Privacy Policy

Version: 3.0

Last updated: September 15, 2025

Preamble: Our Privacy Charter

UJET TECHNOLOGIES, INC. ("UJET TECHNOLOGIES, INC.", "we", "our", or "us") provides a premier technology platform for booking private air travel. Our clientele entrusts us with highly sensitive information, and we consider the protection of this data to be a foundational pillar of our business and a critical component of the luxury service we provide.

This Privacy Policy is more than a legal requirement; it is our charter of privacy rights for our users ("you"). It provides a comprehensive, transparent, and legally robust explanation of how we collect, use, secure, and share your Personal Data. It is engineered to meet and exceed the standards of the world's most stringent data protection laws, including the European Union's General Data Protection Regulation (GDPR), the UK's implementation of the GDPR, and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA).

We are committed to the principles of Data Protection by Design and by Default (GDPR Art. 25), meaning that we integrate data protection into our processing activities and business practices from the very beginning.

Scope and Applicability

This policy applies to all Personal Data processed by UJET TECHNOLOGIES, INC. through our website, web and mobile applications, voice services, and all other channels (collectively, the "Services").

Our Role in Your Privacy: For the data you provide to our platform, UJET TECHNOLOGIES, INC. acts as the Data Controller. When we transmit your data to an aircraft operator ("Operator") to fulfill your travel, that Operator also becomes an independent Data Controller. All third-party vendors we engage are contractually bound as Data Processors, acting only on our documented instructions.

Table of Contents

  • Glossary of Key Terms
  • The Personal Data We Collect: A Detailed Overview
  • Legal Bases for Processing Your Personal Data
  • How and Why We Disclose Your Personal Data
  • International Data Transfers and Safeguards
  • AI, Automated Decision-Making, and Profiling
  • Cookies, Pixels, and Digital Tracking Technologies
  • Our Commitment to Data Security (TOMs)
  • Data Retention and Anonymization Policies
  • Our Governance and Accountability Framework
  • Your Inalienable Data Protection Rights
  • Jurisdiction-Specific Privacy Addendum
  • Children's Privacy
  • Policy Updates and Version Control
  • How to Contact Us

1. Glossary of Key Terms

Anonymization: The irreversible alteration of Personal Data in such a way that the data subject is not or is no longer identifiable.

Data Controller: The entity that, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

Data Processor: A natural or legal person which processes Personal Data on behalf of the Controller.

Personal Data: As defined in Article 4(1) of the GDPR, any information relating to an identified or identifiable natural person.

Pseudonymization: The processing of Personal Data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, which is kept separately.

Sensitive Personal Information (SPI) / Special Category Data: Data revealing racial or ethnic origin, political opinions, religious beliefs, health data, genetic or biometric data, and data concerning a person's sex life or sexual orientation. Under CCPA, it also includes government IDs, precise geolocation, and the contents of certain private communications.

2. The Personal Data We Collect: A Detailed Overview

We collect Personal Data that is strictly necessary to provide our luxury travel services and to comply with our legal obligations.

Data Category: Identifiers - Specific Examples: Full name, email, phone, postal address, online ID, IP address - Source: You; Your Devices - Purpose: Account creation, communication, service delivery, security - Legal Basis: Art. 6(1)(b) - Contract

Data Category: Government IDs (SPI) - Specific Examples: Passport number/expiry/issuance, Driver's License, KTN - Source: You - Purpose: Aviation security compliance (TSA Secure Flight), customs & immigration - Legal Basis: Art. 6(1)(c) - Legal Obligation; Art. 9(2)(g) - Substantial Public Interest

Data Category: Financial Information - Specific Examples: Billing address, last 4 digits of card, transaction ID - Source: You; Stripe - Purpose: Payment processing, fraud prevention, accounting - Legal Basis: Art. 6(1)(b) - Contract; Art. 6(1)(c) - Legal Obligation

Data Category: Commercial Information - Specific Examples: Flight history, quotes, aircraft preferences, invoices - Source: You; Our Platform - Purpose: Service personalization, business analytics, account management - Legal Basis: Art. 6(1)(b) - Contract; Art. 6(1)(f) - Legitimate Interest

Data Category: Health & Dietary Data (SPI) - Specific Examples: Allergies, medical needs, accessibility requirements, meal preferences - Source: You - Purpose: Passenger safety, in-flight service customization - Legal Basis: Art. 9(2)(a) - Explicit Consent

