FAA · Live

Flight Deck

Privacy policy

Last reviewed: May 7, 2026.

This privacy policy describes how The Frequent Flier collects, uses, and shares information about visitors to thefrequentflier.com. It applies to the website and to any tools or content we publish on it. It does not apply to third-party sites we link to — including airline pages, credit card issuer application pages, and partner sites — which are governed by their own policies.

This policy works alongside our terms of use and our affiliate disclosure.

Who runs this site

The Frequent Flier is an independent aviation publication. It is currently operated as an unincorporated individual project based in the United States; it is not yet a registered legal entity. If that changes, this page will be updated to identify the entity directly.

For all questions about this policy, contact hello@thefrequentflier.com.

What information we collect

We try to keep this minimal. The categories below reflect what the live site actually collects today, plus future categories we have specifically planned. The site does not currently support user accounts or public comments.

Server logs

Our backend is hosted on Heroku, a Salesforce subsidiary based in the United States. Standard web request logs are generated for each request and include your IP address, your browser's user-agent string, the path and method of the request, the response status, and the timestamp. These logs are retained per Heroku's platform defaults and are used for security, debugging, abuse prevention, and operational monitoring.

Analytics

Our frontend is hosted on Vercel, also based in the United States. We use Vercel's first-party analytics (@vercel/analytics) and speed insights (@vercel/speed-insights) to understand site traffic and performance. These tools are cookieless. They record aggregate signals such as page views, approximate country and region (derived from IP), referring URL, and anonymized Core Web Vitals. They do not assign persistent identifiers to individual visitors and do not, on their own, allow us to identify you.

We also use Google Analytics 4 (Google LLC, United States) for site traffic measurement. Unlike the Vercel tools, Google Analytics sets first-party cookies (typically _ga and _ga_<container>) that assign a pseudonymous client identifier to your browser, and it collects information including your IP address, user-agent, the pages you view, the referring URL, and engagement signals (session duration, scroll depth, outbound link clicks). Google processes that data on our behalf to produce aggregate audience and behavior reports, and may also process it for its own purposes per Google's privacy policy and the Google Analytics terms.

Information you send us

If you email hello@thefrequentflier.com, we receive whatever information you include — your email address, your name if you sign it, and the contents of your message. We use this information to respond to you and, where reasonable, to improve the site.

Private briefing feedback

Briefing posts may include a private feedback panel. If you use it, we collect the reaction you select, any optional note you choose to submit, the briefing page it relates to, and technical signals used for abuse prevention, delivery, and editorial context. Those signals can include your IP address, browser user-agent, device class, viewport size, browser timezone and locale, and approximate location inferred by Vercel from your IP address, such as city, region, country, and timezone. We store hashed versions of the IP address and user-agent with the feedback record, and server logs may still contain the raw request metadata described above.

This is private editorial feedback, not a public comment system. Do not send sensitive personal information through it.

Browser storage

The site sets one piece of first-party client-side storage: a localStorage entry named tff-theme that records whether you've selected light or dark mode. It lives in your browser only, contains no personal information, and is not transmitted to us. Clearing your browser storage will reset it.

Advertising

The site carries display advertising served by Google AdSense (Google LLC, United States). AdSense sets its own cookies and similar identifiers and may collect information including your IP address, user-agent, the page you're viewing, and signals Google has previously associated with your browser, in order to select ads, cap frequency, and report performance. Google processes that data for its own purposes under its own privacy policy. We receive aggregate revenue and performance reporting from Google; we do not receive your individual ad-targeting profile.

Affiliate-link tracking

The site does not currently contain affiliate links. When affiliate content launches — most likely starting with credit card affiliate links to issuer application pages — clicking one will typically cause the affiliate network (for example, CardRatings, FlexOffers, or an individual issuer program) to set a tracking cookie that lets the destination company attribute a successful action back to The Frequent Flier. Once you reach the destination, that company's privacy policy will control what it collects and how it uses the data. See our affiliate disclosure for the full policy.

