
Data security

 

Data Protection

Thank you for visiting our data protection page.

Here at LEAV‚ handling your personal data and privacy with conscious responsibility is important to us. As such‚ it is a personal concern of ours to observe and comply with the provisions of data protection law‚ particularly the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

In our Privacy Statement‚ we provide information on how we collect‚ store and process personal data and clarify your rights in regard to your personal data.

This Privacy Statement applies to all services offered by LEAV Aviation GmbH (LEAV) as well as the sale of flight tickets on our website‚ www.leav.com.

 

1. What constitutes personal data?

"Personal data" generally refers to all information that pertains to an identifiable living person. This can include:

  • First and last name
  • Private address
  • Date of birth
  • E-mail addresses in which first and last names are visible. Example: johndoe@company.com
  • ID numbers
  • Payment information
  • Location data (e.g. via mobile phones' location functions)
  • IP addresses.

In the following sections‚ we explain which personal data we collect‚ store‚ and/or process.

2. Who is the controller responsible for the data processing?

The controller responsible for the processing of your personal data under data protection law is LEAV Aviation GmbH‚ Von-der-Wettern-Str. 25‚ 51149 Cologne‚ Germany‚ +49 2203 2908491. In cases where the words "we" or "us" are used in this Privacy Statement‚ this refers to the company specified above.

If you have any questions or would like to request further information on the subject of data protection‚ please feel free to contact our Data Protection Officer by e-mail via datenschutz@leav.com at any time.

3. Where do we obtain data from?

We obtain your personal data via our website‚ our Service Centre‚ or our social media channels.

4. What personal data do we process? For what purposes and on what legal basis does this processing take place?

Our website can generally be used without entering your personal data (e.g. your name‚ address or e-mail address). Even in this case‚ however‚ we need to collect and store certain information in order for you to be able to access our website at all. If you use functions offered on our website‚ your personal data will be requested and stored automatically.

We collect and process personal data within the following scope:

 

We process your personal data for the purpose of fulfilling contractual obligations in accordance with Article 6 GDPR‚ e.g.:

  • Issuing flight tickets
  • Sending booking confirmations
  • Performing flight-related services
  • Administration of the check-in process
  • Collecting contact details that are required in order to fulfil the carriage agreement and provide information on the booked flight
  • Preventing and prosecuting criminal offences (e.g. credit card fraud)

 

Cookies and tracking: We use cookies / tracking software in order to make the functionalities of our website as adjustable as possible and thus to contribute to the user-friendliness of navigating our website. Tracking software collects pseudonymised usage data in order to enable unambiguous identification of the browser. Apart from cookies‚ no data is stored on your device in this context.

The legal basis for the use of cookies and tracking is Section 15 (3) of the German Telemedia Act (TMG) / Art. 6 (1)(f) GDPR.

What is a cookie?

A cookie is a small text file that is stored in your web browser when you access our website and serves to activate our website's functions. Cookies make it possible for us to do things like identify your device on future visits to our website and secure your access to the website. They allow the website to store data such as:

 

  • Login details (IP address of the logged-in device‚ login time‚ place from which login is being attempted)
  • Browser type
  • Demographic data (age‚ gender)
  • Data about what you are looking for on the website (which areas you visit and which products/services you are interested in‚ for example).

 

Further objectives for the use of cookies:

  • Ensuring that the website is running efficiently and securely
  • Activating and supporting our security functions in order to help us detect malicious activity on our website
  • Researching‚ analysing‚ and improving products‚ functions‚ and services‚ even when you access our website from other websites‚ applications‚ or devices such as your work computer or your mobile device
  • Recognising repeat visitors to the website and personalising their experience
  • Preventing the need to re-register or fill out information again each time the website is visited
  • Collecting statistical data on the number of users of the website and their use of the website
  • To the extent permitted under the applicable law‚ we may associate the data received by cookies with other information about you from other legal sources (i.e. information about your usage of services‚ your online account‚ etc.)

Please note that essential cookies are necessary in order for our website to function properly‚ and objecting to their use could affect the functionality of the website or its components.

You can erase stored cookies at any time or configure your browser settings to refuse the storage of cookies in general.

Google Analytics

This website uses functions of the web analysis service Google Analytics. The provider is Google Inc‚ 1600 Amphitheatre Parkway‚ Mountain View‚ CA 94043‚ USA.

Google Analytics uses so-called "cookies". These are text files that are stored on your computer and enable an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there.

Google Analytics cookies are stored on the basis of Art. 6 (1) lit. f GDPR. The website operator has a legitimate interest in analysing user behaviour in order to optimise both its website and its advertising.

