2. What is GDPR, and what is Wingie doing to comply?
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union, which addresses the export of personal data outside the EU. GDPR is effective as of May 25th, 2018. It replaces national privacy and security law that previously existed within the EU with a single, comprehensive EU-wide law that governs the use sharing, transfer and processing of any personal data that originates from the EU.
Wingie’s policy is to respect all laws that are related to our business, which includes GDPR.
Here are a few things Wingie is committed to doing to ensure our compliance with GDPR:
Where we are transferring data outside of the EU, Wingie commits to having the appropriate data transfer mechanisms in place as required by GDPR.
Wingie commits to follow appropriate security measures and precautions in accordance with GDPR.
Wingie will assist with notifying regulators of breaches and promptly communicate any breaches to customers and users.
We will ensure that employees authorized to process personal data have committed to confidentiality.
We will hold any sub-processors that handle personal data, including our data center partners, to the same data management, security and privacy practices and standards to which we hold ourselves.
Wingie commits to carrying out data impact assessments and consulting with EU regulators where a data impact assessment indicates a high risk associated with processing without an appropriate mitigating strategy.
Where appropriate, we will offer contractual language documenting our commitments to our customers to support their GDPR obligations.
Wingie will assist our customers, insofar as possible, to respond to data subject requests our customers may receive under the GDPR.
3. Does Wingie process personal data?
4. Where does Wingie store and send my data?
5. How does Wingie handle onward transfers of data outside of the EU?
Wingie GmbH is responsible for your personal data, after you use our services. We store your data in Google Cloud servers located in Belgium. Moreover, we may transfer your personal data to other organizations to provide you services. As of May 2018, Enuygun Com Internet Bilgi Hizmetleri AS (“Enuygun”), located in Istanbul, Turkey, is doing the ticketing for Wingie clients, and ticketing data is transferred to their servers in Istanbul. Enuygun uses Flight Company Web Services for booking flights.
6. Do you offer your customers a Data Processing Addendum ('DPA')?
Yes, we do! We respect all GDPR obligations while processing EU personal data. The Wingie Data Processing Addendum is available upon request for all customers to review and use to meet your onward transfer requirements under GDPR. To obtain a copy of your DPA please reach out to email@example.com
7. Can I make changes to the Wingie DPA?
Wingie DPA is an extension of our Customer Agreement and reflects our compliance with GDPR requirements. We are unable to make any changes to our DPA. For more information, please see the Data Processing Addendum.
8. Can I opt out of having my data collected or shared while booking a flight?
Wingie collects your personal information when you use our services. Your data is collected when you use Wingie including:
9. How does Wingie secure my data?
We have implemented our security policy to secure your data, in compliance with GDPR. Your personal data is encrypted while transferring. Moreover, Wingie is compatible with PCI DSS at Level-3, which is a widely accepted standard of policies and procedures intended to optimize security.
11. Does Wingie use sub-processors to further process customer data?
A list of our sub-processors can be found on our Sub-Processors page.
12. Who can I contact with questions regarding GDPR?
Our services are used by millions around the world. We encourage you to review this page first. Most probably your interest will be addressed in this page. However, we understand there may be some circumstances where you may need to directly contact us. For more information, please use the “Contact” section on Wingie.
Wingie is a web based service of Wingie GmbH, Friedrichstr. 171, 10117 Berlin ("Wingie" or "we"), under the address www.wingie.com (hereinafter "Website" or "Service"). Wingie GmbH is an Online Travel Agency (OTA). Further contact information can be found at https://www.wingie.com/impressum.
Wingie takes the protection of your privacy and your personal data very seriously. We act in our customers’ interest and we are transparent about our processing of your personal data. In the following we inform you about the collection, processing and use of your personal data when using our website. Personal data are all data that can be obtained personally from you, e.g. name, telephone number or e-mail address.
1. What information we collect about you
1.1 Information you provide to us
1.1.1 Content you provide through bookings
We use your personal data to complete and administer your online flight reservation. When booking for the first time we need information such as name, surname, phone number, email address, date of birth and gender. In addition, we require your payment details, such as bank details or credit card information, with every booking.
When you visit our website, we also store by default the data that your browser transmits to enable you to visit our website, such as: your IP address, the website from which you visit us, the type of browser, and the date and duration of the visit for statistical purposes (see the web tracking section).
1.1.2 Information you provide through our support channels
We provide international customer service 24 hours a day, 7 days a week. Sharing your relevant details, such as reservation information with our customer service staff allows us to respond when you need us.
When you call our call center, your conversation with call center agent will be recorded for the purposes of better service quality and proof of service. Live listening may be done for quality control and training purposes.
When you use our chat support, your conversation with back office agent will be recorded for the purposes of better service quality and proof of service.
