Privacy Policy

1. Introduction

We take privacy seriously. AeroPrep is built for users in Europe and is operated in accordance with applicable data protection law, including the GDPR.

This Policy applies to:

• Visitors to our website
• Direct individual users of AeroPrep
• Students, instructors, and school administrators using school-managed accounts
• Prospective customers contacting us
• Flight schools and institutional customers

2. Who We Are for Data Protection Purposes

For many processing activities, NEXIEL LIMITED t/a AeroPrep acts as a data controller, meaning we decide why and how personal data is processed.

Where a school uses AeroPrep for student assignment, progress monitoring, internal assessment, or similar educational purposes, the school will often act as controller for that school-defined processing, and AeroPrep will often process relevant personal data on the school's behalf. Depending on the feature and factual setup, AeroPrep may instead act as an independent controller for some data, such as billing, fraud prevention, account security, service logs, and platform analytics, and some arrangements may amount to joint controllership where both parties shape the purposes and means.

Where AeroPrep acts as processor for a school, the relationship should be governed by a written data processing agreement meeting Article 28 requirements.

3. Categories of Personal Data We Collect

We may collect and process the following categories of personal data:

3.1 Account Data

• Name
• Email address
• Password hash or authentication credentials
• Profile image, if provided
• Account role (student, instructor, school admin, super admin)

3.2 Learning and Usage Data

• Question attempts
• Selected answers and correctness
• Bookmarks and notes
• Exam sessions and scores
• Subject progress
• Study streak and activity history
• Assigned exam participation
• Instructor sign-off records
• Reports submitted by users

3.3 School Data

• School name
• Instructor and administrator details
• Student roster information supplied by the school
• Cohort analytics
• School billing and licensing data
• Invitation and enrolment records

3.4 Payment and Billing Data

• Billing name and email
• Plan purchased
• Stripe customer, checkout, invoice, and payment identifiers
• VAT-related billing details where relevant

We do not store full payment card numbers. Payments are processed by Stripe.

3.5 Technical and Security Data

• IP address
• Device fingerprint or device/session identifiers
• Browser type and version
• Operating system
• App/device model
• Login timestamps
• Session logs
• Security and fraud indicators

3.6 Communications Data

• Emails you send us
• Support requests
• Sales enquiries
• School registration enquiries
• Feedback submissions

3.7 Cookie and Analytics Data

• Cookie identifiers
• Session cookies
• Analytics and traffic information
• Marketing attribution or referral information where enabled

3.8 AI and AeroTutor Data

• Questions submitted to AeroTutor (our AI aviation tutor)
• AeroTutor conversation history and feedback ratings
• AI-generated quiz questions and auto-tagged question metadata
• AI-generated blog post topics derived from aggregated, anonymised study patterns

All AI processing is performed on AeroPrep's self-hosted infrastructure using the Qwen 2.5 model. No personal data is sent to third-party AI providers. AeroTutor queries are processed in real time and are not used for model training unless you explicitly opt in via your privacy preferences.

4. How We Collect Data

We collect personal data:

• Directly from you when you sign up, contact us, make a purchase, or use the platform
• From schools that invite or enrol students and instructors
• Automatically through use of the platform, apps, and website
• From payment and infrastructure providers involved in service delivery
• From referral or campaign data where a user arrives via a tracked marketing link

5. Our Purposes and Legal Bases

We process personal data for the following purposes:

5.1 To Provide the Services

We use account, learning, school, and technical data to operate the platform, authenticate users, provide study sessions, store progress, enable school workflows, and display results.

Legal basis: contract; legitimate interests in operating and securing the service.

5.2 To Process Payments and Manage Billing

We use billing and transaction data to sell plans, activate access, issue receipts, manage VAT/tax records, and handle payment disputes.

Legal basis: contract; legal obligation; legitimate interests.

5.3 To Secure the Platform

We use technical and security data to detect fraud, account sharing, abuse, scraping, and unauthorised access.

Legal basis: legitimate interests; legal obligation where applicable.

5.4 To Support Schools

Where schools use AeroPrep, we use school and student data to deliver school dashboards, assigned exams, instructor oversight, reporting, and administrative tools.

Legal basis: contract with the school; processor obligations where we act on school instructions; legitimate interests where we act independently.

