Privacy policy

Effective date: 16 May 2026 · Last updated: 16 May 2026

This Privacy Policy explains what personal data AirVision collects when you use our flight-tracking platform at airvision.live, how we use it, who we share it with, and what rights you have. We comply with the EU General Data Protection Regulation (GDPR) and the Google API Services User Data Policy.

1. Who we are

AirVision is operated by an individual developer based in the Czech Republic. For any privacy-related questions or data-subject requests, contact us at legal@airvision.live. We will respond within 30 days.

2. What data we collect

We only collect what we need to run your account and the platform.

2.1 If you sign up with email and password

  • Email address — used as your login identifier and for service emails
  • Password — stored only as a salted hash; we never see your plaintext password

2.2 If you sign in with Google

When you choose “Continue with Google”, you authorise us to receive the following from your Google account via the Google OAuth flow:

  • Email address (Google scope email)
  • Name (Google scope profile)
  • Google account ID (Google scope openid) — an opaque identifier we use to recognise you across sessions

We do not request access to your Gmail, Drive, Calendar, Contacts, or any other Google service. We only use the three scopes above strictly to create and authenticate your AirVision account. We comply with the Google API Services User Data Policy, including its Limited Use requirements.

2.3 When you complete your profile

  • Username (required, public) — your handle on the platform
  • Display name (optional, public)
  • Country (optional, public) — used for future leaderboard filters

2.4 If you operate a station (future)

If you choose to run an AirVision receiver (Raspberry Pi), we will receive aircraft ADS-B messages and your station's GPS coordinates. Precise coordinates are stored only on your device and on our private aggregation server; the public API returns coordinates fuzzed by ±5 km so your exact location is never disclosed unless you opt-in. Stations are public by default; you can mark them private in your settings.

2.5 Technical and usage data

  • IP address — logged at the edge by our hosting provider for security and abuse prevention; retained 14 days then deleted
  • Browser type and version — for compatibility diagnostics; never linked to your account
  • Error reports (via Sentry) — stack traces and request URLs are recorded when the site crashes; we scrub any precise coordinates before sending

3. Why we use your data (legal basis under GDPR)

  • Performance of a contract (Art. 6(1)(b)) — to create your account, deliver the service, and respond to your support requests
  • Legitimate interest (Art. 6(1)(f)) — to prevent abuse, debug crashes, and improve the platform
  • Consent (Art. 6(1)(a)) — for optional features such as making your profile or stations publicly visible

We do not use your data for advertising, behavioural profiling, or sale to third parties. We do not use it to train AI models.

4. Who we share data with

We use the following sub-processors to operate the service:

  • Supabase (Supabase, Inc., USA — EU project hosted in Frankfurt, Germany) — authentication, database, user profiles. Privacy policy.
  • Cloudflare (Cloudflare, Inc., USA — EU edge presence) — DNS, CDN, hosting, Worker runtime. Privacy policy.
  • Google (Alphabet Inc., USA) — only if you sign in with Google. Google receives the fact that you logged in. Privacy policy.
  • Sentry (Functional Software, Inc. d/b/a Sentry, USA — EU data residency) — optional crash reporting. Privacy policy.

Each sub-processor is bound by a Data Processing Agreement, processes data only on our instructions, and (where based outside the EEA) is covered by Standard Contractual Clauses or an equivalent transfer mechanism.

We may disclose data to law enforcement or regulators when legally required (court order, subpoena, etc.). We will notify you unless the law prohibits us.

5. Where your data is stored

Your account data lives in the European Union (Supabase EU project in Frankfurt, Germany). Static assets and Worker code run on Cloudflare's global edge network, with traffic routed through European points of presence whenever possible.

6. How long we keep your data

  • Account data — until you delete your account. After deletion we keep a 30-day grace period during which you can recover. After that, data is purged.
  • Edge logs / IP addresses — 14 days, then deleted
  • Crash reports — 90 days, then deleted; can be deleted earlier on request
  • Aircraft data (future stations) — aggregated and de-identified; raw messages retained 30 days for replay debugging

7. Your rights under GDPR

You have the right to:

  • Access — request a copy of all personal data we hold about you
  • Rectify — correct inaccurate data (you can edit display name and country in your settings directly)
  • Erase — request deletion (forthcoming via /settings/danger-zone; until that ships, email legal@airvision.live)
  • Restrict processing — ask us to pause certain processing
  • Portability — receive your data in a machine-readable format (JSON export forthcoming)
  • Object — object to processing based on legitimate interest
  • Withdraw consent — for any processing based on consent, at any time, without penalty
  • Lodge a complaint — with your local supervisory authority. The Czech authority is ÚOOÚ.

Request these rights by emailing legal@airvision.live. We may ask you to verify identity. We respond within 30 days.

8. Cookies and similar technologies

We use only the cookies strictly necessary to operate the service. No advertising or analytics cookies. Specifically:

  • Supabase session cookie (sb-*-auth-token) — keeps you signed in. HttpOnly, Secure, SameSite=Lax. Expires when you sign out or after 7 days of inactivity.
  • Cloudflare anti-bot cookie (__cf_bm) — set by Cloudflare to distinguish humans from bots. Session-scoped. Details.

Because these cookies are strictly necessary, no consent banner is required under GDPR.

9. Children

AirVision is not directed at children under 16. If you are under 16, please do not use the service or create an account. If we learn we have collected data from a child under 16 without valid parental consent, we will delete it promptly.

10. International transfers

Some of our sub-processors are based in the United States. Where data is transferred outside the EEA, we rely on the EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. You can request a copy of the safeguards in place.

11. Security

We use industry-standard security: TLS 1.3 in transit; AES-256 at rest (via Supabase + R2); passwords hashed with bcrypt; service-role API keys stored as encrypted Cloudflare Worker secrets and rotated regularly. Despite this, no system is 100% secure; in the event of a breach that affects your data we will notify you and the supervisory authority within 72 hours as required by GDPR Art. 33-34.

12. Changes to this policy

We may update this policy as the service evolves. Material changes will be announced via a notice on the site and, where reasonably possible, by email. The effective date at the top of this page indicates when the current version took effect. Previous versions are kept in our GitHub repository for transparency.

13. Contact

For any question about this policy or the data we hold about you: legal@airvision.live.