IP anonymisation

We have activated the IP anonymisation function on this website. This means that your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website‚ Google will use this information for the purpose of evaluating your use of the website‚ compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

Browser plugin

You may refuse the use of cookies by selecting the appropriate settings on your browser‚ however please note that if you do this you may not be able to use the full functionality of this website. In addition‚ you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) by Google‚ as well as the processing of this data by Google‚ by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de

Objection to data collection

You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set‚ which will prevent the collection of your data during future visits to this website:

Deactivate Google Analytics.

For more information on how Google Analytics handles user data‚ please see Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=de

Order data processing

We have concluded an order data processing contract with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics.

Demographic characteristics with Google Analytics

We have concluded an order data processing contract with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics.

Google Analytics Remarketing

Our websites use the functions of Google Analytics Remarketing in conjunction with the cross-device functions of Google AdWords and Google DoubleClick. The provider is Google Inc‚ 1600 Amphitheatre Parkway‚ Mountain View‚ CA 94043‚ USA. This function makes it possible to link the advertising target groups created with Google Analytics Remarketing with the cross-device functions of Google AdWords and Google DoubleClick. In this way‚ interest-based‚ personalised advertising messages that have been adapted to you depending on your previous usage and surfing behaviour on one end device (e.g. mobile phone) can also be displayed on another of your end devices (e.g. tablet or PC).

If you have given your consent‚ Google will link your web and app browsing history to your Google account for this purpose. In this way‚ the same personalised advertising messages can be displayed on every device on which you log in with your Google account. To support this feature‚ Google Analytics collects Google-authenticated IDs of users‚ which are temporarily linked to our Google Analytics data to define and create audiences for cross-device ad targeting. You can permanently object to cross-device remarketing/targeting by deactivating personalised advertising in your Google account; follow this link: https://www.google.com/settings/ads/onweb/.

The aggregation of the collected data in your Google Account is based solely on your consent‚ which you can give or withdraw at Google (Art. 6 para. 1 lit. a GDPR). In the case of data collection processes that are not merged in your Google Account (e.g. because you do not have a Google Account or have objected to the merging)‚ the collection of data is based on Art. 6 (1) lit. f GDPR. The legitimate interest results from the fact that the website operator has an interest in the anonymised analysis of website visitors for advertising purposes.

Flight booking and passenger data: Our website provides the opportunity for you to book our flights and other services. In order to fulfil the carriage agreement concluded with you‚ we process your personal data on the following legal basis: Article 6 (1)(b) GDPR.

We may ask you to provide the following data when booking a flight or other services on our website or submitting a written request:

  • Title
  • Name (full first and last name as shown on passport)
  • Address
  • E-mail address
  • Telephone number
  • Date of birth
  • Payment information
  • Passport/visa information‚ where relevant
  • Travel preferences (e.g. special requirements)‚ where relevant

If you are booking a flight on behalf of other people‚ we will also need the first and last names of all passengers travelling with you as shown on their passports or personal IDs as well as the e-mail address and telephone/mobile number of at least one of the passengers.

If the booking is paid for via credit card‚ you must enter the cardholder's name‚ card number‚ expiration date and CVC/CVV code (3-digit security code on the back of the card). If you decide to pay via SEPA direct debit‚ we will need the name of the account holder‚ the IBAN‚ the BIC and the account holder's country of residence.

All information and details which are necessary in order to conclude your booking are marked as mandatory fields on our website‚ and your booking cannot be concluded without this information.

Please note that payment information and the browser details of the device used may be forwarded to payment service providers in encrypted form. The legal basis for transmitting this data is Article 6 (1)(c) GDPR.

If your flight was booked through one of our travel partners (tour operators‚ etc.)‚ certain personal data (which has been collected for your booking and is relevant)‚ e.g. your name‚ address‚ e-mail address‚ date of birth or any special needs or requirements you have specified‚ will be forwarded to us so that we can perform the services you have booked in accordance with your expectations.

If you have made a flight booking with us before‚ you can provide specific information‚ such as allergies‚ special dietary requirements‚ your health status‚ handicaps‚ or other individual needs‚ to us directly. We collect and store this information in order to take your needs into account for the booking.

Due to official requirements in the context of pandemic countermeasures‚ further information on subjects‚ such as health or travel history‚ may be requested‚ stored in accordance with statutory requirements and shared with health authorities where necessary (in accordance with Article 9 (2) GDPR). Depending on the legal situation‚ transportation of passengers without the required processing of the provided health data may be prohibited.