5.5 To Communicate With You

We use your contact details to send service emails, account alerts, receipts, password reset messages, support responses, and essential legal notices.

Legal basis: contract; legitimate interests; legal obligation where relevant.

5.6 To Improve the Services

We analyse usage patterns, performance trends, feature use, and technical errors to improve the platform.

Legal basis: legitimate interests. Where required by law for non-essential analytics or marketing cookies, we rely on consent.

5.7 To Comply With Law

We may process and retain personal data to comply with tax, accounting, fraud prevention, legal process, and regulatory obligations.

Legal basis: legal obligation.

5.8 AI Training and Improvement (Opt-In Only)

If you explicitly opt in via your privacy preferences, we may use anonymised versions of your AeroTutor queries to improve our AI tutor's accuracy for aviation-related questions. This processing is entirely optional and does not affect your access to any feature.

If you do not opt in, your queries are used only to generate your response, logged with a one-way hash for abuse prevention, and automatically deleted within 30 days. Users under 18 are never eligible for AI training opt-in, regardless of their preference setting.

Legal basis: consent (Article 6(1)(a) GDPR).

5.9 AI-Powered Blog Content

For users who have opted into AI training, we may aggregate and anonymise common question topics to generate personalised blog posts and study guides via our AI system. This content is published on the AeroPrep blog. No individually identifiable data appears in generated content.

Legal basis: consent (derived from AI training opt-in); legitimate interests.

6. School Data Protection Roles

This section applies where a school, ATO, DTO, or training organisation uses AeroPrep.

6.1 When the School Is the Controller

A school will often be the controller where it decides to:

• Invite students or instructors
• Assign plans or subjects
• Review progress
• Assess readiness
• Generate internal reports
• Use the platform as part of its training programme

In those cases, AeroPrep generally acts as processor for that school-defined processing, subject to the school's instructions and a suitable data processing arrangement.

6.2 When AeroPrep Is an Independent Controller

AeroPrep generally acts as an independent controller for:

• Direct-to-consumer accounts and purchases
• Billing and payment records
• Service security and abuse detection
• Platform-wide product analytics
• Legal compliance records
• Internal business operations

6.3 Possible Joint or Mixed Roles

In some cases, the legal role may be mixed or shared, particularly where both the school and AeroPrep influence the purposes and means of processing for a feature or workflow. The parties should assess actual processing activities rather than rely only on labels in a contract.

6.4 Data Processing Agreement

Where AeroPrep processes personal data on behalf of a school, the parties should have an Article 28-compliant data processing agreement in place. If you are a school customer and need our DPA, contact privacy@aeroprep.eu.

7. Sharing Personal Data

We may share personal data:

• With payment providers such as Stripe
• With cloud hosting, storage, email, authentication, analytics, and security vendors
• With schools, instructors, and administrators where your account is school-managed
• With professional advisers such as lawyers, accountants, and auditors
• With regulators, courts, law enforcement, or tax authorities where required
• In connection with a merger, acquisition, restructuring, or sale of assets

We do not sell personal data to third-party advertisers.

7.1 Sub-Processors

Key sub-processors we use include:

• Hetzner Online GmbH (Germany) — cloud hosting and compute
• Stripe, Inc. (US, EU data processing) — payment processing
• Resend / Amazon SES — transactional email delivery
• Vercel, Inc. (US) — CDN and static asset hosting (if applicable)

We do not use any third-party AI service (e.g. OpenAI, Google, Anthropic) for AeroTutor or any user-data processing. All AI inference runs on our own self-hosted Qwen 2.5 model within our Hetzner infrastructure.

8. International Transfers

Our primary infrastructure is hosted by Hetzner in Germany (EU). All database, AI inference, and vector search processing occurs within the EU.

Limited transfers outside the EEA may occur through sub-processors (e.g. Stripe for payment processing). Where this happens, we rely on:

• European Commission adequacy decisions (where available)
• Standard Contractual Clauses (SCCs) approved by the European Commission
• The sub-processor's certification under an approved framework (e.g. EU–US Data Privacy Framework)

You may request information about specific transfer safeguards by contacting privacy@aeroprep.eu.

9. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy, including legal, accounting, security, and support needs.

Typical retention periods may include:

• Account data: while your account remains active and for a reasonable period after closure
• Billing and tax records: for the period required by law (typically 6–7 years)
• Security logs: for a limited period appropriate to fraud prevention and incident response (typically 90 days)
• Support records: as needed for service and legal protection
• School-managed records: according to the school contract, our retention schedule, and applicable law
• AeroTutor queries (non-opt-in): automatically deleted within 30 days; only a one-way hash is retained for abuse prevention
• AeroTutor queries (opt-in): retained in anonymised form for AI improvement; raw queries are deleted when you withdraw consent
• AI-generated content: blog posts and study guides derived from aggregated data are retained independently of individual accounts

We may anonymise data so it no longer identifies you and retain anonymised analytics longer.

10. Your Data Protection Rights

Depending on applicable law, you may have rights to:

• Access your personal data
• Correct inaccurate data
• Delete data
• Restrict processing
• Object to certain processing
• Data portability
• Withdraw consent where processing relies on consent — including AI training opt-in, analytics, and marketing preferences. You can do this at any time via your privacy preferences page and the change takes effect immediately
• Lodge a complaint with a supervisory authority

To exercise your rights, contact privacy@aeroprep.eu or use the self-service tools in your Account settings (data export, account deletion, privacy preferences).

If your account is school-managed and the school is the controller for the relevant processing, we may direct your request to the school or work with the school to respond.

11. Children and Younger Users

AeroPrep is designed primarily for student pilots and aviation trainees. We do not knowingly collect personal data from children in violation of applicable law. Where a school creates or manages accounts for younger students, the school is responsible for ensuring it has an appropriate lawful basis and any required permissions.

Users identified as under 18 (based on date of birth or school declaration) are automatically excluded from AI training data collection. The AI training opt-in toggle is hidden for minor accounts and cannot be enabled by the user or school. All other platform features remain available.

Schools that enrol students under 18 must confirm this during the application process. AeroPrep records this flag to apply additional safeguards.

12. Cookies and Similar Technologies

We use cookies and similar technologies for:

• Essential website and login functionality
• Security and fraud prevention
• Preferences and session continuity
• Analytics and performance measurement
• Marketing attribution where enabled

Where required by law, we will ask for consent before placing non-essential cookies. You can manage cookie preferences through our cookie banner or browser settings. Details are in our Cookie Policy.

13. Security

We use appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit, password hashing, logging, monitoring, and role-based restrictions.

No system is completely secure, but we take reasonable steps appropriate to the nature of the platform and the data involved.

14. Data Breaches

If we become aware of a personal data breach, we will assess it promptly and act in accordance with applicable law. Where AeroPrep acts as processor for a school, we will notify the school without undue delay as required by processor obligations under GDPR contracts and law.

15. Marketing Communications

We may send you service-related communications necessary to operate your account. We will send marketing emails only where permitted by law and, where required, with your consent. You can unsubscribe from marketing emails at any time.

16. Third-Party Links and App Stores

Our website or apps may link to third-party sites or services, including app stores, payment pages, and partner sites. We are not responsible for the privacy practices of those third parties.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date and, where appropriate, notify users through the Services or by email.

18. Contact and Complaints

For privacy questions or requests, contact:

19. EU AI Act Statement

AeroPrep uses artificial intelligence within its AeroTutor feature, AI-assisted question generation, auto-tagging, and personalised blog content. We classify these AI systems as limited-risk under the EU AI Act (Regulation (EU) 2024/1689).

• Transparency: Users are clearly informed when they are interacting with an AI system (AeroTutor is labelled as an AI tutor throughout the interface).
• Model: We use the open-weight Qwen 2.5 7B model, self-hosted on our own infrastructure via Ollama. No data is sent to third-party AI providers.
• Human oversight: AI-generated questions require admin review before publication. AI-generated blog posts are marked as AI-generated and undergo compliance checks.
• Data minimisation: AI training data is only collected from users who explicitly opt in. Non-opt-in queries are automatically purged within 30 days.
• No high-risk use: AeroPrep's AI features do not make decisions with legal or similarly significant effects on individuals. Study recommendations and readiness indicators are advisory only.

For questions about our AI systems, contact privacy@aeroprep.eu.