AnyAirline
Features Pricing loginLogin
Legal

GDPR

These documents describe how AnyAirline Cloud works, how data is processed, and the terms that apply to the service.

GDPR — Information on Personal Data Processing and Exercise of Rights

Service: AnyAirline Cloud Website: https://anyairline.app Effective: 17 May 2026 Last updated: 20 May 2026

This document supplements the Privacy Policy and describes the specific procedural and technical details under Regulation (EU) 2016/679 of the European Parliament and of the Council — GDPR.


1. Data Controller

  • Data Controller: Filip Chudoba, sole trader
  • Company ID (IČO): 09390944
  • Registered office: Tesaříkova 1020/1, 102 00 Prague 10 - Hostivař, Czech Republic
  • E-mail for GDPR requests: [email protected]
  • Data Protection Officer (DPO): Not appointed — appointment is not mandatory for our activities under Art. 37 GDPR.

2. Categories of Data Subjects

We process data of the following categories of individuals:

  • Registered Users (natural persons)
  • Website visitors (limited technical data)
  • Subscribers and credit top-up payers

3. Categories of Processed Data, Purposes and Legal Bases

Data categorySpecific dataPurpose of processingLegal basisRetention period
Identification dataE-mail, username, display name, captain nameAccount management, User identificationArt. 6(1)(b) GDPR — performance of contractDuration of account; longer only where legally required
Authentication dataHashed password, OAuth identifiers (Google, Discord), session tokensLogin and securityArt. 6(1)(b) GDPRDuration of account
Technical dataIP address, User-Agent, timestampsSecurity, rate-limiting, abuse preventionArt. 6(1)(f) GDPR — legitimate interest12 months
Flight dataAirline ICAO, aircraft, departure/destination airport, telemetry (lat/lon/altitude/speed)IFE map functionality, flight statisticsArt. 6(1)(b) GDPR24 months
AnyAirline Connector dataDevice ID, device token hashes, simulator name, last activity timePairing and synchronization with the simulatorArt. 6(1)(b) GDPRDuration of pairing
Workspace and announcement dataFlight/cabin/voice drafts, language choices, read modes, announcement templatesSaving the user's flight setup and generated announcement configurationArt. 6(1)(b) GDPRDuration of account
AI and voice generation dataSource text, final generated text, generated audio/cache files, provider/model/voice identifiers, usage eventsProducing audio, translating/enhancing text, charging credits and showing usage historyArt. 6(1)(b) GDPRDuration of account or until cache cleanup/account deletion; billing-related usage may be retained with billing records
Workshop contentAudio files, metadata, ICAO codes, source URL where enabledSharing community contentArt. 6(1)(b) GDPRDuration of publication; backup/storage copies may persist temporarily for up to 6 months
Payment dataStripe customer ID, subscription ID, billing dataPerformance of the payment contract and accountingArt. 6(1)(b) + (c) GDPR10 years (Act No. 235/2004 Coll., Act No. 563/1991 Coll.)
Security logsLogin, registration, deletion, pairing eventsSecurity, abuse detection, auditArt. 6(1)(f) GDPR12 months
CommunicationsE-mail correspondence with customer supportHandling inquiries and complaintsArt. 6(1)(b) + (f) GDPR3 years

We do not process sensitive data (special categories under Art. 9 GDPR).


4. Processors (sub-processors)

In accordance with Art. 28 GDPR, we use the following contractual processors. We have a data processing agreement (DPA) in place with all of them, or we refer to their standard DPA. Transfers to third countries are secured by Standard Contractual Clauses (SCCs) adopted by the European Commission.

