Open
Close
  1. Home
  2. /
  3. Privacy Policy

Privacy & Cookies Policy

Last Updated: February 27, 2026

Airvat (“we”, “us” or “our”) is committed to protecting and respecting the privacy of its customers. This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed when you visit the AIRVAT website at https://airvat.com (“Site”), use the Airvat App (“App”) or use the Airvat service (“Service”).

1. Data Controller and Compliance

  • For the purposes of Regulation (EU) 2016/679 (GDPR) and applicable national laws, the data controllers are:
  • France & Belgium: Airvat EURL, 10 rue de Penthièvre, 75008, Paris, France (SIRET: 90084709600014, TVA FR 50900847096, TVA BE 1013708792).
  • Northern Ireland (UK): Airvat Ltd, 20-22 Wenlock Road, London, N1 7GU, UK (VAT: 312092250).
  • Lead Supervisory Authority: Commission Nationale de l’Informatique et des Libertés (CNIL), France and Information Commissioner’s Office (ICO), in the UK.
  • Data Protection Contact: info@airvat.com

2. Information we may collect about or from you

  • We may collect and process the following data:
  • Information you give us: name, address, email, phone number, passport details, bank account information or other financial information and real-time photographs (selfies) for identity verification (KYC).
  • Information we collect about you: technical information (IP address, login info, browser and device type) and information about your visit (URL clickstream, page interaction).
  • Information we receive from other sources: data from business partners, sub-contractors in technical, payment, and administrative services.

3. Uses made of the information (Legal Basis)

  • We process your data under the following legal grounds:
  • Legal Obligation (Art. 6(1)(c) GDPR): compliance with EU, French (PABLO-O), and Belgian Tax & Customs regulations for VAT refund processing.
  • Explicit Consent (Art. 9(2)(a) GDPR): processing of biometric data (selfies) during KYC. You have the right to request human intervention and a manual review of automated KYC decisions (Art. 22 GDPR).
  • Performance of a Contract (Art. 6(1)(b) GDPR): to provide Tax Free Shopping or VAT Refund services.
  • Legitimate Interests (Art. 6(1)(f) GDPR): Provision of regulated service and compliance with the relevant regulation, fraud protection, service improvement. We ensure your rights are not overridden.

4. Who we share your information with

  • Tax and Customs Authorities: UK’s HM Revenue & Customs (HMRC), French Customs (DGDDI), Belgium’s FPS Finance Authority, and any other relevant EU authorities to fulfill VAT refund obligations.
  • Financial Providers: Revolut, PayPal, and Paysafe - all regulated financial institutions with EMI/Banking licenses and compliant with PCI DSS Level 1.
  • Cloud Infrastructure: Google Cloud Storage (may be located in the USA) with AES-256 encryption at rest. Transfers from the EEA to the USA are protected by the EU-U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Business partners, suppliers, and sub-contractors for contract performance or service improvement.
  • Analytics and technical providers for website/App optimisation.
  • Advertisers: aggregated or pseudonymised data only; no identifiable personal data is shared.
  • Legal transfers: e.g., in case of sale of assets or compliance with legal obligations.

5. Where we store your personal data

Data is primarily stored within the EEA. Transfers to the UK are based on the UK-EU Adequacy Decision. Transfers to the USA (e.g., Google Cloud, PayPal) are protected by EU-U.S. Data Privacy Framework or SCCs.

6. Security

  • Data is stored on secure servers with AES-256 encryption at rest.
  • API access is controlled via OAuth 2.0 with least-privilege permissions.
  • Transmission via the internet is at your own risk, but received data is protected via HTTPS and strict security procedures.

7. Data Retention

  • Tax and Customs Records: EU and national laws require retention of transaction and identity data (including passport details) for up to 10 years.
  • Soft Delete: upon erasure requests, restricted archiving (“Soft Delete”, Art. 17(3)(b) GDPR) is applied to comply with legal obligations.

8. Your Legal Rights

  • You have the right to:
  • access, rectify, or request erasure of your data (subject to 10-year retention).
  • lodge a complaint with CNIL (France) or ICO (UK).
  • request data portability in a structured, commonly used format.
  • Contact: info@airvat.com

9. Cookies Policy

  • We use a consent management platform provided by Termly to manage cookie preferences.
  • Non-essential cookies (including analytical and targeting cookies) are deployed only after obtaining your explicit prior consent through our cookie banner. Continued browsing or scrolling does not constitute consent.
  • Strictly necessary cookies are essential for the operation, security, and authentication of the Site and do not require consent.
  • Analytical and targeting cookies are used to measure traffic, analyse usage patterns, and improve functionality. These cookies are activated only upon your affirmative opt-in.
  • You may withdraw or modify your consent at any time via the “Cookie Settings” link available on our website.