GDPR
These documents describe how AnyAirline Cloud works, how data is processed, and the terms that apply to the service.
GDPR — Information on Personal Data Processing and Exercise of Rights
Service: AnyAirline Cloud Website: https://anyairline.app Effective: 17 May 2026 Last updated: 20 May 2026
This document supplements the Privacy Policy and describes the specific procedural and technical details under Regulation (EU) 2016/679 of the European Parliament and of the Council — GDPR.
1. Data Controller
- Data Controller: Filip Chudoba, sole trader
- Company ID (IČO): 09390944
- Registered office: Tesaříkova 1020/1, 102 00 Prague 10 - Hostivař, Czech Republic
- E-mail for GDPR requests: [email protected]
- Data Protection Officer (DPO): Not appointed — appointment is not mandatory for our activities under Art. 37 GDPR.
2. Categories of Data Subjects
We process data of the following categories of individuals:
- Registered Users (natural persons)
- Website visitors (limited technical data)
- Subscribers and credit top-up payers
3. Categories of Processed Data, Purposes and Legal Bases
| Data category | Specific data | Purpose of processing | Legal basis | Retention period |
|---|---|---|---|---|
| Identification data | E-mail, username, display name, captain name | Account management, User identification | Art. 6(1)(b) GDPR — performance of contract | Duration of account; longer only where legally required |
| Authentication data | Hashed password, OAuth identifiers (Google, Discord), session tokens | Login and security | Art. 6(1)(b) GDPR | Duration of account |
| Technical data | IP address, User-Agent, timestamps | Security, rate-limiting, abuse prevention | Art. 6(1)(f) GDPR — legitimate interest | 12 months |
| Flight data | Airline ICAO, aircraft, departure/destination airport, telemetry (lat/lon/altitude/speed) | IFE map functionality, flight statistics | Art. 6(1)(b) GDPR | 24 months |
| AnyAirline Connector data | Device ID, device token hashes, simulator name, last activity time | Pairing and synchronization with the simulator | Art. 6(1)(b) GDPR | Duration of pairing |
| Workspace and announcement data | Flight/cabin/voice drafts, language choices, read modes, announcement templates | Saving the user's flight setup and generated announcement configuration | Art. 6(1)(b) GDPR | Duration of account |
| AI and voice generation data | Source text, final generated text, generated audio/cache files, provider/model/voice identifiers, usage events | Producing audio, translating/enhancing text, charging credits and showing usage history | Art. 6(1)(b) GDPR | Duration of account or until cache cleanup/account deletion; billing-related usage may be retained with billing records |
| Workshop content | Audio files, metadata, ICAO codes, source URL where enabled | Sharing community content | Art. 6(1)(b) GDPR | Duration of publication; backup/storage copies may persist temporarily for up to 6 months |
| Payment data | Stripe customer ID, subscription ID, billing data | Performance of the payment contract and accounting | Art. 6(1)(b) + (c) GDPR | 10 years (Act No. 235/2004 Coll., Act No. 563/1991 Coll.) |
| Security logs | Login, registration, deletion, pairing events | Security, abuse detection, audit | Art. 6(1)(f) GDPR | 12 months |
| Communications | E-mail correspondence with customer support | Handling inquiries and complaints | Art. 6(1)(b) + (f) GDPR | 3 years |
We do not process sensitive data (special categories under Art. 9 GDPR).
4. Processors (sub-processors)
In accordance with Art. 28 GDPR, we use the following contractual processors. We have a data processing agreement (DPA) in place with all of them, or we refer to their standard DPA. Transfers to third countries are secured by Standard Contractual Clauses (SCCs) adopted by the European Commission.
