GDPR Policy
Version 2.0
Last updated: February 2026
Introduction
This GDPR Policy defines how Cleared Aerospace SRL (Italy) ensures compliance with Regulation (EU) 2016/679 (GDPR) and applicable national data protection laws for users in the European Union.
This document establishes roles, responsibilities and procedures for personal data protection.
Processing Principles
Cleared strictly adheres to the six fundamental GDPR principles (Art. 5):
Lawfulness, Fairness and Transparency
Every processing operation has a documented legal basis. There is no deceptive or hidden processing.
Purpose Limitation
Data is collected for specified, explicit and legitimate purposes.
Data Minimization
Only data that is relevant and strictly necessary for the stated purposes is collected.
Accuracy
Data is accurate and kept up to date. Procedures are in place for timely rectification.
Storage Limitation
Data is kept only for as long as necessary for the purposes.
Integrity and Confidentiality
Appropriate technical and organizational measures are applied to protect the data.
Accountability
Cleared not only complies with the GDPR principles but can also demonstrate that compliance through:
- Records of processing activities (Art. 30)
- Documented policies and procedures
- Staff training records
- Consent registry with timestamps
- Data Processing Agreements with all processors
- Documented Data Protection Impact Assessments (DPIA)
- Periodic audit reports
- Breach register
Roles and Responsibilities
Data Controller
Cleared Aerospace SRL (Italy) acts as Data Controller for EU users with respect to:
- Directly collected data (visitors, CRM leads, employees)
- Data of Client Organization representatives
Data Processor
Cleared Aerospace SRL acts as Data Processor with respect to:
- End user data of Client Organizations (pilots, students, etc.)
Data Protection Officer (DPO)
The DPO is responsible for monitoring GDPR compliance, providing advice and cooperating with the Supervisory Authority.
DPO Contact: dpo@cleared.aero
Data Subject Rights
We handle Data Subject requests according to documented procedures:
| Right | GDPR Article | Response Time |
|---|---|---|
| Access | Art. 15 | 30 days |
| Rectification | Art. 16 | 30 days |
| Erasure | Art. 17 | 30 days |
| Restriction | Art. 18 | 30 days |
| Portability | Art. 20 | 30 days |
| Objection | Art. 21 | Immediate |
Handling Procedure
- Request receipt (confirmation within 24h)
- Data Subject identity verification
- Request execution
- Formal response within 30 days
Exceptions
Some rights may be limited when:
- Processing is necessary for legal obligations (e.g., aviation records)
- Required for establishment or defense of legal claims
- Necessary for public interest reasons (e.g., aviation safety)
- Data is on blockchain (immutable by design)
Consent Management
Consent collected by Cleared meets GDPR requirements:
Valid Consent Requirements
- Freely given: No prejudice if refused
- Specific: Separate consent for each distinct purpose
- Informed: Clear information before collection
- Unambiguous: Clear affirmative action (e.g., a checkbox that is not pre-ticked)
Withdrawal of Consent
Consent can be withdrawn at any time through account settings or by contacting us directly. Withdrawal does not affect the lawfulness of prior processing.
Privacy by Design and by Default
Cleared integrates data protection into every system from the design stage:
- Proactive, not reactive approach
- Privacy as the default setting
- Privacy embedded in design, not added later
- Full functionality without compromising privacy
- End-to-end security for the entire lifecycle
- Visibility and transparency of processes
- Respect for the user and Data Subject centricity
Data Protection Impact Assessment (DPIA)
We conduct DPIAs for processing that may present high risks to Data Subjects' rights and freedoms.
When Required
- Systematic evaluation of personal aspects (profiling)
- Large-scale processing of sensitive data
- Systematic monitoring of public areas
- Use of new technologies with high risks
DPIAs Conducted by Cleared
- Aviation medical certificate management
- Safety reports with personal data
- Blockchain for documents (immutability)
- Aircraft GPS tracking (if active)
Data Breach Management
In case of a personal data breach, we follow a rigorous procedure:
| Severity | Authority Notification | Data Subject Notification |
|---|---|---|
| Low (no risk) | No | No |
| Medium (risk) | Yes (within 72h) | No |
| High (high risk) | Yes (within 72h) | Yes (immediate) |
Handling Process
- Breach detection
- Severity assessment
- Containment and remediation
- Notification (if required)
- Documentation in Breach Register
- Post-incident review and improvements
Data Processor Management
Before entrusting processing to an external Processor, we verify security guarantees and GDPR compliance.
Data Processing Agreement (DPA)
Every Data Processor signs a DPA containing:
- Subject matter, duration, nature and purpose of processing
- Obligation to process only on documented instructions
- Confidentiality obligations for personnel
- Security measures (Art. 32 GDPR)
- Conditions for sub-processors
- Assistance to Controller for Data Subject rights and DPIA
- Return or deletion of data at termination
- Audit rights
Current Sub-Processors
| Provider | Service | Location |
|---|---|---|
| Amazon Web Services | Hosting | EU (Frankfurt) |
| Stripe Ireland | Payments | EU (Ireland) |
| Resend | | USA (SCCs) |
| Vercel | Frontend | USA (SCCs) |
International Transfers
Personal data may be transferred outside the EEA only with appropriate safeguards.
Safeguards Adopted
- Standard Contractual Clauses (SCCs): Implementing Decision (EU) 2021/914
- Supplementary Measures: End-to-end encryption, key control in EU
- Transfer Impact Assessment (TIA): Assessment of third country legislation
Training and Awareness
All staff receive data protection training:
- Initial training on joining (2h)
- Mandatory annual refresher (1h)
- Specialized training for IT, Development and Support
Contact
For questions about GDPR compliance:
Data Protection Officer: dpo@cleared.aero
Privacy Office: privacy@cleared.aero
GDPR Requests: gdpr@cleared.aero
Garante per la Protezione dei Dati Personali
www.garanteprivacy.it