Privacy Policy

Effective Date: February 27, 2026

This Privacy Policy describes how GYRO AI, Inc. ("we," "our," or "us") collects, uses, discloses, and protects your personal information when you visit or use the website heygyro.com (the "Site") and any related services, applications, or platforms (collectively, the "Services"). This policy applies to all users of our Services, including individual consumers and employees of our corporate clients.

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use our Services.

1. Who We Are

GYRO AI, Inc. is a Delaware corporation specializing in automated airline compensation recovery and flight credit identification services powered by artificial intelligence.

  • Registered Name: GYRO AI, Inc.
  • Address: 2578 Broadway #652, New York, NY 10025-5642, United States
  • Email: legal@heygyro.com
  • Website: heygyro.com

For purposes of applicable data protection laws (including the EU General Data Protection Regulation), GYRO AI, Inc. is the data controller for personal information processed through our consumer-facing Services. When we process data on behalf of corporate clients, we act as a data processor under the terms of our service agreements.

2. Information We Collect

a. Personal Information You Provide

  • Full name and contact information (email address, phone number)
  • Flight and travel details (airline, flight number, date, origin, destination, booking reference)
  • Uploaded documents (boarding passes, booking confirmations, receipts, correspondence with airlines)
  • Government-issued identification (passport number, national ID) when required for claim filing
  • Payment and banking information for receiving compensation payouts
  • Communication preferences and language/country settings
  • Any information you provide when contacting our support team

b. Information from Corporate Clients

When our Services are provided through a corporate client (e.g., a company that uses GYRO for employee travel recovery), we may receive employee flight booking data, travel itineraries, and related records as provided by the corporate client under the terms of our service agreement.

c. Automatically Collected Information

  • IP address and geolocation data
  • Browser type, version, and operating system
  • Device type and unique device identifiers
  • Pages visited, clickstream data, and time spent on the Site
  • Referring URL and search terms
  • Cookies, pixels, and similar tracking technologies (see Section 7)

d. Information from Third Parties

  • Flight status and disruption data from airline databases and flight tracking services
  • Regulatory and legal databases for claim eligibility verification
  • Identity verification services when required for claims processing

3. Legal Bases for Processing

We process your personal information based on the following legal grounds under applicable data protection laws:

  • Contractual Necessity: To perform our Services, including analyzing eligibility, filing claims, and processing compensation payments.
  • Legitimate Interests: To improve our platform, prevent fraud, ensure security, and communicate with you about our Services.
  • Legal Obligations: To comply with applicable laws, regulations, court orders, and regulatory requirements.
  • Consent: Where required by law, we obtain your explicit consent before processing your data, particularly for marketing communications and certain cross-border data transfers.

4. How We Use Your Information

  • Analyze your eligibility for airline compensation under applicable regulations (e.g., EU261/2004, DOT, Israeli Tibi Law, Canadian APPR)
  • File, manage, and track compensation claims and flight credit recoveries on your behalf
  • Generate and submit legal documents and regulatory filings
  • Process and remit compensation payments to you or your employer
  • Provide customer support and respond to inquiries
  • Improve, develop, and optimize our platform, AI models, and Services using aggregated and anonymized data
  • Detect and prevent fraud, unauthorized access, and other security threats
  • Comply with legal obligations and respond to lawful requests from authorities
  • Send transactional communications (claim updates, payment confirmations)
  • With your consent, send marketing communications about new features or services

5. How We Share Your Information

We may share your information with the following categories of recipients:

  • Airlines and Regulatory Bodies: To file and pursue compensation claims on your behalf.
  • Corporate Clients: When Services are provided through a corporate client, we share relevant claim status and recovery information with the client in accordance with our service agreement.
  • Partner Law Firms: Only with your consent during the legal escalation process for complex claims.
  • Service Providers: Trusted third parties who assist with hosting, cloud infrastructure, analytics, payment processing, identity verification, and customer support, subject to strict data processing agreements.
  • Government Agencies or Regulators: When required by law, court order, or regulatory requirement.
  • Professional Advisors: Legal, accounting, and insurance advisors as necessary for our business operations.
  • In Connection with Corporate Transactions: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction, subject to the same privacy protections.