Error monitoring

When the site encounters a JavaScript error in your browser session — for example, a tool like the mileage calculator throwing an unexpected exception — the page sends a small diagnostic report to our backend so we can fix the bug. Each report includes the error name, message, and JavaScript stack trace; the path and query string of the page where it happened; and your browser's user-agent string. The report is sent over HTTPS to our own backend (we do not currently use Sentry or another third-party error-monitoring service); the backend forwards a redacted summary to our internal Slack workspace and stores a hashed form of your IP address with the record for abuse prevention. Reports are retained for a limited operational window and then deleted.

Planned future categories

The site is pre-launch. The following categories may become applicable as features ship; each is planned and not yet active, and this policy will be updated before any of them go live:

  • Additional advertising partners. Beyond Google AdSense, we may add other programmatic ad networks or direct-sold sponsorships over time.
  • User accounts. If we add accounts, we will collect what's required to create and operate them and disclose those categories then.
  • Third-party error-monitoring services. If we move error reporting to a service such as Sentry or an equivalent, we will update this policy before sending data to it.

Why we process this information

For visitors in the European Economic Area, United Kingdom, or Switzerland, the GDPR requires us to identify a lawful basis under Article 6 for each category of processing.

  • Server logs: Article 6(1)(f), legitimate interests in security, debugging, and abuse prevention.
  • Vercel analytics and speed insights: Article 6(1)(f), legitimate interests in understanding aggregate traffic and performance. These tools are cookieless and do not identify individuals.
  • Google Analytics 4: Article 6(1)(f), legitimate interests in understanding aggregate site traffic, content performance, and reader behavior so we can improve the site. Google processes the data described in the Analytics section above on our behalf. Visitors who do not want Google Analytics cookies set can opt out via the Google Analytics Opt-out Browser Add-on, a browser tracking-protection extension, or by declining cookies in their browser settings.
  • Information you email us: Article 6(1)(b), to take steps at your request, and 6(1)(f), legitimate interests in correspondence and recordkeeping.
  • Private briefing feedback: Article 6(1)(f), legitimate interests in receiving reader corrections, understanding which coverage is useful, improving editorial quality, and preventing abuse.
  • Error monitoring: Article 6(1)(f), legitimate interests in detecting, diagnosing, and fixing bugs that affect site reliability.
  • Advertising cookies (Google AdSense): Article 6(1)(a), consent — gathered through Google's AdSense Privacy & messaging consent management platform (CMP). Visitors in the EEA, UK, or Switzerland are shown the consent prompt, built on the IAB Transparency and Consent Framework, before advertising cookies are set, and can consent, decline, or manage choices for individual ad partners through that prompt. Affiliate-tracking cookies are not yet present on the site; when affiliate content launches, the same consent flow will apply to them.
  • Future accounts: Article 6(1)(b), to provide an account-based service.

Who we share data with

We share data only with the categories of third parties listed below. We do not sell personal information for monetary consideration.

Hosting and infrastructure

  • Vercel Inc. (United States) hosts the frontend and provides analytics and performance insights.
  • Heroku (Salesforce, Inc., United States) hosts the backend and produces the request logs described above.
  • Slack Technologies, LLC (United States) receives private briefing feedback alerts so we can see reader reactions and corrections promptly.

Both are bound by their own data-processing terms.

Advertising, analytics, and affiliate partners

  • Google LLC (United States) serves display advertising via Google AdSense and provides site analytics via Google Analytics 4. Google processes the data described in the Advertising and Analytics sections above for its own purposes, in accordance with Google's privacy policy.

The site does not currently work with any affiliate networks; credit card affiliate networks are listed under "Future third parties" below.

Future third parties (planned, not yet active)

  • Credit card affiliate networks (e.g., CardRatings, FlexOffers, and individual issuer programs) and the destination issuers will receive a click signal and any further data per their own policies, once affiliate content launches.
  • Additional programmatic ad networks or direct-sold sponsorships
  • Error-monitoring services (e.g., Sentry or equivalent)

We will not enable these in production without updating this policy and, where required, providing notice and a consent mechanism.

