Trust Center – Welcome to Flight Crew View

FlightCrewView

Flight Crew View Trust Center

Last updated: November 26, 2025

Flight Crew View (“FCV”) is built by a pilot, for crews, and is a product of Flight Crew Apps, LLC. We protect crew schedules, trip details, messages, and account data with modern security controls and a privacy-first approach.

Our pillars

Encryption everywhere (TLS in transit; provider-managed at rest)
No ads or data sales. We never sell your personal data or share your schedule with advertisers.
Least-privilege access to production with MFA
Per-airline isolation (no cross-tenant mixing)
Transparent practices (Trust Center, Privacy Policy, VDP)

What we collect & why (high level)

Account info (name, email, photo, airline): create/manage your account, support.
Schedule & trip data: show schedules, layovers, alerts, stats.
Device & diagnostics (app version, crash/error logs): keep the app stable.
Support messages: answer your questions and improve the product.

We do not sell personal data and we do not share schedules with advertisers. See the full Privacy Policy for details.

Community airport & hotel info

What it is: Crews can submit tips about airports and layover hotels (amenities, nearby food, shuttle/van info, etc.).
Visibility:
- “Global” items (e.g., amenities, nearby restaurants) are visible to crew users across airlines.
- Airline-specific items (e.g., negotiated discounts, van pickup procedures) are scoped to that airline’s users only.
- Friends & Family can see a crew’s scheduled hotel information if shared by the crew. They cannot search the hotel/airport database. Search access is limited to verified airline-linked accounts (ABAC; enforced in the API).
Privacy & rules: Do not include personal data, room numbers, access codes, or information a hotel/airline considers confidential. We may edit or remove submissions that violate policy.
Moderation & takedown: Items can be reported in-app or via support/security email; urgent removals are prioritized. We log who added/edited an item (internal user ID + timestamp).
Use & retention: Content is used only to power FCV features; not sold or shared with advertisers. Items remain until edited/removed; attribution is not shown publicly. If you delete your account, we de-link your identity from past contributions; items may remain if still useful to other crews. Backups age out per our backup policy.
Accuracy note: Community info is for convenience only; verify operational details (e.g., transport timing) with hotel/airline ops.

Quick answers (for crews)

Who can see my schedule? Only you in the app, and those friends and family that you grant access to. Limited support access may occur for troubleshooting, under strict controls.

Can other people see my schedule? Flight Crew View includes an optional Friends feature that lets you share parts of your schedule with specific people you choose. Sharing is opt-in, and you can:

Remove friends or temporarily pause sharing at any time (for example during medical leave).
Choose to hide certain details from friends, such as layover hotels, totals, and crew lists.
FCV never gives your schedule to other users or third parties unless you explicitly share it via Friends or similar features.

How are passwords handled? For Microsoft (Entra) SSO, you sign in on Microsoft’s pages. For all others, we use Firebase Authentication. We never see your passwords and they are never sent to our servers.

Do you store my Flica password?
If you choose to fetch your schedule by logging into Flica in the app, your credentials are stored only on your device in the secure keystore and sent over TLS to the airline site. Credentials are never sent to FCV servers. For ICS or device-calendar sync, no credentials are stored by FCV.

What if I change airlines or close my account? You can export and then close your account; we remove personal data from active systems per the Privacy Policy.

How do I report a security issue? Email security@flightcrewview.com. See our Vulnerability Disclosure Policy (VDP) and security.txt

Technical details (for airline IT & vendor risk)

1) Authentication (SSO & MFA)

SSO (preferred): Microsoft Entra OIDC (tenant-specific) with PKCE; MFA via Conditional Access.
- SSO today uses OIDC; SAML can be evaluated on request.
FCV app sign-in (non-SSO): We use Firebase Authentication for email/password, Apple, and Google sign-in. FCV servers never handle or store app passwords; hashing, storage, and verification are handled by Firebase.
- TOTP is available for non-SSO users.
Flica credentials (for schedule fetch, not FCV login): If a user chooses to fetch their schedule by logging into Flica/portal inside the app, those credentials are stored only on the device in the OS secure keystore (iOS Keychain / Android Keystore) and used to connect directly to the website over TLS. They are never sent to or stored on FCV servers and can be removed at any time in Settings. (Details in §10.)