Call and chat recordings are kept for a limited amount of time and automatically deleted, unless Wingie has a legitimate interest to keep such recording for a longer period, including for fraud investigation and legal purposes.
1.2 Information we collect automatically when you use the website and/or mobile applications
1.2.1 Your use of the website and/or mobile applications
We keep track of certain information about you when you visit and interact with our website and/or mobile applications. This information includes the features you use; the links and buttons you click on and frequently used search terms. For example, we might find out from usage data that users cannot find an airport with certain search term and we might add a suggestion for that search term.
1.2.2 Device and Connection Information
When using the website, cookies are stored on your computer. Cookies are small text files that are allocated and stored on your hard drive to the browser you use, and that provide certain information to the body that sets the cookie (in this case us). Cookies cannot run programs or transmit viruses to your computer. They serve to make the Internet offer more user-friendly and effective overall.
1.2.4 Web Tracking
18.104.22.168 Use of Google Analytics
(1) Wingie uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses so-called "cookies", text files that are stored on your computer and that allow an analysis of the use of the website by you. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. However, in the event of activation of IP anonymization on this website, your IP address will be shortened by Google beforehand within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there.
(2) The IP address transmitted by Google Analytics as part of Google Analytics will not be merged with other data provided by Google.
(3) You can prevent the storage of cookies by setting your browser software accordingly; however, please note that if you do this, you may not be able to use all the features of this website to the fullest extent possible.
(4) In addition, you may prevent the collection by Google of the data generated by the cookie and related to your use of the website (including your IP address) as well as the processing of this data by Google using the browser available at the following link Download and install the plug-in: http://tools.google.com/dlpage/gaoptout?hl=de.3
22.214.171.124 Use of Criteo
On Wingie, Criteo GmbH collects and stores anonymized information about the usage behavior on our website. This data is stored in cookies on your computer. Based on an algorithm, Criteo GmbH analyzes the anonymously recorded surfing behavior and can then display targeted product recommendations as personalized advertising banners on other websites (so-called publishers). In no case can this data be used to personally identify you as a visitor to our websites. The collected data will only be used to improve the offer. Any other use or disclosure of this information to third parties will not take place.
1.3 Information we receive from other source
We might receive information about you from other users.
1.3.1 Other users of the website
When you make a reservation for someone else through Wingie, we will request personal information and travel preferences about that individual. You should obtain the consent of other individuals prior to providing us with their personal information and travel preferences, as any access to view or change their information will be available only through your email address. Other users of our website may provide information about you when they submit content through the website. For example, you might be added as a passenger to a flight, as a result, your name, surname, age, gender might be shared with us. This information will be stored as passenger information.
2. How we use information we collect
2.1 To provide the services and personalize your experience
We use information about you to provide the services to you, including to process transactions with you, authenticate you when you log in, provide customer support, and operate and maintain the service.
2.2 For research and development
We are always looking for ways to make our website faster, more secure, and more useful to you. We use collective learnings about how people use our website and feedback provided directly to us to troubleshoot and to identify trends, usage, activity patterns and areas for integration and improvement of the website.
2.3 To communicate with you about the services
We use your contact information to send transactional communications via email and within the website, including confirming your purchases, responding to your questions and requests, and providing customer support. We might send you email notifications when several online actions become available, for example online check-in.
2.4 To market, promote and drive engagement with the services.
We use your contact information to send promotional communications that may be of specific interest to you, including by email. These communications are aimed at driving engagement and maximizing what you get out of the website. We also communicate with you about new product offers and promotions. You can control whether you receive these communications as described below under "Opt-out of communications."
2.5 Customer support:
We use your information to resolve technical issues you encounter, to respond to your requests for assistance, to analyze crash information, and to repair and improve the Services.
2.6 For safety and security:
We use information about you and your Service use to verify accounts and activity, to monitor suspicious or fraudulent activity and to identify violations of our policies.
2.7 To protect our legitimate business interests and legal rights:
Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.
2.8 With your consent:
We use information about you where you have given us consent to do so for a specific purpose not listed above. For example, we may publish testimonials or featured customer stories to promote the Services, with your permission.
3. How we share information we collect
3.1 Sharing with third parties
We share information with third parties that help us operate, provide, improve, integrate, customize, support and market our website.
3.1.1 B2B Ticketing Agency
We are working with a ticketing agency called Enuygun Com Internet Bilgi Hizmetleri Teknoloji ve Ticaret AS (“Enuygun” or “Consolidator”), located in Istanbul, Turkey, for ticketing purposes. Enuygun is Turkey’s leading Online Travel Agency in flights, with more than 10 million visits and 500.000 flight bookings each month, as of spring 2018. Enuygun is also indirectly related to Wingie GmbH via common shareholders.
