Privacy Policy
Last updated: 9 July 2026 · DRAFT — pending review by legal counsel
1. Who we are
This website, lufthof.com (the “Site”), is operated by Blackcat Capital Inc., 9 Duke Street, St. Catharines, Ontario L2R 5W1, Canada — an Ontario (Canada) corporation operating as “Lufthof” (“Lufthof”, “we”, “us”). For the purposes of the EU General Data Protection Regulation (GDPR), we are the controller of personal information described in this policy. For Canadian law, we are the organization accountable under the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Quebec’s Act respecting the protection of personal information in the private sector.
Privacy contact: privacy@lufthof.com. Our designated privacy officer (Quebec: person in charge of the protection of personal information) is John Muratori.
2. What we collect
- Enquiry and booking details you give us — name, email address, the journey or vehicle you are interested in, dates, delivery location, and anything you write in the message field, together with subsequent correspondence.
- Technical data — when you visit the Site our hosting provider (Cloudflare, Inc.) processes your IP address, browser information and request logs as strictly necessary to deliver the Site securely and defend against abuse.
We do not collect payment details through this Site. We do not buy, sell or trade personal information.
3. Why we use it, and on what legal basis
- Responding to your enquiry or booking request — necessary to take steps at your request before entering a contract (GDPR Art. 6(1)(b)); under PIPEDA, purposes a reasonable person would consider appropriate, with your consent.
- Arranging and performing your journey or rental — performance of a contract (Art. 6(1)(b)).
- Occasional news by email — only if you tick the optional box (consent, Art. 6(1)(a); express consent under Canada’s Anti-Spam Legislation). Every message includes an unsubscribe link, and you can withdraw at any time.
- Site security and abuse prevention — our legitimate interests (Art. 6(1)(f)) in operating a safe website.
- Legal obligations — retaining records where tax, accounting or other laws require it (Art. 6(1)(c)).
4. Cookies and similar technologies
We deliberately run this Site without analytics, advertising or cross-site tracking of any kind, which is why you do not see a cookie banner. The only cookies that may be set are strictly necessary security cookies placed by our infrastructure provider Cloudflare (for example __cf_bm, used for bot mitigation, lifetime under 30 minutes). Such strictly necessary cookies are exempt from consent requirements under the ePrivacy rules. Web fonts are served by Bunny Fonts (BunnyWay d.o.o., EU), a service designed for GDPR compliance which states that it does not log or store visitor IP addresses. If we ever introduce analytics or marketing cookies, we will first update this policy and implement a consent mechanism.
5. Who we share it with
- Cloudflare, Inc. — website hosting, content delivery and security (processor).
- BunnyWay d.o.o. (Bunny Fonts, EU) — delivery of web fonts; receives the technical request data needed to serve the font files and states that it does not log or store visitor IP addresses.
- Google LLC — our email is handled through Google’s email services; enquiry details reach us as email (processor).
- Partner operators — where a rental or experience is fulfilled by a licensed partner fleet or local supplier (hotels, restaurants, event providers), we share the details needed to deliver what you booked.
- Professional advisers and authorities — where necessary for legal compliance, insurance or the defence of legal claims.
6. International transfers
We are based in Canada, which the European Commission recognises as providing adequate protection for personal data handled under PIPEDA. Some of our processors (Cloudflare, Google) are U.S. companies certified under the EU–U.S. Data Privacy Framework and/or bound by Standard Contractual Clauses. Where personal data leaves the EEA, the UK or Canada, we rely on these safeguards.
7. How long we keep it
- Enquiries that do not lead to a booking — deleted no later than 24 months after our last exchange.
- Booking records — kept for 7 years to meet tax, accounting and insurance obligations.
- Marketing consents — until you withdraw, or after 24 months without any interaction from you.
8. Your rights
Depending on where you live, you have the right to access the personal information we hold about you; to have it corrected or completed; to have it deleted; to restrict or object to our processing of it; to receive it in a portable format; and to withdraw any consent at any time without affecting prior processing. Quebec residents additionally benefit from rights under Law 25, including the right to ask that dissemination of their information cease. To exercise any right, email privacy@lufthof.com — we respond within 30 days.
You may also complain to a supervisory authority: in the EU, your local data protection authority; in Canada, the Office of the Privacy Commissioner of Canada; in Quebec, the Commission d’accès à l’information.
9. Other things you should know
- The Site is not directed at children and we do not knowingly collect information from anyone under 18.
- We do not use automated decision-making or profiling that produces legal or similarly significant effects.
- We take reasonable technical and organisational measures to protect personal information, including encryption in transit (TLS) and access limited to those who need it.
10. Changes and contact
We will post any changes to this policy on this page with a new “last updated” date. Questions and requests: privacy@lufthof.com, or by post to Blackcat Capital Inc., 9 Duke Street, St. Catharines, Ontario L2R 5W1, Canada.