Business Transactions
If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.

Law Enforcement
Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Requests from an employing airline (how we handle them)

We disclose user data to an employing airline only when:

1. we are legally required to do so,
2. the user gives explicit, verifiable consent, or
3. if in the future we operate under a written enterprise agreement with that airline that expressly authorizes a narrowly scoped disclosure for a defined investigation.
   • We do not currently operate under any enterprise agreements with this authorization. If this changes, we will update this policy.

When we receive a request, we follow a process such as:

• Verify the requester (identity, role, authority via official channels).
• Require written scope (who, what, date range; no open-ended asks).
• Legal/contract check (ensure a valid basis; decline if not).
• Minimum necessary (only the data needed; no bulk or ongoing access).
• Internal approval (designated security lead/Founder approves; support cannot).
• Secure transfer (encrypted delivery; marked confidential).
• Logging (we record request, basis, scope, and what was disclosed; retained 24 months).
• User notice where lawful; if prohibited, we delay notice until permitted.
• We may decline overbroad, unsupported, or informal requests.

This overview describes our general approach and does not create contractual obligations.

We do not provide passwords or direct system access, and we do not enable real-time monitoring or “backdoor” access.

Other Legal Requirements

The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:

• Comply with a legal obligation
• Protect and defend the rights or property of the Company
• Prevent or investigate possible wrongdoing in connection with the Service
• Protect the personal safety of Users of the Service or the public
• Protect against legal liability

Security of Your Personal Data
The security of Your Personal Data is important to Us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.

Data Retention / Retention of Your Personal Data

• Account and flight logs: We retain your account information and flight log data for as long as your account is active. If you close your account or request deletion, we delete your personal data from our active systems within 30 days.
• Operational logs: Application/security logs are kept on active systems for 180 days and may be archived thereafter.

Backups (disaster recovery only)

• We maintain encrypted backups of our production systems for disaster recovery and security purposes.
• Long-term backups are stored in AWS object storage and remain encrypted at rest; they are not used for active processing, are not readily searchable, and cannot be edited on an individual basis.
• Our current backup schedule is daily backups for 180 days, followed by monthly backups that may be retained for an extended period.
• When you request deletion, your data is removed from active systems; the same data may continue to exist in backup archives until those backups age out and are overwritten. We will not restore a backup solely to delete specific data. If we must restore from a backup (e.g., to recover from an outage), we will re-apply deletion requests to the restored environment as soon as practicable.
• Backups are used only to restore service after an outage or data-loss event; we do not mine or process backup data for analytics or marketing.

Legal holds and obligations

• We may preserve certain records if required by law, regulation, or to investigate security incidents. We minimize what we keep and for how long.

Detailed Information on the Processing of Your Personal Data
Service Providers have access to Your Personal Data only to perform their tasks on Our behalf and are obligated not to disclose or use it for any other purpose.

Analytics
We may use third-party Service providers to monitor and analyze the use of our Service.

• Google Analytics
  • Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualise and personalise the ads of its own advertising network.
  • For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy?hl=en
• Firebase
  • Firebase is an analytics service provided by Google Inc.
  • You may opt-out of certain Firebase features through your mobile device settings, such as your device advertising settings or by following the instructions provided by Google in their Privacy Policy: https://policies.google.com/privacy?hl=en
  • We also encourage you to review the Google’s policy for safeguarding your data: https://support.google.com/analytics/answer/6004245.
  • For more information on what type of information Firebase collects, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy?hl=en

Email Marketing
We may use Your Personal Data to contact You with newsletters, marketing or promotional materials and other information that may be of interest to You. You may opt-out of receiving any, or all, of these communications from Us by following the unsubscribe link or instructions provided in any email We send or by contacting Us.

We may use Email Marketing Service Providers to manage and send emails to You.

Payments
We may provide paid products and/or services within the Service. In that case, we may use third-party services for payment processing (e.g. payment processors).

We will not store or collect Your payment card details. That information is provided directly to Our third-party payment processors whose use of Your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.

• Apple Store In-App Payments
  • Their Privacy Policy can be viewed at https://www.apple.com/legal/privacy/en-ww/
• Google Play In-App Payments
  • Their Privacy Policy can be viewed at https://www.google.com/policies/privacy/

Usage, Performance, and Miscellaneous
We may use third-party Service Providers to provide better improvement of our Service.