Advance Passenger Information (API): In cases of flights to certain destination countries‚ local authorities may require airlines to provide Advance Passenger Information (API) about passengers. The number of such destination countries is steadily increasing‚ and EU Member States may also demand the transmission of passenger data for inbound or outbound flights in the future – in some cases‚ even for flights which are merely flying over the country in question. In cases where API data is necessary but was not fully collected during booking‚ it will be requested at the check-in counter by the responsible personnel.

API data includes the following details about the person travelling:

  • Last name
  • First name
  • Biometric data
  • Date of birth
  • Nationality
  • Passport number
  • Gender

In the event that API data is required for the destination country‚ we process this data exclusively in order to transmit it to the authorities of the destination country in question in fulfilment of our legal obligations; the legal basis for this is Article 6 (1)(c) GDPR.

Flight-related e-mails: We may use the e-mail address you provide in order to send you flight-related information or offers via e-mail. Examples of flight-related information can include reminders to check in online and offers to book additional perks for your flight like increased leg room‚ seat reservations and bookings for (additional) luggage online. The legal basis for this is Article 6 (1)(f) GDPR and Section 7 (3) of the German Fair Trade Practices Act (UWG).

LEAV account registration: Our website provides the option for you to register and create a LEAV customer account for yourself. The following mandatory details are requested for registration: First name‚ last name‚ country‚ telephone number‚ e-mail address‚ and a password. Other optional details can also be entered voluntarily. When you access your LEAV account‚ we may request details from among the data already collected in the context of registration (in order to confirm your identity). We process the data contained in your LEAV customer account in order to make this function available to you. The legal basis for this is Article 6 (1)(b) GDPR.

E-mail newsletter: If you are interested in receiving our e-mail newsletter and have signed up for it‚ we may also collect and process other information you have entered in your LEAV customer account in addition to your e-mail address on the basis of your consent. Processing the specified data allows us to compile interesting information‚ campaigns‚ and offers from LEAV for you on an individualised basis and send it to you via e-mail. Your data is not shared with third parties‚ since we use it only for selecting personalised content and sending the e-mail newsletter in accordance with your express consent. The legal basis for this is Article 6 (1)(a) GDPR.

Individualised customer communication: We store and process information about personal details in your customer profile‚ your past bookings‚ and your travel preferences in order to make our services more user-friendly with personalised booking processes. The stored and processed data may be used to create default settings which can accelerate and simplify the flight booking or rescheduling process or the purchase of additional services. The legal basis for this is Article 6 (1)(a) GDPR.

Past flight bookings and recommended flights: After logging into your LEAV customer account‚ you will notice that past bookings and flights are displayed on the dashboard. We process the information on past flights and bookings stored in your profile in order to show you recommendations on flight routes you may be interested in. These only constitute recommendations in the interest of simplifying the search for the correct flight destination. As a passenger‚ you always have the option of choosing a route for yourself from the entire LEAV offering.

Contests and participation: In order to be able to offer contests and contact the winners afterwards‚ we store your contact details as well as booking codes and contest codes when you participate in our contests. The legal basis for this is Article 6 (1)(b) GDPR.

Contacting us: In the interest of offering you the best possible service‚ we provide multiple ways for you to contact us. You have the option of contacting us via channels including our Service Centre‚ the contact form‚ e-mail or our social media presences. In this context‚ we collect all data you provide and store it for as long as the handling of your request requires. It cannot be ruled out that data may be stored longer than intended after the conclusion of the actual handling of the request in the interest of preserving evidence. The legal basis for this is Article 6 (1)(a‚ b‚ and f) GDPR.

Data analyses: We may analyse your personal data in order to safeguard our legitimate interests and those of third parties and for the following purposes:

  • Ongoing improvement of our business processes
  • Helping with the detection or prevention of fraud and investigating criminal offences
  • Individualising our approach
  • Interest-oriented marketing
  • Ensuring security
  • Asserting legal claims or defence in the context of legal disputes
  • Personalising our communications
  • Audit purposes
  • Risk management

 The legal basis for this is Article 6 (1)(f) GDPR.

 

5. Our principles for processing your data

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

In consideration of the provisions of data protection law‚ we collect and process your data only when the law permits us to do so or when you have granted consent. This also applies in the context of the processing of personal data for advertising and marketing purposes.

We may also collect information on our website which in itself cannot be used to identify you directly. Despite the above‚ however‚ this data may still be considered personal data as defined under data protection law in some cases – particularly in combination with other data. We are also able to collect information on our website with which we can neither directly nor indirectly identify you (e.g. in cases where the information of multiple users or all users of our website is analysed or compiled).

