Privacy Policy
These documents describe how AnyAirline Cloud works, how data is processed, and the terms that apply to the service.
Privacy Policy
Service: AnyAirline Cloud (hereinafter the "Service" or "Platform") Website: https://anyairline.app Effective: 17 May 2026 Last updated: 20 May 2026
1. Data Controller
The controller of personal data within the meaning of Art. 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) is:
- Name of operator: Filip Chudoba, sole trader
- Company ID (IČO): 09390944
- Registered office / address: Tesaříkova 1020/1, 102 00 Prague 10 - Hostivař, Czech Republic
- E-mail: [email protected]
- Data protection contact: [email protected]
(Hereinafter "we", "us" or the "Operator".)
At present we have not appointed a Data Protection Officer (DPO), as the appointment is not mandatory for our activities under Art. 37 GDPR. For any questions regarding data protection, please contact the e-mail above.
2. Scope of This Policy
This Policy describes what personal data we collect, for what purposes we use it, on what legal basis we process it, to whom we transfer it and what rights you have. It applies to all users of the AnyAirline Cloud Platform, including the web interface, the desktop connector ("AnyAirline Connector") and related services.
3. What Data We Collect
3.1 Registration and login data
- E-mail address (3–254 characters) — required
- Password (stored in hashed form via the Supabase provider)
- Display name — optional, max. 160 characters
- Username — 3–24 characters
- When logging in via an OAuth provider (Google, Discord), we obtain the user identifier at the provider, the e-mail and optionally the display name.
3.2 Profile and workspace data
- Captain name (captain_name, max. 80 characters)
- SimBrief username (optional, for importing flight plans)
- Account settings, language and plan preferences
- Flight setup drafts, cabin settings, voice assignments, selected languages, read modes, announcement templates and generated usage history
3.3 Flight data (telemetry)
When using the AnyAirline Connector and aviation module, we process:
- Flight session identifier (session ID)
- Flight data: airline ICAO, aircraft type, departure and destination airport, flight number
- Real-time telemetry: latitude, longitude, altitude, speed, heading, flight phase
- Agent device identifier, simulator name, last activity time
3.4 User-Generated Content (Workshop)
- Audio recordings (boarding music, deboarding music, safety video, airport chime) in MP3/WAV formats
- Accompanying metadata: description, airline/airport ICAO, languages, content type
- Optionally a source URL (for example YouTube), if the import function is available to your account
3.5 AI and voice generation data
When you use cloud voice generation, AI Lite, translation or text enhancement, we may process:
- Announcement source text and final generated text
- Flight and cabin context needed to produce the announcement
- Selected language, voice, voice role, provider/model identifiers and generation status
- Generated audio files, audio/text cache metadata, usage events and credit ledger entries
AI Lite speech generation primarily runs on our server infrastructure. When demand exceeds local AI Lite capacity, AI Lite text and generated audio may be processed on Modal serverless infrastructure as overflow compute. Premium AI speech generation may be sent to ElevenLabs. Text enhancement or translation may be sent to OpenAI when that feature is used or required for the selected language.
3.6 Payment data
Payments are processed by Stripe. We store only:
- Stripe customer ID
- Subscription ID, checkout session ID, payment intent ID and invoice ID
- Subscription status and credit balance
- Auto top-up settings and Stripe payment method identifier
We do not store payment card numbers, CVV or full bank details — these are processed directly by Stripe.
3.7 Technical and operational data
- IP address (from the HTTP request, used for security audit and rate-limiting)
- User-Agent header (browser/application type)
- Request timestamp
- Security events (login, registration, account deletion, AnyAirline Connector pairing) stored in an internal audit log
3.8 Cookies
We use only technically necessary authentication cookies:
| Cookie name | Purpose | Lifetime | Attributes |
|---|---|---|---|
anyairline_access_token | Authenticates the current browser session | Short-lived; normally about 1 hour, depending on the authentication provider | HttpOnly, Secure (HTTPS), SameSite=Strict |
anyairline_refresh_token | Keeps the user signed in and obtains a new access token | Up to 30 days | HttpOnly, Secure (HTTPS), SameSite=Strict |
We do not use third-party analytical or marketing cookies. For these technical cookies, no consent is required under § 89 of Act No. 127/2005 Coll. or the ePrivacy Directive, as they are necessary for the functioning of the logged-in part of the Service.