• AWS
  • AWS provides long-term encrypted backup storage for our databases and application files (disaster recovery only). AWS may process storage/service log metadata (e.g., object access logs, IP, timestamps) to operate and secure the service. Backups stored with AWS are encrypted at rest and transferred over TLS.
  • The information gathered by AWS is held in accordance with its Privacy Notice: https://aws.amazon.com/privacy/
• ClickUp
  • ClickUp is a project management and issue tracking service operated by Mango Technologies, Inc. (ClickUp).
  • We use ClickUp to manage bugs, feature requests, and support follow-ups. ClickUp may process task/ticket content, comments, attachments, and related metadata.
  • We avoid storing customer personal data in ClickUp; if limited data (e.g., a log snippet or support excerpt) is included to investigate an issue, it is used only for that purpose and deleted or redacted when the task is closed.
  • ClickUp’s Privacy Policy: https://clickup.com/privacy
• Cloudflare
  • Cloudflare is a content delivery and security service (CDN, WAF/DDoS, DNS) operated by Cloudflare, Inc.
  • Cloudflare may collect information from your device and about requests to our Service (e.g., IP address, system configuration, and request metadata) to provide performance and security features.
  • The information gathered by Cloudflare is held in accordance with its Privacy Policy: https://www.cloudflare.com/privacypolicy/
• DigitalOcean
  • DigitalOcean provides our hosting and managed database infrastructure. The service is operated by DigitalOcean, LLC.
  • DigitalOcean may process service logs and related metadata in order to deliver and secure the infrastructure we use.
  • The information gathered by DigitalOcean is held in accordance with its Privacy Policy: https://www.digitalocean.com/legal/privacy-policy
• FreshDesk
  • FreshDesk is a customer support software. The service is operated by Freshworks, Inc.
  • FreshDesk service may collect information from Your Device.
  • The information gathered by FreshDesk is held in accordance with its Privacy Policy: https://www.freshworks.com/privacy/
• GitHub
  • GitHub hosts our private source-code repositories and CI/CD workflows. The service is operated by GitHub, Inc.
  • GitHub may process organization/account identifiers, commit metadata (e.g., author name and email), and build logs to operate the service.
  • We do not store customer personal data in GitHub and instruct staff not to include user data in code, issues, or build logs.
  • The information gathered by GitHub is held in accordance with its Privacy Statement: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement
• Google/Firebase
  • We use the following products from Google
    • Google Workspace (email)
    • Google Places
    • Firebase (authentication, tokens, push notifications, analytics, and crash reporting)
  • The information gathered by Google is held in accordance with the Privacy Policy of Google: https://www.google.com/intl/en/policies/privacy/
• Sentry
  • Sentry is an application monitoring and error tracking service operated by Functional Software, Inc. (Sentry). We use Sentry to monitor PHP crashes, errors, and related server logs for diagnostics.
  • Sentry may receive error details and diagnostic information (such as stack traces, request metadata, and IP address) to help us investigate and resolve issues.
  • The information gathered by Sentry is held in accordance with its Privacy Policy: https://sentry.io/privacy/ (Sentry is a registered trademark of Functional Software, Inc.: https://sentry.io/legal/)
• Slack
  • Slack is a team messaging and collaboration service operated by Slack Technologies, LLC (Salesforce).
  • We use Slack for internal communications related to operations and support. Slack may process message content, files/attachments, user profile info, and workspace metadata (e.g., timestamps, channel IDs) to operate the service.
  • We avoid storing customer personal data in Slack; if limited data is temporarily included for troubleshooting, it is used only to provide support and is deleted or redacted when no longer needed.
  • Slack’s Privacy Policy: https://slack.com/trust/privacy/privacy-policy

Crew Chat
Crew Chat is a messaging service that You can use to communicate with other Users in the app. Individual messages are logged, but are not actively monitored or moderated. We use a third-party Service provider to administer that service:

• Stream
  • Stream is a messaging service operated by Stream.io, Inc.
  • Stream service does not collect and use personally-identifiable information on their own; however, we provide your display name and profile photo to display within our Service. Stream also logs all messages as our processor for the sole purpose of delivering Crew Chat.
  • The information gathered by Stream is held in accordance with the Privacy Policy of Stream.io, Inc: https://getstream.io/legal/privacy/