Privacy Policy

Last updated: March 2026

Data Controller

Lux Civica, Spain

Contact: support@flyfolio.co

What We Collect

1. Account Data

Email address, used for authentication via magic links and passkeys.

2. Flight Telemetry

Recorded by the desktop connector from MSFS 2024 and X-Plane 12: position, altitude, speed, heading, flight phases, and landing metrics. Stored locally in SQLite first, then synced to cloud for paid users.

3. Preferences

Language preference (NEXT_LOCALE cookie, 365 days) and landing page preference (localStorage, browser-only).

Legal Basis

  • Contract performance: Authentication, cloud sync, billing.
  • Legitimate interest: Error monitoring, performance metrics.
  • Consent: AI-powered flight debrief (optional, Captain tier).

Third-Party Processors

  • Paddle — Payment processing. Receives email and subscription data. DPA in place.
  • Mailgun — Email delivery for magic links. Receives email address. DPA in place.
  • Fireworks AI — AI flight debrief generation (optional, requires explicit consent). Receives flight telemetry only (no name/email).
  • Mapbox — Map tile rendering. Map interaction telemetry. Essential for flight visualization.
  • aviationweather.gov — Weather data. No personal data sent, only airport ICAO codes.
  • OpenWeatherMap — Weather radar tiles. Server-side API key, no user data exposed.
  • SimBrief — Flight plan import. User provides their own SimBrief pilot ID voluntarily.

Analytics

We use GoatCounter, self-hosted on our own infrastructure at stats.flyfolio.co. It’s a cookie-less, privacy-friendly page-counter:

  • No cookies, no localStorage, no browser fingerprinting
  • No IP addresses or User-Agent strings stored — a hashed, rotating salt is used to count unique visits, and the inputs to the hash are discarded
  • No data shared with third parties — the analytics database lives on our server, alongside your flight data
  • Counts are aggregate: page views, referrers, browser/OS family, country (derived server-side, never stored per-visitor)

Because no personal data is collected and no cookies are set, no consent banner is required (see ePrivacy Directive 2002/58/EC Art. 5(3), strictly-necessary exemption).

Cookies

  • folio_session — Authentication session. HttpOnly, Secure, 30-day expiry. Essential.
  • NEXT_LOCALE — Language preference. 365-day expiry. Preference/functional.

Local Storage

  • folio_landing_page — Preferred start page. Browser-only, never sent to server.
  • folio_debrief_consent — AI debrief consent status. Browser-only.

Data Retention

  • Account data: Retained while account is active. Deleted within 30 days of account deletion request.
  • Flight data: Retained while account is active. Always available locally in SQLite.
  • Server logs: 30 days.

Your Rights (GDPR)

  • Right to access your data
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to data portability (CSV export available in Settings)
  • Right to object to processing
  • Right to withdraw consent (AI debrief can be disabled anytime)

Contact: support@flyfolio.co

Supervisory authority: Agencia Española de Protección de Datos (AEPD)

Data Location

EU (Hetzner, Falkenstein, Germany).

International Transfers

Fireworks AI (US) and Mailgun (US) — Standard Contractual Clauses apply.

Data Ownership

Your flight data is yours. The Community tier keeps everything in a local SQLite database on your PC — no account, no cloud. Paid tiers (First Officer, Captain) sync to cloud but you can export everything as CSV anytime. If you cancel, local data stays forever.