Privacy Policy

Last updated: 23 March 2026

Controller: Now-Next · pilot-next.com · contact@pilot-next.com

1. Who we are

Now-Next (“we”, “us”, “our”) operates the Pilot-Next SaaS platform at pilot-next.com. We are the data controller for personal data processed through this website and application. Questions or requests may be sent to contact@pilot-next.com.

2. Data we collect and why (Art. 13–14 GDPR)

We collect personal data only for the purposes described below. The legal bases are those listed in Art. 6 GDPR.

2.1 Account and profile data
  • Name, email address, password hash — to create and authenticate your account.
  • Profile picture (optional) — to personalise your profile within your flying group.
  • Preferred billing method (Hobbs / Tacho) — to calculate flight costs correctly.
  • Legal basis: Art. 6(1)(b) GDPR — performance of the contract with you.
2.2 Flight and booking data
  • Bookings: aircraft, start/end time, pilot name.
  • Flight logs: Hobbs/Tacho readings, flight duration.
  • Invoices and transactions: amounts, dates, line items.
  • Legal basis: Art. 6(1)(b) — performance of the contract; Art. 6(1)(c) — compliance with legal obligations (accounting records).
2.3 Payment data
  • Subscription billing is handled by Stripe. We store only your Stripe customer ID and subscription status — not raw card numbers.
  • Legal basis: Art. 6(1)(b) — performance of the contract.
2.4 Technical and usage data
  • IP address, browser type, pages visited, session duration — collected via Google Analytics (anonymised).
  • Server access logs retained for security and debugging.
  • Legal basis: Art. 6(1)(f) — our legitimate interest in keeping the service secure and improving it.
2.5 Email communications
  • Transactional emails (password reset, booking confirmations, invoice delivery) — sent to the email address you registered with.
  • Legal basis: Art. 6(1)(b) — performance of the contract.

3. Third-party processors (Art. 28 GDPR)

We share data only with processors who provide infrastructure for the service. A written Data Processing Agreement (DPA) is in place with each processor as required by Art. 28 GDPR.

  • Stripe, Inc. (USA) — payment processing and subscription management. DPA signed. Stripe is certified under the EU–US Data Privacy Framework.
  • Amazon Web Services / S3 (EU region) — secure object storage for profile pictures and generated invoice PDFs. AWS Data Processing Addendum accepted.
  • Strato AG (Germany) — transactional email delivery (password resets, booking confirmations, invoice delivery). DPA signed. EU-based infrastructure.
  • Google LLC (USA) — anonymised website analytics via Google Analytics. DPA accepted. IP anonymisation is enabled; data is subject to the EU–US Data Privacy Framework.

We do not sell personal data to third parties, nor do we use it for advertising.

4. International transfers

Stripe and Google Analytics involve transfers of data to the United States. These transfers rely on the EU–US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795) or, where applicable, Standard Contractual Clauses adopted under Art. 46 GDPR.

5. Retention periods

Retention periods are enforced by an automated nightly purge process:

  • Account and profile data — retained while your account is active. 30 days after account deactivation all personal identifiers (name, email, phone, address) are irreversibly anonymised.
  • Profile pictures — deleted immediately upon removal or account deactivation.
  • Flight logs (not linked to an invoice) — deleted after 5 years.
  • Flight logs linked to an invoice — retained for 7 years together with the invoice (statutory accounting obligation).
  • Invoices and transactions — retained for 7 years to satisfy statutory accounting obligations under applicable EU member-state law.
  • Audit logs — deleted after 2 years.
  • Server access logs — retained for 90 days.
  • Analytics data (Google Analytics) — retained for 14 months per Google Analytics default.

6. Your rights (Art. 15–22 GDPR)

As a data subject you have the following rights:

  • Right of access (Art. 15) — request a copy of your personal data.
  • Right to rectification (Art. 16) — correct inaccurate data; update most data directly in your account settings.
  • Right to erasure (Art. 17) — request deletion of your account and personal data, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18) — ask us to pause processing in certain circumstances.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests (e.g. analytics).
  • Right to withdraw consent — where processing is based on consent, you may withdraw at any time without affecting prior processing.

To exercise any right, email contact@pilot-next.com. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority.

7. Cookies

We use only technically necessary session cookies for authentication. Google Analytics sets analytics cookies; you can opt out via your browser settings or the Google Analytics Opt-out Browser Add-on. No marketing or tracking cookies are used.

8. Security

We protect personal data using TLS encryption in transit, bcrypt password hashing, and access controls restricted to authorised personnel. Financial endpoints are processed over network-only connections with no client-side caching.

9. Changes to this policy

We may update this policy to reflect changes in the service or applicable law. We will notify you by email and update the “last updated” date above. Continued use of the service after the effective date constitutes acceptance.

10. Contact

Data controller: Now-Next
Email: contact@pilot-next.com
Website: pilot-next.com

Features
Screens
Pricing
FAQ