Privacy Policy — Airfield Directory

Effective date: 14 August 2025

Airfield Directory is a non‑commercial Open Data platform. This notice explains how we handle personal data under the EU GDPR in a concise, understandable form.

1) Data we process

Login / account via OAuth

  • Sign in with Google: When you sign in, Google provides: first & last name, email address, language, profile avatar URL, and Google user ID. Your first/display name may appear publicly with your PIREPs/comments.
  • Login with Amazon: When you sign in, Amazon provides: full name, email address and Amazon user ID. Your first name may appear publicly with your PIREPs/comments.
  • Sign in with Apple: When you sign in, Apple provides: name, email address and Apple user ID. This data can be anonymized via Apples standard mechanisms during the first login.
  • Telegram bot: When you link your account via the Telegram bot (@AirfieldDirectoryBot), Telegram provides: Telegram user ID, username (if set), first name, and language preference. Your first name may appear publicly with PIREPs submitted via Telegram.

Your email is stored but never published.

Avatar processing. Your profile picture is fetched from your OAuth provider or Gravatar, processed (resized, converted), and cached locally. Avatars are refreshed periodically (up to every 30 days).

Public contributions. PIREPs, comments, and other submissions are public and licensed under CC BY‑SA 4.0 (irrevocable). Please do not include personal data of third parties in your submissions; such content may be removed.

Optional tailsign. If you add a Aerops registered tailsign and are logged in, we send your tailsign and the airfields you view to Aerops to fetch personalized prices. Opt‑out by removing the tailsign or logging out.

Telegram bot usage. When you interact with our Telegram bot (@AirfieldDirectoryBot), we receive your commands and messages (including PIREP text you compose). This data is processed to provide bot functionality and is subject to Telegram's Standard Privacy Policy for Bots.

Imported historical data. We import public PIREPs from partner platforms (EuroGA, You-Fly). Original author names and import metadata are retained for attribution purposes.

Audit data. We record which user created or modified content for security and audit purposes.

Usage & device data. Standard logs (IP address, user‑agent, timestamps, requested URLs) for security and diagnostics.

Cookies. Only essential cookies (e.g., session cookies for login). No tracking or advertising cookies.

2) Purposes and legal bases

  • Operate the Service (authentication, sessions, publishing your contributions). Legal bases: performance of contract/Terms; legitimate interests.
  • Publish your contributions publicly under CC BY‑SA 4.0. Legal bases: consent (you choose to post); legitimate interests in running an open data project.
  • Aerops personalized prices when you add a tailsign and view airfields while logged in. Legal basis: your consent (optional feature).
  • Translations and summaries of public content via AWS Comprehend (language detection) and OpenAI (translation). Legal bases: legitimate interests; consent insofar as you choose to submit public content.
  • Notifications via email for PIREP submissions and updates. Legal basis: legitimate interests in providing service.
  • Security & abuse prevention (rate‑limiting, fraud/spam prevention, diagnostics). Legal bases: legitimate interests; legal obligations.
  • Service improvement using anonymous/aggregated analytics. Legal basis: legitimate interests.

We do not sell personal data and we do not run ads.

3) Storage and recipients

  • Hosting: Amazon Web Services (AWS), region eu‑central‑1 (Frankfurt, Germany).
  • Google: OAuth sign‑in.
  • Amazon: OAuth sign‑in.
  • Apple: OAuth sign‑in.
  • Honeybager: error monitoring (only in case of errors).
  • Telegram: bot interactions when you use the Telegram bot.
  • Aerops: receives tailsign + airfields viewed + arrival/departure times (if provided) when you are logged in and have added a tailsign.
  • OpenAI / AWS Comprehend: may process public user content to detect language and generate translations/summaries.
  • Windy: receives airfield coordinates and your IP address when fetching webcam data.

We may disclose data if required by law or to protect rights, safety, and the Service.

4) International transfers

Although AWS hosting is in the EU (eu-central-1), some processors (e.g., Apple, Google, Amazon, OpenAI, Windy) may process data outside the EEA. If you don't want that, don't use the Service.

5) Retention

  • Account data: retained while your account is active and for a reasonable period afterward for security and recordkeeping.
  • Public contributions (PIREPs/comments): intended to be public and persistent under CC BY‑SA 4.0, including your first name (if correctly designated with your Google, Amazon or Apple account), a SHA256 hash of your email (can be used for gravatar) and potentially a link to your avatar. You can delete them from our interface, but prior copies may remain elsewhere and the license remains in force.
  • Server logs: retained for security and diagnostics.
  • Cached third-party data: pricing and webcam information cached for performance.
  • Backups: may persist temporarily and are not routinely edited.

6) Your rights (GDPR)

You can access, rectify, erase (subject to the public and irrevocable nature of CC‑licensed content), restrict or object to certain processing, and request data portability.
Where processing relies on consent (e.g., tailsign sharing with Aerops), you may withdraw consent at any time (e.g., remove the tailsign). This does not affect prior lawful processing.
To exercise rights, contact info@airfield.directory. You can also lodge a complaint with your local authority or with the Office of the Commissioner for Personal Data Protection (Cyprus).

7) Security

We use appropriate technical and organizational measures to protect data against unauthorized access, alteration, disclosure, or destruction. No method is 100% secure; please secure your Google/Amazon/Apple/Telegram account and devices.

8) Children

The Service is not for users under 18. Do not use the Service or submit personal data if you are under 18.

9) Changes

We may update this Policy. The “Effective date” shows the latest version. Continued use after changes means you accept the updated Policy.

Controller & Contact ("we", "us", "our"): Thomas Witt Ltd, Spyrou Kyprianou, 84, 4004 Limassol, Cyprus — info@airfield.directory