Privacy Notice

Thank you for taking a few minutes to read the Privacy Note ChangeYourFlight, S.L. (hereinafter referred to as CARAVELO, “CVO”, “us”, “we”, “our”, “company”) have put together for the public. Your interest in our website or services is appreciated, as well as your communication with the company by written or oral means. The aggregate of our public and official website ( (“Website”), products and services offered, information shared and communications made from or to you is regarded from now on in this document as the “Service”.

Making you feel confident that your data (“data”, “personal data”, “personal information”) is secure with CVO is very important to us, so we have made this policy available to you. What will you find in this document?

It is very important that all this information is very clear to you, leaving no misunderstandings out in the open.

If you do not agree with this policy, do not visit the Website, engage with any of our products or services, communicate with us or otherwise interact with CARAVELO.

Data we collect about you

The data we collect about customers, users other interested parties (“Users”, “you”) can come from different sources and cover a variety of details about a person or organization. Users shall be duly informed of the treatment conditions, purpose, uses and recipients of the information at the moment in which said information is provided.

User Provided Data

When a User shares personal data with us to achieve one or more purposes detailed later in this document, CVO stores this information and protects it from unauthorized access, corruption, loss or misuse. This is data collected for the indispensable use of the Service or data provided voluntarily by Users to enhance their experience. This data can be: name, date of birth, gender, email address, residence information, mobile or telephone number, passports or other legal means of identification, billing information, or similar. It comprises what is sometimes called “PII” – Personal Identifiable Information. This data can be shared by a User, for example, when using one of our services or when reaching us through customer care. The User is solely responsible for the truthfulness of the provided information.

Automatically Collected Data

When a person or organization makes use of or researches one of the different aspects covered by the Service, information is automatically stored by us. This data may include: IP addresses, cookies, date and time a User has accessed the Service, actions performed by the User, settings preferences, usage, number of suggestions/complaints, time of response, or similar.

Access to the Website may imply the use of cookies. Cookies are small amounts of information that are stored in each User’s navigator in order for the server to remember certain Information that only the server which implemented it shall subsequently read. The cookies, generally, have a limited duration of time. Cookies do not allow the server to reach the User’s phone number, their e-mail address or any other means of contact.

Cookies cannot extract information from the User’s hard drive or steal personal information. The only way for a User’s personal information to become incorporated into a cookie file is for the User itself to provide said information to the server. Users who do not wish to receive cookies or be informed of their recording may configure their navigator to that effect.

Data Shared By Third Parties

As part of the processes needed to carry out the Service, our customers need to share with us their clients’ personal data. In this particular case, our customers act as Data Controllers and CVO acts as Data Processor. The data categories that may be collected to fulfill these particular purposes may include any of the examples given above. Data provided to CVO from third parties receive the same protection standards as data collected directly by us. We will only process data on our customer’s behalf as agreed upon by contract with them.

Other Sources

Data collected from other Users of the Service, business partners or advertising channels, such as code profilers. This data can include: name, email address, company name, job position and professional expertise, mobile or telephone number, or similar.

Data collection purposes

This section gives an explanation on why we need to make use of your data.

To Operate The Service

In order to offer and operate our products or services, we need your personal information. Personal information is used to carry out the basic requirements of the Service and to personalize it to each User in order to give an improved experience, including but not limited to personal and distinct identification, recommendations or personalized experience.

Additionally, Users’ data may be used in tests to make sure we preserve confidentiality and avoid any fraudulent use.

To Develop The Service

Users’ data may be used to continually investigate, analyze, improve and develop our technology services and global experience to our customers and enhance our performance as a provider company. We use the collected data to analyze our behavior and detect trends to get a sense of how the Service is helping Users and the company, and how we might improve our products and services.

To Communicate With You

We can use personal details to reach out to you to communicate any updates, improvements or status of the Service.

