Privacy Notice

Version: 4.0

Effective date: 2 September 2025

Last modified: 2 September 2025

Table of Contents

  • Operation of Flappingo
  • Applicable legislation
  • Summary
  • Identification of the Data Controller
  • What personal data do we collect and how?
  • Purposes and legal basis of data processing
  • Recipients of personal data
  • Duration of data storage
  • Your rights as a Data Subject
  • Cookies and similar technologies (Website)
  • Data security
  • International data transfer
  • Complaint handling
  • Direct marketing
  • Protection of minors' data
  • Third-party websites
  • Other provisions
  • Notice for California residents
  • Notice for EU residents
  • Notice for non-EU residents
1. Operation of Flappingo

Flappingo is a global social platform that enables travellers to provide accommodation, establish connections, organise events and meetings, as well as participate in home exchanges worldwide. The central focus of the platform is community building: Users may connect with one another, arrange meetings across the globe, and share accommodation or exchange homes in an ethical and secure manner. The purpose of the App and the Website (flappingo.com) is to facilitate these interactions while emphasising the responsibility of the Users – the Service Provider ensures only the technical operation of the platform and does not assume liability for meetings between Users, booked accommodations, or for any events, inconveniences, incidents, or disputes related to, or arising from, such interactions.

The Services are initially provided free of charge; however, the Service Provider reserves the right to introduce a membership fee model for certain functions (e.g. home exchange). Access to certain services requires mandatory document verification, which is carried out by a third party; the Service Provider retains only the outcome of such verification and does not store the underlying documents. The use of the platform is subject to ethical guidelines and behavioural rules, the breach of which may result in the suspension or deletion of the User's account. The Services are available worldwide and are not restricted to Users located in Hungary.

2. Applicable legislation

The processing of personal data is governed by the provisions of the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). These laws ensure transparent and secure data processing and set out your rights as a data subject. The Service Provider monitors legislative developments and reserves the right to adjust its data processing and terms of use in line with changes in legal requirements.

3. Summary
  • Who processes your personal data? Free Accomm Ltd, e-mail: info@flappingo.com.
  • What personal data do we process? Upon registration: name, age, e-mail address, optionally the result of document validation. During use: messages, events, location data (where permitted by you), feedback, social media data, cookies on the Website.
  • For what purpose do we process your personal data? For the operation of the App, community building, moderation, and enhancing security. The legal basis for processing: performance of a contract, legitimate interest, or consent.
  • To whom do we disclose your personal data? Hosting providers (Supabase, Vercel, Cloudflare R2), validation company (Ondato), payment service provider (Stripe), chat operator (Twilio), newsletter provider (Mailchimp), social media platforms. Your personal data are not disclosed for marketing purposes.
  • How long do we retain your personal data? For as long as necessary for the purposes for which they were collected (e.g. while the account is active), after which your data will be deleted or anonymised.
  • Your rights: right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object.
  • Security: Encryption, access restrictions.
  • Age limit: Our Service may only be used by individuals over the age of 18.
  • Changes: Users will be notified of any amendments to this Privacy Notice through the App, on the Website or by e-mail.
4. Identification of the Data Controller

Data Controller: Free Accomm Ltd
Registered Office: F04 1st Floor Knightrider House, Knightrider Street, Maidstone, United Kingdom, ME15 6LU
E-mail: info@flappingo.com
Website: flappingo.com

We are responsible for the processing of your personal data in accordance with the provisions of the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). We have not appointed a Data Protection Officer, as we are not required to do so under Article 37 of the UK GDPR and Section 69 of the DPA 2018. For any questions, please contact us by e-mail.

5. What personal data do we collect and how?

In the course of your use of Flappingo, we may collect the following categories of personal data:

  • Registration and profile:
    • Name, e-mail address, age.
    • Encrypted password for secure login.
    • Optionally: profile pictures, bio description, gender, travel preferences (e.g. type of accommodation, dates), interests (e.g. cultural events), references from other Users, travel history, language skills, contact preferences (e.g. messaging habits).
    • Source: provided directly by you during registration or profile editing.
  • Document validation (optional, mandatory for home exchange):
    • Result of verification carried out by a third party (Ondato) (e.g. "verified" status, address, facial recognition). We do not store document data, only the outcome of the verification.
    • Paid service, the cost of which may be passed on to you.
    • Source: Ondato.
  • Communication and usage:
    • Messages, chat content (operated by Twilio).
    • Data relating to events and meetings (e.g. time, location, participants).
    • Location data (if GPS is enabled by you, e.g. for events or searching for accommodation).
    • Feedback and ratings from other Users (e.g. quality of hosting, reliability).
    • Hosting or travel requests, booking history, acceptance/rejection statistics.
    • Source: during use of the App.
  • Social media integration:
    • Publicly available data (e.g. name, profile picture, contact list, shared content), where you connect your account with social media platforms (Facebook, Twitter/X, LinkedIn, Instagram).
    • Source: APIs of social media platforms.
  • Technical data:
    • IP address, device identifier, browser type, operating system, language settings, time zone.
    • Usage statistics (e.g. profiles viewed, clicks, duration of visits).
    • Push notification data (Firebase, e.g. notification preferences).
    • Source: automatic collection.
  • Newsletter:
    • E-mail address, optionally interests (e.g. events, travel offers).
    • Source: provided directly by you when subscribing.
  • Cookies and similar technologies on the Website:
    • See Section 10.

