Privacy policy

This Privacy Policy ("Policy") outlines how the ViaMobi LLP, the company that operates the Worldtransair website and platform ("Worldtransair", "we", "us", or the "Controller") collects, uses, discloses, and protects personal data in connection with its products, services and associated websites (collectively, the "Services").

In providing the Services, Worldtransair engages various third-party service providers who process personal data on its behalf and under instructions (collectively, the "Processors").

This Policy has been prepared in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, the Law of the Republic of Kazakhstan No. 94-V "On Personal Data and Their Protection" dated May 21, 2013, as well as other applicable international data protection laws. This Policy ensures the lawful, fair, and transparent processing of personal data and the protection of individuals’ rights and freedoms in all jurisdictions where Worldtransair operates or offers its Services.

The Controller (ViaMobi LLP, operating the Worldtransair platform) processes personal data on lawful bases including consent, the performance of a contract, compliance with legal obligations, and legitimate interests. The Controller appropriates technical, organizational, and legal safeguards that implemented to maintain a high level of data protection and to provide data subjects with enforceable rights and effective remedies, regardless of their place of residence.

This Policy sets out, among other things:

• the categories of personal data we process;
• the purposes and legal bases for processing;
• the parties with whom we may share your personal data;
• the period for which we retain such data;
• your rights under applicable data protection laws.

This Policy applies solely to the processing of personal data by Worldtransair (or on its behalf) through its Services. It does not apply to the independent data processing activities of our customers (e.g. air charter companies, flight departments, aircraft operators, brokers, or other clients) or third-party vendors (e.g. payment processors or booking platforms) that may be linked to or integrated with our Services. We encourage you to review the respective privacy notices of such third parties to understand how they process your personal data.

By accessing or using our Services, you acknowledge that you have read and understood the Policy. Where required by law, we will obtain your explicit consent prior to processing your personal data.

Depending on where you live, you may have specific rights regarding the personal data we process about you. Please refer to the sections below titled "Data Subject Rights" and "Additional Information for California Residents" for more information.

This Policy is publicly available on our website at https://worldtransair.com.

2.1. Personal data provided directly by you

When you use our Services or communicate with us, we may collect the following categories of personal data:

• Identification and contact details: full name, email address, phone number, company name, postal address (including city, region, and postal code).
• Account information: username, login credentials, and preferences associated with your user profile.
• Booking data: details related to charter flight requests and bookings, including flight routes.
• Communication records: content of your messages, inquiries, or correspondence with our customer support, booking department, or other representatives. Such data is processed only for the purpose of responding to your inquiry or managing our contractual relationship, in line with Article 6 GDPR.
• Personal information shared in connection with calls or requests to our technical, maintenance and customer support services.
• Marketing preferences: information about your subscription choices, expressed interests, and interactions with our communications (if applicable).

This Privacy Policy ("Policy") outlines how the ViaMobi LLP, the company that operates the Worldtransair website and platform ("Worldtransair", "we", "us", or the "Controller") collects, uses, discloses, and protects personal data in connection with its products, services and associated websites (collectively, the "Services").

2.2. Personal data collected automatically

When you visit or interact with our Services, we and our third-party providers may automatically collect certain information, which may include:

• Technical and device data: IP address, browser type and version, device type, operating system, time- zone setting, and other diagnostic information.
• Usage data: details about your interaction with our websites and Services, such as pages visited, access dates and times, session duration, clickstream data, and referring URL.
• Cookies and similar technologies: information stored and retrieved from your browser or device to ensure the functionality of the Services, remember user preferences, enhance user experience, perform analytics.
• Session cookies – used to maintain session state and enable functionality.
• Preference cookies – store user preferences and interface settings.
• Security cookies – used to ensure account and platform security.

You have the right to choose to opt out of certain cookies and similar technologies on the site. However, if you choose to refuse or remove cookies and similar technologies, this could affect the availability and functionality of the site.

For more information, please refer to our Cookie Policy at https://worldtransair.com/cookie-policy.

2.3. Personal data obtained from customers and third parties

In connection with the provision of charter services, we may process personal data provided by our customers (air charter companies, operators, or brokers) or their authorized representatives. This may include:

• Flight information: - flight details (origin, destination, schedule, aircraft type, operator, and flight number).
• Company and representative information, including contact details of company representatives involved in booking, contracting, or customer relations.
• Data obtained from third-party providers, such as booking confirmation information, records from booking systems.
• Contact information (e.g., name, email address, phone number and postal address).
• Flight and aircraft information (e.g., origin and destination airports, estimated travel time).
• Other information they choose to provide through the Services (e.g., photographs, security status, rewards number).

