Privacy Policy

Effective date: April 8, 2026

Overview

Core Aviation Group LLC (“Company,” “we,” “us,” or “our”) operates Canopy, an aviation organization and flight school management platform (“Service”). Our principal place of business is 1675 Broadway, Suite 600, Denver, CO 80202. This Privacy Policy explains what information we collect, how we use it, and the rights you have with respect to it.

Canopy is a business-to-business (“B2B”) platform. Our direct customers are aviation organizations and flight schools (“Organizations”). Users access the platform through their Organization’s portal. In most cases the Organization is the data controller for its users’ personal information and we act as a data processor on the Organization’s behalf. Where we determine the purposes and means of processing — such as for account administration and platform security — we act as a controller in our own right.

By using the Service you acknowledge that you have read and understood this Policy.

1. Information We Collect

Organization account information. When an Organization signs up we collect the organization name, administrator name, email address, and billing details.

User data (provided by Organizations). Organizations enter or upload information about their users, which may include:

  • Full name and email address
  • Enrollment status, role, and tenure
  • Pilot certificates, ratings, and qualification records
  • Flight hours, training records, and endorsements
  • Billing history, account balances, and invoices
  • Emergency contact information (if entered by the Organization)

Usage and log data. We automatically collect information about how the Service is used, including pages visited, features accessed, timestamps, IP addresses, browser type, and device identifiers. This data is used for security monitoring, debugging, and aggregate analytics.

Payment information. Payments are processed by Stripe or PayPal. We do not store full card numbers or bank account numbers. We receive and store transaction confirmations, amounts, last-four digits, and related metadata.

Communications. If you contact us for support or any other purpose, we retain those communications to resolve your inquiry and improve the Service.

2. How We Use Information

We use the information we collect to:

  • Provide, operate, maintain, and improve the Service.
  • Process payments and issue receipts and invoices.
  • Send transactional emails such as booking confirmations, billing alerts, and system notifications.
  • Respond to support requests and communicate with Organization administrators.
  • Monitor for security threats, fraud, and abuse.
  • Comply with legal and regulatory obligations.
  • Produce anonymized, aggregated analytics about platform usage.

We do not sell personal information to third parties. We do not use User data for advertising, profiling for commercial purposes, or any purpose unrelated to providing the Service.

3. Legal Bases for Processing (GDPR)

Where the EU General Data Protection Regulation (“GDPR”) or the laws of the United Kingdom or Switzerland apply to our processing, we rely on the following legal bases:

  • Contract performance — processing necessary to provide the Service under our agreement with the Organization, including account management, billing, and operational features.
  • Legitimate interests — processing for security monitoring, fraud prevention, service improvement, and aggregate analytics, where those interests are not overridden by your rights.
  • Legal obligation — processing required to comply with applicable law, including tax and accounting records.
  • Consent — where we rely on consent (for example, for optional marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing.

Because Organizations act as controllers of their users’ data, Organizations are responsible for establishing the appropriate lawful basis for collecting and submitting user data to the Service.

4. Sharing of Information

We share personal information only in the following circumstances:

Service providers and sub-processors. We use the following third-party sub-processors to operate the platform. Each is bound by data processing agreements consistent with applicable law:

  • Supabase — database hosting and authentication (data stored in AWS us-east-1, United States)
  • Vercel — application hosting and edge delivery (United States)
  • Stripe — payment processing (United States)
  • PayPal — payment processing (United States)
  • Resend — transactional email delivery (United States)

Legal requirements. We may disclose personal information if we believe in good faith that disclosure is required by applicable law, court order, regulation, or government request, or to protect the safety and rights of users or the public.

Business transfers. In the event of a merger, acquisition, financing, or sale of all or substantially all of our assets, Organization data may be transferred to the successor entity. We will provide Organization administrators with advance notice of any such transfer and the opportunity to export their data.

With your consent. We may share information for other purposes with your explicit consent.

5. International Data Transfers

All data is stored on servers located in the United States (AWS us-east-1). If you or your users are located in the European Economic Area (“EEA”), the United Kingdom, Switzerland, or another jurisdiction with data transfer restrictions, personal information will be transferred to and processed in the United States, which may have different data protection standards than your home jurisdiction.

Where required by applicable law, we implement appropriate safeguards for such transfers, including Standard Contractual Clauses (“SCCs”) approved by the European Commission. To request a copy of applicable transfer mechanisms, contact us at privacy@flycanopy.com.

6. Data Retention

We retain Organization data for as long as the subscription is active and in good standing. Upon cancellation or termination of a subscription:

  • Organization data remains accessible for export for 60 days following the termination date.
  • After the 60-day retention period, Organization data is permanently deleted from production systems.
  • Backups containing Organization data are purged on a rolling schedule within 90 days of deletion from production.

Usage logs and anonymized analytics may be retained for up to 24 months. Billing records are retained for as long as required by applicable tax and accounting law (typically 7 years).

