1. Introduction

AOI Web Pro ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our aviation obstacle evaluation platform.

2. Information We Collect

2.1 Account Information

When you register for an account, we collect:

• Required: Email address, password (encrypted), name
• Optional: Organization, country, city, phone number, address
• Automatically generated: User ID, account creation date, email verification status

2.2 Aviation Data

When you use our services, we store:

• Airport and runway data
• Navigation aid (navaid) information
• Obstacle data and evaluations
• Custom surface definitions
• Analysis reports and results
• Criteria and regulatory data

2.3 Payment Information

Payment processing is handled by Stripe. We do NOT store your credit card information. We only store:

• Stripe customer ID (encrypted reference)
• Subscription status and tier
• Payment history (amounts, dates, status)
• Invoice records

2.4 Usage Information

We automatically collect:

• IP address (for security and rate limiting)
• Login/logout timestamps
• Browser type and version
• Device information
• Pages visited and features used
• Error logs and performance data

2.5 Communications

We collect information when you:

• Contact us via email or contact form
• Respond to our emails
• Participate in surveys or feedback requests

3. How We Use Your Information

3.1 Service Provision

• Create and manage your account
• Process and validate email verification
• Provide aviation analysis and evaluation tools
• Store and retrieve your aviation data
• Generate reports and analysis results

3.2 Billing and Payments

• Process subscription payments via Stripe
• Manage trial periods and subscription tiers
• Send payment confirmations and invoices
• Handle refunds and cancellations

3.3 Security and Fraud Prevention

• Implement rate limiting to prevent abuse
• Detect and prevent unauthorized access
• Verify user identity and email addresses
• Monitor for suspicious activity

3.4 Communications

• Send email verification links
• Send welcome emails after verification
• Send password reset links when requested
• Notify you of account or security issues
• Provide customer support
• Send service updates (you can opt-out of marketing emails)

3.5 Improvement and Analytics

• Analyze usage patterns to improve features
• Monitor performance and fix bugs
• Understand user needs and preferences

4. Data Storage and Security

4.1 Data Storage

• Database: PostgreSQL (hosted on neo.tech for production)
• Passwords: Encrypted using bcrypt with 12 rounds
• Sessions: JWT tokens with 30-day expiration
• Email tokens: Crypto-secure random tokens (256-bit) with 24-hour expiration

4.2 Security Measures

• HTTPS encryption for all data transmission
• Rate limiting to prevent brute force attacks
• Input validation and sanitization to prevent XSS attacks
• Email verification requirement before platform access
• Secure password requirements (8+ characters, mixed case, numbers, special chars)
• Regular security audits and updates

4.3 Data Retention

• Active accounts: Data retained while account is active
• Deleted accounts: Personal data anonymized within 30 days
• Financial records: Retained for 7 years for legal/tax compliance
• Backups: Automated daily backups retained for 30 days

5. Third-Party Services

5.1 Stripe (Payment Processing)

All payment processing is handled by Stripe. Please review Stripe's Privacy Policy.

5.2 Resend (Email Service)

Transactional emails (verification, welcome, password reset) are sent via Resend. Please review Resend's Privacy Policy.

5.3 EmailJS (Contact Form)

Contact form submissions are processed via EmailJS. Please review EmailJS Privacy Policy.

5.4 Upstash Redis (Rate Limiting)

IP addresses and email hashes are temporarily stored in Upstash Redis for rate limiting (data expires within 1 hour).

6. Data Sharing and Disclosure

We do NOT sell your personal information.

We may share your information only in these situations:

• With your consent: When you explicitly authorize sharing
• Service providers: Third parties that help us operate (Stripe, Resend, EmailJS, hosting providers)
• Legal requirements: When required by law, court order, or government request
• Business transfers: In case of merger, acquisition, or sale of assets
• Protection of rights: To prevent fraud, enforce our Terms, or protect safety

7. Your Rights and Choices

7.1 Access and Portability

You have the right to:

• Access your personal data through your account dashboard
• Request a copy of your data in a portable format
• Export your aviation data at any time

7.2 Correction and Updates

You can:

• Update your profile information in account settings
• Change your password at any time
• Update your email address (requires re-verification)

7.3 Deletion (Right to be Forgotten)

You can request:

• Account deletion through account settings or by contacting us
• Data anonymization (personal info removed, financial records preserved for compliance)
• Complete data erasure after legal retention periods

7.4 Marketing Communications

You can:

• Opt-out of marketing emails via unsubscribe links
• Continue to receive essential service emails (verification, security alerts, receipts)

8. Cookies and Tracking

We use essential cookies for:

• Authentication: Maintaining your login session (JWT tokens)
• Preferences: Remembering your theme (dark/light mode)
• Security: CSRF protection and rate limiting

We do NOT use third-party advertising or tracking cookies.

9. International Data Transfers

Your data may be transferred to and processed in countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers.

10. Children's Privacy

Our Service is not intended for children under 18. We do not knowingly collect information from children. If we discover we have collected data from a child, we will delete it immediately.

11. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

• Notify affected users within 72 hours via email
• Describe the nature of the breach and data affected
• Provide steps to protect yourself
• Notify relevant authorities as required by law

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via:

• Email notification
• Notice on our website
• In-app notification

Continued use after changes constitutes acceptance of the updated policy.

13. Contact Us

For privacy-related questions, requests, or concerns:

• Email: privacy@aoiwebpro.com
• Support: hello@aoiweb.pro
• Contact Form: Available on our website

We will respond to privacy requests within 30 days.