Privacy Policy

Last updated: 29 June 2026

SkyStudy (“we”, “us”, or “our”) operates the SkyStudy ATPL platform. This Privacy Policy explains how we collect, use, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller

SkyStudy is the data controller responsible for your personal data. The operator and its establishment details are identified on our Legal Notice page. For any data protection matter, contact: to2000bv@gmail.com.

2. Data We Collect

2.1 Account Data

• Email address: for authentication and communications
• Display name: for your profile
• Password: handled by our authentication provider (Supabase Auth) and stored only as a secure hash; we never see or store it in plain text
• Profile information: licence type, target exam date, and selected subjects
• Sign-in with Google (optional): if you choose Google sign-in (when enabled), we receive your email address, name, and profile picture URL from Google
• Communication preferences: your email reminder and unsubscribe choices
• Marketing email opt-in (optional): if you submit your email to receive study tips or a free download, we store your email address together with the date, time, and IP address of your consent and how you reached us. You can unsubscribe at any time; once you have unsubscribed, re-submitting the form will not silently put you back on the list
• Support correspondence: messages you send us about billing, access, or content issues

2.2 Study Data

• Question answers: your responses to practice and exam questions, with timing and correctness
• Study sessions: mode, duration, subject, and score
• Learning-progress model: a per-topic estimate of your knowledge and weak areas, used by the adaptive engine (see Section 2.5)
• Spaced-repetition data: review scheduling state for questions you study
• Personal notes, bookmarks, flags, and collections: items you save, tag, or organise
• Gamification data: XP, level, streaks, and achievements
• Analytics data: computed accuracy, streaks, and study time (derived from the above)
• Offline study data: downloaded question packs, pending offline answers, and offline sync metadata stored on your device

2.3 Community Content (when you use it)

• Explanations, comments, and replies you post on questions
• Votes, reports, and exam sightings you submit
• Public-page comments you post on public pages (visible to other visitors)
• Public community profile (display name, optional bio) if you opt in to make it public
• Feedback you submit about the product

2.4 Payment Data (when paid plans are enabled)

• Stripe Customer ID: links your account to Stripe for billing
• Subscription status and plan: stored for access control
• Payment details: handled entirely by Stripe; we never store card numbers
• Billing event records: a log of Stripe webhook events, kept for reconciliation and fraud prevention

Paid subscriptions are currently switched off (free public beta), so no payment data is collected yet.

2.5 Adaptive Learning Profile (automated processing)

When the adaptive study engine is enabled, every answer you give in practice and exam mode feeds a model that estimates your ability per learning objective (a per-topic mastery rating with a confidence value), classifies each topic (for example “learning”, “weak”, “proficient”, “mastered”), and predicts your accuracy. This is automated profiling of your learning performance. We use it only to personalise your study, to show your weak areas, and to choose which questions to serve you next so you learn faster. It has no legal or similarly significant effect on you, it never determines pricing or access, and there is no automated decision-making about you in the sense of Article 22 GDPR. You can object to this profiling (see Section 6.6); if you do, we serve questions without adaptive personalisation.

2.6 Technical Data

• IP address: used transiently as a key for rate limiting and abuse prevention, and not otherwise stored in our database in normal use. Two exceptions: if you opt in to marketing emails we record the IP address at the moment of consent as part of the consent record (proof of consent), and IP ranges may be recorded in an abuse blocklist if an administrator blocks them
• Device/browser info: for compatibility, debugging, and, if you enable push notifications, to deliver them
• Usage analytics: aggregate, cookieless usage measurement (see Section 8). No cross-site tracking
• Error telemetry: redacted runtime errors if error monitoring (Sentry) is configured in production. IP address, email, headers, cookies, and request bodies are stripped before any event is sent
• Anti-abuse checks: Cloudflare Turnstile verification during registration; your IP and a challenge token are processed by Cloudflare for bot detection

We do not collect or store your timezone, and we do not use advertising or cross-site tracking cookies.

3. Legal Basis for Processing

4. Data Sharing (Processors)

We share data only with the processors below, under data processing agreements. We do not sell your personal data, and we do not share it with advertisers or marketing platforms.

• Supabase (database, authentication, file storage): hosted in the EU region we selected at setup
• Vercel (application hosting and edge network): processes requests and may route through US edge locations under appropriate safeguards
• Upstash (rate limiting): receives only rate-limit keys (user ID and/or IP); configured in an EU region
• Cloudflare (Turnstile anti-abuse): processes IP and challenge data during registration
• Resend (transactional email, when configured): receives your email address and message content to deliver account and system emails; processed on Resend's infrastructure (US)
• Sentry (error monitoring, when configured): receives redacted diagnostic events with personal data stripped; configured in the EU (Frankfurt) region
• Stripe (payment processing, when paid plans are enabled): PCI DSS Level 1; US-based
• Aggregate analytics provider (when enabled): a cookieless, privacy-focused analytics service (see Section 8)

Only if you use an optional feature: if you sign in with Google, Google LLC (US) processes your sign-in. If community explanation videos are enabled and you view one, YouTube (Google LLC, US) or Vimeo (US) receives your browser request to load the embed. These features are off by default.

