PRIVACY POLICY

1. Introduction

This Privacy Policy explains how NewHangar ("we," "us," or "our"), based in Nijmegen, Netherlands, collects, uses, shares, and protects your personal information when you visit or use our web application ("Service"). This policy is designed in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

By accessing or using our Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller Information

NewHangar
Nijmegen, Netherlands
Contact: info@newhangar.com

KVK: 94720495
BTW-ID: NL005104365B85

3. Types of Data We Collect

3.1 Personal Data

We may collect the following categories of personal data:

• Identity Data: First name, last name, username or similar identifier.
• Contact Data: Email address, telephone numbers, postal address.
• Professional Data: Aviation qualifications, certifications, experience level.
• Technical Data: Internet protocol (IP) address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.
• Usage Data: Information about how you use our Service, including which pages you visit, how long you spend on each page, and your interactions with the Service.
• User-Generated Content: Reviews, ratings, comments, forum posts, profile information, achievements, and any other content you create or upload to the Service.

3.2 Age Restrictions

Our Service is intended for individuals who are at least 18 years of age. We do not knowingly collect personal information from anyone under 18. If you are under 18, please do not use the Service or provide any personal information. If we discover that we have collected personal data from someone under 18, we will delete that information immediately.

4. How We Use Your Data

We will only use your personal data when legally permitted. The most common uses are:

• To provide our Services and maintain user accounts
• To connect aspiring pilots with flight instructors and AMEs
• To provide guidance and information about aviation training
• To display and manage user-generated content (reviews, ratings, forum posts)
• To manage our relationship with you and respond to inquiries
• To improve our Service, products, marketing, and user experience
• To analyze usage patterns and Service performance
• To ensure security and prevent fraud or abuse

5. Third-Party Services and Data Processors

To provide and improve our Service, we use trusted third-party service providers who process your personal data on our behalf. We have data processing agreements in place with these providers to ensure GDPR compliance.

5.1 Hosting and Infrastructure

Vercel Inc. - Our Service is hosted on Vercel's cloud infrastructure. Vercel may process technical data such as IP addresses, request logs, and performance metrics for hosting and security purposes.

• Location: United States (with EU data centers available)
• Purpose: Website hosting, content delivery, performance monitoring
• Privacy Policy: https://vercel.com/legal/privacy-policy
• Data Processing Agreement: https://vercel.com/legal/dpa

5.2 Security and Content Delivery

Cloudflare Inc. - We use Cloudflare for SSL/TLS encryption, DNS services, DDoS protection, and content delivery network (CDN) services. Cloudflare processes technical data to secure and accelerate our Service.

• Location: United States (with global data centers)
• Purpose: Security, SSL/TLS encryption, DDoS mitigation, performance optimization
• Privacy Policy: https://www.cloudflare.com/privacypolicy/
• Data Processing Agreement: https://www.cloudflare.com/cloudflare-customer-dpa/

5.3 Database and Authentication

Supabase Inc. - We use Supabase for secure database storage, user authentication, and data management. Your account credentials, profile information, and user-generated content are stored in Supabase's infrastructure.

• Location: European Union (project deployed in EU region for GDPR compliance)
• Purpose: Database storage, user authentication, data management
• Privacy Policy: https://supabase.com/privacy
• Data Processing Agreement: https://supabase.com/legal/dpa
• Security: SOC 2 Type II compliant

5.4 Analytics

Google Analytics (Google LLC) - We use Google Analytics to understand how visitors use our Service. Google Analytics uses cookies to collect anonymous usage data.

• Location: United States
• Purpose: Website analytics, user behavior analysis, performance monitoring
• Privacy Policy: https://policies.google.com/privacy
• Opt-out: Google Analytics Opt-out Browser Add-on
• Data Sharing: Analytics data is anonymized and aggregated. We have enabled IP anonymization.

