Version 1 - 2025 

Data Protection Information Sheet

(Art. 13,14 EU-GDPR)
 

1. Controllers

The primary data controller under the EU General Data Protection Regulation (GDPR) for the operation of the ticris courier platform and all related courier services and operational activities within the FLYTRIX network is:

FLYTRIX EMEA GmbH
Adlzreiterstr. 11, 83022 Rosenheim, Germany
Email: office@flytrix.com

In the context of your registration, use of the ticris platform, and participation in courier assignments under the Courier Framework Agreement, FLYTRIX EMEA GmbH, Adlzreiterstr. 11, 83022 Rosenheim, Germany and FLYTRIX Americas LLC, 222 N Pacific Coast Hwy, Floor 10, El Segundo, CA 90245, United States of America, jointly determine the purposes and means of processing your personal data. They therefore act as joint controllers within the meaning of Article 26 GDPR and are hereinafter collectively referred to as “FLYTRIX.”

A joint-controller arrangement governs this relationship and ensures that: responsibilities for GDPR compliance and the exercise of your rights are clearly defined; and FLYTRIX EMEA GmbH serves as the primary contact point for EU/EEA-based data-subject requests.

Additionally, FLYTRIX Americas LLC acts as an independent controller under applicable U.S. data-protection laws for processing operations performed in or from the United States- such as platform hosting, communication, documentation, and performance record-keeping on U.S.-based infrastructure - irrespective of the origin or location of a mission.

2. Categories of Personal Data Processed

Personal data is collected primarily when you register or update your courier profile on the ticris platform, and during the performance of courier assignments under the Courier Framework Agreement. Data may also be generated automatically by the system (e.g., location or activity logs) or provided by third parties involved in the same transport chain (for example, clients, subcontractors, or customs and airline representatives).

FLYTRIX collects and processes personal data necessary for the registration, verification, and performance of courier services, as well as for compliance and operational coordination within the FLYTRIX network. Depending on your role, status, and the missions performed, the following categories of data may be processed through the ticris courier platform and other systems:

• Identification Data
  Full name, date of birth, nationality, sex, passport and visa information (including scanned copies and validity dates), frequent flyer memberships, APEC Business Travel Card (ABTC) details, and other travel authorizations.
• Contact and Business Data
  Contact phone numbers, email addresses, postal address, home airport, business type (natural person or entity), and courier availability status.
• Travel and Operational Data
  Vehicle details (make, model, license plate, color), driving license, nearby airports, credit card limit, tracking device information, travel permissions and entry eligibilities, and real-time or historical location data (including map-based location entered or determined through device features). This also includes flight itineraries, mission records, check-in times, handover locations, baggage or cargo details, and operational status information.
• Health and Safety Data *
  Vaccination records (e.g., Yellow Fever, COVID-19, or other mandated immunizations), and any relevant documentation necessary to perform courier services safely and lawfully.
• Financial and Tax Data
  Tax identification numbers (e.g., Tax ID, VAT ID, W9), payment or reimbursement details, invoice and compensation information, and any supporting documentation for tax or compliance purposes.
• Profile and Evaluation Data
  Performance metrics, dependability or reliability assessments, and verification history of submitted documents (including sign-off details). This may also include information on subcontracting, vendor relationships, or customer evaluations.
• Communication Data
  Operational and administrative correspondence exchanged through the ticris platform or via other communication channels such as email, phone, or messaging applications (e.g., WhatsApp, Telegram, email).
• Technical Data (Platform Use)
  Login credentials, account activity, timestamps, and platform-generated metadata required to maintain the integrity and security of your courier profile and assignments.

FLYTRIX may require you to update or verify these details periodically to ensure operational accuracy and legal compliance.

* We only process health data for readiness purposes if you voluntarily provide it. You may withdraw your consent at any time without any consequences.

3. Purposes and Legal Basis for Processing Personal Data

FLYTRIX processes personal data only where necessary for the registration, coordination, and execution of courier services and related administrative or compliance obligations.