International data transfers

The Frequent Flier is operated from the United States, and our hosting providers are also based in the United States. If you visit the site from outside the United States — including from the European Economic Area, the United Kingdom, or Switzerland — your information will be processed in the United States, which has different data-protection laws than your home jurisdiction.

Cookies and similar technologies

We set only one piece of first-party client-side storage: the tff-theme localStorage entry described above, which records your light/dark mode choice and is technically not a cookie.

The cookies you encounter on the site today are set by third parties:

  • Google Analytics 4 sets first-party analytics cookies (typically _ga and _ga_<container>) that assign a pseudonymous identifier to your browser for traffic measurement.
  • Google AdSense sets advertising cookies and similar identifiers on pages where ads are served, for ad selection, frequency capping, and reporting.

Affiliate-network tracking cookies will appear once affiliate content launches; see "Affiliate-link tracking" above.

For visitors in the EEA, UK, and Switzerland, we use Google's AdSense Privacy & messaging consent management platform (CMP) to present a consent prompt — built on the IAB Transparency and Consent Framework — before advertising cookies are set. Visitors can consent, decline, or manage choices for individual ad partners through that prompt.

For California residents and visitors in other US states with comparable privacy laws, the rights described in the "Your rights" section below apply. To exercise those rights — including opting out of any sharing of your personal information, requesting deletion, or any other right granted by your state's law — email hello@thefrequentflier.com, and we will respond within the timeframe required.

How long we keep data

  • Server logs: retained per Heroku's platform defaults, then rotated and deleted on Heroku's schedule.
  • Vercel analytics data: retained per Vercel's defaults; aggregated and not tied to individual visitors.
  • Google Analytics data: retained per the property's configured retention window in Google Analytics, then aggregated or deleted by Google per its terms.
  • Error monitoring reports: retained for a limited operational window for debugging and abuse prevention, then deleted.
  • Email correspondence: retained for as long as is reasonably useful to maintain the conversation and any related records, then deleted on a routine basis.
  • Private briefing feedback: retained for as long as reasonably useful for editorial review, abuse prevention, and coverage planning, then deleted or archived on a routine basis.

Your rights

If you are in the EEA, UK, or Switzerland

The GDPR gives you the right to access, rectify, erase, port, restrict, and object to processing of your personal data, and to withdraw any consent you have previously given. You also have the right to lodge a complaint with your national supervisory authority.

If you are a California resident

The CCPA and CPRA give you the right to know what personal information we collect, to delete it, to correct it, to opt out of any sale or sharing of it, to limit use of sensitive personal information, and not to be discriminated against for exercising these rights. Because we run programmatic display advertising via Google AdSense, the data flow involved may be considered "sharing" for cross-context behavioral advertising under California law. California residents who wish to exercise opt-out, deletion, correction, or other CCPA rights should email hello@thefrequentflier.com, and we will respond within the timeframe required by California law. We do not sell personal information for monetary consideration.

How to exercise your rights

Email hello@thefrequentflier.com with the right you want to exercise and enough information for us to identify the data in question. We will respond within the timeframe required by the applicable law.

Children

The Frequent Flier is not directed at children under 13 (per the US Children's Online Privacy Protection Act) or under 16 (per the GDPR's child-specific provisions). We do not knowingly collect personal information from anyone in those age groups. If you believe we have inadvertently collected such information, email hello@thefrequentflier.com and we will delete it.

Changes to this policy

We may update this policy. When we do, the "last reviewed" date at the top of the page will change. If a change is material — for example, the addition of a new third-party processor or a new category of data we collect — we will note it on the site for a reasonable period before it takes effect.

Contact

For any privacy question or to exercise any of the rights described above, email hello@thefrequentflier.com.