 

6. Discretion and your own duty of care when providing your personal data

 Please exercise discretion and due care at all times when providing your data and make sure to comply with at least the following minimum requirements for the protection of your personal data: Please refrain from including your name‚ address‚ telephone number‚ e-mail address‚ personal ID number‚ date of birth‚ account number‚ health information‚ or other special/sensitive data in the subject lines of inquiries or in file names. To the furthest possible extent‚ please refrain from including payment data‚ other financial information or details‚ health information‚ detailed information on family members or other specific (sensitive) data or excessive information in CVs‚ statements of interest‚ other files or the texts of inquiries‚ e-mails or similar messages you send to us. Please ensure that the remaining personal data is provided only to the extent which is necessary for the purposes for which the letter or inquiry in question is being submitted.

7. Are you obligated to provide your data?

The provision of some mandatory personal details is necessary so that we can offer you the full scope of functions such as registration for a LEAV customer account‚ signing up for our newsletter‚ our online contact form‚ flight bookings and bookings of services or other extras. If you refuse to provide this information‚ we cannot provide the functions and services specified above.

We strive to collect only personal data which is legally required or contractually required in order to conclude an agreement with you. In the event that we request or collect any further personal data in addition to the mandatory information specified above‚ the provision of this additional data is voluntary and not obligatory. Fields for mandatory information are clearly marked to distinguish them from those for optional information.

 

8. Who will receive your data?

Your personal data will be used‚ stored‚ and processed for our own systems and those of our contractors/suppliers and shared with other external providers. These providers may include:

  • Airports and ground handling services‚ so that they can make preparations for you and provide you with the assistance you need.
  • Our technology and data management partners‚ who help us to provide the services we offer.
  • Travel partners‚ e.g. travel agencies.
  • External airline companies‚ in the event that they assist us with the provision of our flights. (The data protection terms and conditions of the respective airline shall apply in such cases.)
  • Service providers we engage for payment processing (intermediaries for card payments‚ SEPA direct debit procedures‚ PayPal) who perform services for us on a separate contractual basis which help us to detect and prevent fraudulent payments and may involve the processing of personal data.
  • Sub-contractors engaged by our service providers with our consent.
  • Government authorities and other institutions acting on the basis of entry regulations‚ police procedures‚ etc.
  • We are legally obligated to share data with immigration authorities in situations including in the context of treaties between the EU and the US/Canada‚ the German Flight Passenger Data Act (FLUGDaG) in cases where EU destination countries have implemented Directive (EU) 2016/681‚ and in the context of EU trade and cooperation agreements‚ including those with the UK.

 

9. Will data be transmitted to third countries outside the EU?

As a general rule‚ the processing of your personal data will take place inside Germany and the EU / the European Economic Area. In some cases‚ however‚ we may also need to share your data with external contractors and send it to countries outside the EU. Companies and providers outside the EU may not be subject to data protection controls with the same scope as those applicable in Germany and the EU.

In the event that the information to be transmitted contains personal data‚ we ensure that the level of data protection is guaranteed by means of appropriate security precautions before transmission to external providers outside the EU. This protection can include the use of EU standard contract clauses as published by government authorities or an independent data protection program approved by regulators that can be imposed on contractors / service providers.

For specific travel destinations‚ it is mandatory for airline companies to report certain personal data to government agencies and authorities in Germany and other countries. These authorities can include:

  • Counterterrorism authorities
  • Public health authorities
  • Immigration authorities
  • Security authorities
  • Border control
  • Law enforcement

Although sharing your personal data with the authorities specified above is not always mandatory‚ we have our own scope of discretion regarding the sharing of this information with authorities in order to assist them in the prevention and detection of criminal offences.

 

10. How long will your data be stored with us?

In regard to the storage and deletion of your personal data‚ we comply with statutory obligations (particularly regarding expiration of the purpose of storage) and time limits. Your data is then deleted on a routine basis.

In the context of statutory time limits‚ the standard 3-year limitation period for claims is particularly relevant. In exceptional cases‚ we may retain your data until the end of special statutory retention periods (generally 6 to 10 years but up to 30 years in individual cases) if necessary for the establishment‚ exercise or defence of legal claims.

In this context:

  • Processed data which is related to your flight booking will be deleted after the end of statutory retention periods of a maximum of 10 years at the latest.
  • Processed data related to the registration of a LEAV customer account is automatically deleted when the customer account is deleted.
  • Personal log data collected during visits to our website will be deleted within 30 days if no further storage is necessary for purposes stipulated by law.
  • If your data has been processed in connection with an instance of customer communication‚ it will be deleted after a maximum of 5 years (Regulation (EC) No. 261/2004).