4. Purposes and Legal Bases of Processing
| Purpose of processing | Legal basis (GDPR Art. 6) |
|---|---|
| Creation and management of the user account | Art. 6(1)(b) — performance of contract |
| Provision of Platform features (flights, telemetry, workshop) | Art. 6(1)(b) — performance of contract |
| Cloud text, AI Lite and AI voice generation | Art. 6(1)(b) — performance of contract |
| Processing of payments and credits | Art. 6(1)(b) + (c) — contract + legal obligation (accounting) |
| Communication with the user (confirmation e-mails, password reset) | Art. 6(1)(b) — performance of contract |
| Securing the Service, abuse prevention, rate-limiting | Art. 6(1)(f) — legitimate interest |
| Fulfilment of legal obligations (tax, accounting) | Art. 6(1)(c) — legal obligation |
| OAuth login (Google, Discord) | Art. 6(1)(b) — performance of contract |
5. Recipients of Personal Data and Processors
We transfer your data to the following processors (sub-processors), who provide parts of our infrastructure:
| Processor | Purpose | Transferred data | Location | Safeguard |
|---|---|---|---|---|
| Supabase, Inc. | Authentication, database | E-mail, hashed password, profile, drafts, flights, workshop metadata | EU / USA | DPA + Standard Contractual Clauses (SCC) |
| Stripe, Inc. / Stripe Payments Europe, Ltd. | Payments, subscriptions, top-ups | Customer ID, e-mail, payment and billing data | EU / USA | DPA + SCC, PCI-DSS Level 1 |
| OpenAI, L.L.C. | AI text enhancement and translation for announcements, when used | Announcement text, flight context, target language | USA | DPA + SCC and provider data controls |
| ElevenLabs, Inc. | Voice generation (Text-to-Speech) | Announcement text, language, voice selection | USA | DPA + SCC |
| Modal Labs, Inc. | Serverless overflow compute for AI Lite speech generation | Announcement text, language, voice selection, generated audio and technical timing metadata | USA | DPA + SCC |
| Google LLC | OAuth login, optional source URL import where enabled | OAuth identifier, e-mail, source URL/public media metadata | EU / USA | DPA + SCC |
| Discord Inc. | OAuth login | OAuth identifier, e-mail | USA | DPA + SCC |
| SimBrief / Navigraph | Flight plan import (at user's request) | SimBrief username | EU | User's API |
| Hosting provider | Application server operation | Operational logs, IP | EU / EEA where available | Processing agreement |
Transfers to third countries (outside the EEA) take place on the basis of Standard Contractual Clauses approved by the European Commission (Art. 46 GDPR).
AI Lite speech generation is performed primarily on our own server infrastructure. During overflow, AI Lite generation may be delegated to Modal as a serverless compute sub-processor.
We do not sell your data to any third party and we do not transfer it for the marketing purposes of third parties.
6. Retention Period
| Data category | Retention period |
|---|---|
| User account and workspace drafts | For the duration of the account; active local records are deleted when the account is deleted, except where retention is legally required |
| Flight sessions and telemetry | 24 months from the end of the session |
| Generated announcement text, audio cache and usage metadata | For the duration of the account or until cache cleanup/account deletion; billing-related usage records may be kept with billing records |
| Workshop content | For the duration of publication; removed assets are removed from active listings, while backup or storage copies may persist temporarily for up to 6 months |
| Payment and billing data | 10 years (obligation under § 35 of the VAT Act and § 31 of the Accounting Act) |
| Security logs | 12 months |
| Cookies | See table in Art. 3.8 |
After the retention period expires, we delete or anonymize the data.
7. Your Rights under GDPR
As a data subject, you have the right:
- Of access to your data (Art. 15 GDPR)
- To rectification of inaccurate data (Art. 16 GDPR)
- To erasure ("right to be forgotten", Art. 17 GDPR)
- To restriction of processing (Art. 18 GDPR)
- To data portability in a machine-readable format (Art. 20 GDPR)
- To object to processing based on legitimate interest (Art. 21 GDPR)
- To withdraw consent at any time, if it was the basis of processing (Art. 7(3) GDPR)
- To lodge a complaint with a supervisory authority — in the Czech Republic this is the Office for Personal Data Protection (www.uoou.cz, Pplk. Sochora 27, 170 00 Prague 7)
How to exercise your rights
- You can delete your account in the application via the "Delete account" function where server-side account deletion is enabled, or by submitting a request to [email protected].
- You can exercise other rights by e-mail at [email protected].
- We will respond to your request without undue delay and no later than 1 month from receipt (with the possibility of an extension by 2 further months for more complex requests, Art. 12(3) GDPR).
- To verify identity we may require confirmation from the e-mail associated with the account.
8. Automated Decision-Making and Profiling
We do not carry out automated decision-making within the meaning of Art. 22 GDPR that would have legal effects or similarly significantly affect you.
9. Security of Processing
We have adopted appropriate technical and organizational measures, including:
- Encrypted connection (HTTPS / TLS)
- Password hashing
- HttpOnly + Secure + SameSite=Strict session cookies
- Rate-limiting of login attempts
- Audit of security events
- Separated roles and access permissions
In the event of a security incident that would pose a high risk to your rights and freedoms, we will inform you without undue delay (Art. 34 GDPR).
10. Children
The Service is not intended for persons under the age of 16. If we discover that we have processed the data of a child under 16 without verified consent from a legal guardian, we will delete the data immediately.
11. Changes to This Policy
We may update this Policy from time to time. We will inform you of material changes by e-mail or by notification in the application at least 14 days before the change takes effect. The date of the last update can be found in the header of this document.
12. Contact
For any questions, requests or complaints regarding the processing of your personal data, please contact us:
- E-mail: [email protected]
- GDPR requests: [email protected]
This document has been drawn up in accordance with Regulation (EU) 2016/679 (GDPR) and Act No. 110/2019 Coll., on the processing of personal data.