ProcessorProcessed dataProcessing locationTransfer mechanism
Supabase, Inc.Authentication, primary database (accounts, profiles, drafts, flights, workshop)EU/USADPA + SCC
Stripe Payments Europe, Ltd. / Stripe, Inc.Payments, subscriptions, top-ups and auto top-upsEU/USADPA + SCC + PCI-DSS L1
OpenAI, L.L.C.AI text enhancement and translation for announcements, when usedUSADPA + SCC and provider data controls
ElevenLabs, Inc.AI Text-to-Speech generationUSADPA + SCC
Modal Labs, Inc.Serverless overflow compute for AI Lite speech generationUSADPA + SCC
Google LLCOAuth login, optional source URL import where enabledEU/USADPA + SCC
Discord Inc.OAuth loginUSADPA + SCC
Navigraph (SimBrief)Flight plan importEUAPI integration based on the User's SimBrief account
Hosting providerApplication server operationEU / EEA where availableProcessing agreement

The current list of sub-processors is included in this document and we update it with each change. We inform Users about the addition of a new sub-processor by e-mail at least 14 days in advance where required.

AI Lite speech generation is performed primarily on our own server infrastructure. When local AI Lite capacity is exceeded, AI Lite text and generated audio may be processed by Modal as serverless overflow compute. Text enhancement or translation may still use OpenAI when that feature is selected or required for the requested language.


5. Rights of Data Subjects and How to Exercise Them

As a data subject, you have the following rights under GDPR. All can be exercised free of charge by e-mail at [email protected].

5.1. Right of access (Art. 15 GDPR)

You may request confirmation as to whether we process your personal data and obtain a copy thereof together with information on:

  • the purposes of processing
  • the categories of data
  • the recipients
  • the retention period
  • the source of the data
  • the existence of automated decision-making

5.2. Right to rectification (Art. 16 GDPR)

You have the right to have inaccurate data corrected or incomplete data completed. Most data (profile, e-mail, name) can be corrected directly in the account settings in the application.

5.3. Right to erasure / "right to be forgotten" (Art. 17 GDPR)

You may request the erasure of your data if:

  • it is no longer necessary for the purpose for which it was collected,
  • you withdraw consent (if it was the sole basis),
  • you raise a justified objection,
  • the data has been processed unlawfully,
  • it must be erased to comply with a legal obligation.

The account can be deleted in self-service mode in the application via the account endpoint (/auth/account → "Delete account") where server-side account deletion support is enabled. If direct deletion is not available, the application accepts a deletion request and we process it manually.

Erasure cannot be performed for data that we are required by law to retain (in particular billing data for 10 years pursuant to § 35 of the VAT Act).

5.4. Right to restriction of processing (Art. 18 GDPR)

You may request the temporary suspension of processing in the cases described in Art. 18 GDPR (e.g. during verification of the accuracy of data or an objection to processing).

5.5. Right to data portability (Art. 20 GDPR)

You have the right to receive the data you provided to us in a structured, commonly used and machine-readable format (JSON or CSV), and/or to request its transmission to another controller, where technically feasible.

This applies only to data processed on the basis of:

and at the same time processed by automated means.

  • consent (Art. 6(1)(a)) or
  • contract (Art. 6(1)(b)) GDPR

5.6. Right to object (Art. 21 GDPR)

You may at any time object to processing based on our legitimate interest (Art. 6(1)(f) GDPR — in particular security logs). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights and freedoms.

5.7. Right not to be subject to automated decision-making (Art. 22 GDPR)

We do not carry out decision-making based solely on automated processing that produces legal or similarly significant effects on you.

5.8. Right to withdraw consent (Art. 7(3) GDPR)

If processing is based on consent, you may withdraw it at any time — without affecting the lawfulness of processing carried out before the withdrawal.

5.9. Right to lodge a complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority, in particular:

Office for Personal Data Protection (ÚOOÚ) Pplk. Sochora 27, 170 00 Prague 7, Czech Republic www.uoou.cz [email protected] tel.: +420 234 665 111


6. Procedure for Handling Requests

  1. Receipt of request — we will confirm receipt of your request by e-mail at [email protected] within 72 hours.
  2. Identity verification — to protect against abuse, we may require:
  • confirmation from the e-mail associated with the account, or
  • login to the account and submission of the request via an internal form.
  1. Handling — we will respond without undue delay and no later than 1 month from receipt of the request. For more complex requests we may extend the deadline by up to 2 further months (with notice within the first month).
  2. Form of response — we provide responses primarily electronically in the form in which the request was submitted, unless otherwise required.
  3. Cost — handling is free of charge. For manifestly unfounded, repetitive or excessive requests, we reserve the right to charge a reasonable fee or to refuse the request (Art. 12(5) GDPR).