2) Authorization & Tenant Isolation

Every authenticated request is authorized by tenant ID (tid) + user ID (oid) (and airline code).
No cross-tenant data mixing; per-airline logical isolation in code and data access patterns.

3) Hosting & Architecture

Production hosted on DigitalOcean (compute/managed db) with Cloudflare in front (CDN/WAF/DDoS).
Managed database, no direct DB exposure to the public internet.
Bastion-less access, admin consoles gated behind Cloudflare Zero Trust.
Cloudflare fronts all public endpoints (CDN/WAF/DDoS). Server and cloud firewalls restrict inbound traffic to required ports only; SSH is limited to a single VPN egress IP.

4) Encryption

TLS 1.2+ for data in transit.
Encryption at rest for databases, object storage, and backups via our cloud providers.

5) Network Security (public)

Cloudflare provides CDN, WAF, geo restrictions, and DDoS mitigation in front of our services.
Server and cloud firewalls restrict inbound traffic to required ports only, and request-level rate limiting is implemented at key endpoints.

6) Access Control (Internal)

Administrative and support consoles are not publicly reachable; they sit behind Cloudflare Zero Trust with SSO and least-privilege access. Admin access requires MFA; privileged actions are logged and reviewed.
Access is audited; contractors operate under NDA and limited scopes.

7) Application Security

Separate dev vs. prod environments.
Automated dependency scanning and update PRs for PHP and mobile app dependencies via GitHub Dependabot; high/critical advisories are prioritized and resolved before release.
Secrets stored as environment secrets/managed config (no client hard-coding).
All client > API calls require authenticated sessions.

8) Logging & Monitoring

We monitor application and API health with structured logs plus Sentry and Firebase Crashlytics. Error reports contain only what we need to diagnose issues (e.g., stack trace, timestamp, app/server release, environment, and limited metadata). We scrub sensitive fields (passwords, tokens, cookies, airline credentials) before anything is sent, and we do not capture full request bodies.
Vendor tools (Sentry/Crashlytics) receive only the pseudonymous internal ID; neither vendor can identify a user from it. We correlate incidents on our side with server logs, Entra sign-in logs (SSO), or Firebase Auth logs (non-SSO).

9) Backups & Disaster Recovery

Backups are for DR only (not used for analytics or routine processing).
Current cadence (mirrors our Privacy Policy): daily backups for 180 days, then monthly backups retained for an extended period and aged out/overwritten.
We perform disaster-recovery restore tests twice per year to a non-production environment.
On restore, we re-apply deletions as soon as practicable. RPO/RTO targets: available on request or as published when finalized.
Fixed retention caps can be implemented where required.

10) Schedule Sources & Credential Handling

Preferred path: We are moving toward SSO/API, ICS import, and device-calendar sync as airlines modernize access.

How users bring schedules into FCV today (user-chosen):
• Airline portal login (Flica/portal): Some crews choose to sign in to their airline portal inside the app to fetch their schedule. In this flow, credentials are used on the device and stored only in the device’s secure keystore (iOS Keychain / Android Keystore). They are not stored on FCV servers and are sent only to the airline’s site over TLS. You can remove them at any time in Settings.
• ICS file import: Users export an .ics file from their airline system and import it into FCV. No credentials are stored by FCV.
• Device calendar sync (e.g., company app > device calendar > FCV): FCV reads events from the device calendar the user has already synced. No airline credentials are stored by FCV.

Respect for network controls: If access moves inside an intranet/VPN, we do not attempt to bypass those controls. We guide users to ICS import or device-calendar sync, and we prefer SSO/API where available.

11) Data Retention & Deletion

Operational logs: 180 days online, may be archived thereafter.
Account & flight logs: retained while the account is active; removed from active systems within 30 days of request or account deletion.

Backups may still contain historic data until they age out; see Privacy Policy for the full language.

12) Third-Party Services (Sub-processors)

12.A) Core infrastructure & security

DigitalOcean

Purpose: App hosting & managed DB
Data: Account profile, schedule data, app API traffic
Notes: Network & service logs processed to operate/secure infra. DB not publicly exposed.

