navia.

Privacy Policy of Aviya GmbH

Aviya GmbH · As of: April 13, 2026

This privacy policy informs you about how Aviya GmbH processes personal data in the "Navia" app (hereinafter referred to as "Navia" or "app"). The "Navia" app is operated by Aviya GmbH. It is aimed in particular at users in the EU/EEA and takes into account the requirements of the GDPR and the TTDSG.

1. Data Controller

Aviya GmbH ("Aviya," "we")
Rheingaustr. 53, 65201 Wiesbaden
Email: legal@aviyagmbh.com
Authorized representative: Ralph Barthel

2. Data Protection Officer

We have not appointed a data protection officer at this time. You can contact us regarding data protection issues using the contact details provided in section 1.

3. Scope

This privacy policy applies to:

  • the use of the „Navia“ App
  • the functions offered in the App (e.g., user account, flight booking, transmission of data to airlines/service providers, customer support communication)

If you use third-party services via the App (e.g., flight booking, check-in, payments), the privacy policies of these third parties also apply.

4. Aviya's role in the booking process (important note)

Aviya provides an App through which flights are brokered or offered by third-party providers. Aviya is not a party to the contract of carriage; the contract for flight services is concluded between you and the respective airline (and, if applicable, the third-party provider acting as an agent). Aviya acts as the technical App operator and supports the processing (e.g., transmission of necessary data, display of booking information, push notifications).

5. Terms and legal basis

5.1 Personal data

"Personal data" is any information relating to an identified or identifiable natural person.

5.2 Legal bases

We only process personal data if there is a legal basis for doing so, in particular:

  • Art. 6 (1) (a) GDPR – Consent (e.g., optional submission of certain data, consent to certain functions)
  • Art. 6 (1) (b) GDPR – Contract performance (e.g., account, booking processing, support in connection with booked services)
  • Art. 6 (1) (c) GDPR – Legal obligation (e.g., commercial/tax law retention)
  • Art. 6 (1) (f) GDPR – Legitimate interests (e.g., IT security, fraud prevention, defense of legal claims)

If consent is required in connection with the use of technologies on your end device (e.g., for certain tracking/analysis technologies), this is done in accordance with the TTDSG.

6. What data we process (categories)

Depending on the use and functionality of the App, we process the following categories of personal data, among others.

6.1 Account data / Profile data

  • Email address
  • First name, last name
  • Date of birth
  • Gender (if requested/required)
  • Phone number (optional/depending on process)
  • Additional contact or address details (country, city, postal code, address), if required for the respective process

6.2 Data of travel partners (if provided by you)

If you add travel partners, we process (or have third parties process) their data such as:

  • First name, last name
  • Date of birth
  • Gender
  • Title (if necessary)

6.3 Travel documents

Depending on the requirements of the airline/check-in service, travel document data may be required, e.g.:

  • Document type (e.g., passport/ID card)
  • Document number
  • Expiration date
  • Issuing country

6.4 Booking and flight details

  • Booking references (e.g., PNR)
  • Departure/destination (codes)
  • Flight number, airline (marketing/operating carrier)
  • Travel dates (date/time)
  • Seat information (if available in the process)

6.5 Payment and transaction data

Payment processing is carried out by external payment service providers (see section 8).

We do not store any complete payment/card data ourselves. Transaction/accounting data and external payment identifiers (e.g., from Stripe) may be processed in our systems.

6.6 Communication and support data

When you contact support or we contact you in connection with bookings:

  • Content of your messages (e.g., support request)
  • Metadata (time, communication channel)
  • Booking reference (e.g., booking reference), if applicable

6.7 Usage and device data (App operation)

The following data may be processed for the technical operation of the App:

  • Device information (e.g., operating system version, App version)
  • Technical log data (e.g., error/crash logs, if implemented)
  • Timestamps of actions in the App (e.g., login, start of booking).

7. Purposes of processing

We process data for the following purposes in particular:

  1. Provision and operation of the App (technical delivery, stability, security)
  2. Creation and management of a user account
  3. Initiation and processing of bookings (transfer of necessary data to intermediaries/airlines)
  4. Provision of check-in/travel services (if used)
  5. Payment processing (via payment service providers)
  6. Customer service and communication regarding bookings and changes
  7. Fulfillment of legal obligations (e.g., accounting, storage)
  8. Prevention of abuse and fraud, IT security, assertion/defense of claims.

