Last updated: 2 July 2026
At FlyWinger Aviation Limited ("we", "us", "our", or "FlyWinger"), we are fully committed to protecting and respecting your privacy and safeguarding your personal data. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you visit our website, use our services, or interact with us.
1. Important information and who we are
Data controller
FlyWinger Aviation Limited is the data controller and is responsible for your personal data.
Regulatory registration
We are formally registered as a data controller with the UK Information Commissioner's Office (ICO) under registration number: ZC180017. We maintain full regulatory compliance, including the annual payment of our data protection fee.
Contact details
If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact our privacy team using the details below.
- Legal entity
- FlyWinger Aviation Limited
- support@flywinger.com
- Postal address
- 252 Colindeep Lane, London, NW9 6DE, United Kingdom
You have the right to make a complaint at any time to the ICO (www.ico.org.uk). We would appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
2. The data we collect about you
Personal data means any information about an individual from which that person can be identified. Because our Platform facilitates aircraft rentals for hour building and training purposes, we collect, use, store, and transfer various kinds of personal data.
- Identity Data: First name, last name, date of birth, and copies of government-issued identification such as a passport or driving licence to verify aircraft owners and pilots.
- Aviation & Licensing Data: Pilot licences, ratings, total logged hours, and pilot logbook histories.
- Contact Data: Operational base address, billing address, email address, and telephone numbers.
- Aircraft Data for Owners: Aircraft registration numbers and performance or specification data, including MTOW and usable fuel.
- Financial Data: We do not store or view your full credit card or bank account details. Payment processing is securely managed by our third-party payment processor, Stripe. We only retain tokenised transaction representations and basic billing data.
- Transaction Data: Details about payments to and from you, aircraft rentals, bookings, and hours logged through our Platform.
- Technical and Usage Data: IP address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and details of how you interact with our website and booking system.
3. How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we use your personal data in the circumstances below.
| Purpose/activity | Type of data | Lawful basis of processing |
|---|---|---|
| To register you as a new user, pilot, or owner | Identity, contact, aviation & licensing | Performance of a contract with you |
| To facilitate and manage bookings, rentals, and hours logged | Identity, contact, aviation, aircraft, transaction | Performance of a contract with you |
| To process payments, fees, and charges | Identity, contact, transaction | Performance of a contract with you |
| To manage our relationship with you, including policy changes | Identity, contact, profile | Performance of a contract with you; necessary to comply with a legal obligation |
| To administer and protect our business and platform, including troubleshooting, data analysis, and system maintenance | Technical, usage, identity, contact | Necessary for our legitimate interests in running our business, administration, IT services, network security, and platform security |
4. How your data is shared
To facilitate aircraft rentals safely and transparently, we share certain information under strict compliance conditions.
Sharing between Platform users
- To aircraft owners: Once a booking request is initiated, we share relevant pilot qualification, licensing, and identity data with the respective aircraft owner to verify regulatory compliance, safety, and insurance mandates.
- To hour builders and pilots: We share registration and technical data, including MTOW, usable fuel, and location, with the pilot for flight planning and safety verification.
Third-party service providers
We share data with trusted third parties who provide operational infrastructure services to us, including:
- Database & cloud infrastructure: Supabase, Inc. is our primary backend data processor. Personal, aircraft, and licensing data collected through the Platform is securely processed and hosted via Supabase infrastructure.
- Payment processors: Stripe securely handles rental fees and payouts.
- Professional advisers: Insurance brokers, lawyers, auditors, or regulators such as the Civil Aviation Authority (CAA), if required by law or to protect safety.
5. International data transfers
Our primary cloud database infrastructure via Supabase is configured to host data within compliant UK/EU regions, such as UK/EU AWS data centres managed by Supabase. However, because Supabase, Inc. and certain payment processors are headquartered in the United States, processing technical logs, system metadata, or background authentication may occasionally involve data transfers outside the United Kingdom.
Whenever your personal data is transferred out of the UK, we ensure a similar degree of protection is afforded to it by enforcing the following safeguards:
- We enter into a formal Data Processing Addendum (DPA) with our infrastructure providers.
- Where data is transferred to entities outside the UK without an adequacy decision, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs).
6. Data security
We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered, or disclosed.
Our core application infrastructure relies on Supabase, using industry-standard database environments. Security measures natively covering your data include:
- Encryption in transit: Connections between your browser, our website, and our Supabase database enforce Transport Layer Security (TLS) encryption.
- Encryption at rest: User records, identifying documentation, and database backups are encrypted at rest using Advanced Encryption Standard (AES-256) keys.
- Row-Level Security: We implement strict database Row-Level Security policies within Supabase, isolating data so pilots and aircraft owners can only access or modify records they are authorised to interact with.
- Access control: We limit access to your personal data to employees, agents, contractors, and third parties who have a strict business need to know and operate under duties of confidentiality.
7. Data retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including satisfying legal, regulatory, tax, accounting, or reporting requirements. All active data is dynamically held in our production cloud databases.
- Active accounts: We retain your data in our live databases for the duration of your active membership or registration on our Platform.
- Inactive accounts: We execute automated routines that flag and delete user profile, licensing, and flight contract data from our primary Supabase tables 1 year after your account becomes completely inactive. This temporary retention window safeguards against retroactive insurance claims, regulatory audits, or contract disputes.
- Database backups: When data is deleted from our live databases upon your request or account closure, residual copies may persist in encrypted point-in-time database backups for a limited cyclical retention cycle of up to 30 days before being overwritten.
- Financial and transaction data: We retain basic transactional records for up to 6 years after the tax year in which the transaction took place to comply with UK tax and accounting laws.
8. Your legal rights
Under UK data protection laws, you have rights in relation to your personal data:
- Request access to your personal data, commonly known as a data subject access request.
- Request correction of the personal data that we hold about you.
- Request erasure of your personal data, subject to operational or regulatory retention requirements.
- Object to processing of your personal data where we are relying on a legitimate interest.
- Request restriction of processing of your personal data.
- Request the transfer of your personal data to you or to a third party.
- Withdraw consent at any time where we are relying on consent to process your personal data.
If you wish to exercise any of these rights, please contact us at support@flywinger.com. We aim to respond to all legitimate requests within one month.
Changes to this Privacy Policy
We keep our Privacy Policy under regular review. Any changes we make in the future will be posted on this page and, where appropriate, notified to you by email.