2.4. Location data

If you enable location-based features, we may collect and use geolocation data from your device to provide location-relevant services. You can enable or disable access to location data through your device settings at any time.

We may combine personal data obtained from different sources in order to maintain accurate records and to improve the quality of our Services.

In addition, the Controller may de-identify (anonymize) and/or aggregate personal data and other information collected through the Services so that it can no longer be used to identify an individual, either directly or indirectly.

This data is not considered personal data under Recital 26 of the GDPR, and therefore the requirements of this Policy regarding the collection, use, disclosure, transfer, and retention of personal data do not apply to it.

The Controller may use and share aggregated or de-identified data for analytical, research, or statistical purposes in accordance with applicable law.

We may collect personal data from publicly available sources, including government registries, industry databases, and professional networks, if necessary to confirm the company's business reputation, contact information, or business status.

Such data is used solely for legitimate business purposes, including verifying and maintaining the accuracy of our records.

The Controller does not process special categories of personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual life or orientation, or criminal convictions and offences.

Personal data is processed in accordance with the principles set out in Article 5 of the GDPR, including those of purpose limitation and data minimization. This means that personal data must be collected for specific, explicit, and legitimate purposes and shall not be processed further in a manner that is incompatible with those purposes. Personal data must also be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

The Controller processes personal data only where a valid legal basis exists under Article 6 of the GDPR, including:

• the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract;
• compliance with a legal obligation to which the Controller is a subject;
• the protection of vital interests of the data subject or another natural person, for example, in cases of emergency or imminent threat to life or safety;
• the data subject’s consent to one or more specific purposes;
• the pursuit of the Controller’s legitimate interests, provided that such interests are not overridden by the fundamental rights and freedoms of the data subject.

Where consent is used as a legal basis, the Controller ensures that such consent is freely given, specific, informed, and unambiguous, in line with Article 7 of the GDPR.

• To provide, operate, and maintain our Services, including making them available, responding to requests or enquiries, providing customer support, and managing user accounts (performance of a contract / legitimate interests).
• To process and manage charter booking requests and related services, including facilitating communication and information exchange between customers, operators, affiliates, and third-party vendors through our platform (performance of a contract / legitimate interests).
• To communicate with you regarding our Services, including updates, operational notices, and information about our products and services (performance of a contract / legitimate interests / consent).
• Notifying users of changes to our Services, terms, or policies (legal obligation / legitimate interests).
• Enabling participation in the interactive features of our Services, if chosen by the user (consent).
• To conduct analysis and generate aggregated and anonymized statistics that do not contain personal data, in order to evaluate the effectiveness and improve the quality of the Services (legitimate interests).
• To analyze and personalize the user experience, including through the use of cookies, pixels, and other tracking or analytics technologies related to identifiable user behavior, solely on the basis of the user’s prior consent (consent).
• To improve, innovate and develop the Services and other offerings from the Controller, as well as to create new products and services (legitimate interests).
• To detect, prevent, and address technical or security issues, unauthorized access, misuse of the Services, or violations of applicable laws and terms (legal obligation / legitimate interests).
• To perform audits, internal assessments, compliance checks, testing, troubleshooting, and risk evaluations (legal obligation / legitimate interests).
• To back up systems (including for disaster recovery purposes) and enhance the overall security, integrity and resilience of the Services (legal obligation / legitimate interests).
• To comply with and enforce contractual, legal, and regulatory obligations, including requirements related to aviation, accounting, anti-fraud, and Know Your Customer (KYC) verification, as well as lawful requests from competent authorities such as court orders, warrants, or subpoenas (legal obligation / legitimate interests).
• To carry out identity verification (KYC) of our customers, partners, and their authorized representatives in order to prevent fraud, ensure legal compliance, and maintain the integrity of our platform. This may include collecting and verifying identification documents, company registration details, and contact information. We conduct KYC procedures in accordance with applicable laws and international best practices. The KYC process is performed through a dedicated questionnaire sent to the customer. The data collected through this process are used solely for verification and compliance purposes. Upon successful verification, the customer’s status (e.g., "Verified") may be displayed within the platform interface to indicate completion of the KYC review. KYC information is processed only by authorized personnel and/or trusted third-party service providers under written agreements ensuring confidentiality, data protection, and compliance with GDPR, PIPEDA, the Law of the Republic of Kazakhstan No. 94-V "On Personal Data and Their Protection", and other applicable laws. We comply with applicable KYC (Know Your Customer) and anti-money-laundering (AML) regulations in all jurisdictions where it operates. We collect only the information necessary for verification and compliance purposes and handle such information with the highest degree of confidentiality.
• To conduct internal reviews and assessing compliance with applicable laws, industry standards, and sanctions regulations (legal obligation / legitimate interests).
• To send marketing and promotional communications, such as news, special offers, and updates about our products and services.

