Privacy Policy

Who we are

AviateOps is a US-based software company that provides operations software to flight schools. Throughout this policy, “AviateOps,” “we,” “us,” and “our” refer to AviateOps. “You” refers to the person reading this policy — a flight school owner or dispatcher who runs an AviateOps account, an instructor or student who uses an account that a school runs, or a visitor to our website.

For most of the data your school puts into AviateOps, AviateOps acts as a processor on behalf of the school, which is the controller. For data about you that we collect directly — for example, when you fill out a contact form on our website or email our support team — AviateOps is the controller.

What we collect

We collect five categories of information.

Account information.When you create an AviateOps account or are invited into one, we collect your name, email address, the role assigned to you by your school (owner, dispatcher, instructor, student, renter), and the authentication identifier issued by your sign-in provider — typically a Google account ID, since we use Google single sign-on by default.

Operational data. This is the day-to-day data your school runs on: aircraft tail numbers and configurations, schedules and bookings, Hobbs and tach readings, squawks and maintenance entries, instructor and student names, lesson notes, and audit-log entries that record who did what and when inside the product.

Billing information. When your school pays for AviateOps, payment is processed by Stripe. Stripe collects and stores your card or bank details directly. AviateOps stores only a Stripe customer identifier, the plan and seat count, invoice history, and the billing email and address. We do not see or store full card numbers.

Technical and analytics data. When you use the website or the product, we automatically log IP address, browser type and version, operating system, pages or endpoints visited, timestamps, and referring URL. We use this for security, debugging, and aggregate usage analytics. Aggregate analytics do not identify you individually.

Communications. When you email us, submit a contact form, or message support, we keep a copy of that communication along with your name and email address so we can answer you and so we have a record of the conversation.

How we use it

We use the information we collect to:

• Operate, maintain, and improve the AviateOps product.
• Authenticate users and protect the product against fraud, unauthorized access, and abuse.
• Send transactional email — sign-in links, booking confirmations, account notifications, billing receipts, and critical service alerts.
• Respond to your support requests and communicate with you about your account.
• Bill your school correctly and meet our tax and record-keeping obligations.
• Analyze aggregate usage patterns to understand which features are used and where the product needs work.

We do not sell your personal data. We do not share it with third-party advertisers. We do notuse your data, your school’s data, or your students’ data to train machine learning models.

Who we share it with

AviateOps relies on a small number of sub-processors to run the product. Each one is bound by a written agreement requiring confidentiality and appropriate security.

• Vercel— application hosting and content delivery (US).
• Neon— managed Postgres database (US region).
• Stripe— payment processing and card storage on our behalf.
• Resend— transactional email delivery (sign-in links, receipts, notifications).
• Cloudflare— web application firewall and DDoS protection in front of the product.
• Google— identity provider when you sign in with Google.

We may also disclose information in response to a valid subpoena, court order, or other lawful request, or where we believe in good faith that disclosure is necessary to protect our rights, property, or safety, or that of our customers or the public. Where we are legally allowed, we will notify the affected customer before producing data.

If AviateOps is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you in advance and give you the chance to delete your data first.

Where data is stored

AviateOps is operated from the United States. Our application servers run on Vercel in US regions, and our primary database runs on Neon in a US region. Email is sent through Resend, and traffic is fronted by Cloudflare. If you access AviateOps from outside the United States, your information will be transferred to and processed in the US. For transfers from the European Economic Area, the United Kingdom, and Switzerland, we rely on the Standard Contractual Clauses approved by the European Commission and, where applicable, the UK Addendum issued by the Information Commissioner’s Office.

How long we keep it

We keep personal data for as long as your account is active, and for the time we reasonably need it after that to:

• Meet US federal and state tax and accounting requirements (typically up to seven years for billing records).
• Support your school’s recordkeeping obligations, including FAA Part 141 records where applicable.
• Defend against legal claims (the relevant statute of limitations).

When your school closes its account, we delete personal data that falls outside these retention windows within 90 days. Backups are overwritten on a rolling schedule and aged out within that same period. Aggregate, fully anonymized data may be kept indefinitely.

Your rights

Regardless of where you live, you can ask us to access, correct, or delete personal data we hold about you, and you can export your school’s operational data as CSV from within the product at any time. To make a request, email hello@aviateops.com. We will respond within 30 days. If you are an instructor, student, or other end user of a school’s AviateOps account, please contact your school first — in most cases the school is the controller of your data and the right place to start.

If you are in the EEA, UK, or Switzerland

Under the GDPR and UK GDPR you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Erase your data, subject to our legal-retention obligations above.
• Restrict or object to processing we carry out on the basis of legitimate interests.
• Port your data to another provider in a machine-readable format.
• Withdraw consent for any processing that is based on consent (for example, marketing email).
• Lodge a complaint with your local supervisory authority.

Our legal bases for processing are: performance of a contract (to provide the service you signed up for), legitimate interests (security, fraud prevention, aggregate analytics), legal obligation (tax and lawful-process compliance), and consent (where you opt in to marketing).

If you are a California resident

Under the California Consumer Privacy Act and the California Privacy Rights Act you have the right to:

• Know what categories of personal information we collect and the purposes for which we use them — the “What we collect” and “How we use it” sections above provide that information.
• Request a copy of the personal information we hold about you.
• Request that we correct or delete it.
• Limit the use of sensitive personal information — we do not knowingly collect sensitive personal information beyond what is needed to operate the service.
• Opt out of the sale or sharing of personal information for cross-context behavioral advertising. AviateOps does not sell personal information and does not share it for cross-context behavioral advertising, so there is nothing to opt out of.
• Not be discriminated against for exercising any of these rights.

Cookies and tracking

AviateOps uses a small number of first-party cookies that are strictly necessary to operate the product:

• A session cookie that keeps you signed in after authentication.
• A CSRF token that protects state-changing requests from cross-site forgery.
• A small number of functional cookies that remember UI preferences such as your selected date filter.

We do not use third-party advertising cookies or cross-context behavioral tracking. We do not currently respond to “Do Not Track” browser signals because we do not perform the tracking those signals were designed to control.

Children

AviateOps is built for flight schools and their staff and students. Student pilots are commonly 16 or older, and most end users on the platform are adults. AviateOps is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13.

If your school enrolls a student under 13, the federal Children’s Online Privacy Protection Act (COPPA) applies. The school must obtain verifiable parental consent before adding that student’s information to AviateOps, and the school is responsible for keeping that consent on file. If you believe a child under 13 has provided personal information to AviateOps without parental consent, email hello@aviateops.com and we will delete it.

Security

We use administrative, technical, and physical safeguards designed to protect your information from unauthorized access, alteration, disclosure, and destruction — including encryption in transit and at rest, role-based access controls, audit logging, and a small set of vetted sub-processors. No system is perfectly secure, but we treat your data the way we would want ours treated. More detail lives on our Security page.

Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify account administrators by email at least 30 days before the changes take effect. Non-material changes will be reflected by updating the effective date at the top of this page. Continued use of AviateOps after a change takes effect means you accept the updated policy.

How to contact us

Questions about this policy, requests to exercise your rights, or anything else privacy-related:

Email hello@aviateops.com. We reply the same day — usually within the hour during US business hours.