Legal

Privacy Policy

// Last updated: March 2026 · Applies to: flightleague.app & FlightLeague app

FlightLeague is a pre-launch product operated by a sole trader (see Section 01 for full details). This policy applies to our landing page, waitlist, and the future app. We are the data controller for all personal data described below. If something here is unclear, email us at hello@flightleague.app — we'll reply in plain English.

// Contents

01Who we are
02Data we collect
03Legal basis for processing
04How we use your data
05Third-party processors
06Data retention
07International transfers
08Your rights
09Exercising your rights
10Cookies & tracking
11Security
12Children
13Changes to this policy
14Contact & complaints

Who we are

FlightLeague is operated as a sole trader business, trading under the name FlightLeague. We operate the website at flightleague.app and the FlightLeague mobile application (coming soon). We are building a social aviation platform for pilots and aviation enthusiasts.

As a sole trader, there is no registered company number. The business is operated by a private individual based in the United Kingdom. In accordance with GDPR Article 13 and the ICO's guidance for sole traders, the full legal name of the data controller is withheld from public display but is available on request — please email hello@flightleague.app with the subject line "Data Controller Identity Request" and we will respond within 5 business days.

For the purposes of the UK GDPR and EU GDPR, FlightLeague is the data controller — meaning we determine why and how your personal data is processed. All enquiries relating to this policy should be directed to hello@flightleague.app.

Data we collect

Currently (waitlist phase)

Your email address — provided voluntarily when you sign up to the waitlist
Timestamp of your signup
Basic server logs (IP address, browser type) retained for up to 30 days for security purposes

When the app launches (anticipated)

Account information — name, profile photo, aviation experience level
Flight log data you choose to enter — routes, aircraft type, flight hours, airports
Social content — posts, comments, and reactions you create within the app
Usage data — features used, screens visited, session duration
Device information — device model, operating system version, app version, crash reports
Location data — only if you grant permission and only to the extent needed for flight-related features

We do not collect sensitive personal data (as defined under GDPR Article 9) such as health, racial or ethnic origin, political opinions, or biometric data. We will update this policy before the app launches with full detail on app-phase processing.

Legal basis for processing

Under GDPR Articles 6 and 9, we are required to identify a legal basis for each type of processing. The table below explains ours:

Storing your waitlist email address

Consent

You actively submit your email and agree to receive updates. You can withdraw this consent at any time by emailing us.

Sending a waitlist confirmation email

Consent

Triggered by the same act of signing up. This is a one-time transactional message.

Notifying you when FlightLeague launches

Consent

The purpose for which you joined the waitlist. You can withdraw consent at any time.

Security logging (IP, server logs)

Legitimate Interest

We have a legitimate interest in protecting our systems and users from abuse and fraud. Logs are retained for 30 days only.

App account & core features (post-launch)

Contract

Processing necessary to provide the service you sign up for. Without this we cannot operate your account.

Product improvement & analytics (post-launch)

Legitimate Interest

We have a legitimate interest in understanding how the app is used to improve it. You may opt out of analytics at any time in app settings.

How we use your data

We use the data we collect only for the purposes set out below. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

To send a one-time confirmation that you joined the waitlist
To notify you when FlightLeague launches and provide priority early access
To detect, prevent, and respond to fraudulent, abusive, or illegal activity
To comply with legal obligations we are subject to

We will never sell, rent, or trade your personal data to any third party for their own marketing or commercial purposes. If this ever changes, we will notify you and obtain fresh consent before doing so.

Third-party processors

We share limited personal data with the following third-party processors who act on our instructions and are bound by data processing agreements:

Supabase

We use Supabase (Supabase Inc.) to store waitlist data. Our database is hosted in the EU (Ireland region). Supabase is SOC 2 Type II certified. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Supabase Privacy Policy →

Resend

We use Resend (Resend Inc.) solely to deliver transactional emails (e.g. your waitlist confirmation). Your email address is transmitted to Resend only for this purpose and is not retained by Resend beyond delivery. Resend Privacy Policy →

Vercel

Our website is hosted on Vercel (Vercel Inc.). Vercel may process server-side request logs including IP addresses. These are subject to Vercel's own data retention policies. Vercel Privacy Policy →

We do not use any other third-party processors at this time. We will update this section before the app launches.

Data retention

We only keep your data for as long as necessary for the purpose it was collected:

Waitlist email addresses — retained until 12 months after the app's public launch, or until you ask us to delete your data, whichever comes first
Server and security logs — automatically deleted after 30 days
App account data (post-launch) — retained for the duration of your account, plus up to 90 days following deletion to allow for recovery and to comply with legal obligations

When retention periods expire, data is securely deleted or anonymised. You can request early deletion at any time — see Section 09.

