At Flyrix, operated by White Rabbit Trading and Consulting Limited ("Company," "we," "us," "our", "White Rabbit"), your privacy is important to us. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have over your information when you use the Flyrix platform ("Service"), available at flyrix.app.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
Who We Are
White Rabbit is a company incorporated and operating under the laws of Hong Kong, and is the data controller responsible for the personal data you provide when using Flyrix. The Service is operated globally and is accessible to users worldwide.
Because we serve an international user base, we are committed to upholding data protection standards applicable across multiple jurisdictions, including Hong Kong's Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO"), the EU/UK General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), and other regional privacy laws where applicable. The most protective standard will apply to your data based on your location.
If you are a Flyrix customer using our platform to manage your own subscribers and contacts, you act as an independent data controller for your end-users' data. White Rabbit acts as a data processor on your behalf in that context, governed by our Data Processing Agreement (DPA), available upon request.
Data We Collect
We collect only the data that is necessary to provide and improve the Service. This includes:
Account & Identity Data
- Full name and email address
- Password (stored as a one-way encrypted hash)
- Company name (optional)
- Profile photo (optional)
Billing & Payment Data
- Billing address and VAT number (where applicable)
- Payment method details โ processed exclusively by our payment provider; we do not store full card numbers on our servers
- Transaction history and invoices
Usage & Technical Data
- IP address and approximate geographic location (country/city level)
- Browser type, operating system, device type
- Pages visited, features used, session duration
- Error logs and crash reports
Customer & Campaign Data
When you use Flyrix to build funnels, manage campaigns, or send emails, you may upload or import contact lists and related data (e.g., subscriber names and email addresses). This data belongs to you. We process it only on your instruction as described in Section 1.
Communications Data
- Messages you send to our support team
- Survey responses and feedback submissions
How We Collect Data
| Source | Examples |
|---|---|
| Directly from you | Registration forms, billing info, support requests, survey responses |
| Automatically | Cookies, server logs, analytics tools when you use the Service |
| Third parties | Payment processors (e.g., Stripe), OAuth providers (e.g., Google Sign-In) |
Why We Use Your Data
We use your personal data for the following purposes:
- Service delivery: To create and manage your account, process payments, and operate the core features of Flyrix.
- Communication: To send you transactional emails (e.g., invoices, password resets), product updates, and security alerts.
- Customer support: To respond to your inquiries and resolve issues.
- Analytics & improvement: To understand how the Service is used, diagnose bugs, and develop new features.
- Marketing: To send you information about Flyrix features and promotions โ only where you have consented or where permitted by applicable law. You may opt out at any time.
- Security & fraud prevention: To detect and prevent unauthorized access, abuse, and fraudulent activity.
- Legal compliance: To fulfill our legal obligations, such as tax record-keeping and responding to lawful requests.
We do not sell your personal data to third parties.
Legal Basis for Processing
We process your personal data in accordance with the laws applicable to your location. As a Hong Kong-incorporated company operating internationally, the following frameworks apply:
Hong Kong (PDPO) โ All Users
Under Hong Kong's Personal Data (Privacy) Ordinance, we collect personal data only for lawful purposes directly related to our functions and activities, using only as much data as is necessary. All data collection is conducted with your knowledge, and data is not kept longer than necessary.
EEA & UK Users (GDPR / UK GDPR)
If you are located in the European Economic Area or the United Kingdom, we rely on the following legal bases:
| Processing Purpose | Legal Basis |
|---|---|
| Providing the Service and managing your account | Performance of a contract (Art. 6(1)(b) GDPR) |
| Sending marketing communications | Consent (Art. 6(1)(a) GDPR) |
| Analytics, fraud prevention, security | Legitimate interests (Art. 6(1)(f) GDPR) |
| Tax records and legal compliance | Legal obligation (Art. 6(1)(c) GDPR) |
California Users (CCPA / CPRA)
If you are a California resident, we process your personal information in accordance with the California Consumer Privacy Act. We do not sell your personal information. You have the right to know, delete, and opt out of the sharing of your data. See Section 11 for how to exercise these rights.
