Privacy Policy
Last updated: 1 March 2026
1. Who we are
“EC261 Claim”, “we”, “us”, or “our” refers to New North Digital B.V., a private limited company incorporated under Dutch law, registered with the Dutch Chamber of Commerce (Kamer van Koophandel) under number 96506792, with its registered office in Groningen, the Netherlands, operating under the trade name EC261 Claim.
We help air passengers exercise their rights under EU Regulation 261/2004 by guiding them through the flight compensation claim process. We are the data controller for the personal data described in this policy.
You can reach us at:
- EC261 Claim
- Oosterhamrikkade 22a
- 9714 BC Groningen, the Netherlands
- Email: info@ec261claim.com
- Website: ec261claim.eu
We are not required to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR. For any privacy-related questions, you can contact us using the details above.
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is our lead supervisory authority.
2. What data we collect and why
We only collect data that is necessary to provide our service. Below is a breakdown by category.
2.1 Account information
| Data | Purpose | Legal basis |
|---|---|---|
| First name, last name | Identify you, personalize communications | Contract performance (Art. 6(1)(b) GDPR) |
| Email address | Account login, claim updates, transactional emails | Contract performance (Art. 6(1)(b) GDPR) |
| Password (hashed) | Secure account access | Contract performance (Art. 6(1)(b) GDPR) |
2.2 Claim information
| Data | Purpose | Legal basis |
|---|---|---|
| Flight details (number, date, route, airline) | Assess eligibility, generate claim letters | Contract performance (Art. 6(1)(b) GDPR) |
| Disruption details (type, duration, reasons) | Determine compensation amount and legal basis | Contract performance (Art. 6(1)(b) GDPR) |
| Situation description (free text) | Support the claim in correspondence with the airline | Contract performance (Art. 6(1)(b) GDPR) |
| Booking reference | Identify the booking with the airline | Contract performance (Art. 6(1)(b) GDPR) |
2.3 Billing and payment information
| Data | Purpose | Legal basis |
|---|---|---|
| Name, address, postal code, city, country | Invoice generation, legal correspondence | Contract performance (Art. 6(1)(b) GDPR) / Legal obligation (Art. 6(1)(c) GDPR) |
| Company name, VAT ID (if applicable) | B2B invoicing, EU reverse-charge VAT | Legal obligation (Art. 6(1)(c) GDPR) |
| Payment transaction data (amount, status, method) | Process payments, issue refunds | Contract performance (Art. 6(1)(b) GDPR) |
Payment card details are entered directly on the payment processor’s page and are never stored on our servers.
2.4 Co-passenger data
If you file a claim on behalf of fellow passengers, we collect the following from each co-passenger via a secure authorization portal:
| Data | Purpose | Legal basis |
|---|---|---|
| First name, last name | Identify the passenger in the claim | Contract performance (Art. 6(1)(b) GDPR) |
| Address (optional) | Include in claim documentation if needed | Contract performance (Art. 6(1)(b) GDPR) |
| Digital signature | Legal authorization to act on their behalf | Contract performance (Art. 6(1)(b) GDPR) |
| Email address | Send the authorization link | Contract performance (Art. 6(1)(b) GDPR) |
2.5 Uploaded documents
You may upload supporting documents such as boarding passes, booking confirmations, airline correspondence, and identification documents. These are stored securely and used solely to support your compensation claim.
2.6 Affiliate program data
If you apply to our affiliate program, we collect your name, email, website URL, and a description of how you intend to promote our service. This data is used to administer the partnership.
2.7 Cookie consent records
When you interact with our cookie consent banner, we record your choice (accept/reject/custom), a hashed version of your IP address (SHA-256, truncated), your country code, and a truncated user agent string. This is necessary to demonstrate GDPR-compliant consent management.
2.8 Is providing data mandatory?
Providing your personal data is necessary to use our service. Without it, we cannot create an account, process your claim, or generate correspondence on your behalf. You are never obliged to provide your data, but if you choose not to, we may not be able to provide the service.
3. Legal bases
We process your personal data on the following legal grounds:
- Contract performance (Art. 6(1)(b) GDPR) — Processing that is necessary to provide the service you requested, including claim processing, correspondence generation, payment handling, and account management.
- Legal obligation (Art. 6(1)(c) GDPR) — Processing required by law, such as retaining financial records for Dutch/EU tax purposes and maintaining consent records for GDPR compliance.
- Legitimate interests (Art. 6(1)(f) GDPR) — Processing where we have a legitimate business interest that is not overridden by your rights. Specifically:
- Affiliate referral tracking — to attribute commissions to our partners.
- Fraud and abuse prevention — to protect the integrity of our platform and detect misuse.
- Service improvement — to understand how our platform is used and improve the user experience (only with anonymized or aggregated data).
- Consent (Art. 6(1)(a) GDPR) — Analytics and marketing cookies are only placed after you give explicit consent. You can withdraw consent at any time via the cookie settings in our website footer.
4. Cookies and tracking
4.1 Cookies we set
| Cookie | Purpose | Category | Duration |
|---|---|---|---|
| Authentication cookies | Keep you logged in securely | Necessary | Session |
| Country detection | Determine whether to show the cookie consent banner | Necessary | 24 hours |
| Language preference | Remember your language setting | Necessary | 1 year |
| Affiliate referral | Track affiliate referrals for commission attribution | Functional | 60 days |
4.2 Local storage
| Key | Purpose | Category |
|---|---|---|
| Claim draft data | Save your progress in the claim wizard so you don’t lose your work | Necessary |
| Cookie consent preferences | Remember your cookie choices | Necessary |
| Anonymous visitor ID | Link your consent record (never connected to your identity) | Necessary |
4.3 Analytics and marketing cookies
If you give consent, we use analytics tools to understand how visitors use our website. We implement Google Consent Mode v2, which means:
- Analytics and advertising cookies are blocked by default until you give explicit consent.
