This processing is needed to provide the FlightLeague service you request.
Legal
Privacy Policy
Last updated: 19 June 2026. Applies to flightleague.app and the FlightLeague mobile application.
Our privacy promises
We never sell your data
Your flight and profile data is never sold or shared for anyone else's marketing.
No ads or tracking
We don't run third-party ads or behavioural ad-trackers in the app or on the site.
You control what's public
Every flight and post has a visibility setting — keep it private or choose to share it.
Delete anytime
Remove your account and personal data from the app whenever you want.
Encrypted & secured
Data is encrypted in transit and protected with database row-level security.
Delivered DMs are end-to-end encrypted
Allowed direct messages are encrypted on your device before delivery. Blocked drafts and messages voluntarily submitted in a report are handled separately for safety review, as explained below.
AI is optional
AI features are opt-in, and flight-timing estimates use no data that identifies you.
1. Who We Are
FlightLeague is a mobile app and website for pilots, student pilots, travellers, and aviation enthusiasts to log flights and trips, build a profile, view route maps, study, track currency and airline loyalty, and access Pro features.
For UK GDPR and EU GDPR purposes, FlightLeague is the controller for personal data processed through our services unless a separate notice says otherwise. Our public privacy contact is hello@flightleague.app.
2. Scope
This policy covers personal data processed when you visit flightleague.app, create or use a FlightLeague account, use the mobile app, contact us, subscribe to paid features, upload photos or logbook scans, interact with other users, or use AI-assisted features.
It does not cover third-party websites, app stores, payment checkout pages, or services you access outside FlightLeague. Those third parties are responsible for their own privacy notices.
3. Data We Collect
Account and profile data
- Email address, authentication identifiers, login provider, and verification status.
- Name, display name, profile photo, bio, home airport, aviation experience, licence or traveller mode, favourite airline, social handles, and friend code where you provide them.
- Airline loyalty or frequent-flyer programmes you add, including airline, programme name, membership number, status tier, and any notes you record.
- Account settings, privacy preferences, blocked users, reports, and support messages.
Flight, trip, and social data
- Flights or trips you log, including airports, routes, dates, aircraft, airline, seat, duration, distance, notes, photos, currency or recency entries, and other fields you choose to add.
- Bucket-list or wishlist destinations and airports you save.
- Visibility choices such as public or private logging.
- Friend connections, comments, reactions, leaderboard participation, badges, challenges, and activity notifications.
Direct messages (end-to-end encrypted)
- Direct messages are only available between mutual friends. An allowed message is encrypted using your private key and the recipient's public key before it is delivered (NaCl box — X25519 key exchange with XSalsa20-Poly1305 authenticated encryption). The messaging service receives and stores only ciphertext and a random nonce for delivered messages, so FlightLeague cannot ordinarily read their content.
- Photos and voice notes sent in DMs are compressed and encrypted on-device before upload. The files stored on our media CDN are opaque ciphertext; we cannot view or listen to them.
- Your encryption public key is stored in your profile so friends can encrypt messages to you asynchronously. Your private key is stored only on your device (in the OS secure enclave — Keychain on iOS, Keystore on Android). It never leaves your device unencrypted.
- A recovery code is generated when you first enable DMs. Your private key is wrapped under a key derived from that code (scrypt) and the encrypted blob is stored server-side so you can restore your messaging identity on a new device. The recovery code itself is never sent to or stored by FlightLeague's servers. On iOS the recovery code is also backed up to your private Apple iCloud Key-Value Store for silent restore across your Apple devices.
- If you reset your messaging identity, a new keypair is generated. Messages encrypted to the old key cannot be recovered.
- Before delivery, DM text is checked on your device by FlightLeague's local safety system for risks such as pressure, secrecy, grooming, age-boundary concerns, unsafe meetings, scams, threats, harassment, and attempts to exchange sensitive personal or off-platform contact information. This check does not send the conversation to Groq, Gemini, or another external AI provider. The safety system can make mistakes and our messaging rules are intentionally strict to help protect both participants.