Cloudflare

Purpose: CDN, WAF/DDoS, DNS
Data: Encrypted traffic metadata (IP, headers, request timing), no app secrets
Notes: Global edge; used for performance and attack protection.

AWS

Purpose: Encrypted backup storage (DR only)
Data: Encrypted backup archives + storage metadata
Notes: Backups are at-rest encrypted and transferred over TLS; not used for routine processing.

12.B) Identity & authentication

Firebase Authentication / Identity Platform (Google)

Purpose: User auth (email/password, Apple, Google) & token issuance
Data: Email (for email sign-in), display name (if provided), photo (if provided), Firebase UID, auth tokens
Notes: Passwords are hashed & stored by Firebase. We also support OIDC SSO (see below).

Customer-controlled IdP (not our sub-processor):
When an airline enables Microsoft Entra (Azure AD) OIDC, the airline is the IdP/controller. We receive ID tokens/claims to authenticate the user; we do not control the airline’s IdP.

12.C) Analytics & error monitoring

Traceability (no PII in vendors): we tag incidents with an internal user ID in our logs for correlation; vendor tools get only pseudonymous IDs.

Firebase Analytics

Purpose: In-app analytics (stability/usage)
Data: Pseudonymous device/app data (e.g., model, OS, app version, events)
Notes: Used to improve reliability/UX; not used for ads.

Google Analytics (website)

Purpose: Website analytics
Data: Page views, device/browser metadata, IP (by Google)
Notes: Site only; not for in-app ads/retargeting.

Firebase Crashlytics

Purpose: Mobile crash reporting
Data: Stack traces, app version/OS, pseudonymous internal user ID, limited tags
Notes: No passwords/tokens. We avoid PII and scrub sensitive fields.

Sentry

Purpose: Server/API error monitoring
Data: Stack traces, request metadata (method/path/status), timestamps, limited tags, internal user ID
Notes: Sensitive fields (passwords, tokens, cookies, airline creds) are scrubbed before send. Typical retention ~90 days.

12.D) Support & internal operations

Freshdesk

Purpose: Customer support desk
Data: Emails/support content you send us; ticket metadata
Notes: We limit PII and delete/redact when no longer needed.

ClickUp

Purpose: PM / issue tracking
Data: Task descriptions, attachments, ops notes
Notes: We avoid customer PII; if included for troubleshooting, it’s removed/redacted on close.

Slack

Purpose: Internal communications
Data: Internal messages/files/metadata
Notes: We avoid customer PII in chat; any temporary snippets are removed when not needed.

Google Workspace

Purpose: Company email & docs
Data: Email content/attachments you send us
Notes: Used for business comms (support, security).

12.E) Developer tooling (no customer data stored)

Github

Purpose: Source control & CI/CD
Data: Repo metadata, build logs
Notes: We do not store customer data in repos/issues/build logs. GitHub Dependabot and security alerts are used to monitor and update third-party dependencies (no customer data is involved).

12.F In-app messaging (Crew Chat) and notifications

Stream (getstream.io)

Purpose: Real-time chat backend
Data: Message content you send in Crew Chat; your display name and profile photo for in-app display
Notes: Acts as our processor to deliver chat. No advertising/tracking on our behalf.

Firebase Cloud Messaging (FCM)

Purpose: Push notification delivery
Data: Device push token, delivery metadata (e.g., timestamps), and limited notification/data payloads (e.g., title/body or IDs for chat/ops alerts)
Notes: Used to deliver app notifications only. No passwords/tokens. FCM stores undelivered messages briefly until delivered or TTL expiry.

12.G) Payments & app stores

Apple App Store

Purpose: In-app purchases/subscriptions
Data: Transaction metadata handled by Apple
Notes: We don’t see/store card numbers. See Apple privacy policy.

Google Play Store

Purpose: In-app purchases/subscriptions
Data: Transaction metadata handled by Apple
Notes: We don’t see/store card numbers. See Google privacy policy.