8. Recipients of data / third-party providers

We only pass on personal data if this is necessary (e.g. for booking processing) or if you have given your consent.

8.1 Flight brokerage/booking processing

Duffel (flight brokerage/technology partner)

When making a booking, data (e.g., name, contact details, date of birth, travel document details, booking details) may be transferred to Duffel so that the booking can be technically processed or forwarded to the respective airline.

8.2 Airlines

In order to execute the contract of carriage, the necessary data is transmitted to the respective airline (e.g., name, date of birth, travel document data, booking data).

8.3 Check-in / Travel Services

If you use check-in services, the necessary data (e.g., names, booking/flight data, travel document data) may be transferred to Checkin.

8.4 Payment processing

Stripe (payment service provider)

Payment data is transmitted to Stripe for processing.

Important: Our systems regularly store only transaction data and external identifiers (e.g., a Stripe transaction ID), but not complete card/account data.

8.5 Processors

In addition, technical service providers (e.g., hosting, IT operations, support tools) may be used as processors. These processors only process data in accordance with our instructions and on the basis of a contract in accordance with Art. 28 GDPR.

9. Tracking, analytics, advertising (App Store relevant information)

9.1 "Tracking" as defined by Apple/App Store

Apple defines "tracking" as linking user data (e.g., device ID) across third-party apps/websites for advertising purposes or sharing such data with data brokers.

  • Tracking for personalized advertising: [NO]

9.2 Analytics/performance tools

We currently do not use any separate third-party analytics or tracking SDKs that go beyond what is necessary for the operation of the App.

10. App permissions

Depending on the range of functions, the App may request permissions. Processing will only take place if you grant the respective permission, e.g., for push notifications relating to booking or flight changes and service messages.

11. Data transfer to third countries

If recipients (e.g., Stripe or subcontractors) process personal data outside the EU/EEA, we ensure that an adequate level of data protection is in place, e.g., through:

  • EU Commission adequacy decisions, or
  • EU Standard Contractual Clauses (SCC), supplemented by additional measures where necessary.

12. Storage period, deletion, and anonymization

We only store personal data for as long as is necessary for the purposes for which it was collected or for as long as there are legal retention obligations.

12.1 General principles

  • Data from contract/contract initiation: Storage for the duration of the contractual relationship and beyond, if necessary
  • Statutory retention obligations: e.g., commercial and tax law deadlines
  • Enforcement of rights: storage for the assertion/defense of claims (statutes of limitations)

12.2 Deletion upon account deletion

If you delete your account:

  • profile data will generally be deleted or anonymized, unless there are any retention obligations that prevent this
  • certain data may remain in anonymized form (e.g., only year of birth instead of date of birth) or as verification and accounting data

12.3 Payments and Stripe identifiers (e.g., payment_intent_id)

For the traceability of payment processes (e.g., chargebacks, accounting, documentation requirements), it may be necessary to retain transaction data and external payment identifiers (e.g., Stripe payment_intent_id) even after an account has been deleted.

  • The legal basis for this is Art. 6 (1) (c) GDPR (legal obligation) and/or Art. 6 (1) (f) GDPR (legitimate interest in proof/defense).
  • Where possible, we only store the minimum data required (data minimization).

13. Security of processing

We use appropriate technical and organizational measures (TOM) to protect your data, in particular against loss, manipulation, or unauthorized access. These may include, among other things:

  • Access controls and authorization concepts
  • Transport encryption (e.g., TLS)
  • Logging and monitoring of security-related events
  • Data minimization and pseudonymization/anonymization, where appropriate

14. Automated decisions/profiling

Automated decision-making within the meaning of Art. 22 GDPR does not take place as a matter of principle.

15. Your rights

You have the following rights, provided that the legal requirements are met:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection to processing based on legitimate interests (Art. 21 GDPR)
  • Withdrawal of consent with effect for the future (Art. 7 (3) GDPR)

To exercise your rights, please contact us using the details provided in section 1.

15.1 Identity verification

To prevent misuse, we may ask you for information that enables us to identify you before we provide information or disclose data.

16. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement.

17. Data of minors

The App is not intended for children under the age of 18. If you believe that we are processing a child's data without the required consent, please contact us so that we can investigate and delete it if necessary.

18. Changes to this privacy policy

We may update this privacy policy, e.g., in the event of changes to the App's functions or the legal situation. We will provide the current version in the App.