We do not collect special categories of personal data (e.g. health, religious or political views), unless such processing is necessary and you have given your explicit consent to it (UK GDPR Article 9, DPA 2018 Section 10). You remain solely responsible for the accuracy of the personal data you provide.

6. Purposes and legal basis of data processing

We process personal data only to the extent necessary and for the following purposes:

  • Registration and account management: creating and maintaining a profile, ensuring login, identifying the User, managing account settings (e.g. notification preferences).

Legal basis: performance of a contract (UK GDPR Article 6(1)(b)).

  • Enabling community interactions: communication (messages, chat), hosting, home exchange, organising events and meetings, publishing feedback, building community connections (e.g. viewing other Users' profiles).

Legal basis: performance of a contract (UK GDPR Article 6(1)(b)).

  • Enhancing security and trust: document validation for reliable interactions, managing user feedback, community moderation (e.g. filtering inappropriate content), enforcing ethical guidelines (e.g. account deactivation or deletion).

Legal basis: legitimate interest (UK GDPR Article 6(1)(f)) and consent (UK GDPR Article 6(1)(a), in the case of validation).

  • Community building and improving user experience: providing personalised recommendations (e.g. events, accommodation), collecting statistics on platform use, developing new features, optimising user experience.

Legal basis: legitimate interest (UK GDPR Article 6(1)(f)).

  • Membership fee payments (future): processing payments, managing subscriptions, handling billing data.

Legal basis: performance of a contract (UK GDPR Article 6(1)(b)).

  • Direct marketing and newsletters: sending notifications about events, platform updates, offers, targeted communication based on interests.

Legal basis: consent (UK GDPR Article 6(1)(a)).

  • Technical operation and statistics: ensuring platform stability, bug fixing, analysing usage statistics (e.g. traffic trends), identifying technical issues.

Legal basis: legitimate interest (UK GDPR Article 6(1)(f)).

  • Compliance with legal obligations: complaint handling, responding to requests from authorities, pursuing or defending legal claims (e.g. dispute resolution).

Legal basis: legal obligation (UK GDPR Article 6(1)(c)).

You may withdraw your consent at any time (e.g. by unsubscribing from the newsletter) without affecting the lawfulness of processing carried out prior to withdrawal (UK GDPR Article 7(3)).

7. Recipients of personal data

We share personal data with the following categories of data processors:

  • Data processors:
    • Hosting and database: Supabase, Supabase Inc., registered office: 970 Toa Payoh North #07-04, Singapore, website: supabase.com.
    • Hosting: Vercel, Vercel Inc., registered office: 440 North Barranca Avenue, Covina, CA 91723, United States, website: vercel.com.
    • Media storage: Cloudflare R2, Cloudflare Inc., registered office: 101 Townsend St, San Francisco, CA 94107, USA, website: cloudflare.com.
    • Push notifications: Firebase Cloud Messaging, Google LLC, registered office: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, website: firebase.google.com.
    • App distribution: Google Play Store, Google LLC, registered office: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, website: play.google.com; Apple App Store, Apple Inc., registered office: One Apple Park Way, Cupertino, CA 95014, USA, website: apple.com.
    • Document validation: Ondato, Ondato Ltd, registered office: 11 Cundy Road Custom House, London, United Kingdom, E16 3DJ, website: ondato.com.
    • Payments: Stripe, Stripe Inc., registered office: 510 Townsend Street, San Francisco, CA 94103, USA, website: stripe.com.
    • Chat: Twilio, Twilio Inc., registered office: 101 Spear Street, San Francisco, CA 94105, USA, website: twilio.com.
    • Newsletter: Mailchimp, Intuit Inc., registered office: 675 Ponce de Leon Ave NE, Atlanta, GA 30308, USA, website: mailchimp.com.

