Privacy Policy
Last updated: 11 May 2026
SkyStudy (“we”, “us”, or “our”) operates the SkyStudy ATPL platform. This Privacy Policy explains how we collect, use, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Data Controller
SkyStudy is the data controller responsible for your personal data. Contact: privacy@skystudyatpl.com
2. Data We Collect
2.1 Account Data
- Email address — for authentication and communications
- Display name — for your profile
- Password hash — stored securely, never in plain text
- Profile information — licence type, target exam date, selected subjects
2.2 Study Data
- Question answers — your responses to practice and exam questions
- Study sessions — mode, duration, subject, score
- Personal notes — notes you attach to questions
- Bookmarks and flags — your saved and flagged questions
- Analytics data — computed accuracy, streaks, study time (derived from above)
2.3 Payment Data
- Stripe Customer ID — links your account to Stripe for billing
- Subscription status and plan — stored locally for access control
- Payment details — handled entirely by Stripe; we never store card numbers
2.4 Technical Data
- IP address — for rate limiting and security
- Browser/device info — for compatibility and debugging
- Usage analytics — page visits, feature usage (via Plausible Analytics, privacy-focused)
3. Legal Basis for Processing
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Account creation and authentication | Contract performance (6.1.b) |
| Study progress tracking | Contract performance (6.1.b) |
| Subscription billing | Contract performance (6.1.b) |
| Security and abuse prevention | Legitimate interest (6.1.f) |
| Analytics (anonymized) | Legitimate interest (6.1.f) |
| Invoice retention | Legal obligation (6.1.c) — EU tax law |
4. Data Sharing
We share data only with the following processors:
- Supabase (database hosting) — EU region
- Stripe (payment processing) — PCI DSS compliant
- Upstash (rate limiting) — EU region
- Vercel (hosting) — data processed in EU/US with adequate safeguards
- Plausible Analytics (usage analytics) — EU-based, privacy-focused, no cookies
We do not sell your personal data. We do not share your data with advertisers or marketing platforms.
5. Data Retention
- Account data — retained while your account is active
- Study data — retained while your account is active
- Payment records — retained for 7 years per EU tax requirements
- After account deletion — personal data purged after 30-day grace period (see Section 7)
6. Your Rights (GDPR)
As an EU resident, you have the following rights:
6.1 Right to Access (Art. 15)
You can request a copy of all personal data we hold about you. Use the data export feature in your account settings, or contact us directly.
6.2 Right to Rectification (Art. 16)
You can update your profile information at any time from your account settings.
6.3 Right to Erasure (Art. 17)
You can delete your account from your account settings. The deletion process works as follows:
- You request deletion → your account is immediately soft-deleted
- 30-day grace period → you can contact support to cancel the deletion
- After 30 days → all personal data is permanently purged
Some data may be retained in anonymized form (the author of community explanations is shown as “[deleted user]”) or for legal compliance (payment records are retained for tax purposes for 7 years).
6.4 Right to Data Portability (Art. 20)
You can export all your data in a machine-readable format (JSON) via the data export feature.
6.5 Right to Restrict Processing (Art. 18)
You can request that we restrict processing of your data while a complaint is being investigated.
6.6 Right to Object (Art. 21)
You can object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
7. Account Deletion Details
When you delete your account:
- Your profile is immediately deactivated (soft delete)
- Active subscriptions are cancelled via Stripe
- You are signed out and cannot log in during the grace period
- After 30 days, the following data is permanently deleted: profile, answers, study sessions, notes, bookmarks, flags, achievements
- Community contributions (explanations, reports) are anonymized but preserved
- Stripe invoice records are retained per Stripe's own compliance policies
8. Cookies & Tracking
We use essential cookies only, for authentication session management. These are strictly necessary and do not require consent under GDPR.
We use Plausible Analytics for privacy-focused usage analytics. Plausible does not use cookies, does not track individual users, and is fully GDPR compliant.
9. Security
We protect your data through:
- Encryption in transit (TLS/HTTPS)
- Encryption at rest (Supabase)
- Row-Level Security (RLS) on all database tables
- Rate limiting on all API endpoints
- Secure password hashing (bcrypt via Supabase Auth)
- Stripe handles all payment data (PCI DSS Level 1)
10. Children's Privacy
SkyStudy is not intended for users under 16 years of age. We do not knowingly collect data from children under 16. If we learn that we have collected such data, we will delete it promptly.
11. International Transfers
Your data is primarily processed within the EU. Where data is transferred outside the EU (e.g., Stripe US, Vercel US edge), it is protected by EU Standard Contractual Clauses (SCCs) or equivalent safeguards.
12. Changes to This Policy
We will notify you of material changes via email at least 30 days before they take effect.
13. Contact & Complaints
Data protection questions: privacy@skystudyatpl.com
You have the right to lodge a complaint with your local data protection authority (e.g., ANSPDCP in Romania, or any EU Member State supervisory authority).
⚠️ EASA Study-Aid Disclaimer
SkyStudy is an independent study aid not affiliated with EASA, any NAA, or any ATO. See our Terms of Service for full details.