We never sell your personal information to third parties for their own marketing purposes.

6. Google API Services User Data

GYRO AI's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • Limited Use: We only use data obtained through Google APIs for the purposes described in this Privacy Policy and as authorized by the user. We do not use Google user data for serving advertisements, and we do not sell Google user data to third parties.
  • Scope of Access: We request only the minimum Google API scopes necessary to provide the Recovery Service. This may include access to Gmail (to identify flight booking confirmations and airline correspondence) and Google Calendar (to identify scheduled flights). We do not request access to scopes beyond what is required for our stated functionality.
  • Data Protection for Google User Data: All data obtained through Google APIs is protected using the same security measures described in Section 12 of this policy, including encryption in transit (TLS 1.3) and at rest (AES-256), role-based access controls, and multi-factor authentication for all internal systems that access Google user data.
  • Storage and Retention: Google user data is stored on encrypted servers hosted by SOC 2 Type II and ISO 27001 certified cloud infrastructure providers. We retain Google user data only for the duration necessary to perform the Recovery Service, and delete it within 90 days of claim resolution or when the user revokes access, whichever comes first.
  • No Secondary Use: We do not use Google user data to build user profiles for advertising, market research, or any purpose unrelated to the Recovery Service. We do not combine Google user data with data from other sources for purposes outside the Recovery Service.
  • Sharing Restrictions: Google user data is not shared with third parties except: (i) as necessary to provide the Recovery Service (e.g., sharing flight details with airlines to file claims); (ii) with the user's explicit consent; (iii) as required by applicable law; or (iv) in aggregated, anonymized form that cannot identify any individual.
  • User Control: Users can revoke GYRO's access to their Google data at any time through their Google Account permissions page (myaccount.google.com/permissions) or by contacting us at legal@heygyro.com. Upon revocation, we will delete all Google user data within 30 days, except where retention is required by law.
  • AI/ML Training Disclosure: We do not use Google Workspace user data to train, improve, or develop generalized or non-personalized AI or machine learning models. Any AI processing of Google user data is performed solely to provide the Recovery Service to the specific user who authorized access.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience, analyze usage patterns, and support our Services.

  • Essential Cookies: Required for core Site functionality (authentication, security, session management). These cannot be disabled.
  • Analytics Cookies: Help us understand how visitors interact with our Site (e.g., page views, navigation patterns). We use privacy-respecting analytics tools.
  • Functional Cookies: Remember your preferences (language, region) to provide a personalized experience.

We do not use third-party advertising or behavioral tracking cookies. You can manage cookie preferences through your browser settings or our cookie consent banner. Disabling non-essential cookies will not affect core functionality.

8. AI and Automated Decision-Making

Our Services use artificial intelligence and automated processing to analyze flight data, assess claim eligibility, generate legal documents, and optimize recovery outcomes. These automated processes:

  • Are used to assist, not replace, human decision-making for significant claims
  • Do not produce legal effects or similarly significant effects on individuals without human oversight
  • Are subject to regular accuracy and bias audits

You have the right to request human review of any automated decision that significantly affects you. To exercise this right, contact us at legal@heygyro.com.

9. Payments

All payments are processed through secure, PCI-DSS compliant third-party payment processors. We do not store your full payment card information on our servers. Payment data is encrypted in transit and at rest using industry-standard protocols.

10. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this policy:

  • Active claim data: Retained for the duration of the claim process plus 90 days following resolution.
  • Completed claim records: Retained for up to 6 years to comply with applicable statutes of limitations and regulatory requirements.
  • Account information: Retained for the duration of your relationship with us, plus 3 years following account closure.
  • Marketing preferences: Retained until you withdraw consent or opt out.
  • Anonymized and aggregated data: May be retained indefinitely for analytics and service improvement purposes.

When data is no longer required, we securely delete or anonymize it in accordance with our data retention schedule.