International data transfers

Your data is primarily stored within the European Economic Area (EEA). However, some of our third-party processors (Supabase, Resend, Vercel) are US-based companies.

Where personal data is transferred outside the EEA or UK, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission
Transfers to processors who participate in recognised adequacy frameworks

You can request a copy of the relevant transfer safeguards by contacting us at hello@flightleague.app.

Your rights

Under the UK GDPR and EU GDPR, you have the following rights in relation to your personal data. These rights apply in most circumstances — we will always tell you clearly if a limitation applies.

Right of Access (Article 15)

You can request a copy of all personal data we hold about you, along with information about how we use it, who we share it with, and how long we keep it.

Right to Rectification (Article 16)

If any data we hold about you is inaccurate or incomplete, you can ask us to correct it. We will do so within one month.

Right to Erasure / "Right to be Forgotten" (Article 17)

You can ask us to delete your personal data. We will do so unless we are required to retain it by law or to defend a legal claim. Erasure requests are processed within 30 days.

Right to Restriction of Processing (Article 18)

In certain circumstances (e.g. if you contest the accuracy of data, or object to processing), you can ask us to pause processing while the matter is resolved.

Right to Data Portability (Article 20)

Where processing is based on your consent or a contract, you can request a machine-readable copy of your data (CSV or JSON) to transfer to another service.

Right to Object (Article 21)

You can object at any time to processing based on legitimate interests. You can also object to direct marketing at any time — we will stop immediately with no questions asked.

Right to Withdraw Consent (Article 7)

Where we process your data based on consent, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Rights Related to Automated Decision-Making (Article 22)

We do not currently use automated decision-making or profiling that produces significant effects on individuals. If we introduce this in future, we will update this policy and notify you.

Exercising your rights

To exercise any of the rights listed above:

Email us at hello@flightleague.app with the subject line "Privacy Request"
Tell us which right(s) you wish to exercise and what data the request relates to
We may ask you to verify your identity before processing the request

We will respond to all valid requests within one calendar month. In complex cases we may extend this by a further two months — we will inform you if this applies. There is no charge for making a request.

If you are unhappy with how we handle your request or your data, you have the right to lodge a complaint with your national data protection authority. In the UK this is the Information Commissioner's Office (ICO). In Ireland it is the Data Protection Commission (DPC). We encourage you to contact us first so we can try to resolve the issue directly.

Cookies & tracking

Our landing page at flightleague.app does not use cookies, local storage for tracking purposes, or any third-party analytics scripts. We do not use Google Analytics, Meta Pixel, Hotjar, or any similar tracking tools.

When the app launches, we may introduce essential cookies (required for login sessions) and optional analytics. We will implement a cookie consent mechanism compliant with UK GDPR and the Privacy and Electronic Communications Regulations (PECR) before doing so.

Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include:

Encryption at rest (AES-256) and in transit (TLS 1.2+) for all stored data
Access controls — only authorised personnel can access personal data
Row-level security policies on our database restricting direct data access
Regular review of third-party processor security practices

No system is completely secure. If you believe your data has been compromised, please contact us immediately at hello@flightleague.app. In the event of a data breach that poses a risk to your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.

Children

FlightLeague is not directed at children under the age of 13 (or under 16 in jurisdictions where that is the applicable age for consent under GDPR). We do not knowingly collect personal data from children.

If you are a parent or guardian and believe your child has submitted personal data to us without your consent, please email hello@flightleague.app and we will delete the data promptly.

Changes to this policy

We may update this policy as our product evolves or as the law changes. We will indicate the date of the most recent revision at the top of this page.

For significant changes — particularly those that affect how we use your data or your rights — we will notify waitlist members by email at least 14 days before the changes take effect, giving you the opportunity to withdraw consent if you wish.

Continued use of our services after changes take effect constitutes acceptance of the updated policy.

Contact & complaints

For any privacy-related questions, data requests, or complaints:

Email: hello@flightleague.app
Subject line: "Privacy Request" for data requests, "Privacy Complaint" for complaints
We aim to respond to all enquiries within 2 business days

If you are not satisfied with our response, you have the right to escalate your complaint to the relevant supervisory authority:

UK: Information Commissioner's Office (ICO) — ico.org.uk
EU/Ireland: Data Protection Commission (DPC) — dataprotection.ie
EU (other): Contact your local national data protection authority