Privacy policy
Last updated: 30 April 2026
We take the protection of your data seriously. This policy explains exactly what data we collect through the website aerotaskrecorder.com and the AeroTask Recorder (mobile) and AeroTask Manager (web) applications, why we collect it, who has access to it, how long we retain it, and how to exercise your rights under the GDPR.
1. Data controller
The controller of your personal data is:
Registered office: 6 place du Président Thomas Woodrow Wilson, 31000 Toulouse, France
Represented by: Geoffrey BOTELLA, founder
General email: contact@aerotaskrecorder.com
Dedicated GDPR email: privacy@aerotaskrecorder.com
No Data Protection Officer (DPO) has been designated, as the activity does not fall within the cases of mandatory designation under article 37 of the GDPR.
2. Data we collect
2.1 On the aerotaskrecorder.com website
When you fill out one of our forms (contact, demo, reservation), we collect:
- Your first and last name
- Your email address
- The name of your organisation (optional)
- The content of your message or the nature of your request
Additionally, our analytics tool Plausible measures site traffic anonymously (page views, duration, traffic sources). No cookie is set, no personally identifying data is collected, and your IP address is never stored.
2.2 In the AeroTask Recorder mobile app
When you create an account and use the application, we process:
- Authentication data: email and password (hashed via Firebase Auth, never stored in plain text)
- Profile data: first name, last name, profile photo (optional), Part-66 licences, qualifications, type ratings, expiry dates
- Operational data: logged tasks (ATA codes, duration, aircraft, registration), records (continuation training, type rating, daily logs), generated reports, evidence photos attached to tasks
- Technical data: device type, app version, language, time zone, anonymised crash logs
2.3 In the AeroTask Manager web app (organisations)
For Part-145 MRO organisation managers subscribed to Manager:
- Manager authentication data (email, hashed password)
- Organisation information (name, address, Part-145 approval)
- Engineer data (added by themselves via their Recorder account)
- Billing data (managed by Stripe — see processors section)
3. Purposes and legal bases
| Processing | Purpose | Legal basis |
|---|---|---|
| Recorder / Manager user account | Provide the service you've subscribed to | Performance of a contract (art. 6.1.b GDPR) |
| Website forms (contact, demo, reservation) | Respond to your request, keep you informed | Consent (art. 6.1.a GDPR) |
| Anonymous audience measurement (Plausible) | Understand overall site usage | Legitimate interest (art. 6.1.f GDPR) |
| Technical and security logs | Prevent fraud, ensure service security | Legitimate interest (art. 6.1.f GDPR) |
| Billing and accounting | Issue invoices, accounting archives | Legal obligation (art. 6.1.c GDPR) |
4. Processors
To operate the service, we rely on technical providers (processors under the GDPR). Each is bound to AME Ledger by a Data Processing Agreement (DPA) ensuring a level of protection compliant with the GDPR.
| Processor | Role | Location |
|---|---|---|
| Google Cloud / Firebase | Authentication, database, file storage, cloud functions | EU + USA (Standard Contractual Clauses) |
| OVH SAS | Website hosting | France (EU) |
| Plausible Insights OÜ | Anonymous website audience measurement | Estonia (EU) |
| Apple Inc. / Google LLC | Mobile app distribution via App Store and Google Play | USA (Standard Contractual Clauses) |
| Stripe Payments Europe Limited | Manager subscription payment processing (when activated) | Ireland (EU) + USA (Standard Contractual Clauses) |
No personal data is sold, rented or transmitted to third parties for commercial or advertising purposes.
5. Transfers outside the European Union
Some data may be processed by our processors outside the European Union, in particular in the United States (Google Cloud, Apple, Google Play, part of Stripe processing). These transfers are governed by the European Commission's Standard Contractual Clauses, which guarantee a level of protection equivalent to the GDPR.
6. Retention periods
| Data category | Retention period |
|---|---|
| User account (profile, operational data) | As long as the account is active |
| Data after account deletion | Full erasure within 30 days |
| Technical and security logs | 12 months |
| Unconverted contact / demo / reservation requests | 3 years from last contact |
| Invoices and accounting documents | 10 years (article L123-22 of the French Code of Commerce) |
7. Your GDPR rights
Under the GDPR, you have the following rights:
- Right of access: obtain a copy of the data concerning you
- Right to rectification: correct inaccurate or incomplete data
- Right to erasure: request the deletion of your data
- Right to portability: retrieve your data in a structured format
- Right to object: object to processing based on legitimate interest
- Right to restriction: temporarily freeze the processing
- Right to withdraw consent at any time, without affecting the lawfulness of prior processing
To exercise these rights, write to privacy@aerotaskrecorder.com. We reply within 30 days maximum. Proof of identity may be requested in case of reasonable doubt.
For account deletion specifically, the easiest way is to follow the procedure on the Account deletion page.
8. Complaint to a Data Protection Authority
If you believe your rights are not respected, you can lodge a complaint with the French Data Protection Authority (CNIL):
3 place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France
Phone: +33 1 53 73 22 22
Website: www.cnil.fr/en
EU residents may also lodge a complaint with their national data protection authority. A list of all EU authorities is available on the European Data Protection Board website.
9. Cookies
The website aerotaskrecorder.com uses no tracking cookies, no advertising cookies and no third-party cookies. We therefore do not display a cookie consent banner, as no consent is required for the use we make of your browsing activity.
The audience tool we use (Plausible) is explicitly designed to operate without cookies or local storage, and collects no personally identifying data.
10. Security
We implement the following technical and organisational measures:
- TLS-encrypted connection across the entire website and application (HTTPS)
- Passwords hashed via Firebase Auth (never stored in plain text)
- Hosting at ISO 27001-certified providers (Google Cloud, OVH)
- Data access strictly limited to authorised personnel
- Daily automatic database backups
- Regular security audits of code and dependencies
11. Changes to this policy
This policy may be updated to reflect technical, legal or service changes. The date of the last update is shown at the top of this page. In case of significant changes, we will notify you by email before the changes take effect.
A question, a doubt, a complaint? Write to us at privacy@aerotaskrecorder.com; we reply within 72 working hours.