Privacy Policy

Last updated: 16 March 2026

Aviat-Ed (“we”, “our”, or “us”) is committed to protecting your personal information. This Privacy Policy explains what data we collect, why we collect it, its legal basis, and your rights regarding that data. It applies to all users of the Aviat-Ed platform and is intended to comply with the EU General Data Protection Regulation (GDPR) and the Protection of Personal Information Act 4 of 2013 (POPIA) of South Africa.

1. Who We Are & Contact Details

Aviat-Ed is the responsible party / data controller for personal information collected through this platform.

Email: privacy@aviat-ed.com

Support: aviat-ed.com/support

Information Officer (POPIA): Lukas Stone, privacy@aviat-ed.com

2. Data We Collect

When you register and use Aviat-Ed, we collect the following information:

  • Account information — name, email address, password (hashed), and region.
  • Profile data — phone number, timezone, and selected aviation regulatory authority (e.g. EASA, FAA, SACAA).
  • Learning data — course enrolments, question attempts, test scores, module progress, and spaced-repetition memory models.
  • Subscription data — subscription tier, billing status, and Stripe customer/subscription identifiers.
  • Usage data — login timestamps, activity streaks, and last-active dates.
  • Technical data — IP address (used for rate-limiting and security logging only) and browser/device type.

Providing your name and email is mandatory to create an account. All other profile fields (phone, timezone, region) are voluntary and may be updated or removed at any time.

3. Legal Basis for Processing (GDPR Art. 6 / POPIA)

We process your personal data only where we have a lawful basis to do so:

Purpose | Legal Basis
Account creation & management | Performance of a contract (Art. 6(1)(b) GDPR / POPIA s.11(1)(a))
Delivering study sessions & tracking progress | Performance of a contract
Processing subscription payments | Performance of a contract
Issuing certificates of completion | Performance of a contract
Sending transactional emails (verification, password reset) | Performance of a contract
Security logging, rate-limiting, fraud prevention | Legitimate interest (Art. 6(1)(f) GDPR / POPIA s.11(1)(f))
Improving the platform via anonymised analytics | Legitimate interest
Complying with legal obligations | Legal obligation (Art. 6(1)(c) GDPR / POPIA s.11(1)(c))

We do not rely on consent as a legal basis for routine processing. If we ever introduce consent-based processing, you will have the right to withdraw that consent at any time without affecting the lawfulness of prior processing.

4. Automated Processing & Profiling

Aviat-Ed uses an adaptive learning algorithm (based on the OpenSkill / TrueSkill rating system and an Ebisu spaced-repetition model) to personalise the questions you are shown and to estimate your knowledge level across study modules.

This constitutes automated profiling under GDPR Art. 22 and POPIA. However, it does not produce legal effects or similarly significant effects on you — it solely affects the order and selection of practice questions within the platform. You may contact us to request human review of your computed ratings at any time.

5. Data Storage, Transfers & Retention

Your personal data is stored in Google Firebase / Firestore. Google operates infrastructure globally, including within the European Economic Area (EEA) and in South Africa. Where data is transferred outside the EEA or South Africa, Google relies on the European Commission's Standard Contractual Clauses (SCCs) as the transfer mechanism, in compliance with GDPR Chapter V and POPIA Section 72.

Your data does not leave Aviat-Ed for any commercial or marketing purpose. We do not sell, rent, or share your personal data with third parties, except:

  • Stripe — solely to process subscription payments (PCI-DSS compliant).
  • Legal authorities — where required by applicable law.

Your data is retained for as long as your account is active. Upon account deletion, personal data will be erased within 30 days, except where retention is required by law (e.g. financial records).

6. Payment Processing

Subscription payments are handled by Stripe. Aviat-Ed does not store full card details. Stripe processes and stores payment information in accordance with PCI-DSS standards. Only your Stripe customer ID and subscription status are stored in your Aviat-Ed account.

7. Cookies & Local Storage

We use authentication tokens (stored in secure cookies or local storage) solely to keep you logged in. We do not use advertising, tracking, or analytics cookies. No third-party tracking scripts are loaded on the platform.

8. Security

We implement industry-standard security measures including:

  • HTTPS encryption for all data in transit.
  • Firestore security rules restricting each user to their own data.
  • Rate limiting and brute-force protection on all authentication endpoints.
  • Hashed passwords managed by Firebase Authentication.

9. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

  • Access (GDPR Art. 15 / POPIA s.23) — request a copy of the personal data we hold about you.
  • Rectification (GDPR Art. 16 / POPIA s.24) — correct inaccurate or incomplete data.
  • Erasure (GDPR Art. 17 / POPIA s.24) — request deletion of your account and associated data.
  • Restriction (GDPR Art. 18) — request that we restrict processing of your data in certain circumstances.
  • Portability (GDPR Art. 20) — receive your data in a machine-readable format.
  • Objection (GDPR Art. 21 / POPIA s.11(3)) — object to processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without penalty.
  • Human review — request human review of any automated profiling decision.

To exercise any of these rights, contact us at privacy@aviat-ed.com. We will respond within 30 days (GDPR) / 30 days (POPIA).

10. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your relevant supervisory authority:

  • EU / EEA users (GDPR): Contact the data protection authority in your EU member state. A full list is available at edpb.europa.eu.
  • South African users (POPIA): Contact the Information Regulator of South Africa at inforeg.org.za or email inforeg@justice.gov.za.

We encourage you to contact us first so we can resolve any concerns directly.

11. Children's Privacy

Aviat-Ed is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with their data without appropriate consent, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For significant changes, we will notify you by email at least 14 days before the changes take effect. Continued use of the platform after that date constitutes acceptance of the updated policy.

13. Contact Us

For any questions, requests, or concerns regarding this Privacy Policy or your personal data:

Email: privacy@aviat-ed.com

Information Officer (POPIA): Lukas Stone, privacy@aviat-ed.com

Support: aviat-ed.com/support

© 2026 Aviat-Ed. All rights reserved.