Privacy Policy

Last updated: April 2026

Introduction

MoonFlight is a product of MoonGroup, a company registered in the Czech Republic. This Privacy Policy explains how MoonGroup ('we', 'us', 'our') collects, uses, stores, and protects your personal data when you use the MoonFlight platform to order e-visa, meet & greet, or VIP lounge services.

As a company registered in the European Union, we are subject to the General Data Protection Regulation (GDPR). We are committed to processing your personal data lawfully, transparently, and only for the purposes described in this policy.

Data Controller

The data controller responsible for your personal data is:

MoonGroup

Libušská 319/126, 142 00 Praha 4 SAPA, Czech Republic

Website: https://moon-group.io

Privacy contact: info@moon-group.io

Personal Data We Collect

We collect the following categories of personal data when you use our services:

  • Identity data: Full name, date of birth, gender, nationality, passport number, passport expiry date, and passport photographs.
  • Contact data: Email address, secondary email address, phone number, postal address, and address in Vietnam.
  • Travel data: Arrival and departure dates, arrival and departure airports, visa type, and travel purpose.
  • Emergency contact data: Emergency contact's full name, relationship to you, phone number, and email address.
  • Payment data: Order reference number. Card and payment details are handled solely by Stripe — MoonGroup never stores or processes your card data.
  • Usage data: Anonymised analytics collected via Google Analytics, only with your explicit consent.
  • Device and traffic data: IP address (automatically truncated by Google Analytics 4), browser type, device type, pages visited, and time and date of access. Collected only when analytics consent is given.

Purposes and Legal Bases for Processing

We process your personal data only for specific, lawful purposes. Each purpose and its legal basis under GDPR is set out below:

  • Delivering the ordered service (e-visa processing, meet & greet, VIP lounge access)

    Article 6(1)(b) — necessary for the performance of a contract

  • Compliance with Vietnamese immigration and visa regulations

    Article 6(1)(b) — necessary for the performance of a contract

  • Processing passport photographs

    Article 9(2)(a) — explicit consent provided at order submission

  • Website analytics (Google Analytics)

    Article 6(1)(a) — consent given via the cookie banner

Children and Minors

Our services are intended for adults. When placing an order that includes personal data of a minor, the adult submitting the order is responsible for ensuring they have the appropriate authority to provide that data. We do not knowingly collect personal data directly from children.

Special Category Data

Passport photographs may constitute biometric data within the meaning of GDPR Article 9. We process this data solely on the basis of your explicit consent, which you provide when submitting your order.

You may withdraw this consent at any time by contacting us at info@moon-group.io. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, but will mean we are unable to process your visa application.

Sharing Your Data

We share your personal data only where necessary to deliver the service you have requested:

  • Vietnamese Government

    As an authorised e-visa service provider, we submit your application data to the Vietnamese immigration authorities on your behalf. This is required to fulfil the e-visa service.

    Please note: Vietnamese immigration authorities issue e-visa approval letters as group documents. Your name, passport number, and date of birth may appear in the same approval letter as other travellers whose applications are processed at the same time.

  • Stripe (payment processing)

    When you proceed to payment, you are redirected to Stripe's hosted payment page. Stripe acts as an independent data controller for payment data. MoonGroup never receives or stores your card details. Please refer to Stripe's Privacy Policy for details.

  • Google (analytics)

    If you have consented to analytics cookies, anonymised usage data is shared with Google Analytics. Google Analytics 4 does not store full IP addresses — your IP is automatically truncated before being logged. You can withdraw consent at any time via the cookie banner.

International Data Transfers

Some of your personal data is transferred outside the European Economic Area (EEA):

  • Vietnam

    Your visa application data is transferred to Vietnamese government systems. Vietnam does not have an EU adequacy decision. This transfer is made under Article 49(1)(b) GDPR — it is necessary for the performance of a contract concluded in your interest, being the visa application you have explicitly requested.

  • Stripe

    Stripe processes payment data subject to its own Data Processing Agreement and Standard Contractual Clauses where applicable.

Data Retention

We retain your personal data for a maximum of two months from the date your order is completed or cancelled.

All sensitive data — including passport information and photographs — is encrypted at rest. Access is strictly restricted to authorised personnel only.

Anonymised aggregate statistics, which contain no personal data, may be retained for longer operational purposes.

Data Security

We implement the following technical and organisational measures to protect your personal data:

  • Encryption of sensitive personal data at rest
  • All data transmitted exclusively over HTTPS
  • Access to personal data restricted to authorised staff only
  • Technical controls to prevent unauthorised access or disclosure

Cookies and Analytics

We use Google Analytics to understand how visitors use our website. Google Analytics uses cookies to collect anonymised usage data.

Google Analytics 4 does not store full IP addresses. Your IP address is automatically truncated before being logged.

Analytics cookies are only set after you have given explicit consent via our cookie banner. You can withdraw consent at any time by accessing cookie settings in the banner.

We do not use any advertising, marketing, or behavioural tracking tools.

Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of your personal data ('right to be forgotten'), subject to any legal obligations we may have to retain it.
  • Right to restriction: Request that we limit how we process your personal data in certain circumstances.
  • Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object: Object to processing of your personal data where processing is based on legitimate interests.
  • Right to withdraw consent: Withdraw consent at any time where processing is consent-based. This does not affect the lawfulness of processing carried out before withdrawal.

Exercising Your Rights

To exercise any of the above rights, please contact us at: info@moon-group.io

We will respond within 30 days of receiving your request. For complex or multiple requests, this period may be extended to 90 days — we will notify you of any extension within the initial 30-day period.

Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with the Czech supervisory authority:

Úřad pro ochranu osobních údajů (UOOU) — www.uoou.cz

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The 'last updated' date at the top of this page indicates when the policy was last revised.

We encourage you to review this policy periodically. For material changes affecting consent-based processing, we will seek fresh consent as required by applicable law.