Privacy Policy

FlyToChange

Last updated: 25 May 2026

This Privacy Policy explains how we collect, use and protect the personal data of users of the website www.flytochange.club, participants in masterminds, and individual clients using our travel design and themed expedition services. This document has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), the Polish Act of 10 May 2018 on the Protection of Personal Data, and the Act of 18 July 2002 on the Provision of Services by Electronic Means.

Table of contents
  1. General provisions and data controller
  2. Use of the website (cookies, forms, contact)
  3. Participation in masterminds (Pillar 1)
  4. Designing individual journeys (Pillar 2)
  5. Themed expeditions (Pillar 3)
  6. Marketing and communication
  7. Your rights and contact
Part I

General provisions and data controller

1. Controller of personal data

The controller of your personal data, processed in connection with your use of the website www.flytochange.club and in connection with the services provided as part of the FlyToChange project, is:

GlobalLCB Limited
Registration number: 76667656
Registered office address: Flat A, 15/F, Hillier Commercial Building, 65-67 Bonham Strand East, Sheung Wan, Hong Kong

Contact for personal data protection matters: info@flytochange.club

By using the website, contacting us or providing us with your data in any other way, you confirm that you have read this Privacy Policy.

2. Scope of this Policy

This Policy covers all the ways in which FlyToChange processes your data. In particular:

  • use of the website www.flytochange.club
  • contact via forms, email or telephone
  • participation in mastermind programmes (Pillar 1)
  • commissioning the design of an individual journey (Pillar 2)
  • taking part in a themed expedition (Pillar 3)
  • marketing communication and newsletter

For each of the above uses, a separate part of this Policy has been provided, describing in detail the categories of data, the purposes, the legal bases, the recipients and the retention period.

Note on the legal classification of our services: FlyToChange provides training services (masterminds, Pillar 1) and individual travel consulting (journey design, Pillar 2, and themed expeditions, Pillar 3). It is not a tour operator or a travel intermediary within the meaning of the Act of 24 November 2017 on Package Travel and Linked Travel Arrangements. Accordingly, FlyToChange is not subject to the obligation to register in the Central Register of Tour Operators and Travel Intermediaries kept by the Marshals of the Voivodeships, and does not hold the bank or insurance guarantee required of tour operators. Each client is responsible for taking out their own travel insurance, in accordance with the provisions of the participation agreement or the travel design agreement.

3. Key terms

Personal data means any information that makes it possible to identify a natural person (e.g. first name, surname, email address, telephone number, passport number).

Processing means any operation performed on personal data (collection, storage, use, sharing, deletion).

GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.

Controller is the entity that determines the purposes and means of processing the data (in our case, GlobalLCB Limited).

4. General principles of processing

We process your data in accordance with the following principles:

  • Lawfulness. Every act of processing has a legal basis indicated in Article 6 of the GDPR (or Article 9 for special category data)
  • Purpose limitation. We use the data solely for the purpose for which it was collected
  • Minimisation. We collect only the data that is necessary to achieve the given purpose
  • Accuracy. We take care to keep the data up to date and correct, and we rectify errors
  • Storage limitation. We store the data only for as long as is necessary to fulfil the purpose or as required by law
  • Integrity and confidentiality. We apply technical and organisational measures protecting the data against unauthorised access, loss or disclosure
Part II

Use of the website

5. Technical data collected automatically

While you use the website www.flytochange.club, we automatically collect:

  • the IP address of the device you are using
  • the type of web browser and operating system
  • browser language
  • the date and time of your visit, time spent on individual subpages
  • the address of the page from which you reached us (referrer)
  • clicks and interactions (anonymous, aggregated)

Purpose: ensuring the proper operation of the website, traffic analysis, improving functionality, security.

Legal basis: Article 6(1)(f) of the GDPR (legitimate interest of the controller, operating and improving the website).

6. Contact forms

When you reach out to us via a form on the website (e.g. the consultation form on the planning subpage), we collect the data you have voluntarily provided:

  • first name and surname
  • email address
  • telephone number (optional)
  • the content of your message
  • the context of the enquiry (preferred destination, dates, number of people, budget, if provided)

Purpose: handling your enquiry, responding by email or telephone, and further communication concerning services.

