCC) approved by the European Commission for transfers to the United States, China, India and Pakistan.
  • Binding Corporate Rules (BCR) when subcontractors have them.
  • EU-US Data Privacy Framework for certified US providers.

For French-speaking African countries, FlixBag ensures compliance with local regulations regarding data protection, particularly the African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention) and applicable national laws.

ARTICLE 7 — RETENTION PERIOD

Personal data is retained for a period not exceeding that necessary for the purposes for which it is processed:

Data category | Retention period
User account data | Duration of contractual relationship + 3 years after last activity
Identity data (KYC) | 5 years after account closure (anti-money laundering obligations)
Transaction data | 10 years (accounting and tax obligations)
Flight and PNR data | Transaction duration + 1 year
Tracking and geolocation data | 6 months after effective delivery
Dispute data | 5 years after final resolution
Rating/ranking data | Duration of contractual relationship
Cookies and trackers | 13 months maximum
Marketing data | 3 years after last contact

At the end of these periods, data is permanently deleted or irreversibly anonymized for statistical purposes.

ARTICLE 8 — DATA SECURITY

FlixBag implements appropriate technical and organizational measures to ensure a security level adapted to the risk, in accordance with Article 32 of the GDPR:

8.1 Technical measures

  • Data encryption in transit (TLS 1.3) and at rest (AES-256)
  • Specific encryption of PNR data and uploaded tickets in compliance with GDPR standards
  • Multi-factor authentication (MFA) for administrator access
  • Pseudonymization and anonymization of data when possible
  • Firewall, intrusion detection and prevention systems (IDS/IPS)
  • Regular penetration testing and security audits
  • Encrypted backups and disaster recovery plans (DRP/BCP)

8.2 Organizational measures

Organizational measures include an access management policy based on the least privilege principle, regular staff training on data protection, and data breach notification procedures in accordance with Articles 33 and 34 of the GDPR (notification to the CNIL within 72 hours and information to data subjects in case of high risk).

ARTICLE 9 — USER RIGHTS

In accordance with Articles 15 to 22 of the GDPR and Articles 48 to 56 of the amended Data Protection Act, each User has the following rights:

  • Right of access (Art. 15 GDPR): Obtain confirmation that their data is processed and receive a copy.
  • Right of rectification (Art. 16 GDPR): Have inaccurate or incomplete data corrected.
  • Right to erasure (Art. 17 GDPR): Obtain deletion of their data in cases provided by GDPR, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18 GDPR): Obtain processing restriction in certain circumstances.
  • Right to data portability (Art. 20 GDPR): Receive their data in a structured, commonly used and machine-readable format.
  • Right to object (Art. 21 GDPR): Object to processing of their data based on legitimate interest or for marketing purposes.
  • Right to withdraw consent: Withdraw consent given at any time, without retroactivity.
  • Right to define post-mortem directives: Define directives regarding the fate of their data after death (French law).
  • Right relating to automated decision (Art. 22 GDPR): Not be subject to a decision based solely on automated processing, including profiling, producing legal or similar effects. Users can request human intervention regarding the Smart-Pricing algorithm.

These rights can be exercised by email at dpo@flixbag.com or by postal mail to FlixBag's registered office, accompanied by a copy of identity proof. FlixBag commits to respond within one month from receipt of the request. This period may be extended by two additional months considering complexity and number of requests.

In case of difficulty exercising their rights, Users can file a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, or with the competent supervisory authority of their country of residence.

ARTICLE 10 — COOKIES AND TRACKERS

FlixBag uses cookies and similar technologies to ensure proper Platform operation, measure audience and personalize user experience. Cookie categories used are:

  • Strictly necessary cookies: Essential for Platform operation (authentication, security, cart). No consent required.
  • Performance cookies: Audience measurement and statistical analysis (e.g., Google Analytics). Subject to consent.
  • Functionality cookies: Preference memorization (language, currency). Subject to consent.
  • Advertising targeting cookies: Personalized advertising delivery. Subject to consent.

Users can manage their cookie preferences at any time via the cookie management banner integrated into the Platform or via their browser settings. Refusing non-essential cookies does not affect access to basic Platform functionalities.

ARTICLE 11 — AUTOMATED PROCESSING AND PROFILING

FlixBag implements automated processing, including:

  • Smart-Pricing algorithm: Automated kilogram price calculation based on flight data, anticipation factor and product category. This processing does not produce a decision significantly affecting Users but determines transaction price.
  • Ranking algorithm: Automatic assignment of score and ranking (1 to 5) based on usage history, cancellations and ratings. This ranking influences display order of Travelers proposed to Senders.
  • Fraud detection: Automated behavior analysis to detect suspicious activities.

In accordance with Article 22 of the GDPR, Users have the right to request human intervention, express their viewpoint and contest the decision with FlixBag customer service.

ARTICLE 12 — MINOR PROTECTION

The FlixBag Platform is exclusively intended for adults (18 years old or age of majority in country of residence). FlixBag does not knowingly collect personal data from minors. If FlixBag discovers that a minor's data has been collected, it will be immediately deleted.

ARTICLE 13 — POLICY MODIFICATION

FlixBag reserves the right to modify this Privacy Policy at any time, particularly to take into account legislative, regulatory or technical developments. Any substantial modification will be notified to Users by email and/or in-app notification at least thirty (30) days before its effective date.

Continued use of the Platform after the modified version takes effect constitutes acceptance of the new Policy.

ARTICLE 14 — CONTACT

For any question regarding this Policy or to exercise your rights, you can contact:

Data Protection Officer (DPO): Judicael AHYI
Email: dpo@flixbag.com
Postal address: FlixBag — DPO, 53 rue Hoffmann 92340 Bourg-la-Reine, France
Phone: +33 7 46 55 02 99

Done in Bourg-la-Reine, on 05/02/2026

For FlixBag company

ARNAUD KINTOHOU, President