
Privacy & GDPR Policy
How we collect, use, and protect your personal data. Last updated: 8 April 2026
01
Data Controller
AviatesAir (“we”, “our”, “the VA”) is the data controller for all personal information collected through this website and associated services. AviatesAir operates as a Virtual Airline Partner on the VATSIM network.
For data-related enquiries, contact us via the Support page.
02
Data We Collect
When you create an account or use our platform we may collect:
- Identity data: Full name or callsign alias
- Contact data: Email address
- Network data: VATSIM CID (if provided)
- Flight & operational data: Flight plans, PIREP logs, ACARS transmissions, origin/destination airports, aircraft type, flight durations
- Technical data: IP address, browser type, device information, and access logs collected automatically when you use the site
- Communications data: Messages sent via our support or contact forms
03
How We Use Your Data
- Create and manage your pilot account
- Issue and validate your ACARS authentication key
- Record and display flight logs and progression statistics
- Administer rank, award, and event systems
- Communicate service updates and important notices
- Submit required audit data to VATSIM in order to maintain our VA Partner status (see §5 below)
- Comply with applicable laws and VATSIM network policies
04
Legal Basis for Processing
We process your personal data on the following legal bases under GDPR Article 6:
- Consent (Art. 6(1)(a)): For non-essential data processing and marketing communications. You may withdraw consent at any time.
- Contract (Art. 6(1)(b)): Processing necessary to provide the virtual airline platform you have registered for.
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and operational analytics — provided these do not override your fundamental rights.
- Legal obligation (Art. 6(1)(c)): Where we must comply with applicable law or VATSIM network requirements.
06
Data Retention
We retain your personal data for as long as your account is active or as needed to provide our services. Specifically:
- Account data: Retained for the lifetime of your account. Deleted within 30 days of a verified account deletion request.
- Flight logs: Retained indefinitely as operational records unless you request deletion.
- Support communications: Retained for 12 months after resolution, then deleted.
- Technical/log data: Retained for up to 90 days for security purposes.
- VATSIM audit data: Permanently deleted by VATSIM upon completion of each audit cycle, per their stated policy.
07
Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your data (“right to be forgotten”), subject to legal retention obligations.
- Restriction: Request that we limit how we use your data in certain circumstances.
- Portability: Receive your data in a structured, machine-readable format and transfer it to another controller.
- Objection: Object to processing based on legitimate interests or for direct marketing purposes.
- Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
- Lodge a Complaint: Lodge a complaint with your national data protection authority if you believe your rights have been infringed.
To exercise any of these rights, please contact us via the Support page. We will respond within 30 days.
09
Security
All traffic between your browser and our servers is encrypted via HTTPS/TLS. We employ industry-standard security practices including hashed password storage, rate limiting, and access controls. However, no method of electronic transmission or storage is 100% secure — we cannot guarantee absolute security.
If you discover a security vulnerability, please report it responsibly through our Support page rather than disclosing it publicly.
10
Contact & Data Requests
For any privacy-related enquiries, data access requests, or to exercise your GDPR rights, please contact us through the Support page.
If you are not satisfied with our response, you have the right to lodge a complaint with your relevant supervisory authority. In the UK this is the Information Commissioner's Office (ICO) at ico.org.uk.