Processing takes place in accordance with Articles 6 and 9 GDPR, depending on the category of data and purpose involved.

* We only process health data for readiness purposes if you voluntarily provide it. You may withdraw your consent at any time without any consequences.

4. Recipients of Personal Data

In the course of providing services and operating the ticris courier platform, your personal data may be shared with various third parties. These recipients fall into two main categories, depending on whether they process data on behalf of FLYTRIX or act as independent controllers.

A. Service Providers Processing Data on Behalf of FLYTRIX (Processors)

FLYTRIX relies on technical and administrative service providers to operate its platform and day-to-day business functions. Depending on the region and responsible entity, these providers may process data within or outside the EU/EEA, including on servers located in the United States.

• Where the processing is managed by FLYTRIX EMEA GmbH, FLYTRIX seeks to conclude data-processing agreements compliant with Article 28 GDPR.
• Where the processing is managed by FLYTRIX Americas LLC, including for EU courier data handled on U.S. systems, the processing is carried out under U.S. law and the contractual terms of the relevant provider.

In such cases, FLYTRIX EMEA GmbH has limited or no control over the provider's data handling beyond the safeguards agreed between the joint controllers.

Examples of such providers include:

• cloud-hosting and platform-operation services supporting ticris;
• identity-verification and document-validation services;
• payment and financial-administration platforms;
• communication and coordination tools;
• IT maintenance and support contractors.

FLYTRIX selects all providers with due care and applies reasonable technical and contractual safeguards, but acknowledges that some processing occurs under foreign legal regimes beyond FLYTRIX EMEA GmbH’s effective control.

B. Independent Third-Party Recipients (Controllers)

Certain data must be shared with third parties that act as independent controllers, determining their own purposes and means of processing.
Such entities include:

• Clients and business partners, receiving courier details and performance information to complete missions;
• Airlines, airports, customs, and immigration authorities, for identification, booking, or entry clearance;
• Public authorities, including law-enforcement, tax, or judicial bodies, where legally required;
• Insurance providers and brokers, for coverage or claims handling;
• Legal advisors, auditors, or regulators, for dispute resolution or compliance matters.

Once data has been shared with such entities, FLYTRIX cannot fully influence or monitor how it is further processed or retained.

C. International Transfers

Because FLYTRIX operates globally, personal data - including data of EU couriers - may be stored or accessed in the United States or other non-EU countries.
Transfers between FLYTRIX EMEA GmbH and FLYTRIX Americas LLC occur under intra-group arrangements and, where applicable, the EU Standard Contractual Clauses (SCCs).

However, when FLYTRIX uses U.S.-based third-party providers, those providers are subject to U.S. jurisdiction and may be legally obliged to disclose data to U.S. authorities.

While FLYTRIX EMEA GmbH and FLYTRIX Americas LLC take reasonable steps to ensure a comparable level of protection, complete equivalence with EU data-protection standards cannot be guaranteed.

See Section 5 for more details on international data transfers and safeguards.

5. International Data Transfers

Because FLYTRIX operates a globally connected courier network and platform (ticris), personal data may be accessed, stored, or processed in countries outside the European Union (EU) and European Economic Area (EEA), including the United States and other locations where operational partners or clients are based.

A. Data Transfers Within FLYTRIX

Personal data may be shared between:

• FLYTRIX EMEA GmbH, Germany, and
• FLYTRIX Americas LLC, United States,

for purposes of operating the ticris platform, assignment coordination, administration, and customer communication.

These transfers enable the joint management of the ticris platform, courier coordination, performance monitoring, customer communication, and mission logistics across time zones.

Transfers between these entities are governed by an intra-group data-sharing arrangement based on the EU Standard Contractual Clauses (SCCs) and the joint-controller arrangement under Article 26 GDPR.

