Privacy Policy
Privacy policy of Aviator Connect GmbH pursuant to the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
Table of Contents
1. Controller and Contact Information
The controller within the meaning of Art. 4(7) GDPR is:
Aviator Connect GmbH
[PLACEHOLDER] Street Address
[PLACEHOLDER] Postal Code, City, Germany
Commercial Register: [PLACEHOLDER] HRB Number, [PLACEHOLDER] Registration Court
Managing Director: [PLACEHOLDER]
Privacy Contact: privacy@aviator-connect.com
No Data Protection Officer (DPO) has been appointed at this time, as the conditions under Art. 37 GDPR / § 38 BDSG are not met. For all data protection inquiries, please contact us at the email address above.
2. Overview of Data Processing
Aviator Connect is a professional aviation recruitment platform that connects pilots with airlines. We process personal data exclusively for the purpose of operating this platform and facilitating the recruitment process between pilots and airlines.
All data processing occurs within Germany and the European Union. Our server infrastructure, object storage, and email services are all hosted by German providers (see Section 7). There are no international data transfers to countries outside the EU/EEA.
We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), the German Federal Data Protection Act (BDSG), and the German Telemedia Act (TTDSG).
3. Pilot Data Processing
When pilots register and use our platform, we process the following categories of personal data. The legal basis for all data listed below is Art. 6(1)(b) GDPR (performance of a contract), unless otherwise noted.
3.1 Registration Data
Collected during account creation for identity verification and platform access.
- First name, last name, email address
- Password (stored as a cryptographic hash only)
- Phone number
- Home base, nationalities
- Current role, desired roles, training roles
- Willingness to relocate and preferred relocation regions
3.2 Personal Profile Data
Provided voluntarily to complete the pilot profile.
- Date of birth
- Full address (street, city, state, postal code, country)
- Emergency contact (name, phone, relationship)
3.3 Professional Qualifications
Core professional data for recruitment matching.
- Pilot licenses (type, number, issuing authority, country, issue/expiry dates)
- Aircraft experience (type, total hours, PIC hours, last flown, last landing date)
- Simulator experience (type, hours, training center, session details)
- Instructor ratings and flight school affiliations
- Work experience (job title, company, location, dates, role description)
- Education (institution, degree, field of study, dates)
- Languages and proficiency levels
- Additional qualifications and certifications
3.4 Job Preferences
Used to match pilots with suitable airline opportunities.
- Desired roles, locations, and aircraft types
- Contract type preferences (e.g., permanent, contract)
- Salary expectations (minimum, maximum, currency)
- Availability date
- Notification frequency preferences
3.5 Documents and Files
Uploaded files are stored on Hetzner S3-compatible object storage in Germany.
- Profile photo
- CV / resume
- License documents and certificates
- Qualification documents
Accepted file types: PDF, JPEG, PNG, WebP. Maximum file size: 10 MB.
3.6 Privacy and Visibility Settings
Pilots control how their data is shared with airlines.
- Profile visibility (public, anonymized, or private)
- Contact information visibility
- Direct contact permission
- Experience data visibility
4. Airline Data Processing
When airlines register and use our platform, we process the following data based on Art. 6(1)(b) GDPR (performance of a contract):
- Company name, type, and description
- Headquarters location and website
- Contact person details (name, email, phone, HR contact)
- Fleet and operational information (fleet size, destinations)
- Subscription plan, billing cycle, and payment status
- Search and contact usage (remaining searches and contacts)
- Profile access requests sent to pilots
5. Special Categories of Data — Medical Certificates (Art. 9 GDPR)
Sensitive Personal Data
Medical certificates (Class 1 and Class 2 aviation medicals) constitute health data and are classified as a special category of personal data under Art. 9(1) GDPR. This data is subject to enhanced protections.
Legal Basis
We process medical certificate data exclusively on the basis of your explicit consent pursuant to Art. 9(2)(a) GDPR. You must provide separate, informed consent before uploading any medical certificate data. This consent is tracked and recorded with the following fields:
consent_given— whether consent was providedconsent_given_at— timestamp of consentconsent_version— version of the consent text agreed to
Data Processed
For medical certificates, we process:
- Medical type (Class 1, Class 2)
- Certificate number
- Issuing authority and country
- Issue date and expiry date
- Uploaded document files (stored on Hetzner S3 in Germany)
Automatic Deletion
Medical certificate data is subject to automatic deletion after 360 days from the date consent was given. This automated retention mechanism works as follows:
- At day 330 (30 days before deletion): you receive a warning email notifying you of the upcoming deletion
- At day 360: the medical data and all associated S3 documents are permanently deleted by an automated job
- You may renew consent before deletion to retain the data for another 360-day period
Withdrawal of Consent
You may withdraw your consent to medical data processing at any time. Upon withdrawal, your medical certificate data and associated documents stored on S3 will be deleted promptly. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
6. Legal Bases for Processing (Art. 6 & Art. 9 GDPR)
The following table summarizes the legal bases under which we process your personal data:
| Legal Basis | Processing Activities |
|---|---|
| Art. 6(1)(b) GDPR Contract performance | Account registration and management, pilot profile creation and maintenance, airline search and recruitment features, profile access requests, job matching, document storage |
| Art. 9(2)(a) GDPR Explicit consent | Processing of medical certificates (Class 1, Class 2 aviation medicals) — health data requiring separate explicit consent |
| Art. 6(1)(f) GDPR Legitimate interests | Platform security (CSRF protection, input validation), fraud prevention (disposable email blocking), server logging |
| Art. 6(1)(c) GDPR Legal obligation | Retention of billing and tax records pursuant to HGB §257 and AO §147 |
7. Recipients and Sub-Processors
All sub-processors are based in Germany. No personal data is transferred to countries outside the EU/EEA.
