AnyAirline
Features Pricing loginLogin
Legal

Privacy Policy

These documents describe how AnyAirline Cloud works, how data is processed, and the terms that apply to the service.

Privacy Policy

Service: AnyAirline Cloud (hereinafter the "Service" or "Platform") Website: https://anyairline.app Effective: 17 May 2026 Last updated: 20 May 2026


1. Data Controller

The controller of personal data within the meaning of Art. 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) is:

  • Name of operator: Filip Chudoba, sole trader
  • Company ID (IČO): 09390944
  • Registered office / address: Tesaříkova 1020/1, 102 00 Prague 10 - Hostivař, Czech Republic
  • E-mail: [email protected]
  • Data protection contact: [email protected]

(Hereinafter "we", "us" or the "Operator".)

At present we have not appointed a Data Protection Officer (DPO), as the appointment is not mandatory for our activities under Art. 37 GDPR. For any questions regarding data protection, please contact the e-mail above.


2. Scope of This Policy

This Policy describes what personal data we collect, for what purposes we use it, on what legal basis we process it, to whom we transfer it and what rights you have. It applies to all users of the AnyAirline Cloud Platform, including the web interface, the desktop connector ("AnyAirline Connector") and related services.


3. What Data We Collect

3.1 Registration and login data

  • E-mail address (3–254 characters) — required
  • Password (stored in hashed form via the Supabase provider)
  • Display name — optional, max. 160 characters
  • Username — 3–24 characters
  • When logging in via an OAuth provider (Google, Discord), we obtain the user identifier at the provider, the e-mail and optionally the display name.

3.2 Profile and workspace data

  • Captain name (captain_name, max. 80 characters)
  • SimBrief username (optional, for importing flight plans)
  • Account settings, language and plan preferences
  • Flight setup drafts, cabin settings, voice assignments, selected languages, read modes, announcement templates and generated usage history

3.3 Flight data (telemetry)

When using the AnyAirline Connector and aviation module, we process:

  • Flight session identifier (session ID)
  • Flight data: airline ICAO, aircraft type, departure and destination airport, flight number
  • Real-time telemetry: latitude, longitude, altitude, speed, heading, flight phase
  • Agent device identifier, simulator name, last activity time

3.4 User-Generated Content (Workshop)

  • Audio recordings (boarding music, deboarding music, safety video, airport chime) in MP3/WAV formats
  • Accompanying metadata: description, airline/airport ICAO, languages, content type
  • Optionally a source URL (for example YouTube), if the import function is available to your account

3.5 AI and voice generation data

When you use cloud voice generation, AI Lite, translation or text enhancement, we may process:

  • Announcement source text and final generated text
  • Flight and cabin context needed to produce the announcement
  • Selected language, voice, voice role, provider/model identifiers and generation status
  • Generated audio files, audio/text cache metadata, usage events and credit ledger entries

AI Lite speech generation primarily runs on our server infrastructure. When demand exceeds local AI Lite capacity, AI Lite text and generated audio may be processed on Modal serverless infrastructure as overflow compute. Premium AI speech generation may be sent to ElevenLabs. Text enhancement or translation may be sent to OpenAI when that feature is used or required for the selected language.

3.6 Payment data

Payments are processed by Stripe. We store only:

  • Stripe customer ID
  • Subscription ID, checkout session ID, payment intent ID and invoice ID
  • Subscription status and credit balance
  • Auto top-up settings and Stripe payment method identifier

We do not store payment card numbers, CVV or full bank details — these are processed directly by Stripe.

3.7 Technical and operational data

  • IP address (from the HTTP request, used for security audit and rate-limiting)
  • User-Agent header (browser/application type)
  • Request timestamp
  • Security events (login, registration, account deletion, AnyAirline Connector pairing) stored in an internal audit log

3.8 Cookies

We use only technically necessary authentication cookies:

Cookie namePurposeLifetimeAttributes
anyairline_access_tokenAuthenticates the current browser sessionShort-lived; normally about 1 hour, depending on the authentication providerHttpOnly, Secure (HTTPS), SameSite=Strict
anyairline_refresh_tokenKeeps the user signed in and obtains a new access tokenUp to 30 daysHttpOnly, Secure (HTTPS), SameSite=Strict

We do not use third-party analytical or marketing cookies. For these technical cookies, no consent is required under § 89 of Act No. 127/2005 Coll. or the ePrivacy Directive, as they are necessary for the functioning of the logged-in part of the Service.