Data Category: Geolocation Data (SPI) - Specific Examples: Precise GPS coordinates from your mobile device - Source: Your Devices - Purpose: Providing location-based services (e.g., FBO directions) - Legal Basis: Art. 6(1)(a) - Consent

Data Category: Network Activity Data - Specific Examples: Browser type, OS, clickstream data, heatmaps, session replays - Source: Your Devices; Cookies - Purpose: Website optimization, security monitoring, user experience analysis - Legal Basis: Art. 6(1)(f) - Legitimate Interest; Art. 6(1)(a) - Consent (for non-essential cookies)

Data Category: Audio Data - Specific Examples: Voice recordings and transcripts from calls - Source: You (via our voice bot) - Purpose: Fulfilling verbal requests, quality assurance, training - Legal Basis: Art. 6(1)(b) - Contract (fulfilling request); Art. 6(1)(a) - Consent (for recording)

Data Category: Inferences - Specific Examples: Profile of your travel preferences based on past behavior - Source: Our Platform - Purpose: Proactive service suggestions, personalization - Legal Basis: Art. 6(1)(f) - Legitimate Interest

3. Legal Bases for Processing Your Personal Data

Our authority to process your Personal Data is grounded in the following legal bases under GDPR:

Art. 6(1)(b) - Performance of a Contract: The majority of our processing is necessary to perform our contract with you—from providing a quote to arranging your flight.

Art. 6(1)(c) - Legal Obligation: We are subject to numerous laws, particularly in aviation, that legally compel us to process and share your data (e.g., sharing passenger manifests with the TSA).

Art. 6(1)(a) - Consent: For activities that are not contractually or legally required, we rely on your freely given, specific, informed, and unambiguous consent. This applies to marketing communications, non-essential cookies, and the collection of health or precise geolocation data. You may withdraw consent at any time without penalty.

Art. 6(1)(f) - Legitimate Interests: We process some data for our legitimate business interests. For each of these, we have performed a Balancing Test to ensure that our interests do not override your fundamental rights and freedoms. Our legitimate interests include:

  • Fraud Detection and Security: Protecting our platform and our clients.
  • Service Improvement: Analyzing usage data to enhance our offerings.
  • Internal Administrative Purposes: Managing our business operations efficiently.

4. How and Why We Disclose Your Personal Data

We share your data with a limited set of third parties, under strict contractual controls.

Aircraft Operators: Sharing is essential for flight operations. They receive passenger manifests and service requests. They are independent controllers and are responsible for their own data protection compliance.

Data Processors: We maintain Data Processing Agreements (DPAs) pursuant to GDPR Article 28 with all vendors who process data on our behalf. We conduct due diligence to ensure they meet our high security and privacy standards. This includes:

  • Payment Gateways: Stripe, Inc.
  • Communication Platforms: Twilio, Inc. (SMS/Voice); Vapi, Inc. (AI Voice).
  • Cloud & Infrastructure Providers.
  • Analytics Partners: Google LLC; Microsoft Corporation.

Governmental and Regulatory Authorities: We are compelled by law to disclose data to bodies like the TSA, CBP, DOT, and international equivalents.

Legal and Professional Advisors: In the event of a dispute or for audit purposes, we may share data with our lawyers, accountants, and insurers under a duty of confidentiality.

5. International Data Transfers and Safeguards

Your Personal Data is transferred to, and processed in, the United States. Recognizing the legal complexities of EU-US data transfers following the Schrems II judgment, we have implemented the following safeguards for data originating from the EEA, UK, and Switzerland:

Standard Contractual Clauses (SCCs): We have incorporated the latest European Commission-approved SCCs into our DPAs with relevant vendors and for internal data flows. For UK data, we use the UK's International Data Transfer Agreement (IDTA) or the UK Addendum.

Transfer Impact Assessments (TIAs): For each transfer, we conduct a TIA to assess the level of data protection in the destination country, considering its laws and our processor's practices.

Supplementary Measures: Based on our TIAs, we implement additional technical measures (e.g., enhanced encryption, data segregation), organizational measures (e.g., strict access policies), and contractual promises (e.g., transparency commitments regarding government access requests) to ensure the data is afforded a level of protection essentially equivalent to that in the EU.

6. AI, Automated Decision-Making, and Profiling

Our voice bot uses AI to process your verbal flight requests. Pursuant to GDPR Article 22, we inform you of the following:

The system engages in limited profiling to understand your request based on your words and past travel history.