Legal basis: Article 6(1)(b) of the GDPR (steps taken with a view to entering into a contract) and Article 6(1)(f) of the GDPR (legitimate interest, communication with an interested person).

7. Cookies

The FlyToChange website uses cookies (small text files saved in your browser) in order to ensure proper operation, analyse traffic, deliver personalised content and communication.

Categories of cookies used on our website:

Category Description Basis
Essential Ensure the proper operation of the website (e.g. remembering the session, cookie consent). They cannot be disabled. Legitimate interest (Article 6(1)(f) of the GDPR)
Functional Remember your preferences (e.g. language). They require your consent. Consent (Article 6(1)(a) of the GDPR)
Analytical Help us understand how you use the website (aggregated, anonymous). They require your consent. Consent (Article 6(1)(a) of the GDPR)
Marketing Enable the tailoring of advertisements and remarketing. They require your consent. Consent (Article 6(1)(a) of the GDPR)

Specific cookies used on our website:

Name / Provider Purpose Category Duration
flytochange_cookie_consent
FlyToChange (localStorage)		 Remembering your decision regarding cookie consent Essential Indefinite, until browser data is cleared
Firebase Hosting
Google LLC, United States		 Website hosting, performance delivery (CDN) Essential Session
EmailJS
EmailJS, Estonia		 Sending messages from the contact form Functional Session
Google Maps (iframe on selected subpages)
Google LLC, United States		 Displaying destination maps Functional In accordance with Google's policy
Google Calendar (booking link for meetings)
Google LLC, United States		 Cookies set after switching to the Google Calendar tool Functional (external) In accordance with Google's policy
Google Analytics 4 (planned implementation)
Google LLC, United States		 Website traffic analysis (aggregated, anonymous statistics). Helps us understand how users use the website Analytical _ga: 2 years; _ga_*, _gid: 24 hours
Stripe (online payments, planned implementation)
Stripe Payments Europe Ltd, Ireland		 Handling card payments, fraud prevention, transaction authorisation Essential for payment operations __stripe_mid: 1 year; __stripe_sid: 30 minutes
MailerLite (newsletter, planned implementation)
MailerLite Limited, Ireland		 Sending the newsletter, tracking opens and clicks in messages (when you have subscribed to the newsletter) Functional (subscription) and marketing (campaign analytics) In accordance with MailerLite's policy
Meta Pixel (Facebook/Instagram advertising, planned implementation)
Meta Platforms Ireland Ltd, Ireland		 Measuring advertising effectiveness, remarketing to people who have visited the website, creating lookalike audiences Marketing _fbp: 90 days; _fbc: 90 days
Microsoft Clarity (behaviour analysis, planned implementation)
Microsoft Corporation, United States		 Heatmaps, session recordings (anonymised), analysis of the user's path on the website. All sensitive data is masked Analytical _clck: 1 year; _clsk: 24 hours

Note on planned tools: some of the above tools are currently in the planning phase of implementation. The list is disclosed openly so that, should implementation take place, no update to the Privacy Policy is required. Any tool requiring consent (analytical, marketing) is activated only after your acceptance in the cookie banner.

Your consent: On your first visit we display a cookie banner. You may give consent or reject non-essential cookies. The decision is saved locally in your browser.

Managing cookies in your browser: At any time you may clear cookies or change the settings in your browser. Instructions for popular browsers:

  • Chrome: Settings → Privacy and security → Cookies
  • Safari: Preferences → Privacy → Manage Website Data
  • Firefox: Settings → Privacy & Security → Cookies and Site Data
  • Edge: Settings → Cookies and site permissions

Disabling cookies may cause some functions of the website not to work properly (e.g. the contact form).