| Sub-Processor | Service | Location |
|---|---|---|
| NETCUP GmbH | Web hosting, server infrastructure | Germany |
| Hetzner Online GmbH | S3-compatible object storage (documents, images) | Germany |
| Strato AG | Transactional email delivery (SMTP) | Germany |
Other Recipients
Airlines may receive pilot profile data based on the pilot's visibility settings. Airlines can only view full profile details (including contact information) if the pilot has set their profile to "public" visibility or if the pilot has approved a specific profile access request from that airline. Anonymized profiles do not reveal identifying personal data.
8. Data Retention Periods
| Data Category | Retention Period | Basis |
|---|---|---|
| Active account data | Duration of active account | Art. 6(1)(b) — contract |
| Medical certificates | 360 days from consent date, then automatically deleted | Art. 9(2)(a) — explicit consent + automated retention job |
| Profile access requests | Until expiry date; status set to "expired" thereafter | Art. 6(1)(b) — contract |
| After account deletion | All personal data cascade-deleted (profile, licenses, medicals, documents, CVs, sessions, OTPs) | Art. 17 — right to erasure |
| Billing and tax records | 10 years after end of fiscal year | HGB §257, AO §147 |
| JWT authentication tokens | 7 days (cookie expiry) | Technical necessity |
| Email verification OTPs | 24 hours | Technical necessity |
| Search history (localStorage) | Until user clears; max 50 entries; client-side only | Functional |
| Server logs | [PLACEHOLDER] | Art. 6(1)(f) — legitimate interest |
10. Your Rights as a Data Subject
Under the GDPR, you have the following rights regarding your personal data:
Right of Access (Art. 15 GDPR)
You can request confirmation of whether we process your personal data and, if so, obtain a copy of that data along with information about the processing.
Right to Rectification (Art. 16 GDPR)
You can request the correction of inaccurate personal data or the completion of incomplete data.
Right to Erasure (Art. 17 GDPR)
You can request the deletion of your personal data. When you delete your account, all personal data is cascade-deleted, including your profile, licenses, medical certificates, documents, CVs, sessions, and OTPs.
Right to Restriction of Processing (Art. 18 GDPR)
You can request that we restrict processing of your data in certain circumstances, such as when you contest the accuracy of the data.
Right to Data Portability (Art. 20 GDPR)
You can request your personal data in a structured, commonly used, and machine-readable format for transfer to another controller.
Right to Object (Art. 21 GDPR)
You can object to processing based on legitimate interests (Art. 6(1)(f) GDPR). We will cease processing unless we demonstrate compelling legitimate grounds.
Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on consent (e.g., medical certificates), you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right to Lodge a Complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a supervisory authority. The competent supervisory authority is: [PLACEHOLDER — supervisory authority based on company registered address]
To exercise any of these rights, please contact us at privacy@aviator-connect.com. We will respond to your request within one month in accordance with Art. 12(3) GDPR. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests.
11. Data Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, pursuant to Art. 32 GDPR. The following measures are currently in place:
- Encryption in transit: All data is transmitted over TLS/HTTPS
- Password hashing: Passwords are never stored in plaintext; only cryptographic hashes are stored
- CSRF protection: Cross-site request forgery tokens on all state-changing requests
- JWT authentication: Stateless authentication with token expiry (7-day lifetime)
- File upload validation: Strict type whitelist (PDF, JPEG, PNG, WebP) with 10 MB size limit
- Disposable email blocking: Registration from known disposable email domains is rejected
- Input validation: Server-side and client-side validation using Zod schemas
- German infrastructure: All servers and storage are hosted in Germany by NETCUP, Hetzner, and Strato
12. Obligation to Provide Data
Registration data (name, email, password) is required for account creation. Without this data, you cannot use the platform.
Additional profile data (professional qualifications, work experience, job preferences, documents) is voluntary. However, providing this data improves your visibility to airlines and the quality of recruitment matching.
Medical certificate data is entirely voluntary and requires separate explicit consent. You are under no obligation to provide medical data, and declining to do so will not affect your ability to use other platform features.
13. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our data processing practices, legal requirements, or platform features. When we make material changes, we will notify you via email or through a prominent notice on the platform.
The effective date at the top of this policy indicates when it was last revised. We encourage you to review this policy periodically. Your continued use of the platform after changes have been communicated constitutes your acknowledgment of the updated policy.
Questions About Data Protection?
For any questions regarding this privacy policy or the processing of your personal data, please contact us.