Privacy policy.

Layover is operated by Billy Redwood, trading as Layover, based in the United Kingdom. For the purposes of UK GDPR and the Data Protection Act 2018, Layover is the data controller of the personal data described in this policy.

You can reach us at privacy@getlayover.app.

We collect only what's needed to run Layover. Today, that's three categories:

We do notconnect to your bank, your airline's payroll system, or your roster system. Everything in Layover is entered by you or generated from what you've entered.

We collect minimal technical data — IP address and browser type — when you load the app, used solely for security and abuse prevention. We use Vercel Analytics for privacy-first, cookieless page view analytics — no advertising trackers or cross-site tracking (see the cookies policy).

Under UK GDPR, every use of your data needs a lawful basis. Ours are:

• Performance of a contract— to provide the service you've signed up for (calculating your pay, storing your duty log, letting you sign in).
• Legitimate interests — to keep the service secure, prevent abuse, and improve how Layover works. We balance this against your privacy and only do what a reasonable person would expect.
• Legal obligation — where the law requires us to retain or disclose data.

While your account is active, we keep your data so the service works. If you delete your account, we delete your personal data within 30 days, except where we're required to retain a record (e.g. for fraud, security, or legal reasons), in which case we keep the minimum we need for the minimum time required.

If you invite a colleague by email, their email address is stored only until they sign up (at which point it is deleted immediately) or for a maximum of 7 days if the invitation is not used.

Backups are rotated and overwritten on a rolling schedule of no more than 35 days.

We don't sell your data. We share it only with the service providers Layover runs on top of, each acting as a data processor under contract with us:

We may also disclose data if compelled by a valid legal request, or to protect the rights, property, or safety of Layover, our users, or others.

Our providers may process data in the EU, the UK, or the US. Where data is transferred outside the UK, we rely on the UK International Data Transfer Agreement (IDTA) or equivalent safeguards (e.g. Standard Contractual Clauses, adequacy decisions). You can request a copy of the relevant transfer mechanism by emailing us.

Under UK GDPR, you have the right to:

• Access — ask for a copy of the personal data we hold about you.
• Rectify — correct anything that's wrong.
• Erase — ask us to delete your data (right to be forgotten).
• Restrict — limit how we use your data.
• Port — receive a copy in a portable format (we offer CSV export from the app).
• Object — to processing based on legitimate interests.
• Withdraw consent— where we rely on consent (currently we don't, but this remains your right).

To exercise any of these, email privacy@getlayover.app. We aim to respond within 30 days.

If you're not satisfied with our response, you can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

Data is encrypted in transit (TLS) and at rest. Authentication uses one-time email links — there are no passwords stored on our side. Access to production data is limited to the founder and is reviewed regularly.

No system is unbreakable. If a breach occurs that affects your data, we will notify you and the ICO within 72 hours, as required by law.

Layover is intended for working cabin crew, who are by definition adults. We don't knowingly collect data from anyone under 18. If you believe a child has signed up, please contact us and we'll delete the account.

If we make a meaningful change to how we handle your data, we'll update this page and email you. The “last updated” date at the top reflects the most recent change. Continuing to use Layover after a change means you accept the updated policy.

Privacy questions: privacy@getlayover.app
Everything else: hello@getlayover.app