Privacy Policy

We try to collect as little personal data as we can to run a useful travel-comparison service. Here’s the gist:

• You can browse FrogSky without an account. We don’t require sign-up to search or read content.
• We never see your payment details. Bookings happen on partner sites (airlines, bus carriers, Kiwi.com). Your card and ID never touch our servers.
• Email is the main thing we collect — for newsletter sign-ups, price-watch alerts, and account access. You can unsubscribe and delete your account at any time.
• We use cookies sparingly — mostly for language, light/dark mode, bus-vs-flights mode, A/B test bucket, sign-in session, and privacy-friendly analytics.
• We don’t sell your personal data. Where we share it (mail providers, hosting, analytics, affiliate networks), we share only what’s necessary, under contract.

The rest of this page explains the details. If anything is unclear, email hello@frogsky.com.

FrogSky (“FrogSky,” “we”) is the data controller for personal data processed through frogsky.com and our related products.

Contact: hello@frogsky.com. For privacy-specific requests (access, deletion, complaints), put “Privacy” in the subject line so we route it correctly.

Information you give us

• Email address — when you subscribe to the newsletter, set up a price-watch alert, create an account, or contact support. We use it to deliver the service you asked for.
• Account credentials — if you create an account, we store your email and a salted, hashed password (or, where we offer it, a magic-link verification token).
• Search inputs — the origin, destination, dates, passenger count, and travel mode (bus / flights) you enter into search and price-watch forms. These let us run the search and remember your watched routes.
• Communications — if you email us or reply to a survey, we keep the message so we can follow up.
• Preferences — chosen language (EN / TR / ES), region (US / MX / AU), currency, and travel mode (bus / flights), so the site greets you the same way next time.

Information collected automatically

• Device and connection data — IP address, approximate location from IP (country and region only, used to localize prices and currency), user agent, screen size, language headers, and the page you came from. Our hosting provider may retain access logs for security and abuse prevention.
• Usage data — the pages you view, the searches you run, the deals and partner banners you click, and roughly how long you spend on a page. This is used to understand which features actually help travelers and to find broken pages.
• A/B test bucket — a small identifier that tells us which variant of an experiment we showed you, so we can measure which one works.
• Bot-mitigation signals — for sign-in flows and admin areas, we use Cloudflare Turnstile, which collects browser signals to tell humans from bots. It is designed to avoid third-party tracking cookies.

What we don’t collect

• We don’t collect payment-card details, passport / ID numbers, or passenger documents. Those are entered on the partner’s checkout page, not ours.
• We don’t request precise GPS location. Approximate location comes from your IP only.
• We don’t buy or enrich personal profiles from data brokers.

Where data-protection law requires a legal basis, we rely on:

• Performance of a contract — to give you the Service you asked for (e.g. running a search, sending a price-watch alert, signing you in).
• Consent — for marketing emails, optional analytics cookies, and other clearly-opt-in features. You can withdraw consent at any time.
• Legitimate interests — to keep the Service secure, prevent fraud and abuse, understand product usage, and improve features. We balance this against your privacy rights.
• Legal obligation — e.g. responding to lawful requests, accounting and tax records.

We use a small number of cookies and browser-storage entries:

• Essential — Needed for the site to work. Can't be turned off. (NEXT_LOCALE, fs_mode, fs_region, fs_session, fs_csrf)
• Preference — Remembers small choices so the site greets you the same way next time. (fs_currency, fs_theme, fs_recent_routes)
• Security — Helps us tell humans from bots and protect sign-in flows. (cf_chl_*)
• Analytics — Aggregated usage data to understand which features actually help travelers. (fs_analytics, awc)
• A/B testing — Keeps the experiment variant we show you consistent across visits. (fs_ab_bucket)

Where required by law, we’ll ask for your consent before setting non-essential cookies, and you can change your choice at any time via the on-page banner or your browser settings. The Cookie Policy has the full per-cookie breakdown (provider, lifetime, purpose).