- If the on-device system blocks a draft, it is not delivered and is not added to the end-to-end encrypted conversation. Instead, an unencrypted plaintext copy of that blocked draft is sent immediately to FlightLeague's restricted moderation queue, together with the sender, intended recipient, thread identifier, detected risk categories and scores, model version, timestamp, and any explanation the sender chooses to add. Authorised moderators can read this copy and may dismiss the case, warn the account, restrict messaging, suspend the account, or take other proportionate action.
- If a participant reports a delivered DM, their device may voluntarily upload the reported message and a limited number of preceding messages in plaintext as moderation evidence. Reported evidence is no longer protected from FlightLeague by end-to-end encryption and can be read by authorised moderators. Messages that are neither blocked nor reported remain end-to-end encrypted.
Training, quiz, study, import, export, and AI data
- Lesson progress, quiz answers, XP, generated quiz content, FAA library and handbook study activity, analytics prompts, and training interactions.
- Flashcard decks, study sets, and spaced-repetition study data you generate or save.
- Logbook scan images and extracted flight details when you choose to use AI scanning.
- Flight or logbook data you import, including files you upload and the records extracted from them.
- Profile text you submit, such as names, bio, social handles, and flight notes, which is screened on-device for safety and policy compliance before being saved or shown to others. This check runs locally and the content is not sent to any external AI provider for this purpose.
- Plain CSV, signed CSV, signed PDF, and share-card data generated from your flight records.
- Export verification data, such as verification links, file fingerprints, and certificate metadata, when you choose a signed export. Public verification pages never reveal your signature image.
Subscription and payment data
- Subscription tier, status, expiry, Stripe customer ID, Stripe subscription ID, purchase events, and billing metadata needed to provide Pro features.
- We do not store full card numbers or bank details. Payment details are handled by the payment provider.
Device, technical, and website data
- Device model, operating system, app version, push notification token if you enable notifications, IP address, request logs, security logs, and diagnostic information.
- Local app cache and session data stored on your device to keep the app responsive and maintain login state.
- Approximate or precise location only if a feature requests it and you grant permission. Flight routes created from airport entries are not the same as live device location tracking.
4. How We Use Data
- To create accounts, authenticate users, and keep sessions secure.
- To provide the app's core features, including flight and trip logging, route maps, dashboards, leaderboards, the social feed, currency and loyalty tracking, study tools, imports and exports, notifications, and Pro features.
- To relay encrypted DM ciphertext between friends and to store the encrypted key-backup blob that lets you restore your messaging identity on a new device. We cannot read delivered DM content unless a participant reports it and chooses to share evidence.
- To run on-device DM safety checks, block messages that may breach our messaging rules, submit blocked drafts unencrypted to our restricted moderation queue, review safety cases and participant comments, investigate misuse, and warn, restrict, suspend, or ban accounts where appropriate.
- To screen submitted text such as names, handles, bios, and notes for safety, spam, and policy compliance using on-device checks that do not send this content to external AI providers.
- To process account deletion, privacy requests, support requests, abuse reports, and service notices.
- To detect, prevent, and investigate fraud, security incidents, misuse, spam, scraping, and policy violations.
- To maintain, debug, measure, and improve the service.
- To comply with legal obligations and enforce our terms.
We do not sell your personal data. We do not use your personal data for third-party advertising. We do not make automated decisions that produce legal or similarly significant effects about you.
5. Legal Bases
Under UK GDPR and EU GDPR, we need a lawful basis for each type of processing. The main bases we rely on are:
The basis depends on the feature. You can remove optional content or withdraw permissions where available.
We process this data to protect FlightLeague, users, and the public, balanced against your rights.
Some records must be kept or handled because law, regulators, payment disputes, or courts require it.
We use limited operational data to maintain and improve the service, without selling personal data or using it for third-party advertising.
7. AI Features
Many AI-assisted features are optional. If you use them, the input you provide, such as a logbook photo, flight details, loyalty details, or a study or quiz request, may be sent to an AI provider so the feature can generate an extraction, explanation, quiz, flashcard set, timing assessment, or analytics response.
Screening of certain text you submit, such as your name, social handle, and bio, for safety, spam, and policy compliance is performed on-device before content is saved or shown to others. This processing does not leave your device and is not sent to any external AI provider.