5.5 International Data Transfers

Some of our service providers are located in the United States. When we transfer your personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements (DPAs) with all third-party processors
• EU-US Data Privacy Framework participation (where applicable)
• Primary data storage in EU regions (Supabase database hosted in EU)

6. Legal Basis for Processing

Under the GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases:

• Consent: We process certain data based on your consent, which you can withdraw at any time.
• Contractual Necessity: Processing is necessary for the performance of a contract with you.
• Legal Obligation: Processing is necessary for compliance with a legal obligation.
• Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party.

7. Data Retention and Deletion

7.1 Retention Periods

We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Our standard retention periods are:

• Account Data: Retained while your account is active
• User-Generated Content (reviews, posts): Retained while your account is active, or as required for Service functionality
• Analytics Data: Aggregated and anonymized data retained for up to 26 months (Google Analytics default)
• Transaction Records: Retained for 7 years for tax and accounting purposes (if applicable)
• Security Logs: Retained for up to 90 days for security and fraud prevention

7.2 Account Deletion

When you request account deletion:

• 30-Day Grace Period: Your account will be deactivated immediately but data retained for 30 days to allow account recovery if you change your mind
• Permanent Deletion: After 30 days, all personal data is permanently deleted from our systems and backups, except as noted below
• Exceptions: Some data may be retained longer if required by law, for fraud prevention, or to resolve disputes
• Anonymized Data: Aggregated, anonymized analytics data may be retained indefinitely as it cannot identify you

7.3 User-Generated Content After Deletion

When you delete your account, your reviews and forum posts may remain visible but will be anonymized (username removed and replaced with "Deleted User"). This is necessary to maintain the integrity of discussions and reviews for other users. If you want specific content removed, please contact us at info@newhangar.com before deleting your account.

8. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

• Right to Access: Request a copy of all personal data we hold about you
• Right to Rectification: Correct inaccurate or incomplete personal data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data (subject to legal exceptions)
• Right to Restrict Processing: Limit how we process your data in certain circumstances
• Right to Data Portability: Receive your data in a machine-readable format and transfer it to another service
• Right to Object: Object to processing based on legitimate interests or for direct marketing
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Right Not to Be Subject to Automated Decision-Making: Not be subject to decisions based solely on automated processing

8.1 How to Exercise Your Rights

To exercise any of these rights, please contact us at info@newhangar.com with your request. We will respond within 30 days. You may also access and update some personal data directly through your account settings.

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority:

• Netherlands: Autoriteit Persoonsgegevens (Dutch Data Protection Authority) - https://autoriteitpersoonsgegevens.nl
• EU-wide: Find your local authority at https://edpb.europa.eu

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption: All data transmitted between your browser and our Service is encrypted using SSL/TLS (via Cloudflare)
• Database Security: Data at rest is encrypted and stored in secure, SOC 2 compliant infrastructure (Supabase)
• Access Controls: Strict access controls limit who can access personal data
• Authentication: Secure authentication mechanisms protect user accounts
• Monitoring: Continuous security monitoring and incident response procedures
• Regular Updates: Regular security updates and vulnerability assessments

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our Service. For detailed information about the cookies we use, their purposes, and how to manage your preferences, please see our comprehensive Cookie Policy.

Key points:

• Strictly Necessary Cookies: Essential for Service operation (authentication, security) - cannot be disabled
• Analytics Cookies: Help us understand how you use the Service (Google Analytics) - require your consent
• Cookie Consent: You can manage your cookie preferences through our cookie consent banner or by visiting our Cookie Policy

11. California Residents' Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request information about the personal data we collect, use, and disclose
• Right to Delete: Request deletion of your personal data (subject to exceptions)
• Right to Opt-Out: Opt-out of the "sale" of personal data (note: we do not sell personal data)
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights

To exercise these rights, contact us at info@newhangar.com. We will not discriminate against you for exercising your CCPA rights.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

• Update the "Last Updated" date at the bottom of this policy
• Notify you via email if you have an account
• Display a prominent notice on the Service

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

13. Contact Us

If you have any questions about this Privacy Policy, please contact us at:

Email: info@newhangar.com
Address: NewHangar, Nijmegen, Netherlands

Last Updated: January 2025