Privacy Policy

Last updated: 19 February 2026

1. Introduction

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the flyRoom platform at app.flyroom.net.

flyRoom is operated by Giorgio Gilestro, sole trader, trading as flyRoom.

ICO registration number: ZC098928

2. Data We Collect

Account data

Name, email address, password (stored as a bcrypt hash — we never store your password in plain text), institution, and country.

Research data

Stocks, genotypes, crosses, flips, labels, notes, and any other content you enter into the Service.

Usage data

Login timestamps, audit trail entries, and feature usage metrics.

Billing data

Payment information is collected and processed by Paddle (our Merchant of Record). We do not store credit card numbers or payment details on our servers.

3. Legal Bases (UK GDPR)

We process your data under the following legal bases:

  • Contract: Account data and research data are necessary to provide the Service you have signed up for.
  • Legitimate interest: Usage data, security logs, and service improvement analytics help us maintain and improve the Service.
  • Consent: Optional features such as AI genotype prediction (which sends genotype strings to OpenRouter for processing) and any marketing emails require your explicit consent, which you may withdraw at any time.

4. How We Use Your Data

  • Provide and operate the Service
  • Authenticate your identity and manage your account
  • Send transactional emails (account verification, flip reminders, notifications)
  • Enforce subscription plan limits
  • Improve the Service based on aggregated, anonymised usage patterns
  • Respond to support requests

5. Data Sharing & Third Parties

The following services are involved in processing or handling data:

Paddle.com Market Limited

Merchant of Record for billing, invoicing, and tax compliance. Receives your email and payment details.

FlyBase

Stock data is sourced from FlyBase public datasets, which are downloaded and stored locally on our servers. No data is sent to FlyBase — all searches are performed against our local copy.

OpenRouter

AI genotype prediction (optional feature, requires your consent). Only genotype strings are sent — no personal data or account information.

Email (self-hosted)

Transactional emails (verification, reminders, notifications) are sent via our own self-hosted mail server. No third-party email provider is used.

We do not sell your personal data to any third party.

6. Collaborator Sharing

When you share stocks with collaborators from other labs, they can see the stock details and your lab name. This sharing is initiated and controlled by you. You can revoke collaborator access at any time.

7. International Transfers

Your data is stored on servers located in Germany (EU).

Paddle may process billing data internationally as part of their payment processing operations. This is covered by Paddle’s own data processing agreement.

Cross-border data flows between the UK and EU are covered by the UK-EU adequacy decision.

8. Data Retention

  • Active accounts: Your data is retained for as long as your account remains active.
  • Deleted accounts: Personal data is deleted within 30 days of account deletion. Anonymised audit logs may be retained for service improvement.
  • Billing records: Retained as required by tax law (typically 6 years).

9. Your Rights

Under UK GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct any inaccurate or incomplete data
  • Erasure — request deletion of your personal data
  • Portability — receive your data in a structured, machine-readable format
  • Restriction — request that we limit how we process your data
  • Objection — object to processing based on legitimate interest

To exercise any of these rights, contact us at support@flyroom.net. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

10. Cookies

We use a single session cookie for authentication. This cookie is:

  • HTTP-only and Secure (not accessible to JavaScript, transmitted only over HTTPS)
  • Essential for the Service to function (no consent required under cookie regulations)

We do not use any third-party tracking cookies or analytics cookies.

11. Children

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Security

We take reasonable measures to protect your data, including:

  • Passwords hashed with bcrypt
  • All data transmitted over HTTPS (TLS encryption in transit)
  • Multi-tenant data isolation ensuring labs cannot access each other’s data

No system is 100% secure. We encourage you to use a strong, unique password and to export your data regularly as a backup.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you by email of any material changes. The “last updated” date at the top of this page indicates when the policy was last revised.

14. Contact

If you have questions about this Privacy Policy or how we handle your data, please contact us:

Email: support@flyroom.net

If you are not satisfied with our response, you may contact the Information Commissioner’s Office (ICO) at ico.org.uk or by post at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom.