Privacy Policy

1. Introduction

We take privacy seriously. AeroPrep is built for users in Europe and is operated in accordance with applicable data protection law, including the GDPR.

This Policy applies to:

• Visitors to our website
• Direct individual users of AeroPrep
• Students, instructors, and school administrators using school-managed accounts
• Prospective customers contacting us
• Flight schools and institutional customers

2. Who We Are for Data Protection Purposes

For many processing activities, NEXIEL LIMITED t/a AeroPrep acts as a data controller, meaning we decide why and how personal data is processed.

Where a school uses AeroPrep for student assignment, progress monitoring, internal assessment, or similar educational purposes, the school will often act as controller for that school-defined processing, and AeroPrep will often process relevant personal data on the school's behalf. Depending on the feature and factual setup, AeroPrep may instead act as an independent controller for some data, such as billing, fraud prevention, account security, service logs, and platform analytics, and some arrangements may amount to joint controllership where both parties shape the purposes and means.

Where AeroPrep acts as processor for a school, the relationship should be governed by a written data processing agreement meeting Article 28 requirements.

3. Categories of Personal Data We Collect

We may collect and process the following categories of personal data:

3.1 Account Data

• Name
• Email address
• Password hash or authentication credentials
• Profile image, if provided
• Account role (student, instructor, school admin, super admin)

3.2 Learning and Usage Data

• Question attempts
• Selected answers and correctness
• Bookmarks and notes
• Exam sessions and scores
• Subject progress
• Study streak and activity history
• Assigned exam participation
• Instructor sign-off records
• Reports submitted by users

3.3 School Data

• School name
• Instructor and administrator details
• Student roster information supplied by the school
• Cohort analytics
• School billing and licensing data
• Invitation and enrolment records

3.4 Payment and Billing Data

• Billing name and email
• Plan purchased
• Stripe customer, checkout, invoice, and payment identifiers
• VAT-related billing details where relevant

We do not store full payment card numbers. Payments are processed by Stripe.

3.5 Technical and Security Data

• IP address
• Device fingerprint or device/session identifiers
• Browser type and version
• Operating system
• App/device model
• Login timestamps
• Session logs
• Security and fraud indicators

3.6 Communications Data

• Emails you send us
• Support requests
• Sales enquiries
• School registration enquiries
• Feedback submissions

3.7 Cookie and Analytics Data

• Cookie identifiers
• Session cookies
• Analytics and traffic information
• Marketing attribution or referral information where enabled

4. How We Collect Data

We collect personal data:

• Directly from you when you sign up, contact us, make a purchase, or use the platform
• From schools that invite or enrol students and instructors
• Automatically through use of the platform, apps, and website
• From payment and infrastructure providers involved in service delivery
• From referral or campaign data where a user arrives via a tracked marketing link

5. Our Purposes and Legal Bases

We process personal data for the following purposes:

5.1 To Provide the Services

We use account, learning, school, and technical data to operate the platform, authenticate users, provide study sessions, store progress, enable school workflows, and display results.

Legal basis: contract; legitimate interests in operating and securing the service.

5.2 To Process Payments and Manage Billing

We use billing and transaction data to sell plans, activate access, issue receipts, manage VAT/tax records, and handle payment disputes.

Legal basis: contract; legal obligation; legitimate interests.

5.3 To Secure the Platform

We use technical and security data to detect fraud, account sharing, abuse, scraping, and unauthorised access.

Legal basis: legitimate interests; legal obligation where applicable.

5.4 To Support Schools

Where schools use AeroPrep, we use school and student data to deliver school dashboards, assigned exams, instructor oversight, reporting, and administrative tools.

Legal basis: contract with the school; processor obligations where we act on school instructions; legitimate interests where we act independently.

5.5 To Communicate With You

We use your contact details to send service emails, account alerts, receipts, password reset messages, support responses, and essential legal notices.

Legal basis: contract; legitimate interests; legal obligation where relevant.

5.6 To Improve the Services

We analyse usage patterns, performance trends, feature use, and technical errors to improve the platform.

Legal basis: legitimate interests. Where required by law for non-essential analytics or marketing cookies, we rely on consent.

5.7 To Comply With Law

We may process and retain personal data to comply with tax, accounting, fraud prevention, legal process, and regulatory obligations.