7. Data Security

We implement industry-standard technical and organizational measures to protect personal information, including:

  • Encryption of all data in transit using TLS 1.2 or higher.
  • Encryption of data at rest using AES-256.
  • Row-level security (RLS) in the database — each Organization’s data is logically isolated from all other Organizations.
  • Access controls — production database access is restricted to service accounts with the minimum permissions necessary.
  • Audit logging for administrative actions and data export operations.
  • Regular review of security configurations and dependencies.

No system is completely secure. In the event of a data breach that requires notification under applicable law, we will notify affected Organization administrators without undue delay. If you discover or suspect a security vulnerability, please report it to security@flycanopy.com.

8. Cookies and Tracking

The Service uses session cookies to maintain authenticated user sessions. These cookies are strictly necessary for the Service to function and do not require consent. We do not use advertising cookies, third-party tracking pixels, or behavioral profiling technologies within the authenticated portal.

The public marketing site (flycanopy.com) may use privacy-preserving, anonymized analytics to measure aggregate page traffic. No personally identifiable information is stored in connection with these analytics.

9. Your Privacy Rights

Depending on your location and applicable law, you may have the following rights with respect to your personal information:

  • Access. Request a copy of the personal information we hold about you.
  • Correction / Rectification. Request correction of inaccurate or incomplete data.
  • Deletion / Erasure. Request deletion of your personal information, subject to our legal retention obligations.
  • Portability. Request an export of your data in a structured, machine-readable format.
  • Restriction. Request that we restrict processing of your data in certain circumstances.
  • Objection. Object to processing based on legitimate interests.
  • Withdraw consent. Where processing is based on consent, withdraw it at any time.

Users should direct data requests to their Organization administrator in the first instance, as the Organization controls user data. Organization administrators may submit requests on behalf of their users by contacting us at privacy@flycanopy.com. We will respond within 30 days.

We will not discriminate against you for exercising any of these rights.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”) may give you additional rights, to the extent the law applies.

Categories of personal information collected. In the preceding 12 months we have collected the following categories as defined by the CCPA:

  • Identifiers (name, email address, IP address)
  • Professional or employment-related information (pilot certificates, ratings, role)
  • Commercial information (subscription and billing records)
  • Internet or other electronic network activity (usage logs)
  • Inferences drawn from the above to provide platform features (e.g. role-based access)

We do not sell or share your personal information as those terms are defined under CCPA/CPRA, including for cross-context behavioral advertising. We have not done so in the preceding 12 months.

Your CCPA/CPRA rights include:

  • Right to know — the categories and specific pieces of personal information collected about you.
  • Right to delete — request deletion of your personal information, subject to applicable exceptions.
  • Right to correct — request correction of inaccurate personal information.
  • Right to opt-out of sale/sharing — not applicable as we do not sell or share personal information.
  • Right to limit use of sensitive personal information — not applicable as we do not process sensitive personal information for purposes beyond those permitted under CPRA.
  • Right to non-discrimination — we will not penalize you for exercising your rights.

To exercise your CCPA/CPRA rights, contact us at privacy@flycanopy.com or info@coreaviation.us. We will verify your identity before processing requests. You may designate an authorized agent to submit requests on your behalf.

11. EU, EEA, and UK Residents (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the GDPR (or applicable national implementation) grants you additional rights and protections.

In addition to the rights described in Section 9, you have the right to lodge a complaint with the data protection supervisory authority in your Member State or the UK Information Commissioner’s Office (“ICO”) if you believe our processing of your personal information infringes applicable law.

For matters involving personal data of EU/EEA/UK individuals, our primary point of contact is privacy@flycanopy.com. We will respond to GDPR data subject requests within 30 days (extendable by a further two months for complex requests, with notice).

As a U.S.-based company processing data of EU/EEA/UK residents, we may be required under Article 27 GDPR to designate an EU representative. If and when we are required to do so, that information will be published in an updated version of this Policy.

12. Children's Privacy

The Service is not directed to individuals under the age of 13, and we do not knowingly collect personal information from children under 13. If an Organization submits personal information relating to a child under 13, the Organization is responsible for ensuring it has obtained all required parental consents under applicable law, including the Children’s Online Privacy Protection Act (“COPPA”). If we become aware that we have inadvertently collected such information without appropriate consent, we will take steps to delete it promptly. Contact us at privacy@flycanopy.com if you believe this has occurred.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify Organization administrators by email at least 14 days before any material changes take effect. Non-material changes (such as clarifications or updated contact details) may be made at any time and will be reflected in the effective date at the top of this page.

Continued use of the Service after the effective date of a revised Policy constitutes acceptance of the revised terms. If you do not agree to a material change, you may terminate your subscription before the change takes effect.

14. Contact

For privacy-related inquiries, data subject requests, or questions about this Policy:

Email: privacy@flycanopy.com
General inquiries: info@coreaviation.us
Security disclosures: security@flycanopy.com

Core Aviation Group LLC
1675 Broadway, Suite 600
Denver, CO 80202
United States