The system does not make any final, legally significant decisions about you solely based on automated processing. All final booking confirmations, pricing, and contractual agreements are subject to human review and confirmation.

You have the right to request human intervention, express your point of view, and contest any preliminary output from our automated systems.

7. Cookies, Pixels, and Digital Tracking Technologies

We deploy a granular cookie consent management platform.

Strictly Necessary Cookies: Always active, as they are essential for site functionality.

Performance, Functional, and Targeting Cookies: Deployed only after you provide explicit, opt-in consent.

Session Replay Technologies (Microsoft Clarity): This technology helps us improve user experience by replaying user sessions. We ensure that sensitive data fields are masked and not captured during these replays. The use of this technology is subject to your consent for performance cookies.

8. Our Commitment to Data Security (TOMs)

We have implemented a comprehensive information security program with extensive Technical and Organizational Measures (TOMs) aligned with ISO 27001 principles.

Technical Measures:

  • Encryption: End-to-end encryption for data in transit (TLS 1.2+); AES-256 encryption for data at rest.
  • Pseudonymization & Anonymization: Employed where feasible to reduce risks.
  • Access Control: Role-Based Access Control (RBAC), multi-factor authentication (MFA), and principles of least privilege.
  • Network Security: Firewalls, intrusion detection/prevention systems (IDS/IPS), and regular vulnerability scanning.

Organizational Measures: Policies, Training, Incident Response, Vendor Security Reviews

9. Data Retention and Anonymization Policies

We practice data minimization and have a defined data retention schedule. Data is retained only as long as necessary. Upon the expiry of the retention period, data is either securely and permanently deleted or fully anonymized for use in statistical analysis.

10. Our Governance and Accountability Framework

Accountability is central to our privacy program (GDPR Art. 5(2)).

  • Data Protection Officer (DPO): We have appointed a DPO to independently oversee our data protection strategy and compliance.
  • Record of Processing Activities (ROPA): We maintain a detailed ROPA as required by GDPR Article 30, documenting all of our data processing activities.
  • Data Protection Impact Assessments (DPIAs): We conduct DPIAs for any new, high-risk processing activities to assess and mitigate risks to your privacy.

11. Your Inalienable Data Protection Rights

We are dedicated to ensuring you can easily exercise your rights. The specific rights available to you are detailed in the Jurisdictional Addendum below. To exercise any right, please use our Data Subject Rights Portal [LINK] or contact our Privacy Office at privacy@ujetx.com. We will respond within the legally mandated timeframe after verifying your identity.

12. Jurisdiction-Specific Privacy Addendum

A. For Individuals in the European Economic Area (EEA), UK, and Switzerland:

  • Right of Access (Art. 15): The right to obtain a copy of your personal data.
  • Right to Rectification (Art. 16): The right to correct inaccurate data.
  • Right to Erasure ('Right to be Forgotten') (Art. 17): The right to have your data deleted, subject to legal limitations.
  • Right to Restrict Processing (Art. 18): The right to limit how we use your data.
  • Right to Data Portability (Art. 20): The right to receive your data in a machine-readable format.
  • Right to Object (Art. 21): The right to object to processing based on legitimate interests.
  • Right to Lodge a Complaint: You have the right to file a complaint with your local data protection authority.

B. For Residents of California, USA:

  • Right to Know/Access: The right to know what personal information is collected, used, shared, or sold.
  • Right to Delete: The right to request the deletion of your personal information.
  • Right to Correct: The right to request the correction of inaccurate information.
  • Right to Opt-Out of Sale/Sharing: You have the right to direct us not to sell or share your personal information for cross-context behavioral advertising.
  • Right to Limit Use of Sensitive Personal Information (SPI): You have the right to limit our use of your SPI to that which is necessary to perform the Services.
  • Authorized Agents: You may designate an authorized agent to make requests on your behalf.

13. Children's Privacy

Our services are not directed to individuals under 18. We do not knowingly collect their data. We process data of minors only when provided by a parent/guardian for a flight booking, based on explicit consent and in compliance with COPPA.

14. Policy Updates and Version Control

This policy is a living document. We will review and update it at least annually or as required by changes in law or our business practices. Material changes will be communicated to you via email or a prominent notice on our website.

15. How to Contact Us

For any privacy-related inquiries, to exercise your rights, or to contact our DPO, please use the following channels:

UJET TECHNOLOGIES, INC., a Delaware corporation

Email: charter@ujetx.com

Mailing Address: 8 The Green STE A, Dover, DE, 19901, United States