- If you reject cookies or don’t consent, no analytics or marketing data is collected.
- You can change your cookie preferences at any time via the cookie settings link in our website footer.
5. Who we share data with
We share personal data only when necessary to provide our service or comply with the law. We do not sell your data. We may disclose your data to the following categories of recipients:
| Category | Data shared | Purpose | Location |
|---|---|---|---|
| Airlines | Passenger names, flight details, claim details, uploaded evidence | Pursuing your compensation claim | Varies by airline |
| Payment processor | Email, payment amount, claim reference | Processing payments securely | European Union |
| Email service provider | Email address, name, claim-related content included in emails | Sending transactional and service-related emails | EU/US (certified under EU-US Data Privacy Framework) |
| Hosting and infrastructure providers | All data necessary for platform operation (database, file storage, website delivery) | Hosting and operating the platform | EU / Global CDN |
| Analytics provider (consent only) | Anonymized usage data | Understanding how visitors use the website | EU/US (certified under EU-US Data Privacy Framework) |
| EU VAT validation service | VAT ID number (if provided) | Validating EU VAT numbers | European Union |
We have data processing agreements in place with all processors. Upon request, we can provide the names of the specific processors we use.
6. International data transfers
Some of the service providers we work with are established outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure an adequate level of protection through one or more of the following safeguards:
- The recipient is certified under the EU-US Data Privacy Framework (adequacy decision by the European Commission).
- Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR.
- The recipient is located in a country that has received an adequacy decision from the European Commission.
You may request a copy of the applicable safeguards by contacting us.
7. How long we keep your data
We follow a tiered data retention policy to minimize the personal data we hold:
| Data | Retention period | Reason |
|---|---|---|
| Draft claims (not paid) | 60 days after last activity | Allow users to resume; delete if abandoned |
| Inactive paid claims (DIY) | Up to 6 months of inactivity, then closed | Balance service obligation with data minimization |
| Uploaded documents (boarding passes, IDs, etc.) | 90 days after claim closure | No longer needed once the claim is resolved |
| Communication content (email bodies) | 90 days after claim closure | Content cleared; metadata (dates, subjects) kept for audit |
| Passenger contact details (email, address) | 90 days after claim closure | No longer needed; names kept with authorization |
| Passenger authorization documents | 7 years after claim closure | Proof of consent; aligned with financial record retention |
| Payment and invoice records | 7 years after claim closure | Dutch/EU tax law (fiscal retention obligation) |
| Claim audit trail (events log) | 7 years (anonymized) | Legal and operational audit requirements |
| User account data | Until you request deletion | You remain our customer; needed for login and claim access |
Before documents are deleted (90 days after closure), we send you a notification email with the option to download a summary of your claim.
8. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Access (Art. 15) — Request a copy of the personal data we hold about you.
- Rectification (Art. 16) — Ask us to correct inaccurate data or complete incomplete data.
- Erasure (Art. 17) — Ask us to delete your personal data, subject to legal retention obligations.
- Restriction (Art. 18) — Ask us to temporarily stop processing your data in certain circumstances.
- Data portability (Art. 20) — Receive your data in a structured, machine-readable format.
- Object (Art. 21) — Object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds.
- Withdraw consent (Art. 7) — Where we process data based on consent (e.g., analytics cookies), you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at info@ec261claim.com. We will respond within 30 days. If we need more time, we will inform you of the reason and the extension (up to two additional months).
You also have the right to lodge a complaint with the Dutch Data Protection Authority:
- Autoriteit Persoonsgegevens: autoriteitpersoonsgegevens.nl
9. Data security
We take appropriate technical and organizational measures to protect your personal data, including:
- All data is transmitted over HTTPS (TLS encryption in transit).
- Passwords are hashed and never stored in plain text.
- Database access is restricted through row-level security policies — users can only access their own data.
- Uploaded documents are stored in a private storage environment with access controls.
- Administrative access is limited to authorized staff with role-based permissions.
- IP addresses in consent records are hashed before storage.
- Automated data retention processes delete sensitive data after defined periods.
10. Automated decision-making
Our system performs an automated eligibility check when you submit your flight details. This assessment determines whether your flight disruption likely qualifies for compensation under EU Regulation 261/2004 and estimates the compensation amount. This is based on publicly available flight data (route distance, disruption type, notice period) and does not involve profiling. No decision with legal or similarly significant effects is made solely on the basis of automated processing. You are free to proceed with your claim regardless of the automated assessment.
11. Children
Our service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Changes to this policy
We may update this privacy policy from time to time. We will notify you of significant changes by email or by displaying a notice on our website. We recommend that you review this policy periodically.
13. Contact us
If you have questions about this privacy policy or how we handle your data, please contact us:
- EC261 Claim
- Oosterhamrikkade 22a
- 9714 BC Groningen, the Netherlands
- Email: info@ec261claim.com
- Website: ec261claim.eu/contact
Ready to claim your compensation?
Check your eligibility in 2 minutes. Pay only if you want to proceed.
Check Your Flight