Editorial framework — pending lawyer review

This document is an editorial framework drafted for GA Flight's transparency needs. It must be reviewed and validated by a lawyer specialised in digital law before any commercial use. Values in square brackets [...] are to be completed by the editor after company registration.

Data controller

The data controller for personal data is GA Flight, whose contact details are listed in the legal notice. General contact: support@gaflight.com.

Data Protection Officer (DPO)

A Data Protection Officer is currently being appointed. For any request relating to your personal data, contact support@gaflight.com.

Data collected

We collect only the data strictly necessary for the purposes described below. No data is collected without your knowledge.

Data categories

  • Identity and contact: first name, last name, email address, role, organisation. Collected via forms (demo, contact, trial signup).
  • Account data: user identifier, hashed password (Argon2id, never stored in plain text), preferences, session tokens.
  • Aviation operational data: flight logs, ratings, medical validity dates, instruction hours. Entered by flight schools and their students within their operations.
  • Billing data: Stripe customer identifiers, invoices, payments, subscription status. Bank card details never transit through our servers (PCI DSS via Stripe).
  • Technical data: IP address (hashed for public logs), user agent, timestamps, request identifier. Used for security and abuse prevention.

Purposes and legal bases

Processing is based on one of the following GDPR article 6 legal bases.

  • Performance of contract: service provision, billing, support — basis: article 6.1.b.
  • Legitimate interest: service security, fraud prevention, internal statistics — basis: article 6.1.f.
  • Legal obligation: retention of accounting records, anti-money laundering — basis: article 6.1.c.
  • Consent: marketing communications, non-essential cookies — basis: article 6.1.a. You can withdraw your consent at any time.

Retention period

Data is retained only for the duration strictly necessary for the purpose.

  • Active account: for the entire subscription duration + 30 days after termination to allow data export.
  • Accounting and billing: 10 years from the close of the fiscal year (French Commercial Code article L123-22, French Tax Procedures Book article L102B).
  • Signed audit trail (Ed25519 audit chain): retained according to subscription tier (Foundation 30 days, Operations 365 days, Network 7 years). These logs do not contain personal data: they track actions on resources.
  • Technical logs: 90 days maximum for data containing non-hashed IP addresses.
  • Marketing prospecting: 3 years from the last contact.

Your rights (GDPR chapter III)

You have the following rights regarding your personal data. To exercise them, write to support@gaflight.com. A response is provided within a maximum of one month.

  • Right of access (article 15)
  • Right to rectification (article 16)
  • Right to erasure (article 17)
  • Right to restriction of processing (article 18)
  • Right to data portability (article 20)
  • Right to object (article 21)

You also have the right to lodge a complaint with the French data protection authority (CNIL): www.cnil.fr.

Sub-processors

GA Flight uses the following sub-processors. All are bound by Data Processing Agreements (DPAs) ensuring GDPR compliance. Transfers outside the EU are governed by the European Commission's standard contractual clauses (GDPR article 46).

  • Stripe Payments Europe Ltd. — payment processing (Ireland, EU). Data: customer identifiers, invoices, payments.
  • Resend — transactional email delivery (EU/US, standard contractual clauses). Data: email address, notification content.
  • Upstash — rate limiting (Redis, EU). Data: hashed IP addresses, request counters.
  • IONOS SARL — web hosting (France).
  • Sentry (Functional Software, Inc.): error monitoring (US, standard contractual clauses). Anti-PII configuration: passwords, tokens, and card numbers are filtered before transmission.

Transfers outside the EU

Data is hosted in the European Union (France and Ireland). Some technical sub-processors (Sentry, Resend depending on configuration) may process metadata in the United States. These transfers are governed by the standard contractual clauses adopted by the European Commission (decision 2021/914).

Security

Technical and organisational measures: TLS 1.3 in transit, AES-256 at rest for secrets, password hashing via Argon2id, strict multi-tenant isolation, cryptographically signed audit logging (Ed25519), systematic access token rotation, refresh token reuse detection.

For a full technical breakdown of our security engineering controls, see the Security Whitepaper.

Cookies

See the dedicated cookie policy.

Last updated: April 2026.