Privacy policy

Last updated: May 9, 2026 · Compliant with Quebec's Loi 25 + Canada's PIPEDA + EU GDPR

1. Who we are

Kestrelia is a SaaS platform for hyper-personalized flight alerts, operated by NOKARIS Lab, an independent studio based in Gatineau, Quebec, Canada.

Contact: hello@kestrelia.com

2. Data collected (Phase 0 waitlist)

  • Email address — to send confirmation and Phase 0 alerts
  • Locale (FR-CA / EN-CA) — to localize email content
  • IP address — anti-abuse rate-limiting (5 signups / IP / hour)
  • User Agent + Referrer — traffic source analysis
  • UTM parameters — marketing source tracking
  • Survey answers (post-confirmation, optional) — origin airport, destinations, budget, frequency, current solution

3. Hosting (Loi 25 + PIPEDA)

All data is hosted in Canada (AWS ca-central-1). No personal data leaves Canada. Transactional emails are sent via AWS SES (ca-central-1 region).

4. Your rights

Per Loi 25 (Quebec), PIPEDA (Canada's federal Personal Information Protection and Electronic Documents Act) and EU GDPR, you can at any time:

  • Access your data — email hello@kestrelia.com from your registered address
  • Rectify your data — reply to any Kestrelia email
  • Erase your data (right to be forgotten) — endpoint DELETE /waitlist/entry?email=&token= (instructions sent on request)
  • Portability — JSON export on request to hello@kestrelia.com
  • Unsubscribe — 1-click in any email sent

Response time: 30 days maximum (Loi 25 article 35 / PIPEDA Schedule 1, principle 4.9).

5. Cookies and analytics

No advertising tracking cookies. For audience measurement we use Umami, an open-source self-hosted analytics tool running on the same Canadian infrastructure — GDPR-compliant by default, no persistent cookies. You can decline analytics via the cookie banner at the bottom of the page.

6. Security

  • HTTPS mandatory (TLS 1.3 via CloudFront)
  • Confirmation tokens: 256-bit random (one-shot rotation after use)
  • IP rate-limiting (5 signups / hour / IP)
  • Cloudflare Turnstile anti-bot on submissions
  • Anti-enumeration: 202 constant-time response (never reveals email registration status)
  • Encrypted DB backups via AWS RDS (7-day retention)
  • Secrets managed by AWS Secrets Manager (auto-rotation)

7. Subprocessors (Loi 25 article 18 / PIPEDA principle 4.1.3)

Kestrelia shares data with the following subprocessors, each under a compliant data processing agreement:

  • Amazon Web Services (AWS) — infrastructure hosting (ca-central-1)
  • Cloudflare — Turnstile anti-bot (token verification only)
  • Sentry — error tracking (PII scrubbing enabled)

8. Changes

This policy may evolve with the product. Subscribers will be notified of substantial changes by email. The "last updated" date is shown at the top of this page.

9. Complaint — competent authorities

If you disagree with how your data is handled, you can contact:

Commission d'accès à l'information du Québec (CAI) — for Loi 25
575 rue Saint-Amable, Suite 1.10, Quebec (QC) G1R 2G4, Canada
Website: cai.gouv.qc.ca

Office of the Privacy Commissioner of Canada (OPC) — for PIPEDA
30 Victoria Street, Gatineau (QC) K1A 1H3, Canada
Website: priv.gc.ca