Our partners act strictly as data processors, and contractual agreements are in place with them in accordance with Article 28 of the United Kingdom General Data Protection Regulation (UK GDPR) and Section 59 of the Data Protection Act 2018 (DPA 2018). For transfers of personal data outside the United Kingdom, appropriate safeguards are applied, such as the International Data Transfer Agreement (IDTA) or on the basis of Adequacy Decisions (UK GDPR Chapter V, DPA 2018 Sections 109–119).

  • Other recipients:
    • Authorities (where required in order to comply with a legal obligation, DPA 2018 Part 3).
    • Social media platforms (Facebook, Twitter/X, LinkedIn, Instagram), if you share content or link your account.
    • Other Flappingo Users, where you share public data (e.g. profile, feedback).

Your personal data will not be disclosed for marketing purposes without your prior consent.

8. Duration of data storage

We retain personal data only for as long as necessary for the purposes for which they are processed (UK GDPR Article 5(1)(e)):

  • Account data: for as long as the account remains active, or as required for the establishment, exercise or defence of legal claims (e.g. dispute resolution). Following deletion, your data may be retained for up to 30 days in backups.
  • Validation result: for as long as the account remains active.
  • Messages and feedback: for as long as necessary for communication or community moderation, after which such data will be deleted.
  • Technical data: for a limited period (e.g. 1 year).
  • Newsletter data: until you unsubscribe.
  • Social media connection data: for as long as the connection remains active.
  • Payment data: for the duration of the transaction (processed by Stripe).

Anonymised data may be used without limitation for statistical purposes.

9. Your rights as a Data Subject
  • Access: You are entitled, upon submitting a request by e-mail (info@flappingo.com), to obtain access to the personal data we process about you. We will inform you whether data processing is taking place, the purposes of the processing, the categories of data concerned, the recipients, the duration of storage, your rights, the available remedies, and the sources of the data (e.g. social media). You may also request a copy of the data in a structured, machine-readable format (e.g. PDF, JSON). The first copy will be provided free of charge; for repeated requests we may charge a reasonable fee (UK GDPR Article 15, DPA 2018 Section 167).
  • Rectification: You are entitled to request the rectification of inaccurate personal data and the completion of incomplete data. For example, you may update your name, e-mail address, or profile data (e.g. bio, preferences). Where necessary, we may require supporting documentation (e.g. copy of an identity document). Until rectification is possible, we will restrict processing and only store the data (UK GDPR Article 16).
  • Erasure ("right to be forgotten"): You are entitled to request the erasure of your personal data if it is no longer necessary (e.g. account deletion), if you withdraw consent (e.g. newsletter), object to the processing, where the processing is unlawful, or where we are required by law to erase the data. We will erase the data unless retention is required by law (e.g. for legal claims, DPA 2018 Section 8). For example, we may erase your profile and messages, but retain data necessary for moderation (e.g. complaints) (UK GDPR Article 17).
  • Restriction: You are entitled to request the restriction of processing if you contest the accuracy of the data (for the period of verification), if the processing is unlawful but you do not request erasure, if we no longer need the data but you require its retention for legal claims (e.g. dispute), or if you object to processing pending our decision. In the case of restriction, we will only store the data, unless you consent to further processing or legal grounds require it (e.g. regulatory proceedings) (UK GDPR Article 18, DPA 2018 Section 8).
  • Data portability: You are entitled to request that the personal data you have provided to us (such as name, e-mail address, profile data, preferences) be received in a machine-readable format (such as JSON or CSV), or to request the transfer of such data to another data controller, where processing is based on consent or a contract and carried out by automated means. This request does not result in the erasure of data, and you may continue to use the platform (UK GDPR Article 20).
  • Objection: You are entitled to object to processing based on legitimate interest (e.g. statistics, moderation, recommendations). We will examine whether there are compelling legitimate grounds (e.g. community safety); if not, we will cease the processing. You may object to processing for marketing purposes at any time, in which case it will be stopped immediately (UK GDPR Article 21).
  • Withdrawal of consent: You may withdraw your consent at any time (e.g. newsletter, validation, social media integration), either by e-mail or within the App settings. The withdrawal does not affect the lawfulness of processing carried out prior to withdrawal (UK GDPR Article 7).

Procedure for handling data subject requests: Requests may be submitted by e-mail (info@flappingo.com) or by post. The applicant will be identified (e.g. with account data, and where necessary, an identity document). We will respond to requests within one month; in complex cases this may be extended by up to two additional months, in which case you will be notified in advance (DPA 2018 Section 167). For unfounded, excessive or repetitive requests we may charge a reasonable fee or refuse the request (UK GDPR Article 12(5)). All decisions will be provided in writing, including information about available remedies. Requests will be recorded for internal audit purposes. In the event of disputes, we will consult with the ICO.

