DRAFT — pending review by qualified counsel. This document is a competent first draft compiled by the founder for engineering reference. It is NOT legally binding on any entity or its users until reviewed and approved by a licensed attorney with aviation/AEC experience.
Privacy Policy
Last updated: 2026-05-09
1. What We Collect
We collect the following categories of information:
Authentication Data
Email address, hashed password, authentication metadata — collected via Clerk auth provider.
User-Uploaded Content
PDF files, PNG images, JPEG images of building plans or site documents that you upload for analysis. These are stored in Cloudflare R2 object storage.
Project and Analysis Data
Building coordinates, dimensions, height, tower positions, runway configuration, computed analysis results (ray-cast data, obstruction flags), and generated reports — stored in a Supabase PostgreSQL database.
Payment Information
Payment method, billing address, transaction history — processed and stored by Stripe. We do not directly store credit card numbers.
Technical Data
IP address, user agent, browser type, referring URL, pages visited — collected for security, fraud prevention, and error monitoring purposes only. Not used for marketing or tracking beyond what is necessary for service operation.
2. How We Use Your Data
We use your data for the following purposes:
- Providing the Service (account authentication, project storage, analysis computation, report generation)
- Sending transactional emails (report ready, payment confirmation, account notifications)
- Fraud detection and prevention
- Debugging and error monitoring via Sentry
- Improving Service performance and reliability (aggregate metrics only, no personal data)
We do not sell, rent, or share your personal data with third parties for marketing purposes.
3. Data Processors and Sub-processors
We use the following third-party services to process and store your data on our behalf:
Clerk
Purpose: Authentication provider
Data: Email address, authentication credentials, user profile metadata
Supabase
Purpose: Relational database for projects, analyses, and credentials
Data: Stored projects, analysis results, user accounts, payment records
Cloudflare R2
Purpose: Object storage for uploaded files and generated reports
Data: PDF, PNG, JPEG files (building plans, generated PDF reports)
Stripe
Purpose: Payment processing and billing
Data: Payment method, billing address, transaction history (PCI-DSS compliant)
Resend
Purpose: Transactional email delivery
Data: Email address, transactional message content (e.g., report-ready notification)
Sentry
Purpose: Error monitoring and performance tracking
Data: Error stack traces, user agent, IP address (no personal data or uploaded files intentionally collected)
Plausible Analytics
Purpose: Privacy-friendly analytics for the marketing website
Data: Page views, referring site, general location (country-level only) — NO cookies, NO personal data per Plausible design
4. Data Retention
We retain data as follows:
- Uploaded plans and generated reports: 90 days from project creation date. After this period, files are automatically deleted from storage.
- Account data (email, profile): Retained for the duration of your account. After account cancellation or deletion, retained for 30 days, then deleted.
- Payment records: Retained per applicable tax, accounting, and financial regulations (typically 7 years for IRS compliance).
- Project metadata and analysis results: Retained until you delete the project or your account. Deleted accounts cascade-delete all associated data per database constraints.
- Technical logs (IP, user agent): Retained for 30 days for security and debugging purposes, then deleted.
5. Cookies and Local Storage
The Service uses the following client-side storage mechanisms:
- Clerk session cookie: Essential authentication cookie set by Clerk. Required for login and account access.
- Disclaimer dismissal flag: A local storage flag indicating whether you have dismissed the disclaimer banner. Used to prevent repeated display on the same device.
We do not use third-party tracking cookies or analytics cookies on the app domain. The marketing website uses Plausible Analytics, which is cookie-less and privacy-friendly.
6. Your Rights
Depending on your location, you have the following rights:
California Residents (CCPA)
Right to Know: You have the right to know what personal data we collect, use, and disclose.
Right to Delete: You have the right to request deletion of personal data we hold about you (subject to legal exceptions).
Right to Opt-Out: You have the right to opt out of the "sale" of personal data. We do not sell personal data, so this right does not currently apply.
Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.
EU Residents (GDPR)
Right of Access: You have the right to access your personal data and receive a copy in a portable format.
Right to Rectification: You have the right to correct inaccurate data.
Right to Erasure: You have the right to request deletion of your data ("right to be forgotten"), except where we have a legal obligation to retain it.
Right to Restrict Processing: You have the right to restrict how we use your data.
Right to Portability: You have the right to receive your data in a structured, machine-readable format.
Right to Object: You have the right to object to processing of your data for certain purposes.
To exercise any of these rights, submit a Data Subject Access Request (DSAR) to: schnkyl@gmail.com. We will respond within 30 days of receipt.
7. International Data Transfers
Your data may be stored, accessed, and processed in the United States. If you are located in the European Union or another jurisdiction outside the US, your data may be transferred across national borders.
For EU users: Where required by GDPR, we implement Standard Contractual Clauses (SCCs) or other appropriate safeguards as defined by the European Commission to ensure adequate levels of protection for international data transfers.
8. Children's Privacy
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor without parental consent, we will delete such data immediately. Parents or guardians who believe their minor's data has been collected should contact us immediately at schnkyl@gmail.com.
9. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. We will post the revised policy here and update the "Last updated" date.
Material changes will be communicated to you via email at least 30 days prior to taking effect. Your continued use of the Service constitutes acceptance of the revised policy.
10. Contact Us
For questions about this Privacy Policy or to submit a Data Subject Access Request, please contact:
Email: schnkyl@gmail.com
Mailing Address: [TBD — see BUILD_LOG.md]