Longer retention periods for personal data may also apply in the following cases:

  • When defined as a mandatory requirement under the applicable law (e.g. German Commercial Code‚ German Fiscal Code‚ German Anti-Money Laundering Act).
  • When necessary for backups‚ the proper functioning of the company's information systems‚ or similar purposes.
  • When a justified suspicion of unlawful activity which is the subject of investigations exists.
  • When the company has received complaints regarding the visitor or detected violations committed by the visitor.
  • When the visitor data in question is necessary for the proper resolution of a dispute‚ complaint or claim.

11. What rights do you have in regard to your personal data?

Data protection law grants you several rights in regard to your personal data. We have summarised these for you below.

Right to data access

 

You have the right to be provided with information in accordance with Article 15 GDPR as well as the right to request access to personal data. The information provided in this context pertains to your personal data which has been provided to us and stored.

In the event that we are required to provide personal information to you (or someone acting on your behalf)‚ it will be provided free of charge.

Please note that we may ask you for proof of identity or booking details that could help us to find your personal data. In the case of a third person acting on your behalf‚ we will additionally need to receive advance written confirmation bearing your signature attesting that the person in question is authorised to submit a request and receive the data.

We reserve the right to refrain from providing copies of personal data to you in cases where these also contain the personal data of other people or when other legal reasons not to provide this information apply. Once you have submitted the request and we have received all information necessary in order to begin your data search (including proof of identity)‚ we will respond within the defined period of 30 days.

 

Right to object

Pursuant to Article 21 GDPR‚ you have the right to object to the processing of personal data pertaining to you on the basis of a legitimate interest at any time by sending us an e-mail or letter via the e-mail address or postal address specified in the Privacy Statement.

In the event that you have objected to the processing of your personal data on the basis of a legitimate interest‚ we will interrupt processing until the matter has been resolved.

Data processing may be continued despite your objection for the following reasons:

  • The processing serves the purpose of the establishment‚ exercise and/or defence of legal claims.
  • We have legitimate reasons for the processing that override your rights‚ freedoms and interests.

If you would like to revoke your consent to the processing of personal data for direct marketing purposes‚ you can do so at any time and this processing will be halted.

Your consent to the processing of information in regard to allergies‚ special dietary requirements‚ your health status‚ disabilities or other individual needs can also be revoked. However‚ please note that the services specified above that you have requested will then be partially or even fully impossible for us to provide. If you would like to revoke your consent despite this fact‚ please contact you@leav.com.

Right to erasure or restriction of processing of personal data

Certain circumstances may give you the option to have your personal data removed from our systems (Article 17 GDPR). To do so‚ please send an e-mail or letter to the relevant recipient as specified in this Privacy Statement.

In the event that we have no lawful reasons to continue the processing or retention of your personal data‚ we will respect your "right to be forgotten".

Pursuant to Article 18 GDPR‚ you can also request the restriction of processing of your personal data for the following reasons:

  • You have objected to the processing and our investigation of the matter has not yet concluded.
  • The manner in which your data is being processed is unlawful in your view.
  • You are insisting that we retain information in connection with court proceedings.

Processing of your data may continue despite this restriction only with your consent or on the basis of a legal obligation.

Relevant legal obligations in this context may include:

  • Retention purposes in connection with court proceedings
  • Rights of retention for the protection of other companies
  • Retention purposes for the protection of other/additional people

The legal basis for the restriction of processing of personal data is Article 18 GDPR.

Further rights

As a data subject‚ you also have the right:

  • to rectification of incorrect or incomplete data in accordance with Article 16 GDPR and
  • to data transferability in accordance with Article 20 GDPR.

If you would like to exercise these rights or file a complaint‚ please feel free to contact us via e-mail at any time at datenschutz@leav.com. The postal address is:

LEAV Aviation GmbH Data Protection Team

Von-der-Wettern-Str. 25

51149 Cologne

You also have the right to file a complaint with a competent supervisory authority for data protection in accordance with Article 77 GDPR in conjunction with Section 19 BDSG. The supervisory authority responsible for LEAV is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia‚ Kavalleriestr. 2-4‚ 40213 Düsseldorf‚ Tel.: 0211/38424-0‚ Fax: 0211/38424-999‚ E-mail: poststelle@ldi.nrw.de.

 

12. Questions on data access and the subject of data protection in general

If you have any further questions on processing‚ erasure‚ access‚ data portability‚ objection or other topics in regard to your personal data‚ please feel free to contact our Data Protection Officer at any time via: datenschutz@leav.com.

Changes to this Privacy Statement

We reserve the right to update or modify this Privacy Statement from time to time.

Cologne‚ Germany‚ last updated: 9 May 2023