Part III

Participation in masterminds (Pillar 1)

8. Mastermind participant data

When you apply to take part in a mastermind (a FlyToChange training programme), we collect the following categories of data:

Contact and company data:

  • first name and surname
  • company name and tax identification number (NIP) (masterminds are a B2B training service)
  • company registered office address
  • email, telephone

Travel data of the participant and accompanying persons:

  • first name and surname of all travelling persons
  • date of birth (for accommodation booking and insurance)
  • passport data (number, country of issue, expiry date)
  • flight booking references (if you have arranged them yourself)

Special category data (Article 9 of the GDPR), solely with your consent:

  • allergies and dietary restrictions
  • mobility restrictions and special needs
  • relevant health information affecting safety (e.g. chronic conditions requiring special care at the destination)

Financial data:

  • payment card or account details (handled by the payment operator, not stored by FlyToChange)
  • invoice details

9. Purposes of processing in masterminds

  • Performance of the participation agreement (Article 6(1)(b) of the GDPR)
  • Safety of the participant and the group (Article 6(1)(d) of the GDPR, vital interests)
  • Booking of accommodation, transfers and experiences with local partners (performance of the contract)
  • Handling payments and settlements (Article 6(1)(b) of the GDPR, performance of the contract, and Article 6(1)(c) of the GDPR, legal obligation of the controller arising from accounting and tax regulations)
  • Handling complaints and disputes (legitimate interest)

10. Confidentiality of the mastermind group

A mastermind is a group format based on discretion and trust. Each participant undertakes to maintain full discretion regarding the content of the sessions and the identity of the other participants. Detailed confidentiality rules are set out in the participation agreement.

FlyToChange, as the organiser, undertakes not to disclose the names of participants in any public materials without their explicit, separate consent.

11. Retention period for participant data

We retain the data of mastermind participants for a period of 5 years from the end of the programme, in accordance with the accounting obligation and the limitation period for claims. Special category data (health, dietary, passport) is deleted immediately after the end of the programme, no later than 30 days afterwards.

Part IV

Designing individual journeys (Pillar 2)

12. Data collected as part of journey design

When you reach out to us to plan an individual journey (via the journey-design or planning subpage), we collect:

Basic contact data:

  • first name and surname, email address, telephone number
  • preferred form of contact (email, telephone)

Travel and logistical data:

  • preferred or considered destination
  • travel dates (a range or specific)
  • number of participants (adults, children, accompanying persons)
  • preferred budget
  • travel style and preferences
  • experience from previous journeys (as context for matching)

Participant data: first names, dates of birth, passport data (number, country of issue, expiry date), flight booking references if already available.

Special category data (solely with consent): allergies, mobility restrictions, relevant health information.

Financial data: card details (via the payment operator), invoice details.

13. Purposes and legal bases (journey design)

  • Performance of the journey design commission (Article 6(1)(b) of the GDPR)
  • Communication during planning (performance of the contract)
  • Booking of services with local partners (performance of the contract)
  • Safety of you and your companions during the journey (Article 6(1)(d) of the GDPR, vital interests)
  • Handling payments and settlements (Article 6(1)(b) of the GDPR, performance of the contract, and Article 6(1)(c) of the GDPR, legal obligation of the controller arising from accounting and tax regulations)
  • Handling complaints (Article 6(1)(f) of the GDPR, legitimate interest)
  • Marketing of further offers (Article 6(1)(a) of the GDPR, solely with consent, which you may withdraw at any time)

14. Data recipients in journey design

In order to realise your journey, we pass selected data to the following categories of recipients:

Local partners at the destination:

  • hotels and villas (booking, preferences, arrival time)
  • airport transfers and local transport (time, place, number of people)
  • local guides and experience operators (daily programme, emergency contact)
  • restaurants (preferences, allergies, reservation time)
  • spas and wellness facilities (preferences, any health restrictions)

FlyToChange technical operators:

  • payment operator (Stripe or equivalent)
  • email platform (EmailJS or equivalent)
  • website hosting (Firebase, Google LLC)
  • email and telephone communication tools

Other entities (only where required by law): state authorities (at the request of a court or an authorised body), an insurer (where needed to pay out a benefit), FT2C legal advisers (in the event of a dispute).