Customer Support

Users’ data is used in our support channels to maintain communication and help you in your particular issues, including technical concerns, assistance, analysis or repairs. Be aware that personal information may be shared among CVO’s team of experts or external partners in the process to support Users and locate problems/solutions.

To Promote Our Services

CVO may collect information from our marketing partners to better understand our current or prospective clients or to personalize our advertising channels, marketing campaigns and offers.

Lawful processing

As an EU based company providing our Service to subjects from all over the world, including EU citizens, we are bound by the General Data Protection Regulation (GDPR), effective 25th May 2018.

According to GDPR Article 6, data treatment is allowed if one of the following situations applies:

We will only use Users’ personal information if they give us explicit consent, to comply with contractual obligations or to fulfill one or more of the mentioned purposes for legitimate reasons (to provide, improve and promote our Service) as long as they are not overridden by Users’ interests, fundamental rights or freedom.

Legitimate reasons include delivering services at the expected quality and continually develop and improve them, processing employee or client data and direct marketing.

Users’ data will be protected with proper safeguards, which may include encryption or pseudonymisation.

Who we share your information with

We do not use personal data to obtain benefits, that is, we do not sell your personal information to third parties. We only share information with third parties to pursue the purposes explained in this document.

As mentioned above, we work with a number of customers that trust their data processing to us under contract. When we are processing this personal information on behalf of them, customers adopt the legal role of Data Controllers and we adopt the legal role of Data Processors. Data Controllers are the sole responsible for your Personal Data, and the collection, storage, and processing of your information is carried on under appropriate data protection standards as detailed in this policy. You may check a list of our customers on the Website and refer to their Privacy Policies for further information.

We may disclose information to the appropriate authorities if we consider it is necessary to comply with a legal or judicial obligation.

User rights and choices

This policy takes into consideration that the data subject may modify or withdraw consent on their data processing permissions.

In order to enforce your rectification, cancellation, objection or access rights, a User can contact us at or through regular mail sent to Carrer de la Diputació 303, 5, 08009; Barcelona, Spain. Please attach your particular request and a document proving your true identity.

Changes will not affect data processing prior to the modification of the User’s consent.

A User may choose to keep some information private and not disclose it to us. In the event of that happening, we cannot guarantee the complete functionality of our Service.

Please note that any rights you wish to enforce regarding personal data shared with us by one of our clients are to be communicated directly to them. If your details are contained in their client data storage and processed by CVO as a Data Processor role, they are regulated by their Privacy Policy and not the present one.

Data protection

We commit ourselves to the protection, preservation and proportional use of any personal data we collect about Users. We perform our Service applying as many measures as possible to ensure the integrity, confidentiality and availability of your information. These measures can include passwords, user access control, encryption, firewalls, or similar. In order to do so, we follow the guidelines of internationally recognized standards regarding information security and data protection such as ISO 27001 and PCI DSS, not to mention the European General Data Protection Regulation.

As part of our protection measures, we encourage and facilitate information security training to our employees. We consider it a key procedure to generate awareness and ultimately ensure that any personal information you have trusted us with is protected from misuse, corruption, loss or unauthorized access.

CVO does not collect any personal data that is not absolutely essential to pursue the purposes mentioned above, and the same premise applies to the duration of the data storage. The company does not keep your information longer than necessary to carry out our purposes and keep our business activities. When your information is no longer necessary to fulfill the purposes, we use the available resources we have to delete or anonymize it, and if that is not possible, we make sure that it is isolated and removed from active use.

To achieve compliance with the GDPR, a Data Protection Officer has been designated. This person will have the following tasks:

As a data subject, you will be communicated of any data breach, its causes and consequences as soon as possible.

Additionally, we commit ourselves to regularly revise and update this policy to increase transparency and meet GDPR requirements. Any amendments made to this Privacy Note will be communicated through the Website, emails or other channels.

Related Documentation

Please read CVO’s Confidentiality Policy for further information on the commitment to the protection of personal information.