Live weather pages fetch public data from NOAA / aviationweather.gov using airport codes only; no personal data is sent to that source.

5. Data Retention

• Account and study data: retained while your account is active
• Support correspondence: retained as needed to resolve your request and for audit/compliance records
• Offline local data: kept on your device until you clear it, clear browser storage, or the browser removes it
• Payment records: invoice records are retained by Stripe for 7 years per EU tax requirements; billing event logs we keep for reconciliation and fraud prevention do not contain a direct account identifier
• After account deletion: your personal data is permanently erased immediately (see Sections 6.3 and 7)

6. Your Rights (GDPR)

As an EU resident, you have the following rights:

6.1 Right to Access & Portability (Art. 15 & 20)

You can request a copy of your personal data in a machine-readable format (JSON) using the data export feature in your account settings. The export covers your profile, study history and answers, your learning-progress model, spaced-repetition data, notes, flags, bookmarks, collections, gamification data, your community contributions, reports, sightings, feedback, and subscription metadata. If you need any data that is not included in the automated export, contact us at to2000bv@gmail.com and we will provide it.

6.2 Right to Rectification (Art. 16)

You can update your profile information at any time from your account settings.

6.3 Right to Erasure (Art. 17)

You can delete your account from your account settings. Deletion is immediate and permanent: there is no grace period and it cannot be undone. We recommend exporting your data (Section 6.1) first if you want to keep a copy. When you delete your account:

1. any active subscription is cancelled and your Stripe customer record is removed;
2. you are signed out; and
3. your personal data is permanently erased straight away.

Some data is retained only where the law requires it (for example, Stripe keeps invoice records for tax purposes for up to 7 years on its own systems). See Section 7 for exactly what is deleted and what survives anonymised.

6.4 Right to Restrict Processing (Art. 18)

You can request that we restrict processing of your data while a complaint is being investigated.

6.5 Right to Data Portability (Art. 20)

Covered by the export feature described in Section 6.1.

6.6 Right to Object (Art. 21)

You can object to processing based on legitimate interests, including the adaptive learning profiling described in Section 2.5. We will stop that processing unless we demonstrate compelling legitimate grounds; for adaptive profiling we simply serve questions without personalisation.

7. What Happens When You Delete Your Account

Deletion is immediate and irreversible. The following is permanently deleted right away:

• your profile, answers, study sessions, learning-progress model, spaced-repetition data, notes, bookmarks, flags, collections, gamification data, and achievements;
• your community explanations, comments, votes, reports, exam sightings, public-page comments, public profile, and feedback;
• your local subscription record; your Stripe customer is deleted, which cancels any remaining subscriptions.

One exception: if you replied to another user's comment, your reply may remain visible so the discussion stays intact, but it is unlinked from your account and is no longer attributable to you. Administrative audit-log entries are kept with your identity removed, as required for security and accountability. Stripe invoice records are retained by Stripe under its own compliance policies.

8. Cookies & Analytics

We use essential cookies and on-device storage for authentication, security, and account session management, plus a small set of preference values (such as theme and resume state) stored in your browser. These are strictly necessary or set only when you change a setting, and do not require consent under GDPR.

Where usage analytics are enabled, we use a cookieless, privacy-focused analytics service that measures aggregate usage only. It sets no cookies and does not track you across sites. Where we ask for your consent to analytics, you can decline, and you can change your choice later from the cookie banner or your in-app settings.

Offline mode uses IndexedDB, service workers, and browser cache storage on your device. See our Cookie Policy for the full list of cookies and browser storage and how to clear it.

9. Security

We protect your data through:

• Encryption in transit (TLS/HTTPS)
• Encryption at rest (Supabase)
• Encrypted offline question storage on supported browsers
• Row-Level Security (RLS) on database tables
• Rate limiting on API endpoints
• Secure password hashing (via Supabase Auth)
• Stripe handles all payment data (PCI DSS Level 1)

10. Children's Privacy

SkyStudy is not intended for users under 16 years of age. We do not knowingly collect data from children under 16. If we learn that we have collected such data, we will delete it promptly.

11. International Transfers

Your data is primarily processed within the EU. Some processors operate in or route through the United States, including Stripe, Resend (email), Cloudflare (anti-abuse), and Vercel's edge network, and Google/YouTube/Vimeo if you use those optional features. Where data is transferred outside the EU, it is protected by EU Standard Contractual Clauses (SCCs) or an equivalent safeguard under each provider's data processing agreement.

12. Changes to This Policy

We will notify you of material changes via email or in-app notice at least 30 days before they take effect.

13. Contact & Complaints

Data protection questions: to2000bv@gmail.com

You have the right to lodge a complaint with your local data protection authority (for example, ANSPDCP in Romania, or any EU Member State supervisory authority).