We always pass on only the data necessary for the specific service. The hotel does not receive your health data unless it is necessary for safety. The transfer receives the time and number of people, not passport data. The payment operator handles the transaction, and does not know your family's data.

15. Transfer of data outside the European Economic Area

Most of our destinations are located in countries that are third countries in relation to the EEA, for which the European Commission has not issued an adequacy decision:

  • Vietnam (East Asia)
  • Thailand (East Asia)
  • Indonesia, including Bali (East Asia)

Some destinations are within the EEA and are automatically safe:

  • France (EU)
  • Italy (EU)

Legal basis for the transfer to third countries: we distinguish two types of recipient:

  • Partners at the destination (hotel, transfer, restaurant, medical care in an emergency): the transfer is necessary for the performance of the travel contract concluded with you (Article 49(1)(b) of the GDPR) and takes place with your explicit consent given by acceptance of this Privacy Policy (Article 49(1)(a) of the GDPR). Without this we are unable to deliver a journey to a destination outside the EEA.
  • Technology service providers (payments, email, analytics): the transfer is based on the Standard Contractual Clauses (SCCs) adopted by the European Commission.

Informed consent, transfer risks: before giving consent you should be aware that the standards of personal data protection in the listed Asian countries may differ from those in the EEA. Specific risks:

  • local state authorities may have broader access to data than in the EU
  • enforcement of your GDPR rights (access, rectification, erasure) may be more difficult vis-à-vis local partners
  • the level of protection depends on the specific partner at the destination (hotel, transfer, restaurant)
  • in the event of a dispute, the applicable law may require claims to be pursued before a court in the destination country

These risks are inherent in the nature of travel to these countries. By choosing to travel, you accept them knowingly. If you prefer to avoid transferring data to Asia, we can propose destinations within the EEA (France, Italy, Greece, Spain, Portugal).

Scope of the transfer: solely the data necessary to provide the specific service at that destination (hotel booking, transfer, restaurant reservation, medical care in an emergency). Special category data (health, allergies) is transferred only where it is necessary for safety and solely to an entity obliged to protect it.

Protective measures: with technology service providers outside the EEA we enter into the Standard Contractual Clauses (SCCs) adopted by the European Commission. Partners at the destination are selected from entities that meet data protection standards analogous to the GDPR, and we share with them only the data necessary for their part of the service.

16. Retention period (journey design)

Category of data Retention period
Consultation correspondence without a contract being concluded 12 months from the last contact
Client data after a completed journey 5 years (accounting obligation plus limitation period for claims)
Special category data (health, dietary, passport) Deleted immediately after the end of the journey, no later than 30 days afterwards
Post-journey communication (feedback, further contacts) Until consent is withdrawn or 3 years without contact
Newsletter or marketing data Until consent is withdrawn
Invoice and accounting data 5 years from the end of the financial year (Article 74 of the Accounting Act)

17. Children's data

If your journey includes children under the age of 16, we process their data (first name, date of birth, any allergies and special needs) solely on the basis of the consent of a parent or legal guardian. We delete children's data immediately after the end of the journey, no later than 30 days afterwards.

18. Image and marketing materials

After a completed journey, the client may receive discreet photographs documenting their stay, intended for personal use. The use of a client's image in FlyToChange marketing materials (website, social media, brochures) requires separate, explicit consent given in writing. The absence of such consent does not limit the client's right to receive personal photographs. Discretion is the foundation of the FlyToChange brand.

Part V

Themed expeditions (Pillar 3)

19. Themed expeditions and their nature

FlyToChange themed expeditions are group trips centred around a specific theme (e.g. "3 volcanoes in Indonesia", "The culinary tradition of southern Italy"). They combine elements of a mastermind (a small group, a facilitator) with individual planning (a programme tailored to the theme).

From a data processing perspective, they combine features of Pillar 1 (Part III) and Pillar 2 (Part IV).

20. Processing rules for themed expeditions

For themed expeditions we apply, as appropriate, the provisions of Part III (participant data, group confidentiality) and Part IV (recipients at the destination, transfer outside the EEA, special category data, retention, children, image).

