Privacy Policy

Last updated: 10 May 2026

1. Who we are

FlightDeck CV ("we", "us", "our") operates the website located at https://www.flightdeckcv.com. We provide an online tool that lets aviation professionals (pilots, cabin crew, and aircraft maintenance engineers) build region-specific CVs and download them as PDFs. We are the data controller for personal data processed via this site.

For privacy enquiries or to exercise the rights described below, contact us at info@flightdeckcv.com.

2. What data we collect

We collect the minimum data needed to provide the service. None of the items in section 2.2 are required to use the site; they are collected only if and when you choose to include them in a CV you build.

2.1 Account data (required to use the site)

  • Your email address and a password (used for sign-in).
  • Your full name (collected at signup, displayed only to you).

2.2 CV content (entered by you, never required)

Anything you choose to put into a CV. Depending on the template you pick this can include: date of birth, nationality, postal address, phone number, photograph, licence numbers, medical certificate details, flight hours, type ratings, employment history, education history, and language proficiency. You decide what to include; we do not require any specific field.

2.3 Payment data

When you pay for a CV download we use Stripe as our payment processor. Card numbers, CVCs, and billing addresses are entered directly into Stripe's payment form and never reach our servers. We store only: a Stripe session identifier, the amount paid, the currency, and the timestamp.

2.4 Reviews

If you submit a post-download review, we store the rating (1–5 stars), any preset tags you selected, your free-text comment if you wrote one, and a derived role / region label (e.g. "Pilot · EASA") so we can attribute the review on landing pages. Reviews on the public site display only the role / region label and your rating / comment — your name and email are never shown.

2.5 Technical data

  • IP address — used by our rate-limiter to prevent brute-force attacks. Kept transiently in memory and in Vercel request logs for up to 30 days.
  • Browser type, device, page-view sequence — collected by our analytics providers if you consent to non-essential cookies (see Cookie Policy).
  • Error reports — automatic crash and error reports via Sentry, scrubbed of personally identifiable information before transmission.

3. Why we use your data (legal basis under UK / EU GDPR)

PurposeLegal basis
Creating and maintaining your account; storing your CVs; processing PDF downloadsPerformance of a contract with you (Art. 6(1)(b))
Processing paymentsPerformance of a contract; legal obligation (Art. 6(1)(b), 6(1)(c))
Rate limiting, CAPTCHA, security headers, intrusion detectionLegitimate interest in preventing fraud and abuse (Art. 6(1)(f))
Sending you transactional emails (payment receipts, account confirmations)Performance of a contract (Art. 6(1)(b))
Analytics, advertising-effectiveness trackingYour consent (Art. 6(1)(a)) — opt-in via the cookie banner

4. Who we share data with

We use a small set of third-party processors, each contracted under data-processing agreements (DPAs):

  • Supabase — database, authentication, and file storage. Data residency depends on the region we provisioned in.
  • Vercel — hosting, edge CDN, analytics (privacy-friendly, cookieless).
  • Stripe — payment processing.
  • Resend — transactional email (signup confirmations, contact-form notifications).
  • Cloudflare — Turnstile CAPTCHA to protect signup, login, and contact forms from automated abuse.
  • Sentry — error and crash reporting (PII-scrubbed).
  • Google Analytics — usage analytics, loaded only if you accept analytics cookies.

We do not sell your data to third parties. We do not share your CV content with anyone other than the processors listed above acting on our behalf.

5. International transfers

Some of our processors (Stripe, Resend, Google Analytics, Sentry) are based in the United States. Where we transfer your personal data outside the UK / EU we rely on the relevant transfer mechanisms (e.g. the EU–US Data Privacy Framework, UK Addendum to the EU Standard Contractual Clauses, or equivalent Australian instruments) to ensure a comparable level of protection.

6. How long we keep your data

  • Account and CV content — for as long as your account exists. When you delete your account (Dashboard → Settings) we delete your auth record, your CV rows, your uploaded photos, and your reviews within 30 days.
  • Payment records — retained for 7 years after the transaction. We are legally required to keep these for tax and consumer-protection reasons even after account deletion.
  • Server logs — Vercel and Supabase rotate these within 30–90 days depending on the service.
  • Anonymous analytics — aggregated data is kept indefinitely.

7. Your rights

If you are located in the UK, EU/EEA, or Australia, you can:

  • Access the personal data we hold about you — most of it is already visible in your account; for the rest, email us.
  • Correct inaccurate data — you can edit your CV content directly; for anything else, email us.
  • Deleteyour account and all associated personal data (except payment records, which we're legally required to retain). Use Dashboard → Settings → Delete Account, or email us to request manual deletion.
  • Object to processing based on our legitimate interests, or withdraw consent for analytics cookies at any time via the cookie banner.
  • Receive a copyof your data in a portable format — email us and we'll generate an export within 30 days.
  • Complain to a supervisory authority (the UK ICO, your local EU data-protection authority, or the OAIC in Australia).

To exercise any of these rights, email info@flightdeckcv.com. We'll respond within 30 days.

8. Security

We protect your data using industry-standard practices: HTTPS everywhere, encrypted-at-rest databases, row-level security ensuring users can only access their own records, hashed passwords (we never store or see your password in plain text), CAPTCHA on public forms, and rate-limiting against brute-force attacks. Payment card details never reach our servers — they go directly from your browser to Stripe's PCI-DSS-Level-1-compliant infrastructure.

Despite these measures, no online service can guarantee absolute security. If we become aware of a personal data breach affecting your data, we'll notify you and the relevant supervisory authority within 72 hours as required by GDPR.

9. Children

FlightDeck CV is intended for users aged 18 and over. Aviation licensing in every jurisdiction we serve requires applicants to be at least 17 or 18 years old. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please email us and we will delete it.

10. Changes to this policy

If we make significant changes to this policy (e.g. adding a new data processor or a new data category), we'll notify registered users by email before the changes take effect. Minor wording changes will be reflected on this page with an updated "Last updated" date at the top.

11. Contact

Email: info@flightdeckcv.com
Web: www.flightdeckcv.com/contact