VIPTRACKS — PRIVACY POLICY
Last updated: May 10, 2025
Effective date: May 10, 2025
This Privacy Policy explains how [YOUR COMPANY NAME] ("Company", "we", "us")
collects, uses, and protects information when you use VIPTracks
("Service"). It applies to all users including Free, Pro, Intelligence,
and Enterprise subscribers.
We are committed to being transparent. This document is written in plain
English, not legal boilerplate.
─────────────────────────────────────────────────────────────────
1. TWO TYPES OF DATA WE HANDLE
─────────────────────────────────────────────────────────────────
We handle two very different categories of data, and it's important to
distinguish them:
TYPE A — YOUR PERSONAL DATA
Information about you as a user: your name, email, billing details,
usage patterns. This is subject to standard privacy law protections.
TYPE B — PUBLICLY BROADCAST TRANSPONDER DATA
Positions, flight paths, and voyage logs of aircraft and vessels,
derived from ADS-B and AIS radio signals. This is not personal data
about our users. It is public information about third-party assets.
Different rules apply. See Section 7.
─────────────────────────────────────────────────────────────────
2. INFORMATION WE COLLECT ABOUT YOU (TYPE A)
─────────────────────────────────────────────────────────────────
2.1 Information you provide:
- Name and email address (account registration)
- Payment information (processed by Stripe; we store only the last
  4 digits, card type, and expiry date — never the full card number)
- Communications you send us (support emails, feedback)
- Alert preferences and watchlist settings
2.2 Information we collect automatically:
- IP address and approximate location (city-level)
- Browser type, device type, operating system
- Pages visited, features used, time spent
- API call logs (endpoint, timestamp, response code)
- Cookies and similar tracking technologies (see Section 6)
2.3 Information from third parties:
- If you sign in via Google or Apple, we receive your name and
  email from that provider
- Payment status and dispute information from Stripe
─────────────────────────────────────────────────────────────────
3. HOW WE USE YOUR INFORMATION
─────────────────────────────────────────────────────────────────
We use your personal data to:
a) Provide and maintain the Service
b) Process payments and manage your subscription
c) Send transactional emails (receipts, password resets, alerts you configure)
d) Send product updates and feature announcements (you can opt out)
e) Respond to support enquiries
f) Detect and prevent fraud, abuse, and Terms violations
g) Comply with legal obligations
h) Improve the Service through aggregated, anonymised analytics
We do not sell your personal data. Ever.
─────────────────────────────────────────────────────────────────
4. LEGAL BASIS FOR PROCESSING (GDPR / UK GDPR)
─────────────────────────────────────────────────────────────────
For users in the EEA, UK, and similar jurisdictions, our legal bases are:
- CONTRACT: Processing necessary to provide the Service you subscribed to
  (e.g. billing, account management, delivering data)
- LEGITIMATE INTERESTS: Analytics, fraud prevention, service improvement
  — where our interests don't override your rights
- LEGAL OBLIGATION: Compliance with applicable law (e.g. tax records)
- CONSENT: Marketing emails — you can withdraw consent at any time
─────────────────────────────────────────────────────────────────
5. WHO WE SHARE YOUR DATA WITH
─────────────────────────────────────────────────────────────────
We share your personal data only with:
Stripe — payment processing
SendGrid/Resend — transactional email delivery
Railway/Fly.io — cloud hosting (servers process your data)
Cloudflare — CDN and DDoS protection (sees your IP)
PostHog/Plausible — product analytics (anonymised or pseudonymised)
All processors are bound by data processing agreements. We do not share
your data with advertisers, data brokers, or any party for marketing purposes.
We may disclose your data if required by law, court order, or to protect
the rights and safety of the Company or others.
─────────────────────────────────────────────────────────────────
6. COOKIES
─────────────────────────────────────────────────────────────────
We use the following cookies:
ESSENTIAL (cannot be disabled):
- Session cookie: keeps you logged in
- CSRF token: protects against cross-site request forgery
ANALYTICS (opt-out available):
- We use Plausible Analytics, a privacy-friendly tool that does not
  use cookies by default and does not track you across sites
- If we add additional analytics, we will update this section and
  request consent where required
We do not use advertising cookies or third-party tracking pixels.