Part VI

Marketing and communication

21. Newsletter and marketing materials

If you have subscribed to our newsletter or consented to receiving marketing communication, we process the following data:

  • email address
  • first name (if provided)
  • history of contacts with the brand (which journeys interested you)

Purpose: sending the newsletter, information about new masterminds, themed expeditions, editorial essays, special offers.

Legal basis: Article 6(1)(a) of the GDPR (your consent) plus Article 10(2) of the Act of 18 July 2002 on the Provision of Services by Electronic Means.

Withdrawal of consent: you may withdraw your consent at any time. In every message you will find an "Unsubscribe" link. You may also write to us at info@flytochange.club to request removal from the list.

22. FlyToChange social media

We maintain a presence on social media (Instagram, LinkedIn). When you follow our profiles, comment or interact, the data is processed in accordance with the privacy policies of the respective platforms (Meta, LinkedIn). FlyToChange is a joint controller of data with regard to fan page statistics.

We do not use social media to automatically collect user data beyond what the platform itself enables.

Part VII

Your rights and contact

23. Rights under the GDPR

Regardless of the category of data, you have the rights arising from the GDPR:

  1. The right of access to your data (you may request a copy at any time)
  2. The right to rectification of inaccurate or incomplete data
  3. The right to erasure of data (the "right to be forgotten")
  4. The right to restriction of processing (e.g. for the duration of verification)
  5. The right to data portability to another controller in a machine-readable format
  6. The right to object to processing (especially for marketing and legitimate interest)
  7. The right to withdraw consent at any time (without affecting the lawfulness of prior processing)
  8. The right to lodge a complaint with the supervisory authority: the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw

24. How to exercise your rights

In order to exercise any of the above rights, please contact us:

info@flytochange.club

We respond within 30 days of receiving your request. In particularly complex cases, the deadline may be extended by a further two months, of which we will inform you within the first month.

Exercising your rights is free of charge. We may charge a reasonable fee only in exceptional situations (manifestly unfounded or excessive requests).

25. Data security

We apply adequate technical and organisational measures protecting your data against unauthorised access, loss, alteration or disclosure. In particular:

  • communication via the website takes place over an encrypted HTTPS connection
  • passport data is stored solely in encrypted form
  • access to the data is granted only to authorised persons
  • we regularly review and update our security procedures
  • each local partner receives only the data necessary for its part of the service

26. Changes to the Privacy Policy

FlyToChange reserves the right to update this Privacy Policy in response to legal, technological or service-related changes. The current version is always available on this page, with the date of the last update visible at the beginning of the document. We also notify you of significant changes by email (if we have such contact details for you).

27. Contact

In any matter related to the protection of your personal data or to this Privacy Policy:

Persons responsible for data protection at FlyToChange:

Adam and Marta, co-founders of FlyToChange. We work together on every aspect of the company, including the security and privacy of our clients' data.

Email: info@flytochange.club

Website: www.flytochange.club

We respond to all requests personally, within 30 days.

28. Governing law and jurisdiction

This Privacy Policy is governed by the law of the Controller's registered seat. With regard to the protection of personal data, the following apply:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)
  • The Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws 2018, item 1000, as amended)
  • The Act of 18 July 2002 on the Provision of Services by Electronic Means
  • The Act of 12 July 2024, Electronic Communications Law (with regard to cookies)

Disputes concerning the processing of personal data: are resolved by the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw) as the supervisory authority, or by the common court having jurisdiction in accordance with Polish personal data protection regulations.

Disputes arising from commercial contracts (mastermind participation agreement, travel design agreement) are resolved in accordance with the governing law indicated in the relevant agreement, which may be Polish law or the law of the Controller's registered office (see Part I, section 1).

Mediation and out-of-court dispute resolution: a consumer has the right to make use of out-of-court methods of handling complaints and pursuing claims, including:

  • mediation conducted by the voivodeship inspector of the Trade Inspection
  • the European Commission's ODR (Online Dispute Resolution) platform, available at https://ec.europa.eu/consumers/odr
  • the assistance of the district (municipal) consumer ombudsman

The Privacy Policy enters into force on the date of publication.