We do not apply automated decision-making or profiling (UK GDPR Article 22).

10. Cookies and similar technologies (Website)

On the Website we use cookies and similar technologies (e.g. pixel tags, web beacons, local storage) for operation of the Website, to improve the user experience, and for statistical and marketing purposes. Cookies are small data packages stored by your browser, which may be returned to our Website during subsequent visits. Cookies help the Website function, improve navigation, save preferences, and analyse usage patterns.

Types of cookies used on the Website:

  • Necessary cookies: Essential for the basic operation of the Website, e.g. login and session management. Without these cookies, the Website cannot function properly.
  • Functional cookies: Used to improve the user experience, e.g. saving language settings and preferences.
  • Analytical cookies: Used to collect anonymous statistics on the use of the Website, e.g. number of visits and pages viewed.
  • Marketing cookies: Used to display targeted advertisements, e.g. through social media integration or newsletter campaigns.

List of cookies used on the Website

| Source of cookie | Name of cookie | Function of cookie | Expiry of cookie |
|---|---|---|---|
| Flappingo | session_id | Storing login status | End of session |
| Flappingo | lang_pref | Saving language preferences | 1 year |
| Google Analytics | _ga | Collecting visitor statistics | 2 years |
| Mailchimp | _mcid | Collecting visitor statistics | 1 year |

Legal basis of processing

  • Necessary cookies: legitimate interest (UK GDPR Article 6(1)(f)), as they are essential for the operation of the Website.
  • Functional, analytical and marketing cookies: consent (UK GDPR Article 6(1)(a)), which is requested upon the first visit to the Website through a cookie notification banner.

Duration of processing

The expiry times of cookies are indicated in the table above. You may delete cookies at any time in your browser settings, but this may affect the functioning of the Website.

Method of processing

Cookies are stored electronically through the browser. You may change cookie preferences at any time via the cookie settings panel on the Website, where you can enable or disable non-essential cookies. Necessary cookies cannot be disabled, as the Website cannot function without them.

Third-party cookies

We may also use cookies from third parties (e.g. Google Analytics, Mailchimp) for analytical and marketing purposes. The processing of these is governed by the privacy notices of the respective third parties (see Section 16).

11. Data security

We apply appropriate technical and organisational measures to protect your personal data (UK GDPR Article 32, DPA 2018 Section 66), for example:

  • Encryption: during data transmission (HTTPS, TLS) and storage (encrypted databases).
  • Access restriction: access is granted only to authorised staff members, based on role-based permissions.
  • Regular checks: security audits, penetration tests, software updates.
  • Incident management: prompt response to data protection incidents (see below).

How do we protect your data? Flappingo treats the protection of your personal data as a priority and applies appropriate technical and organisational measures against loss, unauthorised access, theft, alteration or destruction of data. However, internet and e-mail data transmission can never be entirely risk-free; therefore, please exercise caution when sharing personal information. We do not accept liability for the circumvention of security settings of the Services or third-party websites, nor for content or communication recording carried out by Users using third-party tools without prior consent. Our Services are not intended for children (under 18 years of age).

The App is of a community nature, and communication between Users (e.g. messages, feedback) may involve risks. Do not share sensitive data, as we do not assume liability for interactions taking place within the platform.

12. International data transfer

Personal data may be transferred to the United States (e.g. Supabase, Vercel, Cloudflare R2, Stripe, Mailchimp, Firebase), as well as to other countries, for example to Ondato's global servers. During such transfers, the International Data Transfer Agreement (IDTA) or other safeguards compatible with the United Kingdom General Data Protection Regulation (UK GDPR) are applied (UK GDPR Chapter V, DPA 2018 Sections 109–119). Ondato is headquartered in the United Kingdom but uses global servers, which are likewise protected by the IDTA.

13. Complaint handling

As an intermediary platform, we do not assume liability for interactions between Users (e.g. accommodation-related issues). However, we do accept complaints in cases of breaches of the Community Guidelines (e.g. inappropriate behaviour, fraud). Complaints may be submitted by e-mail to the managing director at: info@flappingo.com. All complaints will be investigated within 30 days, and, where necessary, moderation measures will be taken (e.g. warning, account deactivation, deletion). If you are not satisfied with our response, you may contact the ICO (see point 17).