4. Purposes and Legal Bases of Processing

Purpose of processingLegal basis (GDPR Art. 6)
Creation and management of the user accountArt. 6(1)(b) — performance of contract
Provision of Platform features (flights, telemetry, workshop)Art. 6(1)(b) — performance of contract
Cloud text, AI Lite and AI voice generationArt. 6(1)(b) — performance of contract
Processing of payments and creditsArt. 6(1)(b) + (c) — contract + legal obligation (accounting)
Communication with the user (confirmation e-mails, password reset)Art. 6(1)(b) — performance of contract
Securing the Service, abuse prevention, rate-limitingArt. 6(1)(f) — legitimate interest
Fulfilment of legal obligations (tax, accounting)Art. 6(1)(c) — legal obligation
OAuth login (Google, Discord)Art. 6(1)(b) — performance of contract

5. Recipients of Personal Data and Processors

We transfer your data to the following processors (sub-processors), who provide parts of our infrastructure:

ProcessorPurposeTransferred dataLocationSafeguard
Supabase, Inc.Authentication, databaseE-mail, hashed password, profile, drafts, flights, workshop metadataEU / USADPA + Standard Contractual Clauses (SCC)
Stripe, Inc. / Stripe Payments Europe, Ltd.Payments, subscriptions, top-upsCustomer ID, e-mail, payment and billing dataEU / USADPA + SCC, PCI-DSS Level 1
OpenAI, L.L.C.AI text enhancement and translation for announcements, when usedAnnouncement text, flight context, target languageUSADPA + SCC and provider data controls
ElevenLabs, Inc.Voice generation (Text-to-Speech)Announcement text, language, voice selectionUSADPA + SCC
Modal Labs, Inc.Serverless overflow compute for AI Lite speech generationAnnouncement text, language, voice selection, generated audio and technical timing metadataUSADPA + SCC
Google LLCOAuth login, optional source URL import where enabledOAuth identifier, e-mail, source URL/public media metadataEU / USADPA + SCC
Discord Inc.OAuth loginOAuth identifier, e-mailUSADPA + SCC
SimBrief / NavigraphFlight plan import (at user's request)SimBrief usernameEUUser's API
Hosting providerApplication server operationOperational logs, IPEU / EEA where availableProcessing agreement

Transfers to third countries (outside the EEA) take place on the basis of Standard Contractual Clauses approved by the European Commission (Art. 46 GDPR).

AI Lite speech generation is performed primarily on our own server infrastructure. During overflow, AI Lite generation may be delegated to Modal as a serverless compute sub-processor.

We do not sell your data to any third party and we do not transfer it for the marketing purposes of third parties.


6. Retention Period

Data categoryRetention period
User account and workspace draftsFor the duration of the account; active local records are deleted when the account is deleted, except where retention is legally required
Flight sessions and telemetry24 months from the end of the session
Generated announcement text, audio cache and usage metadataFor the duration of the account or until cache cleanup/account deletion; billing-related usage records may be kept with billing records
Workshop contentFor the duration of publication; removed assets are removed from active listings, while backup or storage copies may persist temporarily for up to 6 months
Payment and billing data10 years (obligation under § 35 of the VAT Act and § 31 of the Accounting Act)
Security logs12 months
CookiesSee table in Art. 3.8

After the retention period expires, we delete or anonymize the data.


7. Your Rights under GDPR

As a data subject, you have the right:

  • Of access to your data (Art. 15 GDPR)
  • To rectification of inaccurate data (Art. 16 GDPR)
  • To erasure ("right to be forgotten", Art. 17 GDPR)
  • To restriction of processing (Art. 18 GDPR)
  • To data portability in a machine-readable format (Art. 20 GDPR)
  • To object to processing based on legitimate interest (Art. 21 GDPR)
  • To withdraw consent at any time, if it was the basis of processing (Art. 7(3) GDPR)
  • To lodge a complaint with a supervisory authority — in the Czech Republic this is the Office for Personal Data Protection (www.uoou.cz, Pplk. Sochora 27, 170 00 Prague 7)

How to exercise your rights

  • You can delete your account in the application via the "Delete account" function where server-side account deletion is enabled, or by submitting a request to [email protected].
  • You can exercise other rights by e-mail at [email protected].
  • We will respond to your request without undue delay and no later than 1 month from receipt (with the possibility of an extension by 2 further months for more complex requests, Art. 12(3) GDPR).
  • To verify identity we may require confirmation from the e-mail associated with the account.

8. Automated Decision-Making and Profiling

We do not carry out automated decision-making within the meaning of Art. 22 GDPR that would have legal effects or similarly significantly affect you.


9. Security of Processing

We have adopted appropriate technical and organizational measures, including:

  • Encrypted connection (HTTPS / TLS)
  • Password hashing
  • HttpOnly + Secure + SameSite=Strict session cookies
  • Rate-limiting of login attempts
  • Audit of security events
  • Separated roles and access permissions

In the event of a security incident that would pose a high risk to your rights and freedoms, we will inform you without undue delay (Art. 34 GDPR).


10. Children

The Service is not intended for persons under the age of 16. If we discover that we have processed the data of a child under 16 without verified consent from a legal guardian, we will delete the data immediately.


11. Changes to This Policy

We may update this Policy from time to time. We will inform you of material changes by e-mail or by notification in the application at least 14 days before the change takes effect. The date of the last update can be found in the header of this document.


12. Contact

For any questions, requests or complaints regarding the processing of your personal data, please contact us:

  • E-mail: [email protected]
  • GDPR requests: [email protected]

This document has been drawn up in accordance with Regulation (EU) 2016/679 (GDPR) and Act No. 110/2019 Coll., on the processing of personal data.

AnyAirline

Real airline cabin for your flight sim.

Privacy PolicyTerms & ConditionsGDPR