Both entities take reasonable technical and contractual measures to protect data; however, information stored or processed in the United States may be subject to U.S. jurisdiction and public-authority access laws. FLYTRIX acknowledges that full equivalence with EU data-protection standards cannot be guaranteed.

B. Transfers to External Third Parties

Personal data may also be transferred to external systems or partners located outside the EU/EEA where this is necessary to operate the ticris platform and to coordinate FLYTRIX’s global courier network. Such transfers can occur, for example, when:

• couriers access ticris from outside the EU/EEA,
• operational data is exchanges with client or handler systems, or
• third-party tools used for authentication, messaging, or document exchange process information on non-EU infrastructure.

These transfers are limited to what is operationally required to maintain the platform and ensure reliable courier coordination.

Such transfers may be necessary for the provision of ticris platform services and related operational activities, or for the implementation of pre-contractual measures at your request, in accordance with Article 49(1)(b) GDPR.

C. Potential Risks of Third-Country Transfers

When your data is transferred to such countries, the following risks may apply:

Lack of enforceable data subject rights

• No independent supervisory authority to oversee the recipient
• Possibility of access by local authorities without EU-equivalent safeguards
• Limited legal remedies available to you

We provide this information to ensure full transparency and compliance with Art. 13(1)(f) and Art. 14(1)(f) of the GDPR.

6. Retention Periods

Your personal data is stored and processed in connection with your registration and participation on the ticris platform, as well as your operational activities within the FLYTRIX global network. As a general principle, FLYTRIX retains personal data only for as long as it is necessary to operate the platform, coordinate activities, and meet applicable legal, operational, and compliance requirements.
Retention periods are determined by the purpose of processing, statutory obligations, and technical necessity.

A. Active Platform Participation

While your ticris account remains active, FLYTRIX retains personal data required to:

• operate and maintain your courier profile,
• coordinate courier assignments and operational activities,
• ensure communication and service reliability, and
• comply with legal, tax, and aviation-security requirements.

This includes your identification data, contact details, courier profile, operational and location data, and any documentation submitted (for example, passport scans or vaccination records, where applicable). FLYTRIX regularly reviews the relevance of retained information for active couriers to ensure that only data necessary for current operations is maintained in active systems.

B. How to deactivate your account

To request that you ticris Account and associated data be deleted, follow these steps:

1. Send an email from the email address linked to your ticris account to the address below.
2. Use the subject template provided so we can identify and process your request correctly.
3. You will receive a confirmation reply. Account and data deletion will be completed within 30 days of verification

Send your deletion request to: ops@flytrix.com
Suggested subject: Account Deletion Request - ticris.

Note that the ticris is the platform used for operational coordination across all FLYTRIX companies. Without a ticris account, we are unable to assign shipments to you. If you wish to delete your ticris account, we may have to terminate your existing courier contract with us.

C. After Platform Deactivation or Inactivity

Once your ticris account is deactivated, or when you have been inactive for an extended period, FLYTRIX will delete or anonymize the following data:

• Identification Data (Full name, date of birth, nationality, sex, passport and visa information, frequent flyer memberships, APEC Business Travel Card details, and other travel authorizations)
• Contact and Business Data (Contact phone numbers, email addresses, postal address, home airport, business type (natural person or entity), and courier availability status)
• Profile and Evaluation Data (Performance metrics, dependability or reliability assessments, and verification history of submitted documents).
• Health and Safety Data (Vaccination records, and any relevant documentation necessary to perform courier services safely and lawfully)
• Technical Data (Login credentials, account activity, timestamps, and platform-generated metadata required to maintain the integrity and security of your courier profile and assignments)
• Travel and Operational Data (Vehicle details, driving license, nearby airports, credit card limit, tracking device information, travel permissions and entry eligibilities, and real-time or historical location data (including map-based location entered or determined through device features. This includes mission records, check-in times, handover locations, baggage or cargo details, and operational status information). 

We will retain only the data necessary for legal compliance, dispute resolution, or operational recordkeeping.

After these periods expire, personal data is either deleted or anonymized, unless continued retention is legally required.