14. Direct marketing

You may subscribe to our newsletter (provided through Mailchimp), in which we provide information about events, platform updates and offers. You may unsubscribe at any time via the link located in the footer of the newsletter or by contacting us at info@flappingo.com (UK GDPR Article 21(2)–(3)). We do not send unsolicited marketing messages.

15. Protection of minors' data

The App is available only to individuals over the age of 18. We do not knowingly collect data relating to minors (DPA 2018 Section 205). If we become aware that a minor has registered, their account will be deleted without undue delay.

16. Third-party websites

The App and the Website may contain links to third-party websites (e.g. social media, Stripe, Ondato, Google Analytics, Mailchimp). We have no control over their data processing practices, and we kindly ask you to read their respective privacy notices.

17. Other provisions

Record-keeping obligation: We maintain records of our data processing activities, including purposes, data, recipients and retention periods (UK GDPR Article 30).

Data protection incident: In the event of a personal data breach (e.g. unauthorised access, data loss), we act in accordance with UK GDPR Articles 33–34 (taking into account DPA 2018 Sections 67–68). We notify the Information Commissioner's Office (ICO) within 72 hours where a breach is likely to result in a risk to the rights and freedoms of individuals. Data subjects will be informed without undue delay if the risk is considered high. We keep a record of each incident, its effects and the measures taken.

Amendments: We reserve the right to amend this Notice unilaterally. Users will be informed of such amendments via the App, on the Website or by e-mail. In the case of significant changes (e.g. new purposes of processing), we will notify you in advance and, where necessary, seek your consent.

Remedies: If you are dissatisfied with our data processing, you may lodge a complaint with the Information Commissioner's Office: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK, website: www.ico.org.uk, telephone: +44 303 123 1113 (DPA 2018 Part 6). You may also seek judicial remedy before the courts of the United Kingdom (DPA 2018 Sections 167–169).

18. Notice for California residents

This supplementary privacy notice for California residents provides information under the California Consumer Privacy Act of 2018 (CCPA) about how we have collected, used and shared your personal data through the Services over the past 12 months. For further details, please see the sections "What personal data do we collect and how?" and "Purposes and legal basis of data processing" regarding the sources and categories of personal data collected, as well as the section "Recipients of personal data" regarding disclosures.

Rights of California residents:

  • Information: You may access details regarding the use and sharing of your personal data.
  • Access: You may request a copy of your personal data.
  • Deletion: You may request the deletion of your personal data.
  • Opt-out of sale: Flappingo does not sell personal data, and provides guidance on limiting online tracking in the cookies section.

Limitations:

The CCPA may restrict the exercise of certain rights; for example, in responding to a request, we will not disclose sensitive personal data, the personal data of other consumers, or trade secrets. We will only comply with deletion requests in certain circumstances.

Obligations:

You may exercise the prescribed rights without discrimination. Requests for access or deletion may be submitted by e-mail to info@flappingo.com or by post. A request may also be submitted by an authorised agent, but we must verify the agent's identity and authority in accordance with the provisions of the CCPA.

19. Notice for EU residents

This supplementary privacy notice for data subjects in the European Union (EU) provides information under the General Data Protection Regulation (GDPR) about how we process your personal data where Flappingo acts as the data controller. For further details, please see the sections "What personal data do we collect and how?" and "Purposes and legal basis of data processing." As Flappingo is established in the United Kingdom, the United Kingdom General Data Protection Regulation (UK GDPR) applies, which offers protections similar to the GDPR, but we ensure that EU residents are afforded their full rights under the GDPR.

Flappingo has appointed DataRep as its data protection representative in the EEA and UK. You may contact DataRep by e-mail (flappingo@datarep.com), via online form (https://www.datarep.com/data-request), or by post at DataRep's addresses (see DataRep's website for details).

Rights of EU residents:

  • Access: You may request a copy of your personal data; we may charge a reasonable fee for additional copies.
  • Erasure and rectification: You may request erasure or rectification of your data, but we may retain certain data for legitimate business purposes (e.g. fraud detection, security).
  • Objection: You may object to the processing of your personal data.
  • Restriction: You may request the suspension of processing, e.g. to verify accuracy or examine grounds.
  • Data portability: You may request your data in a structured, machine-readable format.

Limitations:

The exercise of rights is not unlimited; for example, we may retain data where required by legal obligations. Requests are handled by e-mail, within one month.

20. Notice for non-EU residents

If you are located outside the United States and the European Union, please note that your personal data may be transferred to and processed in the United States and other countries. By using the Services, you acknowledge and consent to the transfer, processing and storage of your personal data as described in this Privacy Notice.

 

Contact: info@flappingo.com