With Enuygun, we share data that is needed for ticketing purposes. Enuygun may share data with other parties for ticketing purposes, as detailed in the below items.
We work with airlines directly or via Consolidator to provide their flight services. Airlines fulfil your travel reservations. Airlines are required to access and use your personal information including name, surname, date of birth, gender, email address and phone number. We encourage you to review the privacy policies of airlines whose flights you purchase through Wingie. Please note that airlines also may contact you as necessary to obtain additional information about you, facilitate your travel reservation, or respond to a review you may submit.
3.1.3 Global Distribution Systems:
We work with global distribution systems directly or via Consolidators to provide access to flight services from airlines. Global Distribution Systems access and use your personal information including name, surname, date of birth, gender, email address and phone number. Global Distribution Systems share this information with airlines and airlines fulfil your travel reservations.
3.1.4 Payment System Providers:
We or our Consolidators use card information (cardholder name, card number, and expiration date) for the purpose of completing the flight bookings you conduct on website. We work with payment system providers to process payments for your flight bookings. Your card number, card holder name, card expiration date, card CVV are shared with payment system providers which might include banks and other financial systems.
3.2 Links to Third Party Sites:
3.3 Social Media Widgets:
Our website may include links that direct you to other websites or services whose privacy practices may differ from ours. Your use of and any information you submit to any of those third-party sites is governed by their privacy policies, not this one.
3.4 Third-Party Widgets:
3.5 With your consent:
We share information about you with third parties when you give us consent to do so. websites. For example, with your consent, we may post your name alongside a testimonial.
3.6 Compliance with Enforcement Requests and Applicable Laws; Enforcement of Our Rights:
In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to (a) comply with any applicable law, regulation, legal process or governmental request, including to meet national security requirements, (b) enforce our agreements, policies and terms of service, (c) protect the security or integrity of our products and services, (d) protect Wingie, our customers or the public from harm or illegal activities, or (e) respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person.
4. How we store and secure information we collect
4.1 Information storage and security
We use cloud data hosting service providers in Belgium to host the information we collect, and we use technical measures to secure your data. While we implement safeguards designed to protect your information, no security system is impenetrable and due to the inherent nature of the Internet, we cannot guarantee that data, during transmission through the Internet or while stored on our systems or otherwise in our care, is absolutely safe from intrusion by others.
4.2 How long we keep information
Keeping information time depends on the type of information, as described in further detail below. After such time, we will either delete or anonymize your information or, if this is not possible (for example, because the information has been stored in backup archives), then we will securely store your information and isolate it from any further use until deletion is possible.
4.2.1 Account information
We retain your account information for as long as your account is active and a reasonable period thereafter in case you decide to reactivate your account.
4.2.2 Information you share on the website for ticketing purposes
We retain your information you share for ticketing purposes for as long as we are legally obliged to.
4.2.3 Marketing information
If you have elected to receive marketing e-mails from us, we retain information about your marketing preferences for a reasonable period of time from the date you last expressed interest in our website. We retain information derived from cookies and other tracking technologies for a reasonable period of time from the date such information was created.
5. How to access and control your information
You have certain choices available to you when it comes to your information. Below is a summary of those choices, how to exercise them and any limitations.
5.1 Your choices
You have the right to request a copy of your information, to object to our use of your information (including for marketing purposes), to request the deletion or restriction of your information, or to request your information in a structured, electronic format. Below, we describe the tools and processes for making these requests. You can exercise some of the choices by the links available at footer of the website. For all other requests, you may contact us as provided in the Contact Us section below to request assistance.
5.2 Delete your information
We may need to retain certain information for record keeping purposes, to complete transactions or to comply with our legal obligations.
5.3 Opt out of communications
You may opt out of receiving promotional communications from us by using the unsubscribe link within each email, updating your email preferences within your Service account settings menu, or by contacting us as provided below to have your contact information removed from our promotional email list or registration database. Even after you opt out from receiving promotional messages from us, you will continue to receive transactional messages from us regarding our website.
5.4 Turn off cookie controls
5.5 Send “Do Not Track” Signals
Some browsers have incorporated "Do Not Track" (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked. Because there is not yet a common understanding of how to interpret the DNT signal, our website does not currently respond to browser DNT signals. You can use the range of other tools we provide to control data collection and use, including the ability to opt out of receiving marketing from us as described above.
5.6 Data Portability
Data portability is the ability to obtain some of your information in a format you can move from one service provider to another (for instance, when you transfer your mobile phone number to another carrier). Depending on the context, this applies to some of your information, but not to all of your information. Should you request it, we will provide you with an electronic file of your basic account information and the information.
