Privacy Policy

Version 3.0

Last updated: February 2026

Table of Contents

  1. Data Controller
  2. Definitions
  3. Scope
  4. Personal Data Categories
  5. Purposes and Legal Bases
  6. Data Recipients
  7. International Transfers
  8. Data Retention
  9. Data Subject Rights
  10. Data Security
  11. Cookies
  12. Contact

1. Data Controller

For users in the European Union, the Data Controller for personal data processing is:

Data Controller (EU)
Cleared Aerospace SRL
Brescia, Italy
Email: privacy@cleared.aero

Platform Operator
Cleared Tech FZE
SRTI Park, Block B-42-139, Sharjah, UAE

Global Distributor
Cleared Aerospace DWC-LLC
Dubai South, UAE

Cleared Aerospace SRL (Italy) operates as:

  • Data Controller for EU user data collected directly (demo requests, accounts, CRM)
  • Data Processor pursuant to Art. 28 GDPR for Client Organization data

Data Protection Officer: dpo@cleared.aero

2. Definitions

Term | Definition
Platform | The Cleared Crew software, including web, mobile applications and APIs
Client Organization | Flight school, ATO, Flying Club or air operator using the Platform
End User | Pilot, student, instructor or other member of the Client Organization
Personal Data | Any information relating to an identified or identifiable natural person
CrewChain | Cleared's proprietary blockchain for document immutability

3. Scope

This Privacy Policy applies to the processing of personal data of:

  • Visitors to the cleared.aero website
  • Demo requesters who complete contact forms
  • Representatives of Client Organizations
  • End Users (pilots, students, instructors, staff)
  • Vendors and Business Partners

4. Personal Data Categories

4.1 Identification and Contact Data

Data | Description
Full Name | Personal identification
Date of Birth | Age and requirements verification
Tax ID | Tax identification
Email Address | Communications and access
Phone Number | Contact and notifications
Residential Address | Legal documentation

4.2 Professional Aviation Data

Data | Legal Basis
Flight License Number | EU Reg. 1178/2011
License Type (LAPL, PPL, CPL, ATPL) | EU Reg. 1178/2011
Ratings (SEP, MEP, IR, Night, FI) | EU Reg. 1178/2011
Flight Hours (total, PIC, Dual, Night, IFR) | EU Reg. 1178/2011

4.3 Health Data (Art. 9 GDPR)

Health data is processed exclusively to comply with European aviation regulations (EU Reg. 1178/2011) and is subject to enhanced security measures.

Data | Legal Basis
Medical Certificate Class (1, 2, LAPL) | Art. 9(2)(b)(g) GDPR
Certificate Expiry Date | Art. 9(2)(b)(g) GDPR
Medical Limitations | Art. 9(2)(b)(g) GDPR

4.4 Flight Operational Data

  • Bookings (dates, times, aircraft, routes)
  • Flight Logs (ATL - Aircraft Technical Log)
  • Safety Reports (safety occurrences)
  • Training Briefings and Debriefings

4.5 Financial Data

We process the following financial data:

  • Pilot Account Balance
  • Transaction History
  • Payment References (tokenized Stripe/PayPal IDs)

We never store complete credit card numbers.

4.6 Authentication Data

  • Password (never stored in plain text, Argon2id hash)
  • 2FA Token (TOTP, encrypted secret)
  • Active Sessions (JWT tokens with expiration)

4.7 Blockchain Data (CrewChain)

Blockchain data consists of cryptographic hashes (SHA-256), not plain text personal data. The hash cannot be reversed to obtain the original content without access to the source document.

5. Purposes and Legal Bases

Purpose | Legal Basis | GDPR Art.
Service delivery | Contract performance | Art. 6(1)(b)
Aviation regulatory compliance | Legal obligation | Art. 6(1)(c)
Health data processing | Legal obligation + Public interest | Art. 9(2)(b)(g)
Safety Management System | Legal obligation (EU Reg. 376/2014) | Art. 6(1)(c)
IT security | Legitimate interest | Art. 6(1)(f)
Direct marketing | Consent | Art. 6(1)(a)

6. Data Recipients

Personal data may be disclosed to the following categories of recipients:

  • Client Organization - Independent controller for its members' data
  • Amazon Web Services - Sub-processor for hosting (EU-Frankfurt)
  • Stripe Ireland - Sub-processor for payment processing
  • Aviation Authorities (CAA, EASA) - For mandatory regulatory compliance
  • Aviation Safety Authority - For mandatory safety reports (EU Reg. 376/2014)

Data is NOT sold, rented or shared with third parties for marketing, advertising profiling or any other commercial purpose.

7. International Transfers

Data is primarily stored within the European Union:

Data Type | Location | Provider
Primary database | EU (Frankfurt) | AWS
Backup | EU (Ireland) | AWS
Payments | EU (Ireland) | Stripe
Transactional emails | USA | Resend (SCCs)

For transfers to third countries (USA), we rely on Standard Contractual Clauses (SCCs), data encryption and a Transfer Impact Assessment (TIA).

8. Data Retention

Data Category | Period | Legal Basis
Account and profile data | Duration of relationship + 10 years | Tax obligations
Flight logs (ATL) | 5 years from aircraft deregistration | EU Reg. 1321/2014
ATO training documentation | 5 years from training completion | EU Reg. 1178/2011
Safety reports | Minimum 5 years | EU Reg. 376/2014
Access/security logs | 12 months | IT security
Blockchain hashes | Permanent (immutable) | Document integrity

9. Data Subject Rights

Under Articles 15-22 of the GDPR, Data Subjects have the following rights:

Right of Access (Art. 15)

Obtain confirmation of processing and a copy of personal data

Right to Rectification (Art. 16)

Correct inaccurate or incomplete data

Right to Erasure (Art. 17)

Request deletion of data ('right to be forgotten'), within legal limits

Right to Restriction (Art. 18)

Restrict processing in certain circumstances

Right to Data Portability (Art. 20)

Receive data in structured format (JSON/CSV) and transfer to another controller

Right to Object (Art. 21)

Object to processing based on legitimate interest

How to Exercise Your Rights

  • Via Platform: Settings > Privacy > GDPR Requests
  • Email: privacy@cleared.aero
  • PEC: cleared@pec.it

Response Time

We will respond within 30 days of the request (extendable by an additional 60 days in complex cases).

Complaint to Authority

You have the right to lodge a complaint with the Data Protection Authority:

Garante per la Protezione dei Dati Personali
Piazza Venezia 11 - 00187 Roma
Email: protocollo@gpdp.it
Web: www.garanteprivacy.it

10. Data Security

We implement appropriate technical and organizational measures pursuant to Art. 32 GDPR:

Technical Measures

  • Data encryption in transit (TLS 1.3) and at rest (AES-256)
  • Password hashing with Argon2id
  • Two-factor authentication (2FA) available
  • Daily encrypted backups
  • Continuous monitoring and access logging

Organizational Measures

  • Role-based access control (RBAC)
  • Complete audit log of operations
  • Staff security training
  • Periodic penetration testing

For more details, see our Security Policy.

11. Cookies

The Platform uses only:

  • Essential technical cookies - Necessary for operation (session, authentication)
  • Preference cookies - To store user settings (language, theme)

No profiling or third-party advertising cookies are used. See our Cookie Policy.

12. Contact

For any questions or requests regarding personal data processing:

General privacy inquiries: privacy@cleared.aero
Exercise of GDPR rights: gdpr@cleared.aero
Data Protection Officer: dpo@cleared.aero
PEC: cleared@pec.it

Cleared Technologies S.r.l.