Legal basis: legal obligation.

6. School Data Protection Roles

This section applies where a school, ATO, DTO, or training organisation uses AeroPrep.

6.1 When the School Is the Controller

A school will often be the controller where it decides to:

• Invite students or instructors
• Assign plans or subjects
• Review progress
• Assess readiness
• Generate internal reports
• Use the platform as part of its training programme

In those cases, AeroPrep generally acts as processor for that school-defined processing, subject to the school's instructions and a suitable data processing arrangement.

6.2 When AeroPrep Is an Independent Controller

AeroPrep generally acts as an independent controller for:

• Direct-to-consumer accounts and purchases
• Billing and payment records
• Service security and abuse detection
• Platform-wide product analytics
• Legal compliance records
• Internal business operations

6.3 Possible Joint or Mixed Roles

In some cases, the legal role may be mixed or shared, particularly where both the school and AeroPrep influence the purposes and means of processing for a feature or workflow. The parties should assess actual processing activities rather than rely only on labels in a contract.

6.4 Data Processing Agreement

Where AeroPrep processes personal data on behalf of a school, the parties should have an Article 28-compliant data processing agreement in place. If you are a school customer and need our DPA, contact privacy@aeroprep.eu.

7. Sharing Personal Data

We may share personal data:

• With payment providers such as Stripe
• With cloud hosting, storage, email, authentication, analytics, and security vendors
• With schools, instructors, and administrators where your account is school-managed
• With professional advisers such as lawyers, accountants, and auditors
• With regulators, courts, law enforcement, or tax authorities where required
• In connection with a merger, acquisition, restructuring, or sale of assets

We do not sell personal data to third-party advertisers.

8. International Transfers

We aim to store and process personal data within the European Economic Area where practical. If personal data is transferred outside the EEA, we will use appropriate safeguards as required by law, such as adequacy decisions or approved contractual protections.

9. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy, including legal, accounting, security, and support needs.

Typical retention periods may include:

• Account data: while your account remains active and for a reasonable period after closure
• Billing and tax records: for the period required by law
• Security logs: for a limited period appropriate to fraud prevention and incident response
• Support records: as needed for service and legal protection
• School-managed records: according to the school contract, our retention schedule, and applicable law

We may anonymise data so it no longer identifies you and retain anonymised analytics longer.

10. Your Data Protection Rights

Depending on applicable law, you may have rights to:

• Access your personal data
• Correct inaccurate data
• Delete data
• Restrict processing
• Object to certain processing
• Data portability
• Withdraw consent where processing relies on consent
• Lodge a complaint with a supervisory authority

To exercise your rights, contact privacy@aeroprep.eu.

If your account is school-managed and the school is the controller for the relevant processing, we may direct your request to the school or work with the school to respond.

11. Children and Younger Users

AeroPrep is designed primarily for student pilots and aviation trainees. We do not knowingly collect personal data from children in violation of applicable law. Where a school creates or manages accounts for younger students, the school is responsible for ensuring it has an appropriate lawful basis and any required permissions.

12. Cookies and Similar Technologies

We use cookies and similar technologies for:

• Essential website and login functionality
• Security and fraud prevention
• Preferences and session continuity
• Analytics and performance measurement
• Marketing attribution where enabled

Where required by law, we will ask for consent before placing non-essential cookies. You can manage cookie preferences through our cookie banner or browser settings. Details are in our Cookie Policy.

13. Security

We use appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit, password hashing, logging, monitoring, and role-based restrictions.

No system is completely secure, but we take reasonable steps appropriate to the nature of the platform and the data involved.

14. Data Breaches

If we become aware of a personal data breach, we will assess it promptly and act in accordance with applicable law. Where AeroPrep acts as processor for a school, we will notify the school without undue delay as required by processor obligations under GDPR contracts and law.

15. Marketing Communications

We may send you service-related communications necessary to operate your account. We will send marketing emails only where permitted by law and, where required, with your consent. You can unsubscribe from marketing emails at any time.

16. Third-Party Links and App Stores

Our website or apps may link to third-party sites or services, including app stores, payment pages, and partner sites. We are not responsible for the privacy practices of those third parties.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date and, where appropriate, notify users through the Services or by email.

18. Contact and Complaints

For privacy questions or requests, contact: