Privacy Policy

AviationAlley is a B2B operations platform sold to flight training centers ("operators"). Operators control the data inside their workspace — trainee records, schedules, compliance items, work orders, invoices. We process that data on their behalf to make the product work. We do not sell it, share it with advertisers, or use it to train AI models.

From the operator and their staff (the people logging in):

• Account details: name, email, role assignment
• Authentication artifacts: hashed password, session tokens
• Activity logs: which records were viewed or edited, by whom, when (the audit trail)

From the operator's training center:

• Trainee records (pilot demographics, certificate/medical numbers, training history)
• Schedule data (bookings, simulators, instructors, classrooms)
• Compliance items, NSP evaluations, maintenance logs, work orders
• Inventory and vendor records
• Invoices and (when configured) wire-transfer references

From browsers + devices:

• Standard server logs: IP address, user agent, request paths, timing
• Strictly-necessary session cookie (required to keep you signed in)

We do not deploy analytics trackers, advertising pixels, or session-replay scripts on the operator workspace at /app/*. Public marketing pages may include privacy-preserving analytics (no cross-site tracking, no personal identifiers).

• To run the product — render schedules, track compliance, send the right invoice to the right account.
• To enforce tenant isolation — every record carries the center it belongs to, so cross-center leakage is impossible by design.
• To produce audit logs — required by FAA Part 142 §142.73 (records).
• To bill the operator for the subscription.
• To send transactional email (password reset, invite, weekly digest) when the operator's settings enable it.

• Staff at the operator's center — only the roles the operator grants. RBAC is enforced at the API layer.
• AviationAlley engineering — strictly to debug, restore data, or respond to support tickets. Access is logged and reviewed.
• Sub-processors (below). No one else.

We use the following processors. Each handles a narrow slice of operator data and is bound by data-processing terms:

• Vercel — application hosting
• Neon / managed Postgres provider — primary database
• Resend — transactional email
• Twilio — SMS reminders (when the operator has it configured)
• Stripe — payment processing (when the operator accepts card payments via Stripe Connect)
• Cloudflare R2 — file storage (logos, work-order attachments)
• Anthropic — AI brief generation (operator-opt-in; only the brief inputs are sent, never raw trainee PII)

Operator data is stored in the United States. Backups are retained for 30 days; production data is retained for the lifetime of the subscription plus 12 months after termination (for compliance evidentiary purposes). Operators can request earlier deletion of their workspace by emailing support@aviationalley.com.

• Export. Any operator can export trainee logbooks (ForeFlight CSV), invoices, and audit logs from the workspace at any time. REST API is also available via the Integrations panel.
• Delete. Operators can delete trainee records, bookings, and most other records from the workspace directly. Some compliance records are retained as required by FAA recordkeeping rules.
• Access logs. Every read + write to a record is captured in the audit trail and visible to OWNER/ADMIN roles.
• Time-limited auditor access. The operator can grant an FAA auditor access that auto-expires after 72 hours — no manual revocation needed.

See the dedicated Security & Trust page for the full posture (encryption in transit + at rest, tenant isolation, vulnerability disclosure, incident response).

The product is sold to commercial flight training centers. We do not knowingly collect data from anyone under 13. If you believe a child's data has been entered, contact us and we'll remove it.

If an operator outside the US uses the product, they understand the data is stored in the United States. We do not currently offer EU or UK data residency.

Depending on your jurisdiction (GDPR, CCPA, etc.), you may have rights to access, correct, port, or delete personal data we hold about you. To exercise them, email support@aviationalley.com. For employees of an operator, route the request through the operator first — the operator is the controller of that data and we act as their processor.

We'll update the "Last updated" date and notify operator admins by email when material changes are made. Continued use after a change constitutes acceptance.

Questions or concerns? support@aviationalley.com.