D. Anonymization and Deletion

Where feasible, personal data that is no longer required for operational or legal purposes is anonymised and may be used only for statistical, analytical, or historical purposes. Data that cannot be lawfully retained or anonymised will be deleted in a secure and traceable manner, in accordance with internal retention and deletion procedures.

E. Couriers Without ticris Platform Participation

If you participate in FLYTRIX operations without maintaining an ongoing courier account (for example, if you accept one-time or occasional assignments), FLYTRIX processes and retains your data only for as long as necessary to complete the relevant operational activity and comply with applicable requirements.

This includes retention for:

• processing and documentation of the assignment,
• meeting legal, regulatory, and tax obligations (e.g., invoicing, customs, aviation-security compliance), and
• establishing or defending potential legal claims.

If no further missions are assigned or foreseeable, FLYTRIX periodically reviews whether continued retention remains necessary and deletes or anonymizes the data when no longer required.

7. Your Rights

A. Rights under the GDPR

As a data subject under the EU General Data Protection Regulation (GDPR), you have the following rights with regard to the processing of your personal data, as provided in Articles 12 to 21 GDPR:

• Right of access (Art. 15 GDPR): You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and related information. We maintain internal evaluation records to support service quality. While you may request access to your personal data, certain internal assessments may be partially redacted to protect internal business interests or the confidentiality of other individuals under Article 15(4) GDPR.
• Right to rectification (Art. 16 GDPR): You have the right to obtain the correction of inaccurate personal data concerning you, or to have incomplete data completed.
• Right to erasure (Art. 17 GDPR): In certain circumstances, you may request the deletion of your personal data, for example if the data is no longer necessary for the purposes for which it was collected, or if you withdraw your consent (where applicable).
• Right to restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your personal data under specific conditions, such as if you contest the accuracy of the data or object to its processing.
• Right to data portability (Art. 20 GDPR): Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to have it transmitted to another controller where technically feasible.
• Right to object (Art. 21 GDPR): Where your data is processed on the basis of our legitimate interests (Art. 6(1)(f) GDPR), you have the right to object to such processing on grounds relating to your particular situation, unless we can demonstrate compelling legitimate grounds to continue processing.
• Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent (e.g. health-related data required for specific travel destinations), you may withdraw that consent at any time. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

To exercise any of the above rights, you may contact us at:

Email: office@flytrix.com

We may need to verify your identity before responding to your request. We will process your request without undue delay and in any case within one month, in accordance with Article 12 GDPR.

B. Important Note on Rights and Third-Country Data Transfers

Please note that some of your personal data may be transferred to, or accessed by, independent third-party controllers (e.g. clients, airlines, public authorities) located outside the EU/EEA, particularly in countries that do not provide an adequate level of data protection within the meaning of Art. 45 GDPR.

Once transferred, those independent recipients may process your data under their own legal regimes and policies. In such cases, your ability to exercise these rights under Articles 15–21 GDPR in relation to independent recipients may be restricted under applicable local laws, and FLYTRIX cannot guarantee that those third-country recipients will fulfill your request (e.g. for access, rectification, or erasure).

Where applicable, we will apply appropriate safeguards in accordance with Art. 46 GDPR when transferring data to such recipients. However, we remain transparent that full enforcement of your GDPR rights cannot always be ensured outside the EU/EEA.

We will assist you in asserting your rights to the extent possible under applicable law.

8. Right to Lodge a Complaint

If you believe that your personal data is being processed unlawfully or that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).

In Germany, the competent authority is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 27, 91522 Ansbach, Germany
Website: www.lda.bayern.de

9. Automated Decision-Making

We do not use automated decision-making, including profiling, within the meaning of Article 22 GDPR that would produce legal effects or similarly significant consequences for you.

10. Contact and updates to this notice

For all data protection matters, including exercising your rights or requesting further information, please contact:

Email: office@flytrix.com

Any updates will be provided via email.