Other Jurisdictions
For users in other regions (including but not limited to Australia, Canada, Singapore, Brazil, and the UAE), we apply data handling practices consistent with your applicable local privacy laws. Where local law imposes stricter standards, those standards will govern.
International Data Transfers
White Rabbit is incorporated in Hong Kong, and your personal data may be stored and processed in Hong Kong or in other countries where our service providers operate. By using the Service, you acknowledge that your data may be transferred to and processed in countries outside your country of residence, which may have different data protection laws.
Safeguards for EEA / UK Users
When transferring personal data from the EEA or UK to countries not recognized as providing an adequate level of protection (including Hong Kong at present), we rely on appropriate transfer mechanisms such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- The UK International Data Transfer Agreement (IDTA) where applicable;
- Other legally recognized safeguards under GDPR Chapter V.
Hong Kong Data Export
Under the PDPO, we take all practicable steps to ensure that personal data transferred outside Hong Kong is protected to a standard at least comparable to that provided under Hong Kong law, in accordance with Data Protection Principle 3.
You may request details of the safeguards applicable to any specific international transfer by contacting us at the address in Section 15.
Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by law.
- Active accounts: Data is retained for the duration of your account.
- Deleted accounts: We delete or anonymize personal data within 90 days of account deletion, except for data we are legally required to retain (e.g., financial records and invoices, which are kept for 7 years in accordance with applicable commercial and tax regulations).
- Support communications: Retained for up to 3 years to resolve future disputes.
- Analytics data: Aggregated and anonymized after 24 months.
When personal data is no longer needed, we securely delete or anonymize it.
Security
We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, loss, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS/HTTPS) and at rest;
- Secure password hashing using industry-standard algorithms;
- Access controls and role-based permissions within our team;
- Regular security reviews and vulnerability assessments;
- Incident response procedures and breach notification protocols.
No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.
Your Rights
Depending on your location, you have specific rights regarding your personal data. We honor these rights for all users globally, in accordance with GDPR (EEA/UK), CCPA (California), PDPO (Hong Kong), and comparable international frameworks.
Right of Access
Request a copy of the personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete data.
Right to Erasure
Request deletion of your personal data ("right to be forgotten").
Right to Restriction
Request that we limit how we process your data in certain circumstances.
Right to Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests or for direct marketing.
Automated Decisions
Not to be subject to solely automated decisions with significant effects.
Withdraw Consent
Withdraw consent at any time where processing is based on consent.
California Residents (CCPA / CPRA)
You additionally have the right to know what categories of personal information we collect and how they are used, to opt out of any sale or sharing of your personal information (we do not sell personal information), and to non-discrimination for exercising your privacy rights.
How to Exercise Your Rights
To submit a request, email us at [email protected] with "Data Subject Request" in the subject line. We will respond within 30 days (or sooner where required by local law). We may need to verify your identity before processing your request.
Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data without parental consent, please contact us immediately at [email protected] and we will take steps to delete such information.
Third-Party Links & Integrations
The Service may contain links to third-party websites or integrate with external services. This Privacy Policy applies only to Flyrix. We are not responsible for the privacy practices of third-party sites or services. We encourage you to review the privacy policies of any third parties you interact with through or alongside the Service.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email or by posting a prominent notice on our website, and update the "Effective Date" at the top of this page.
Your continued use of the Service after the updated Privacy Policy takes effect constitutes your acceptance of the changes. If you do not agree, you must stop using the Service.
Contact & Data Protection
For any questions, requests, or concerns regarding this Privacy Policy or how we handle your personal data, you may contact us at:
White Rabbit โ Privacy Team
Hong Kong ยท We aim to respond to all privacy-related inquiries within 5 business days.
If you wish to exercise a specific data subject right (access, erasure, portability, etc.), please include "Data Subject Request" in the subject line of your email and describe your request clearly so we can handle it promptly.