We don’t sell personal data. We share it only when needed to run the Service or when required by law:

• Travel partners (Kiwi.com and Booking.com via Awin, airlines, bus carriers, other aggregators) — when you click a result, your browser is redirected to the partner with limited query parameters (route, dates, click-tracking ID for affiliate attribution). We do not pass your email, account, or stored personal data unless you explicitly enter them on the partner’s site.
• Affiliate networks (Awin, etc.) — we share click-tracking identifiers and conversion events so commissions can be attributed correctly. These networks may set their own cookies on the partner site (not on FrogSky). Their processing is governed by their own privacy notices.
• Email service providers — to send transactional emails (account verification, password reset, price-watch alerts) and marketing emails. They process your email address and the message content on our behalf.
• Hosting and infrastructure — our application runtime (e.g. Vercel for the frontend, a managed PostgreSQL provider for the database, Cloudflare for DNS / CDN / bot-mitigation). They process data on our behalf to deliver the Service.
• Analytics — aggregated usage data; configured to minimize personal data and avoid cross-site tracking where possible.
• Legal and safety — if we’re legally required (subpoena, court order, sanctions screening) or need to protect our rights, users, or partners.
• Corporate events — if FrogSky is involved in a merger, acquisition, or asset sale, your data may transfer to the successor under a binding obligation to honor this Privacy Policy or notify you of changes.

FrogSky operates globally. Your data may be processed in countries other than the one you live in — including the United States, the European Union, the United Kingdom, and Türkiye — depending on where our hosting providers, email providers, and team are located.

When we transfer personal data out of the EEA, UK, or other jurisdictions with transfer-restriction rules, we rely on appropriate safeguards (such as the European Commission’s Standard Contractual Clauses, the UK Addendum, or an adequacy decision) and require recipients to protect the data to a comparable standard.

• Newsletter subscriptions — until you unsubscribe, then for a short suppression-list period so we don’t accidentally re-add you.
• Account data — while your account is active, plus a short grace period after you delete it so we can handle final billing or fraud queries (where applicable).
• Price-watch alerts — until the trip date has passed, the alert is cancelled, or you delete the watch.
• Support emails — up to 24 months from the last reply, then deleted or anonymized.
• Server logs — typically up to 30 days, longer if needed to investigate a security incident.
• Analytics — aggregated and retained as long as needed to understand product trends; raw event data is retained for a shorter window.

Where law requires longer retention (for example, financial records), we keep the data for the legally required period and no longer.

Depending on where you live, you may have some or all of the following rights regarding your personal data:

• Access — ask for a copy of the personal data we hold about you.
• Correction — ask us to fix data that’s wrong or out of date.
• Deletion — ask us to delete your data. We’ll do so unless we’re legally required to keep it.
• Portability — receive your data in a structured, commonly used format.
• Restriction or objection — ask us to limit or stop certain processing, including direct marketing.
• Withdraw consent — for processing based on consent, withdraw it at any time. Withdrawal doesn’t affect processing already done.
• Complain to a regulator — e.g. your local Data Protection Authority in the EEA / UK, the KVKK in Türkiye, or the OAIC in Australia. We’d appreciate the chance to address it first — please email us.

To exercise any right, email hello@frogsky.com with “Privacy” in the subject. We may need to verify your identity (usually by confirming you control the email address tied to the data) before we act.

Residents of California (CCPA / CPRA): you have the rights above plus the right to know what categories of personal data we’ve collected, the right to opt-out of any “sale” or “sharing” of personal data (we don’t sell, but you may opt out of cross-context behavioral advertising via the Global Privacy Control signal, which we honor), and the right not to be discriminated against for exercising your rights.

We take reasonable, industry-standard steps to protect your data, including:

• HTTPS / TLS for all connections to the Service;
• salted and hashed password storage (we never store passwords in plain text);
• least-privilege database roles — the runtime account that serves the website cannot access admin tables;
• bot-mitigation (Cloudflare Turnstile) on sign-in and admin flows;
• access controls and audit logging on internal admin tools;
• regular dependency updates and security review of partner integrations.

No system is perfectly secure. If we ever discover a breach affecting your personal data, we’ll notify you and the relevant authorities as required by law.

FrogSky isn’t directed at children under 13 (or the local digital-consent age, where higher). We don’t knowingly collect personal data from children. If you believe a child has given us personal data, email hello@frogsky.com and we’ll delete it.

Browsers send mixed signals here, so the Do-Not-Track header alone isn’t a reliable consent mechanism. We honor the Global Privacy Control (GPC) signal where we’re required to (notably for California residents) by treating it as an opt-out of any cross-context behavioral advertising or “sharing” under California law.

We’ll update this page when our product, partners, or laws change. The “Last updated” date at the top reflects the most recent change. For material changes, we’ll give reasonable advance notice on-site and, where we have your address, by email. Continued use of the Service after changes take effect means you accept the updated policy.

Questions, requests, or complaints about privacy at FrogSky? Email hello@frogsky.com with “Privacy” in the subject. A real person will reply.