7. Transfers to Third Countries (outside the EEA)

Some of our processors are based in the United States of America. We ensure the transfer of data by:

  • Standard Contractual Clauses (SCCs) approved by European Commission Decision 2021/914
  • In some cases under the EU–U.S. Data Privacy Framework, where the given processor is certified
  • Additional technical measures (encryption in transit and at rest, pseudonymization where technically feasible)

A copy of the SCCs can be obtained on request at [email protected].


8. Security of Processing (Art. 32 GDPR)

We adopt the following technical and organizational measures:

8.1. Technical measures

  • All communication via HTTPS / TLS 1.2+
  • Password hashing
  • Session cookies with HttpOnly, Secure, SameSite=Strict settings
  • Time-limited tokens (short-lived web access cookie, refresh cookie up to 30 days, pairing token 10 minutes)
  • Rate-limiting on login and registration endpoints
  • Validation of uploaded files (magic bytes, whitelist of extensions, size and length limits)
  • Logging of security events with an audit trail
  • Regular database backups
  • Encrypted storage at sub-processors (Supabase, Stripe)

8.2. Organizational measures

  • Principle of least privilege
  • Separated access to the production environment
  • Regular security code audits (see internal SECURITY_AUDIT.md)
  • Confidentiality agreements with persons with access to data
  • Rules for the secure handling of secret keys (env variables, never in the repository)

9. Security Breach Notification (Art. 33 and 34 GDPR)

In the event of a security incident involving personal data:

  1. We will assess the incident within 24 hours of its detection.
  2. If there is a likely risk to the rights and freedoms of data subjects, we will notify the supervisory authority within 72 hours of detection.
  3. If the risk is high, we will inform the affected Users directly without undue delay (by e-mail or through the application).
  4. The notification will contain the nature of the breach, the categories and approximate number of affected persons, contact details, likely consequences and measures taken or proposed.

10. Cookies and Similar Technologies

We use only technically necessary authentication cookies for the login function:

Cookie namePurposeLifetimeAttributes
anyairline_access_tokenAuthenticates the current browser sessionShort-lived; normally about 1 hour, depending on the authentication providerHttpOnly, Secure, SameSite=Strict
anyairline_refresh_tokenKeeps the user signed in and obtains a new access tokenUp to 30 daysHttpOnly, Secure, SameSite=Strict

For these cookies, consent is not required under § 89 of Act No. 127/2005 Coll. — they are necessary for the functioning of the logged-in part of the Service.

We do not use:

  • third-party analytical cookies (Google Analytics, Mixpanel, etc.)
  • marketing or advertising cookies
  • social network pixels
  • fingerprinting technologies

If we introduce analytical cookies in the future, we will request your prior consent via a cookie banner with an option to refuse.


11. Children and Minors

The Service is not intended for persons under the age of 16 in accordance with Art. 8 GDPR and § 7 of Act No. 110/2019 Coll. If we discover that we have processed the data of a child under 16 without verified consent from a legal guardian, we will delete the data immediately.


12. Records of Processing Activities (Art. 30 GDPR)

We keep internal records of processing activities in accordance with Art. 30 GDPR. The records are available to the supervisory authority on request.


13. Changes to This Document

We may update this document in line with developments in legislation or our services. We will inform Users of material changes by e-mail or in the application at least 14 days before the change takes effect.


14. Contact

GDPR requests, inquiries, complaints:

  • E-mail: [email protected]

Supervisory authority: Office for Personal Data Protection (ÚOOÚ) Pplk. Sochora 27, 170 00 Prague 7, Czech Republic www.uoou.cz


This document has been drawn up in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and Act No. 110/2019 Coll., on the processing of personal data.

AnyAirline

Real airline cabin for your flight sim.

Privacy PolicyTerms & ConditionsGDPR