12.H) External aviation & weather data (non-personal)

Server-to-server feeds that do not receive your personal data:

FlightAware (Firehose): real-time flight/airport data to enrich flight status. (Inbound only)
FAA (e.g., SWIM/SWIFT): ground delay programs, ground stops, EDCTs, ops notices.
NOAA: METAR/TAF weather observations/forecasts (public domain).
Vaisala Xweather: radar tiles/conditions/forecast. We proxy where feasible; if a tile is loaded directly from Xweather’s CDN, Xweather may see your IP/User-Agent solely to deliver that asset.

12.I) Notes on retention, regions, and transfers

Retention: Error telemetry is retained for a limited period (target ~180 days) and aged out. Backups follow our Backups & DR policy.
Regions: Our production deployment is currently US-based; some vendors operate globally (e.g., CDN edges).
EU/UK: We sign DPAs with sub-processors and rely on EU SCCs and the UK Addendum/IDTA where applicable.

12.J) Minimizing data in third-party tools

We configure vendors to avoid sensitive data:

Scrub passwords, tokens, cookies, and airline credentials from logs and error reports.
Use pseudonymous IDs (no real names/emails) in Crashlytics/Sentry.
Keep support/project tools free of customer data where possible; redact when used for troubleshooting.

13) Aviation & Weather Sources (informational use)

We display aviation and weather information from sources such as FAA SWIFT, FlightAware, NOAA, and Xweather to help crews stay informed. This content is informational only and not for operational decision-making; crews should verify with ATC and their airline’s dispatch/operations. See our Terms and Conditions for details.

14) Compliance & Transfers

We do not currently hold SOC 2/ISO certifications; we follow many aligned best practices and are maturing controls.
We can sign a DPA for enterprise onboarding.
For EU/UK users, we rely on SCCs or equivalent safeguards with vendors where applicable.
Independent security assessment / pentest available on request during enterprise onboarding.

15) Incident Response

We detect, triage, and remediate issues; we keep backups to restore service.
If a breach affects users, we notify impacted parties and, where required, regulators within applicable timelines.
We notify affected users via in-app and email; enterprise contacts receive an incident summary at their designated address.

16) Sensitive Events (Accident/Incident) Handling

When a serious aviation event is credibly reported, Flight Crew View activates a respectful, privacy-preserving response designed to reduce harm and misinformation.

What triggers action
- We act only on credible reports (official airline/authority statements or well-substantiated news). A designated owner reviews and authorizes any changes.
What may temporarily change in the app
- We use a tiered approach, narrowing scope as facts are confirmed:
  - Precautionary: Before the airline is publicly confirmed, temporarily hide all crew lists or friend schedules app-wide.
  - Airline-scoped: When the airline is confirmed, hide crew list and friend visibility for the affected airline.
  - Flight-scoped: When the flight number is confirmed, hide the crew list for the specific flight (and all inbound/outbound) and all friend schedules at that airline to avoid “confirmation by omission.”
  - Individual: After the crew is publicly released, restore all features system-wide, but remove the involved crew from crew lists on the remainder of their schedule.
- We post brief, respectful notices in-app when appropriate.
- These measures are temporary and do not delete friendships or user accounts; normal visibility is restored for non-affected users as official information is published.
- Friend/Family access will be disabled depending on tier. The app checks in with the FCV backend to update the schedule each time a friend/family opens the app. The server will clear the schedule if that crew is included within the scope.
What we don’t do
- We don’t confirm identities. Names are not disclosed by FCV.
- We don’t act on rumor or speculation. We only make changes after credible, verifiable sources.
- We don’t provide backdoor or real-time access to user data.
About timing & freshness:
- Breaking events are chaotic. FCV isn’t an official source, and some views can be stale. There can be a delay between an event, official confirmation, and our awareness. As soon as we have credible confirmation, we apply our tiered restrictions and post an in-app notice reminding crews that app information may be incomplete and to avoid drawing conclusions or making public statements based on what they see in the app.

Disclosures & law enforcement

We only disclose data under a valid legal basis (see our Privacy Policy “Requests from an employing airline / legal requests”). Overbroad or informal requests are declined.

Audit & review

All actions are logged. We conduct a post-incident review to improve safeguards and data freshness.