DM safety classification also runs on-device and is not sent to Groq, Gemini, or another external AI provider. However, if that local classifier blocks a DM draft, the blocked plaintext and associated safety information are sent to FlightLeague's own restricted moderation queue as described in section 8. The classifier can produce false positives, and users can add an explanation for moderators.
Flight timing estimates are always calculated using AI, even if you have turned AI features off. When you log a flight, only the flight's technical details, such as the departure and arrival airports, aircraft type, airline, flight number, route distance, and duration, are sent to the AI provider so it can estimate the expected duration and whether the flight was early, on time, or late. No personal data that identifies you, such as your name, email address, or profile, is sent as part of this calculation.
You are responsible for checking AI output before relying on it. Do not upload content that is highly sensitive, confidential, unlawful, or unrelated to the feature. AI output is not aviation, safety, legal, medical, tax, or professional advice.
8. End-to-End Encrypted Direct Messages
FlightLeague's direct messaging feature uses end-to-end encryption for messages that pass the on-device safety check and are delivered. There are two clearly defined exceptions: drafts blocked before delivery are submitted unencrypted to FlightLeague for safety review, and a participant can voluntarily share delivered messages as plaintext evidence when making a report.
How it works
- Your keypair. When you enable DMs, a unique encryption keypair is generated on your device using NaCl (tweetnacl). Your private key is stored in your device's secure enclave (iOS Keychain or Android Keystore) and never leaves your device in plaintext. Your public key is published to your FlightLeague profile so friends can encrypt messages to you.
- Message encryption. Every allowed message — including text, photos, and voice notes — is encrypted on your device before delivery. The encryption uses X25519 Diffie-Hellman key exchange combined with XSalsa20-Poly1305 authenticated encryption (the NaCl
boxconstruction). For delivered messages, the messaging server receives and stores only ciphertext and a nonce. FlightLeague has no ability to decrypt that content unless a participant later reports and shares it as evidence. - Media attachments. Photos are compressed on-device before encryption. Voice notes are encrypted as recorded. The ciphertext files are uploaded to our media CDN (Cloudflare R2). The CDN stores opaque encrypted bytes with no knowledge of their content.
- Recovery code. Your private key is wrapped under a key derived from a one-time recovery code (scrypt KDF) and the encrypted blob is stored on our servers. If you move to a new device, entering your recovery code re-derives the wrapping key and recovers your messaging identity. The recovery code itself is never transmitted to or stored on our servers.
- iCloud backup (iOS only). On iOS, your recovery code is optionally backed up to Apple's iCloud Key-Value Store. This lets a new iPhone restore your messaging identity silently without you needing to type the code. The iCloud copy is protected by your Apple account. This is a convenience feature — keeping your own copy of the recovery code remains your responsibility.
- Friend-gating. DMs are only available between mutual friends. You cannot receive DMs from strangers.
- On-device safety check. Before a text DM is delivered, a lightweight local model and deterministic safety rules assess the draft and recent conversation context on the sender's device. The check is designed to identify risks including grooming, age misrepresentation or boundary testing, sexual pressure, coercion, secrecy, unsafe meetings, blackmail, violence, hate, harassment, scams, self-harm encouragement, sensitive personal data, and attempts to move conversations off-platform. It can make mistakes, including false positives.
- Blocked drafts. A draft blocked by the safety system is never delivered to the intended recipient and never enters the encrypted conversation. An unencrypted plaintext copy is sent immediately to an admin-only moderation queue with relevant account, thread, time, model, score, and risk-category information. The warning shown in the app explains that the moderation copy is not end-to-end encrypted. The sender can add a comment to provide context or explain why they believe the system made a mistake.
- Reports and moderation evidence. A participant can report a delivered message. When they do, their device can upload the selected message and limited preceding context in plaintext to an admin-only evidence store. Authorised moderators can read blocked drafts, sender comments, and voluntarily reported evidence, and may take proportionate action. Other delivered messages remain encrypted and inaccessible to FlightLeague.
- Identity reset. You can reset your messaging identity at any time, which generates a new keypair. Messages encrypted to the old key cannot be decrypted after a reset.