─────────────────────────────────────────────────────────────────
7. PUBLICLY BROADCAST TRANSPONDER DATA (TYPE B)
─────────────────────────────────────────────────────────────────
7.1 What it is. The flight paths, positions, speeds, and headings of
aircraft and vessels displayed on the Service are derived from ADS-B
and AIS signals. These are radio transmissions broadcast on public
frequencies, required by aviation and maritime law.
7.2 Legal basis for publication. Publishing publicly broadcast radio signal
data is lawful in most jurisdictions. Courts in the United States have
upheld this (see FlightAware LLC v. FAA). The EU's GDPR Article 85
provides a journalism and public interest basis where applicable.
7.3 Individuals named in connection with assets. Where we associate an
aircraft or vessel with a named individual (based on public corporate
registrations, press reports, or other public sources), we rely on
legitimate public interest, specifically the accountability of
individuals whose wealth and influence have significant societal impact,
as our legal basis.
7.4 Your rights regarding transponder data. If you are an individual
named on our platform and wish to dispute the accuracy of ownership
attribution, contact privacy@viptracks.com. We will review and
correct factual errors.
7.5 Asset suppression. We offer a paid service to delay or suppress
visibility of specific assets. See our Terms of Service, Section 7,
and contact privacy@viptracks.com.
7.6 What we do not publish. We do not publish: real-time positions of
aircraft operating under military or government security exemptions;
data we have reason to believe poses a direct and credible safety risk;
positions of assets whose operators have established a valid legal right
to suppression in their jurisdiction.
─────────────────────────────────────────────────────────────────
8. DATA RETENTION
─────────────────────────────────────────────────────────────────
Your account data: Retained while your account is active
After deletion: Anonymised or deleted within 30 days
Payment records: 7 years (legal/tax obligation)
Support communications: 2 years
API logs: 90 days rolling
Transponder position data: Indefinitely (public record archive)
─────────────────────────────────────────────────────────────────
9. YOUR RIGHTS
─────────────────────────────────────────────────────────────────
Depending on your location, you may have the right to:
ACCESS — request a copy of the personal data we hold about you
RECTIFICATION — ask us to correct inaccurate data
ERASURE — ask us to delete your account and personal data
PORTABILITY — receive your data in a machine-readable format
OBJECTION — object to processing based on legitimate interests
RESTRICTION — ask us to pause processing in certain circumstances
OPT-OUT — unsubscribe from marketing at any time
To exercise any right, email privacy@viptracks.com. We will respond
within 30 days. We may need to verify your identity before actioning requests.
For EEA/UK users: if you are unsatisfied with our response, you have the
right to lodge a complaint with your local data protection authority
(e.g. ICO in the UK, or your national DPA in the EU).
─────────────────────────────────────────────────────────────────
10. INTERNATIONAL TRANSFERS
─────────────────────────────────────────────────────────────────
Our servers are located in [e.g. EU / United States]. If you are located
in the EEA or UK and your data is transferred outside those regions, we
rely on Standard Contractual Clauses (SCCs) or equivalent safeguards
approved by the relevant authority.
─────────────────────────────────────────────────────────────────
11. CHILDREN
─────────────────────────────────────────────────────────────────
The Service is not directed at anyone under 18. We do not knowingly collect
personal data from minors. If you believe we have done so in error, contact
us and we will delete it promptly.
─────────────────────────────────────────────────────────────────
12. SECURITY
─────────────────────────────────────────────────────────────────
We implement appropriate technical and organisational measures to protect
your data, including:
- Encryption in transit (TLS 1.2+)
- Encryption at rest (AES-256)
- API key hashing (bcrypt)
- Regular dependency audits
- Role-based access controls for staff
- Annual penetration testing (planned)
No method of transmission over the internet is 100% secure. We cannot
guarantee absolute security, but we take it seriously.
─────────────────────────────────────────────────────────────────
13. CHANGES TO THIS POLICY
─────────────────────────────────────────────────────────────────
We will notify you by email of any material changes to this policy at least
14 days before they take effect. The "Last updated" date at the top of this
document will always reflect the current version.
─────────────────────────────────────────────────────────────────
14. CONTACT
─────────────────────────────────────────────────────────────────
Data controller: [YOUR COMPANY NAME]
Address: [REGISTERED ADDRESS]
Email: privacy@viptracks.com
For urgent matters or suspected data breaches: legal@viptracks.com