| Processor | Processed data | Processing location | Transfer mechanism |
|---|---|---|---|
| Supabase, Inc. | Authentication, primary database (accounts, profiles, drafts, flights, workshop) | EU/USA | DPA + SCC |
| Stripe Payments Europe, Ltd. / Stripe, Inc. | Payments, subscriptions, top-ups and auto top-ups | EU/USA | DPA + SCC + PCI-DSS L1 |
| OpenAI, L.L.C. | AI text enhancement and translation for announcements, when used | USA | DPA + SCC and provider data controls |
| ElevenLabs, Inc. | AI Text-to-Speech generation | USA | DPA + SCC |
| Modal Labs, Inc. | Serverless overflow compute for AI Lite speech generation | USA | DPA + SCC |
| Google LLC | OAuth login, optional source URL import where enabled | EU/USA | DPA + SCC |
| Discord Inc. | OAuth login | USA | DPA + SCC |
| Navigraph (SimBrief) | Flight plan import | EU | API integration based on the User's SimBrief account |
| Hosting provider | Application server operation | EU / EEA where available | Processing agreement |
The current list of sub-processors is included in this document and we update it with each change. We inform Users about the addition of a new sub-processor by e-mail at least 14 days in advance where required.
AI Lite speech generation is performed primarily on our own server infrastructure. When local AI Lite capacity is exceeded, AI Lite text and generated audio may be processed by Modal as serverless overflow compute. Text enhancement or translation may still use OpenAI when that feature is selected or required for the requested language.
5. Rights of Data Subjects and How to Exercise Them
As a data subject, you have the following rights under GDPR. All can be exercised free of charge by e-mail at [email protected].
5.1. Right of access (Art. 15 GDPR)
You may request confirmation as to whether we process your personal data and obtain a copy thereof together with information on:
- the purposes of processing
- the categories of data
- the recipients
- the retention period
- the source of the data
- the existence of automated decision-making
5.2. Right to rectification (Art. 16 GDPR)
You have the right to have inaccurate data corrected or incomplete data completed. Most data (profile, e-mail, name) can be corrected directly in the account settings in the application.
5.3. Right to erasure / "right to be forgotten" (Art. 17 GDPR)
You may request the erasure of your data if:
- it is no longer necessary for the purpose for which it was collected,
- you withdraw consent (if it was the sole basis),
- you raise a justified objection,
- the data has been processed unlawfully,
- it must be erased to comply with a legal obligation.
The account can be deleted in self-service mode in the application via the account endpoint (/auth/account → "Delete account") where server-side account deletion support is enabled. If direct deletion is not available, the application accepts a deletion request and we process it manually.
Erasure cannot be performed for data that we are required by law to retain (in particular billing data for 10 years pursuant to § 35 of the VAT Act).
5.4. Right to restriction of processing (Art. 18 GDPR)
You may request the temporary suspension of processing in the cases described in Art. 18 GDPR (e.g. during verification of the accuracy of data or an objection to processing).
5.5. Right to data portability (Art. 20 GDPR)
You have the right to receive the data you provided to us in a structured, commonly used and machine-readable format (JSON or CSV), and/or to request its transmission to another controller, where technically feasible.
This applies only to data processed on the basis of:
and at the same time processed by automated means.
- consent (Art. 6(1)(a)) or
- contract (Art. 6(1)(b)) GDPR
5.6. Right to object (Art. 21 GDPR)
You may at any time object to processing based on our legitimate interest (Art. 6(1)(f) GDPR — in particular security logs). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
5.7. Right not to be subject to automated decision-making (Art. 22 GDPR)
We do not carry out decision-making based solely on automated processing that produces legal or similarly significant effects on you.
5.8. Right to withdraw consent (Art. 7(3) GDPR)
If processing is based on consent, you may withdraw it at any time — without affecting the lawfulness of processing carried out before the withdrawal.
5.9. Right to lodge a complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a supervisory authority, in particular:
Office for Personal Data Protection (ÚOOÚ) Pplk. Sochora 27, 170 00 Prague 7, Czech Republic www.uoou.cz [email protected] tel.: +420 234 665 111
6. Procedure for Handling Requests
- Receipt of request — we will confirm receipt of your request by e-mail at [email protected] within 72 hours.
- Identity verification — to protect against abuse, we may require:
- confirmation from the e-mail associated with the account, or
- login to the account and submission of the request via an internal form.