The legal basis for processing DM delivery metadata (sender, recipient, timestamp, ciphertext, and the encrypted key-backup blob) is contract — it is necessary to deliver the messaging service you request. The legal basis for the on-device safety check, blocked-draft moderation queue, reported evidence, investigation, and account enforcement is our legitimate interest in protecting users, preventing abuse, enforcing our rules, and maintaining a safe service. Where applicable, we balance that interest against users' privacy rights and provide a way to add context or challenge a mistaken block.
9. Retention
- Account and profile data is kept while your account exists.
- Flight, trip, photo, comment, reaction, friend, loyalty, bucket-list, training, quiz, and study data is kept while your account exists unless you delete it earlier or change visibility where available.
- Direct message ciphertext, nonces, and encrypted media are kept while your account exists or until you delete individual conversations. Encrypted key-backup blobs are kept while your account exists so you can restore your messaging identity on a new device. Because messages are end-to-end encrypted, deleting a conversation removes it from the server; the other participant's copy on their device is not affected.
- Unencrypted blocked DM drafts, safety scores and labels, sender comments, and participant-reported plaintext evidence are retained only for as long as reasonably necessary to review the case, enforce our rules, protect users, handle appeals or disputes, meet safeguarding and legal obligations, and establish or defend legal claims. Access is restricted to authorised moderators and service administrators.
- Deleted accounts are removed from active systems as soon as reasonably practical. Backups and security logs may persist for a limited period before automatic expiry.
- Payment, invoice, dispute, tax, and legal records may be kept for the period required by law or needed to resolve claims.
- Security and server logs are kept only as long as needed for security, debugging, abuse prevention, and legal protection.
Where we no longer need identifiable data, we delete it or anonymise it.
10. Your Rights
Depending on your location and the circumstances, you may have the following rights over your personal data:
You can request a copy of personal data we hold about you and information about how we use it.
You can ask us to correct inaccurate or incomplete personal data.
You can ask us to delete personal data where we no longer need it or where another legal ground applies.
You can ask us to pause certain processing while a concern is reviewed.
You can object to processing based on legitimate interests, including certain analytics or improvement uses.
You can request a portable copy of data you provided where the right applies.
You can withdraw consent for optional features where consent is the legal basis.
You can contact the ICO in the UK or your local data protection authority in the EU or EEA.
To exercise your rights, email hello@flightleague.app with the subject "Privacy Request". We may need to verify your identity before acting on the request. We aim to respond within one calendar month unless the request is complex or an extension is legally permitted.
You can also delete your account from the app settings where available. Some data may need to be retained where required for legal, security, payment, or dispute reasons.
If you are in the UK, you can complain to the Information Commissioner's Office. If you are in the EU or EEA, you can contact your local data protection authority.
11. Security
We use technical and organisational measures designed to protect personal data, including authenticated access, database row-level security, encrypted transport, provider access controls, and limited administrative access.
Delivered direct messages are end-to-end encrypted using NaCl box (X25519 + XSalsa20-Poly1305). Your private key is held only on your device and is never transmitted to our servers in plaintext. The messaging service stores ciphertext for delivered messages. This protection does not apply to a draft blocked and submitted unencrypted for moderation, or to delivered messages a participant voluntarily reports and shares as plaintext evidence.
No online service is completely secure. If you believe your account or data has been compromised, contact us immediately at hello@flightleague.app.
12. Children
FlightLeague is not directed to children under 13. Users under 18 should use the service only with permission from a parent or guardian. We apply stricter contact-information and safety controls to help protect younger users in DMs. These controls can make mistakes, and blocked drafts may be reviewed by authorised moderators as described above. If you believe a child has provided personal data without appropriate permission, email us and we will take appropriate action.
13. Changes
We may update this policy as FlightLeague changes or legal requirements evolve. We will update the date above and, for material changes, provide reasonable notice where required.
14. Contact
Privacy contact: hello@flightleague.app
Operator: FlightLeague, operated by a UK-based sole trader. Formal legal identity and an appropriate service address are available on request where there is a legitimate legal need.
Please include enough detail for us to identify your account or request, but do not send unnecessary sensitive information.