For existing customers, we may rely on legitimate interests as the legal basis for sending electronic communications regarding services similar to those you have previously used, in accordance with applicable law.

You can opt out of receiving such communications at any time, free of charge, by clicking the "Unsubscribe" link included in the footer of any marketing email (consent / legitimate interests).

We process personal data only for the purposes and on the legal bases described in Section 3 of this Policy.

Personal data are used solely to operate, administer, and secure the Services, fulfil contractual and legal obligations, and support legitimate business operations.

Any further processing beyond the original purpose takes place only if it is compatible with the initial purpose or based on a new lawful ground (such as renewed consent).

Automated decision-making or profiling is not conducted, except where necessary for fraud prevention or security purposes and only with appropriate safeguards in line with Article 22 GDPR.

We may disclose personal data only when necessary and under a valid legal basis, in accordance with Articles 13 and 14 of the GDPR, to the following categories of recipients:

• Service providers and processors who support the operation of the Services (for example, IT hosting, payment processing, analytics, email delivery).
• Charter operators, brokers, and partners involved in booking and execution of charter flights.
• Professional advisers, including auditors, lawyers, and consultants bound by confidentiality obligations.
• Public authorities or regulators, when disclosure is required by law or valid legal request (e.g., court order or government agency).
• Successors or acquirers, in the event of a merger, acquisition, or restructuring, provided that equivalent data-protection safeguards are in place.
• Where third parties, including service providers such as cloud or analytics providers (e.g., Google), process personal data on behalf of the Controller, such processing is governed by written agreements or standard contractual terms consistent with Article 28 of the GDPR. These parties are required to maintain confidentiality and to implement appropriate technical and organizational measures to ensure data security. Where a third party acts as an independent controller, such processing is carried out under its own privacy terms and in compliance with applicable data protection laws.
• Verification and compliance providers (KYC / AML service providers) – external entities engaged to perform customer identity verification, screening against sanctions or watch lists, and other due diligence checks. Such providers act as processors under written agreements consistent with Article 28 GDPR and equivalent provisions of applicable laws.

We may transfer personal data to countries outside the European Economic Area ("EEA"), including the United States, when necessary for the operation of the Services, for example when using third-party providers such as cloud hosting, analytics, or communication platform (e.g. Google Analytics, Google Cloud, and related tools).

In such cases, we ensure an equivalent level of data protection through the following safeguards.

Such transfers are carried out in accordance with Chapter V GDPR and rely on recognized transfer mechanisms, primarily the European Commission's Standard Contractual Clauses (SCCs). Where we transfer data to third countries, such as the United States, we ensure that supplementary technical and organizational measures (such as encryption and pseudonymization) are in place to provide a level of protection equivalent to that within the EEA, following a thorough assessment of the specific circumstances of the transfer and the applicable laws of the third country.

Supplementary measures and the assessment of third-country legislation are carried out in accordance with the EDPB Recommendations 01/2020.

For transfers from jurisdictions such as Canada or the Republic of Kazakhstan, the Controller ensures compliance with applicable local data transfer requirements, including obtaining data subject consent where required by law.

We retain personal data only for as long as necessary to fulfil the purposes outlined in this Privacy Policy and to comply with applicable legal, regulatory, accounting, or reporting requirements.

Retention periods are determined based on the following criteria:

• the purpose and nature of the processing;
• the type and sensitivity of the data;
• applicable legal or contractual obligations;
• limitation periods for potential legal claims or the need to protect the Controller’s rights.

Usage and technical data (such as system logs or analytics data) are retained for shorter periods, unless longer retention is necessary for security, troubleshooting, or compliance purposes.

Once personal data are no longer required for the specified purpose or legal obligation, they are securely deleted, anonymized, or pseudonymized.

Worldtransair periodically reviews all categories of personal data to ensure that retention periods remain appropriate and that no data are kept longer than necessary.

Illustrative retention periods:

• Account data: retained for the duration of your account activity and for 3 years after account deletion for security and fraud prevention purposes.
• Transaction and booking data: retained for 7 years to comply with financial, tax, and aviation regulatory requirements.
• Marketing data: retained until you withdraw your consent or opt-out, after which we will only keep a record of your preference to not be contacted.
• Technical and usage data: retained for a shorter period, typically 12-26 months, unless used for security or compliance.
• KYC and verification data: retained for the duration of the business relationship and for a period of 5 years following its termination or as otherwise required by applicable anti-money-laundering and record-keeping laws. Thereafter, the data are securely deleted or anonymized.

