Privacy Policy

Last Updated: 29/03/2026

1. Introduction and scope

At Pilotflows, a service provided by Tegi S.à r.l.-S. ("we", "our", or "us"), we are committed to protecting your privacy and personal data. This policy explains how we collect, use, disclose, and safeguard information when you use the Pilotflows website, web application, related APIs, and other services we offer (collectively, the "Services"), in compliance with the General Data Protection Regulation (GDPR), applicable Luxembourg data protection law, and other applicable laws.

If you use our Services through a mobile or desktop client that connects to the same platform, this policy applies to that use as well.

2. Controller / company information

Tegi S.à r.l.-S.
15, rue de la Syre
L-5377 Übersyren
Luxembourg
Email: [email protected]

3. Personal information we collect

We collect and process personal information that you provide or that relates to you, including:

  • Account information: name, email address, password (stored in encrypted form)
  • Profile information: profile picture, date of birth, gender, contact information
  • Professional information: certifications, pilot status, organization affiliations
  • Contact details: address, phone number, emergency contact information
  • Payment information: payment method details processed securely through our payment provider (we do not store full card numbers on our own servers)
  • Organization data: company details, VAT ID, organization size
  • Documents: certificates and other files you upload

4. Non-personal and technical information

When you use the Services, we automatically collect certain technical and usage information, such as IP address, browser type and version, device information, cookies and similar technologies, login times, feature usage, and preferences. We use this information to operate, secure, and improve the Services, to detect abuse, and to generate aggregated or statistical insights. Where this information does not reasonably identify you, we may treat it as non-personal information; where it can be linked to you, we treat it as personal data as described in this policy.

5. Use and processing of information

We use personal data for purposes including:

  • Providing and managing your account and our services
  • Processing and managing subscriptions and payments
  • Storing and managing your certificates and documents
  • Enabling two-factor authentication for account security
  • Sending service-related communications and updates
  • Managing organization memberships and permissions
  • Analyzing platform usage to improve our services
  • Ensuring platform security and preventing fraud
  • Complying with legal obligations

Legal bases (GDPR)

Where GDPR applies, we rely on one or more of the following legal bases:

  • Performance of a contract: processing necessary to provide the Services you request
  • Legal obligation: processing required to comply with applicable law
  • Legitimate interests: for example improving the Services, ensuring security, and operating our business, where not overridden by your rights
  • Consent: where you have given clear consent for specific processing (you may withdraw consent at any time where processing is based on consent)

6. Storage, retention, and international transfers

We implement technical and organizational measures to protect data, including encryption of data in transit and at rest, access controls and authentication mechanisms, two-factor authentication support where enabled, regular backups, and security monitoring. Infrastructure and related processing may be provided by third parties listed in section 7.

We retain your data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. After account deletion, we may retain certain information where required or permitted by law or for legitimate business purposes (for example fraud prevention or legal claims).

Your information may be processed in countries outside the EU/EEA. Where we transfer personal data to such countries, we use appropriate safeguards such as Standard Contractual Clauses or other mechanisms recognized under applicable data protection law.

7. Third-party service providers

We use trusted third-party services for specific functions:

  • Calendly: Scheduling and meeting booking
  • Hetzner: Server and infrastructure hosting
  • Amazon Web Services (AWS): Cloud infrastructure, object storage (e.g. S3), and related services
  • Stripe: Payment processing
  • Upstash: Managed Redis, caching, and rate limiting (as used in our stack)
  • MongoDB: Database hosting and data store
  • SendGrid: Transactional and service email delivery
  • Microsoft: Cloud identity, productivity, or related services (e.g. sign-in or integrations via Microsoft or Azure services) where applicable
  • Linear: Product and issue tracking, internal workflow

These providers are contractually bound to protect your data and use it only for specified purposes.

8. Information security

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, alteration, and disclosure. No method of transmission over the Internet or electronic storage is completely secure; you acknowledge that we cannot guarantee absolute security, and you use the Services at your own risk to that extent.

9. Data breach

If we become aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data, we will investigate, take reasonable steps to mitigate harm, and notify supervisory authorities and/or affected individuals where required by law or where we otherwise consider notification appropriate based on the risk to your rights and freedoms. We may cooperate with law enforcement and regulators as appropriate.

10. Your rights

Depending on your location and applicable law (including GDPR and applicable Luxembourg law where relevant), you may have the right to:

  • Access: obtain confirmation of whether we process your personal data and receive a copy in many cases
  • Rectification: request correction of inaccurate or incomplete data
  • Erasure: request deletion of your personal data, subject to legal exceptions
  • Restriction: request that we limit processing in certain circumstances
  • Data portability: receive your data in a structured, commonly used format where technically feasible
  • Object: object to processing based on legitimate interests (see also section 11)
  • Withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of processing before withdrawal
  • Lodge a complaint: with a data protection supervisory authority in your country or region

Where Luxembourg law applies, your rights under the GDPR are supplemented by national provisions. In Luxembourg, the supervisory authority is the Commission nationale pour la protection des données (CNPD); see the "Lodge a complaint" bullet above and section 12 for how to reach us.

11. Right to object

Where we process personal data based on legitimate interests, you may object to that processing on grounds relating to your particular situation. We will stop that processing unless we demonstrate compelling legitimate grounds that override your interests or rights, or the processing is needed for legal claims.

If we ever use your personal data for direct marketing, you may object to such processing at any time without providing a reason. Service emails about your account, security, or the Services are not considered marketing unless they promote third-party products or optional add-ons beyond core service communications.

12. How to exercise your rights

To exercise any of these rights, contact us at [email protected]. We will not charge a fee for fulfilling GDPR requests unless they are manifestly unfounded or excessive. We will respond within one month where GDPR applies, or as otherwise required by applicable law; that period may be extended by up to two further months for complex requests, in which case we will inform you of the extension.

13. Children's privacy

The Services are not directed at children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will take steps to delete such information where required by law.

14. Links to third-party websites and services

The Services may contain links to third-party websites, integrations, or services that we do not operate. This policy does not apply to those third parties. We encourage you to read their privacy policies before providing any information to them.

15. Changes to this policy

We may update this policy from time to time. We will post the updated policy on our website and, where changes are material, notify you through the Services or by email where appropriate. The "Last Updated" date at the top reflects the latest revision.

16. Acceptance

By accessing or using the Services, you acknowledge that you have read this policy. If you do not agree, you should not use the Services. Where we rely on consent, we will obtain it separately as required. Continued use of the Services after we post changes to this policy constitutes your acknowledgment of the updated policy, subject to your statutory rights and any additional agreements between us.

17. Contact us

For privacy-related inquiries or to exercise your rights, contact us at: [email protected]

Data Protection Officer
Tegi S.à r.l.-S.
15, rue de la Syre
L-5377 Übersyren
Luxembourg