This Data Processing Addendum (DPA) forms part of the Agreement between the Customer and Wingie, and applies to the extent that Wingie processes Personal Data on behalf of Customer in the course of providing services. This DPA does not apply where Wingie is the Controller.
The electronic agreement between customer and Wingie for the provision of the services to customer.
An entity that determines the purposes and means of the processing of Personal Data.
1.3. Data Protection Law
All data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.
1.4. EU Data Protection Law
Prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data on the free movement such data; and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”).
1.5. Personal Data
Any information related with an identified or identifiable person.
1.6. Personal Data Breach
Accidental or unlawful destruction, loss, alteration, unauthorized disclosure of data, or access to Personal Data.
An entity that processes Personal Data on behalf of Controller.
Any offered service provided by Wingie to Customer pursuant to the Agreement.
Any processor engaged by Wingie or any member of its group of companies that processes Personal Data pursuant to the Agreement. Sub-processors include third parties.
2.1. Role of the Parties
2.2. Wingie Processing of Personal Data
2.3. Processing of Personal Data Details
Unless customer requests deletion of Personal Data, the maximum duration of processing is 2 years. With customer permission, Wingie may process Personal Data longer.
3.1. Use of Sub-Processors
Wingie engages Sub-processors to provide certain services on its behalf. Sub-processors are given details on the Wingie. Wingie will be responsible for any acts, errors, or omissions of its Sub-processors that cause Wingie to breach any of Wingie’s obligations under this DPA.
4. SECURITY MEASURES
4.1. Security Measures
Wingie will implement and maintain appropriate technical and organizational security measures to protect against Personal Data Breaches and to preserve the security and confidentiality of Personal Data processed by Wingie on behalf of Customer in the provision of the Services. The Security Measures are subject to technical progress and development. Wingie has the right to update of modify the Security Measures which do not result in the degradation of the overall security of the Services purchased by the Customer.
Wingie restricts its personnel from processing Personal Data without authorization, unless required to so by applicable law, and will ensure that any person authorized by Wingie to process Personal Data is subject to an obligation of confidentiality.
5. PERSONAL DATA FLOW
Personal data flow is given below:
6. PERSONAL DATA BREACH RESPONSE
Upon becoming aware for a Personal Data Breach, Wingie will notify Customer without undue delay and will provide information relating to the Personal Data Breach as reasonably requested by Customer.
7. AUDIT REPORTS
Wingie audits its compliance against data protection, information security and PCI DSS standards on a regular basis. Such audits are conducted by Wingie’s internal authorized team or by third party auditors. Upon Customer’s written request, and subject to obligations of confidentiality, Wingie will make available to Customer a summary of its most recent relevant audit report, so that Customer can verify Wingie’s compliance with this DPA.
8. DATA TRANSFERS
Wingie may transfer and process Personal Data to provide its services.
9. DELETION OF DATA
Wingie will delete Personal Data by customer request unless it is dependent on any law. Deletion of Data may take 90 days. Personal Data may to be have restored by Sub-Processors of Wingie due to any law regulation.
9.1. Data Protection Requests
9.2. Customer Requests
Wingie will cooperate with Customer, if we receive any request from customers. Wingie will provide Customer’s Personal Data to customer.
9.3. Legal Disclosure Requests
9.4. Data Responsible
Any related question may be asked directly to the Data Responsible. Related information is given below:
Name: Fatmanur Çetin
Phone: +49 301 208 5757
Address: Wingie GmbH, Friedrichstr. 171, 10117, Berlin, Deutschland
Any conflict between this DPA and any privacy-related provisions in the Agreement, the terms of this DPA will prevail.
10.2. Modification and Supplementation
Wingie may modify the terms of this DPA, in circumstances such as,
i. If required to do so by a supervisory authority or other government or regulatory entity,
ii. If necessary to comply with Data Protection Law
iii. To implement or adhere to standard contractual clauses, approved codes of conduct or certifications, binding corporate rules, or other compliance mechanisms
Wingie will provide notice of such changes to Customer, and the modified DPA will become effective.
|Thirt Party Service / Vendor||Purpose||Entity Country||Website|
|Euromessage||e-Mail Service Provider||Turkey||https://www.euromsg.com/|
|Google Analytics||Marketing Analytics & Measurement||USA||https://www.google.com/analytics/|
|Google Cloud Platform||Data Hosting||USA||https://cloud.google.com/|
|Google Optimize||Website, AB Testing & Personalization Solutions||USA||https://www.google.com/analytics/optimize/|
|Mailchimp||e-Mail Service Provider||USA||https://mailchimp.com/|
|Power BI||Business Intelligence||USA||https://powerbi.microsoft.com/|
|Turkcell||SMS Service Provider||Turkey||https://www.turkcell.com.tr/|