Legal

Privacy policy

How FlyWinger Aviation Limited collects, uses, shares, and protects personal data.

Last updated: 2 July 2026

At FlyWinger Aviation Limited ("we", "us", "our", or "FlyWinger"), we are fully committed to protecting and respecting your privacy and safeguarding your personal data. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you visit our website, use our services, or interact with us.

1. Important information and who we are

Data controller

FlyWinger Aviation Limited is the data controller and is responsible for your personal data.

Regulatory registration

We are formally registered as a data controller with the UK Information Commissioner's Office (ICO) under registration number: ZC180017. We maintain full regulatory compliance, including the annual payment of our data protection fee.

Contact details

If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact our privacy team using the details below.

Legal entity
FlyWinger Aviation Limited
Email
support@flywinger.com
Postal address
252 Colindeep Lane, London, NW9 6DE, United Kingdom

You have the right to make a complaint at any time to the ICO (www.ico.org.uk). We would appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

2. The data we collect about you

Personal data means any information about an individual from which that person can be identified. Because our Platform facilitates aircraft rentals for hour building and training purposes, we collect, use, store, and transfer various kinds of personal data.

  • Identity Data: First name, last name, date of birth, and copies of government-issued identification such as a passport or driving licence to verify aircraft owners and pilots.
  • Aviation & Licensing Data: Pilot licences, ratings, total logged hours, and pilot logbook histories.
  • Contact Data: Operational base address, billing address, email address, and telephone numbers.
  • Aircraft Data for Owners: Aircraft registration numbers and performance or specification data, including MTOW and usable fuel.
  • Financial Data: We do not store or view your full credit card or bank account details. Payment processing is securely managed by our third-party payment processor, Stripe. We only retain tokenised transaction representations and basic billing data.
  • Transaction Data: Details about payments to and from you, aircraft rentals, bookings, and hours logged through our Platform.
  • Technical and Usage Data: IP address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and details of how you interact with our website and booking system.

3. How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we use your personal data in the circumstances below.

Purpose/activityType of dataLawful basis of processing
To register you as a new user, pilot, or ownerIdentity, contact, aviation & licensingPerformance of a contract with you
To facilitate and manage bookings, rentals, and hours loggedIdentity, contact, aviation, aircraft, transactionPerformance of a contract with you
To process payments, fees, and chargesIdentity, contact, transactionPerformance of a contract with you
To manage our relationship with you, including policy changesIdentity, contact, profilePerformance of a contract with you; necessary to comply with a legal obligation
To administer and protect our business and platform, including troubleshooting, data analysis, and system maintenanceTechnical, usage, identity, contactNecessary for our legitimate interests in running our business, administration, IT services, network security, and platform security

4. How your data is shared

To facilitate aircraft rentals safely and transparently, we share certain information under strict compliance conditions.

Sharing between Platform users

  • To aircraft owners: Once a booking request is initiated, we share relevant pilot qualification, licensing, and identity data with the respective aircraft owner to verify regulatory compliance, safety, and insurance mandates.
  • To hour builders and pilots: We share registration and technical data, including MTOW, usable fuel, and location, with the pilot for flight planning and safety verification.

Third-party service providers

We share data with trusted third parties who provide operational infrastructure services to us, including:

  • Database & cloud infrastructure: Supabase, Inc. is our primary backend data processor. Personal, aircraft, and licensing data collected through the Platform is securely processed and hosted via Supabase infrastructure.
  • Payment processors: Stripe securely handles rental fees and payouts.
  • Professional advisers: Insurance brokers, lawyers, auditors, or regulators such as the Civil Aviation Authority (CAA), if required by law or to protect safety.

5. International data transfers

Our primary cloud database infrastructure via Supabase is configured to host data within compliant UK/EU regions, such as UK/EU AWS data centres managed by Supabase. However, because Supabase, Inc. and certain payment processors are headquartered in the United States, processing technical logs, system metadata, or background authentication may occasionally involve data transfers outside the United Kingdom.

Whenever your personal data is transferred out of the UK, we ensure a similar degree of protection is afforded to it by enforcing the following safeguards:

  • We enter into a formal Data Processing Addendum (DPA) with our infrastructure providers.
  • Where data is transferred to entities outside the UK without an adequacy decision, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs).

6. Data security

We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered, or disclosed.

Our core application infrastructure relies on Supabase, using industry-standard database environments. Security measures natively covering your data include:

  • Encryption in transit: Connections between your browser, our website, and our Supabase database enforce Transport Layer Security (TLS) encryption.
  • Encryption at rest: User records, identifying documentation, and database backups are encrypted at rest using Advanced Encryption Standard (AES-256) keys.
  • Row-Level Security: We implement strict database Row-Level Security policies within Supabase, isolating data so pilots and aircraft owners can only access or modify records they are authorised to interact with.
  • Access control: We limit access to your personal data to employees, agents, contractors, and third parties who have a strict business need to know and operate under duties of confidentiality.

7. Data retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including satisfying legal, regulatory, tax, accounting, or reporting requirements. All active data is dynamically held in our production cloud databases.

  • Active accounts: We retain your data in our live databases for the duration of your active membership or registration on our Platform.
  • Inactive accounts: We execute automated routines that flag and delete user profile, licensing, and flight contract data from our primary Supabase tables 1 year after your account becomes completely inactive. This temporary retention window safeguards against retroactive insurance claims, regulatory audits, or contract disputes.
  • Database backups: When data is deleted from our live databases upon your request or account closure, residual copies may persist in encrypted point-in-time database backups for a limited cyclical retention cycle of up to 30 days before being overwritten.
  • Financial and transaction data: We retain basic transactional records for up to 6 years after the tax year in which the transaction took place to comply with UK tax and accounting laws.

8. Your legal rights

Under UK data protection laws, you have rights in relation to your personal data:

  • Request access to your personal data, commonly known as a data subject access request.
  • Request correction of the personal data that we hold about you.
  • Request erasure of your personal data, subject to operational or regulatory retention requirements.
  • Object to processing of your personal data where we are relying on a legitimate interest.
  • Request restriction of processing of your personal data.
  • Request the transfer of your personal data to you or to a third party.
  • Withdraw consent at any time where we are relying on consent to process your personal data.

If you wish to exercise any of these rights, please contact us at support@flywinger.com. We aim to respond to all legitimate requests within one month.

Changes to this Privacy Policy

We keep our Privacy Policy under regular review. Any changes we make in the future will be posted on this page and, where appropriate, notified to you by email.