For specific retention periods applicable to your data, please contact us using the details in Section 6.

Retention periods listed above are illustrative. Detailed retention and deletion schedules are maintained internally and reviewed periodically to ensure compliance with applicable legal and operational requirements.

The Controller ensures appropriate technical and organizational measures to protect personal data, consistent with Article 32 of the GDPR, including:

• TLS encryption;
• Encryption at rest;
• Strict data access controls;
• Pseudonymization and data minimization;
• Employee confidentiality commitments (NDAs);
• Annual risk assessments and DPIAs;
• Consent Management Platform (CMP).

The Controller applies enhanced protection measures for identity and KYC-related data, including document encryption, limited access rights, and secure transmission protocols. Access to KYC information is restricted to authorized personnel subject to confidentiality obligations.

The Controller regularly reviews and updates these measures to ensure continued data security and compliance with applicable regulations.

Under the GDPR individuals whose personal data are processed by Worldtransair are entitled to exercise specific rights regarding their personal information. We ensure that all such rights can be exercised easily and without discrimination.

Depending on your jurisdiction, you may have additional rights under applicable data protection laws, such as CCPA/CPRA or PIPEDA. These rights are described in the regional sections of this Policy.

Subject to applicable law and certain limitations, you have the following rights:

• Right of access: to obtain confirmation whether we process your data and receive a copy of such data.
• Right to rectification: to request correction of inaccurate or incomplete personal data.
• Right to erasure: to request deletion of your personal data where no lawful basis for its retention applies.
• Right to restriction: to request limitation of processing in certain cases.
• Right to data portability: to receive your data in a structured, commonly used and machine-readable format and to transmit it to another controller.
• Right to object: to object, on grounds relating to your particular situation, to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent: you have the right to withdraw your consent to the processing of your personal data at any time, where such processing is based on consent. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. You can withdraw your consent free of charge at any time by contacting us via the email address provided in Section 6 of this Policy.
• Right to lodge a complaint: to contact a data-protection authority if you believe your rights have been violated.

You can exercise these rights free of charge, and we will respond without undue delay and within one month as required by Article 12 of the GDPR.

You can exercise any of the above rights by contacting us at info@worldtransair.com and indicating "For the Attention of the Data Protection Officer (DPO)" in the subject line. We may request additional information to verify your identity before fulfilling your request. All verified requests are processed within one month in accordance with Article 12 GDPR.

Our Services are not directed to individuals under the age of 16 (or the age of digital consent in your jurisdiction). We do not knowingly collect or process personal data from minors. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at info@worldtransair.comi with the subject line "For the Attention of the Data Protection Officer (DPO)". If we become aware that such data has been collected inadvertently, we will promptly delete it.

Worldtransair is operated and provided by ViaMobi LLP (the legal entity registered in the Republic of Kazakhstan, address: 173 Muratbaev Street, Almaty, 050000, Kazakhstan).

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at info@worldtransair.com with the subject line "For the Attention of the Data Protection Officer (DPO)".

If your inquiry concerns data protection matters within the European Economic Area (EEA), you may also contact our Data Protection Officer (DPO) by email info@worldtransair.com with the subject line "For the Attention of the Data Protection Officer (DPO) ".

We may update this Privacy Policy from time to time to reflect changes in legal requirements, technological developments, or our processing practices.

All updates will be published on our website at https://worldtransair.com.

Significant changes that materially affect your rights or how we process personal data will be communicated through a notice on our website or by direct email (where appropriate).

Continued use of our Services after such updates constitutes your acceptance of the revised Policy.

This Policy may be made available in other languages for convenience, however, in the event of any inconsistency or conflict, the English version shall prevail.

Worldtransair does not "sell" and does not "share" personal information for cross-context behavioral advertising as defined under CCPA/CPRA, and processes data solely for business purposes permitted by law. For residents of California, Worldtransair complies with the CCPA and CPRA to the extent applicable.

Under the California Consumer Privacy Act (CCPA/CPRA), California residents have the following rights regarding their personal information:

• Right to Know what personal information we collect, use, and disclose.
• Right to Delete their personal information.
• Right to Correct inaccurate personal information.
• Right to Opt-Out of the sale or sharing of their personal information.

California residents may exercise their rights via the contact details in Section 6. We will process your request in accordance with applicable California law.