If you have questions about this process, contact security@flightcrewview.com

17) Logbook API & Third-Party Logbook Tools

FCV offers a Logbook API that lets pilots connect third-party logbook apps to their own FCV account.
Access is logbook-only: it is for importing, normalizing, and exporting a pilot’s own flight history. It is not for flight planning, dispatch, weather/NOTAM briefings, or any other operational decision-making.
Third-party apps must use our OAuth-style flow (no password or passkey capture) and can only access flights for the FCV account that authorized them.
Pilots can revoke a logbook app’s access at any time from within FCV, which invalidates its tokens.
Commercial logbook partners must comply with our Logbook API Access Policy (security controls, branding/non-affiliation, pricing transparency, and operational-use prohibition). We may suspend or revoke access if they don’t comply.
See our Logbook API Access Policy (tap here) for details.

18. Schedule Sharing (“Friends”) Feature

The Friends feature is an optional, user-controlled sharing mechanism between individual FCV users.
- A user must explicitly add a friend before any schedule information is shared. There is no automatic sharing with other users or airlines.
Users can:
- Temporarily suspend sharing (e.g., during medical leave or other periods when they do not want their schedule visible), and
- Configure sharing to exclude specific fields, such as layover hotels, totals, and crew lists.
Airline staff and third parties do not gain any additional access through Friends; it is solely peer-to-peer sharing between end users, governed by the user’s own choices.
These controls are enforced by the FCV backend; revoking or pausing sharing takes effect on the server, not just in the UI.

18) Vulnerability Disclosure (VDP)

See our Vulnerability Disclosure Policy (VDP) and security.txt
Report potential issues to security@flightcrewview.com.
Good-faith testing safe harbor, coordinated disclosure, no bounty at this time.

19) For Airline IT: SSO Onboarding

Protocol: Microsoft Entra OIDC (tenant-specific).
You provide: tenantId, clientId (and secret if confidential client); allow redirect https://<your-prod-auth-domain>/__/auth/handler.
We configure: issuer https://login.microsoftonline.com/<tenantId>/v2.0, scopes openid profile email offline_access.
Claims: We request email (or preferred_username) plus basic profile claims. We can adapt to your tenant’s claim availability.
Conditional Access (BYOD ask): Require MFA for our enterprise app; do not require compliant device / approved client.
Test setup: 1–2 test users (non-admin), app assignment, and tenant-wide admin consent (if applicable).
Lead time: typically < 1 business day once IDs are provided.
Timeline for SSO enablement: ≤ 1 business day after we receive the above, ending with a browser/app smoke test (sign-in succeeds and maps to the right tenant in FCV).
Deliverable: Users can sign in to FCV with your Entra ID. No schedule data connection is implied by SSO alone.
Rollback: Remove app assignment or revoke consent at any time.

20) For Airline IT: Data / Schedule Ingestion Onboarding

SSO authenticates the user; schedule data requires one of the following (chosen with the airline/user):

ICS import (user-exported from Flica): 1-3 days once the format is confirmed.
Device calendar sync (e.g., airline app > device calendar > FCV): 2-4 weeks for QA and user guidance.
API / direct integration: typically 2–4 weeks (depends on API docs, environments, scopes, and test data).

21) Customer Responsibilities (BYOD)

End users: Keep OS/app updated; enable device lock; report lost devices promptly.
Airlines: Enforce MFA via Conditional Access for the FCV enterprise app.
If a device is lost, Log Out All Devices from Settings > Flight Crew View account; we also revoke push tokens on logout/reinstall.

22) Roadmap / In Progress

Fixed backup-retention cap and lifecycle rules.
Documented RPO/RTO.
Key-rotation cadence and change tracking.
Status page (public uptime/incidents) under consideration.
Origin allowlisting to Cloudflare IP ranges and Authenticated Origin Pulls (mTLS); automated IP sync against Cloudflare’s published lists.

23) Contacts

Support: support@flightcrewview.com
- faq: help.flightcrewview.com
Security: security@flightcrewview.com
- (VDP & security.txt)
DPA / Enterprise: contact support or security to request our brief.

Change Log

2025-11-26: Added information about VDP, “Friends” schedule sharing, FCV Logbook API, Accident/Incident Handling, and how we handle Community airport & hotel info.

2025-11-22: Initial public version