- Handling — we will respond without undue delay and no later than 1 month from receipt of the request. For more complex requests we may extend the deadline by up to 2 further months (with notice within the first month).
- Form of response — we provide responses primarily electronically in the form in which the request was submitted, unless otherwise required.
- Cost — handling is free of charge. For manifestly unfounded, repetitive or excessive requests, we reserve the right to charge a reasonable fee or to refuse the request (Art. 12(5) GDPR).
7. Transfers to Third Countries (outside the EEA)
Some of our processors are based in the United States of America. We ensure the transfer of data by:
- Standard Contractual Clauses (SCCs) approved by European Commission Decision 2021/914
- In some cases under the EU–U.S. Data Privacy Framework, where the given processor is certified
- Additional technical measures (encryption in transit and at rest, pseudonymization where technically feasible)
A copy of the SCCs can be obtained on request at [email protected].
8. Security of Processing (Art. 32 GDPR)
We adopt the following technical and organizational measures:
8.1. Technical measures
- All communication via HTTPS / TLS 1.2+
- Password hashing
- Session cookies with HttpOnly, Secure, SameSite=Strict settings
- Time-limited tokens (short-lived web access cookie, refresh cookie up to 30 days, pairing token 10 minutes)
- Rate-limiting on login and registration endpoints
- Validation of uploaded files (magic bytes, whitelist of extensions, size and length limits)
- Logging of security events with an audit trail
- Regular database backups
- Encrypted storage at sub-processors (Supabase, Stripe)
8.2. Organizational measures
- Principle of least privilege
- Separated access to the production environment
- Regular security code audits (see internal
SECURITY_AUDIT.md) - Confidentiality agreements with persons with access to data
- Rules for the secure handling of secret keys (env variables, never in the repository)
9. Security Breach Notification (Art. 33 and 34 GDPR)
In the event of a security incident involving personal data:
- We will assess the incident within 24 hours of its detection.
- If there is a likely risk to the rights and freedoms of data subjects, we will notify the supervisory authority within 72 hours of detection.
- If the risk is high, we will inform the affected Users directly without undue delay (by e-mail or through the application).
- The notification will contain the nature of the breach, the categories and approximate number of affected persons, contact details, likely consequences and measures taken or proposed.
10. Cookies and Similar Technologies
We use only technically necessary authentication cookies for the login function:
| Cookie name | Purpose | Lifetime | Attributes |
|---|---|---|---|
anyairline_access_token | Authenticates the current browser session | Short-lived; normally about 1 hour, depending on the authentication provider | HttpOnly, Secure, SameSite=Strict |
anyairline_refresh_token | Keeps the user signed in and obtains a new access token | Up to 30 days | HttpOnly, Secure, SameSite=Strict |
For these cookies, consent is not required under § 89 of Act No. 127/2005 Coll. — they are necessary for the functioning of the logged-in part of the Service.
We do not use:
- third-party analytical cookies (Google Analytics, Mixpanel, etc.)
- marketing or advertising cookies
- social network pixels
- fingerprinting technologies
If we introduce analytical cookies in the future, we will request your prior consent via a cookie banner with an option to refuse.
11. Children and Minors
The Service is not intended for persons under the age of 16 in accordance with Art. 8 GDPR and § 7 of Act No. 110/2019 Coll. If we discover that we have processed the data of a child under 16 without verified consent from a legal guardian, we will delete the data immediately.
12. Records of Processing Activities (Art. 30 GDPR)
We keep internal records of processing activities in accordance with Art. 30 GDPR. The records are available to the supervisory authority on request.
13. Changes to This Document
We may update this document in line with developments in legislation or our services. We will inform Users of material changes by e-mail or in the application at least 14 days before the change takes effect.
14. Contact
GDPR requests, inquiries, complaints:
- E-mail: [email protected]
Supervisory authority: Office for Personal Data Protection (ÚOOÚ) Pplk. Sochora 27, 170 00 Prague 7, Czech Republic www.uoou.cz
This document has been drawn up in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and Act No. 110/2019 Coll., on the processing of personal data.