11. International Data Transfers

Your personal information may be transferred to and processed in countries other than your country of residence, including the United States. When we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by relevant authorities
  • Other legally compliant transfer mechanisms as required by applicable law

For more information about our data transfer safeguards, contact us at legal@heygyro.com.

12. Data Security and Protection Mechanisms for Sensitive Data

We implement comprehensive administrative, physical, and technical safeguards to protect all personal information, with enhanced protections for sensitive data (including government-issued identification, payment information, and data obtained through third-party API services such as Google APIs):

a. Technical Safeguards

  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3. All internal service-to-service communications are encrypted.
  • Encryption at Rest: All stored personal data is encrypted using AES-256 encryption. Encryption keys are managed through a dedicated key management service with automatic key rotation.
  • Access Controls: Role-based access controls (RBAC) ensure that only authorized personnel can access sensitive data on a need-to-know basis. All access to sensitive data is logged and auditable.
  • Authentication: Multi-factor authentication (MFA) is required for all internal systems that handle sensitive data. We enforce strong password policies and session management controls.
  • Network Security: Our infrastructure is protected by firewalls, intrusion detection and prevention systems (IDS/IPS), and network segmentation to isolate sensitive data processing environments.
  • Vulnerability Management: We conduct regular vulnerability scans and annual penetration testing by independent third parties. Critical vulnerabilities are remediated within defined SLA timeframes.

b. Administrative Safeguards

  • Security Policies: We maintain written information security policies and procedures that are reviewed and updated at least annually.
  • Employee Training: All employees and contractors who handle personal data receive security awareness training upon onboarding and at least annually thereafter.
  • Confidentiality Agreements: All employees and contractors are bound by confidentiality and non-disclosure agreements.
  • Background Checks: Background checks are conducted for personnel with access to sensitive data.
  • Vendor Management: Third-party service providers who process sensitive data on our behalf are subject to security assessments and are contractually required to maintain equivalent security standards.

c. Physical Safeguards

  • Our cloud infrastructure is hosted by SOC 2 Type II and ISO 27001 certified providers with physical access controls, 24/7 surveillance, and environmental protections.
  • We do not store sensitive data on local devices or removable media.

d. Incident Response

  • We maintain a documented incident response plan that includes procedures for detection, containment, investigation, notification, and remediation of security incidents.
  • In the event of a data breach involving sensitive data, we will notify affected individuals and relevant authorities within 72 hours as required by applicable law (see Section 6.4 regarding Google user data).

While we strive to protect your information using industry-leading security measures, no method of electronic transmission or storage is 100% secure. If you believe your account has been compromised, please contact us immediately at legal@heygyro.com.

13. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data, subject to legal retention obligations.
  • Right to Restrict Processing: Request limitation of how we process your data in certain circumstances.
  • Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw at any time without affecting prior processing.
  • Right to Non-Discrimination: Exercise your privacy rights without receiving discriminatory treatment.
  • Right to Human Review: Request human review of significant automated decisions (see Section 8).

Exercising Your Rights

To exercise any of these rights, contact us at: legal@heygyro.com. We will respond to verified requests within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

U.S. State Privacy Rights

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or other states with comprehensive privacy laws, you may have additional rights including the right to opt out of the sale or sharing of personal information, the right to limit use of sensitive personal information, and the right to appeal a decision regarding your privacy request. We do not sell personal information. To submit a request, contact legal@heygyro.com.

14. Children's Privacy

Our Services are not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to promptly delete such information. If you believe a child has provided us with personal information, please contact us at legal@heygyro.com.

15. Third-Party Links and Services

Our Site may contain links to third-party websites, services, or applications. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

16. Do Not Track Signals

Our Site respects Do Not Track (DNT) browser signals. When we detect a DNT signal, we disable non-essential tracking and analytics cookies for that session.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (if we have your email address) or by posting a prominent notice on our Site at least 30 days before the changes take effect. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised policy.

18. Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us at:

GYRO AI, Inc.
2578 Broadway #652
New York, NY 10025-5642
United States
Email: legal@heygyro.com

If you are located in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.