PRIVACY POLICY.

Last updated: April 18, 2026

At Dataero Europe SRL, protecting your personal data is a core responsibility. This Privacy Policy explains how we collect, use, share, and safeguard personal data in connection with our website at dataero.eu and our aviation management software platform (the “Services”), in compliance with Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and applicable Belgian data protection law (Loi du 30 juillet 2018 relative à la protection des personnes physiques à l’égard des traitements de données à caractère personnel).

1. Who We Are & Contact Details

The data controller responsible for your personal data is:

Dataero Europe SRL
Rond-Point Robert Schuman 11
1040 Bruxelles, Belgium
Company number: BE1004.272.375
Email: legal@dataero.eu
Website: dataero.eu

For all data protection enquiries, to exercise your rights, or to report a concern, please contact us at legal@dataero.eu. We aim to respond to all requests within the timeframes required by applicable law.

Dataero has not appointed a formal Data Protection Officer (DPO) as it does not engage in large-scale systematic monitoring or large-scale processing of special category data within the meaning of Article 37 GDPR. Privacy matters are handled by our legal function at the address above.

2. Scope of This Policy

This Privacy Policy applies to personal data processed in connection with:

(a) Visitors to the dataero.eu website;
(b) Individuals who contact us through forms, email, or other communication channels;
(c) Employees, representatives, and authorised users of our business customers who access the Dataero platform;
(d) Any other person whose personal data we process in our capacity as data controller.

Controller vs. Processor Distinction. Where Dataero processes personal data on behalf of a business customer acting as data controller (for example, crew management records, staff operational data, or passenger-adjacent data entered into our platform by a customer), Dataero acts as a data processor within the meaning of Article 4(8) GDPR. In those circumstances, the customer’s own privacy documentation and our Data Processing Agreement (“DPA”) govern such processing. This Policy does not apply to personal data for which Dataero acts solely as processor.

Customers who wish to enter into a DPA with Dataero should contact legal@dataero.eu.

3. Personal Data We Collect

3.1 Website Visitor Data

When you visit our website, we may collect:

Technical data: IP address, browser type and version, device type, operating system, referring URL, pages visited, and time and duration of visit (via analytics tools).

Contact data: Name, professional email address, job title, company name, and phone number voluntarily provided through contact or enquiry forms.

Marketing data: Email preferences and engagement data if you subscribe to marketing communications from us.

Cookie and tracking data: As described in Section 6 below.

3.2 Platform Data (Business Customers and Their Users)

When you or your organisation uses the Dataero platform, we may process:

Account data: Name, professional email address, job title, role, and employer organisation.

Operational data: Data entered into the platform relating to aviation operations, which may include records associated with named crew members, operational personnel, or other individuals. Where such data constitutes personal data, Dataero processes it as processor on behalf of the customer-controller.

Usage data: Log files, session information, feature usage patterns, system events, and error reports generated during use of the platform.

Support data: Communications and information provided when you contact our customer support team.

3.3 Data We Do Not Collect

We do not intentionally collect special category personal data (Article 9 GDPR) — such as health data, racial or ethnic origin, political opinions, religious beliefs, or biometric data — through our website. If any such data is incidentally included in platform operational data by a customer, the customer remains the data controller responsible for ensuring a valid legal basis for that processing, and Dataero will process it solely in accordance with the applicable DPA.

4. Legal Bases for Processing (Article 6 GDPR)

We process your personal data only where we have a valid legal basis to do so. The legal bases we rely on are as follows:

4.1 Performance of a Contract (Art. 6(1)(b) GDPR)
We process account data, platform usage data, and support data to provide and manage our Services pursuant to our Software Subscription Agreement with your organisation, and to take pre-contractual steps at your request (e.g. responding to a product enquiry or demo request).

4.2 Legitimate Interests (Art. 6(1)(f) GDPR)
We process website analytics data, security and fraud-prevention logs, and B2B marketing communications (where not requiring consent under applicable ePrivacy rules) on the basis of our legitimate interests in: understanding how our website and Services are used; maintaining the security and integrity of our systems; and marketing our Services to relevant professional contacts. We have assessed that these interests are not overridden by your fundamental rights and freedoms, given the B2B context of our operations and the limited intrusiveness of the processing involved.

4.3 Compliance with Legal Obligations (Art. 6(1)(c) GDPR)
We process certain data where required to do so by Belgian law, EU law, applicable tax regulations, court orders, or requests from competent supervisory or law enforcement authorities.

4.4 Consent (Art. 6(1)(a) GDPR)
Where we rely on your consent — for example, for non-essential cookies or for email marketing communications where required by applicable ePrivacy rules — you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. Consent withdrawal requests should be directed to legal@dataero.eu.

5. How We Use Your Personal Data

We use the personal data we collect for the following purposes, each supported by a legal basis described in Section 4:

• To operate, maintain, and improve this website and the Services;

• To create and manage user accounts and provide customer support;

• To respond to enquiries and process pre-contractual and contractual requests;

• To send transactional emails and service notifications necessary for the operation of your account;

• To send marketing communications to business contacts about our products and services (subject to opt-out or consent as applicable);

• To conduct analytics on website and platform usage to improve our Services and user experience;

• To detect, investigate, and prevent fraud, abuse, unauthorised access, and security incidents;

• To comply with legal obligations and respond to lawful requests from regulatory, judicial, or law enforcement authorities;

• To enforce our Terms and Conditions and protect the rights and interests of Dataero and third parties.

6. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies (such as pixels and local storage). A cookie is a small text file placed on your device when you visit a website.

We use the following categories of cookies:

Strictly necessary cookies: Essential for the website to function correctly (e.g. session management, security). These do not require your consent.

Analytics cookies: Help us understand how visitors interact with our website by collecting aggregated data on pages visited, time spent, and navigation paths. These require your consent.

Marketing and preference cookies: Used to deliver relevant content, measure campaign performance, and remember your preferences. These require your consent.

You can manage your cookie preferences through our cookie consent banner or by adjusting your browser settings. Withdrawing consent for non-essential cookies will not affect your ability to use the core website. For full details of the cookies we use, their purposes, and their retention periods, please see our Cookie Policy.

7. International Data Transfers

Dataero is a Belgian company and processes personal data primarily within the European Economic Area (“EEA”). However, some of our third-party service providers are based outside the EEA, including in the United States. Where we transfer personal data to countries that have not received an adequacy decision from the European Commission under Article 45 GDPR, we ensure that appropriate safeguards are in place, specifically:

Standard Contractual Clauses (SCCs): We rely primarily on the Standard Contractual Clauses adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (for controller-to-processor and controller-to-controller transfers). Where required, SCCs are supplemented by a Transfer Impact Assessment (“TIA”) and additional technical and organisational measures.

EU–US Data Privacy Framework: For transfers to US-based providers that are certified under the EU–US Data Privacy Framework (adequacy decision adopted by the European Commission on 10 July 2023), we may rely on that adequacy decision as a transfer mechanism.

You may request information about the specific safeguards applicable to transfers to a particular processor by contacting legal@dataero.eu.

8. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, taking into account applicable statutory retention obligations and legitimate business needs. Our standard retention periods are as follows:

Website analytics data — 14 months from collection

Contact form and enquiry data — 3 years from the date of last contact or the close of the relevant pre-contractual relationship

Account and platform data — For the duration of the contractual relationship plus 5 years, or as otherwise required by applicable law

Financial, invoicing, and tax records — 7 years, in accordance with Belgian accounting and tax law (Code des sociétés et des associations)

Security and access logs — 6 to 12 months

Marketing consent records — For the duration of the marketing relationship plus 3 years

Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised. Where deletion is not immediately practicable (e.g. backup systems), data is isolated and protected from further active processing until deletion can be completed.

9. Data Security

Dataero implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with Article 32 GDPR. Our security measures include, but are not limited to:

• Encryption of personal data in transit (TLS/SSL) and at rest;

• Role-based access controls and the principle of least privilege;

• Multi-factor authentication for access to production systems;

• Regular security assessments, vulnerability scanning, and penetration testing;

• Staff training on data protection and information security;

• Incident response and data breach notification procedures in accordance with Articles 33 and 34 GDPR.

Notwithstanding these measures, no system is entirely immune from security incidents. If you become aware of any security vulnerability or incident involving our Services, please notify us immediately at legal@dataero.eu.

10. Third-Party Processors

We share personal data with trusted third-party processors who provide services on our behalf. All processors are subject to data processing agreements requiring them to: process personal data only on our documented instructions; implement appropriate technical and organisational security measures; assist us in complying with data subject rights requests and security obligations; and delete or return data upon termination of services.

Categories of third-party processors we engage include:

Cloud infrastructure and hosting (data storage, processing, and disaster recovery)

Analytics providers (website and platform usage analytics)

Customer relationship management (CRM) tools (management of business contacts and sales pipeline)

Email and marketing automation platforms (transactional and marketing communications)

Payment processors (processing of subscription payments; Dataero does not store payment card data)

Customer support tools (ticketing and support case management)

We do not sell, rent, or trade your personal data to any third party for their own independent marketing or commercial purposes.

11. Your Rights Under the GDPR

As a data subject, you have the following rights under the GDPR, subject to applicable conditions, limitations, and exemptions provided for by EU or Belgian law:

Right of access (Art. 15 GDPR): To obtain confirmation of whether we process personal data about you, and to receive a copy of that data together with information about how it is processed.

Right to rectification (Art. 16 GDPR): To have inaccurate or incomplete personal data corrected without undue delay.

Right to erasure / “right to be forgotten” (Art. 17 GDPR): To request deletion of your personal data where there is no overriding legitimate reason to retain it, where you withdraw consent (and no other legal basis applies), or where the data has been unlawfully processed.

Right to restriction of processing (Art. 18 GDPR): To request that we limit our processing of your personal data in certain circumstances (e.g. while the accuracy of data is contested).

Right to data portability (Art. 20 GDPR): To receive personal data you have provided to us in a structured, commonly used, machine-readable format, and to have that data transmitted to another controller where technically feasible (applies where processing is based on consent or contract and is carried out by automated means).

Right to object (Art. 21 GDPR): To object at any time to processing of your personal data based on legitimate interests (Art. 6(1)(f)), including profiling for those purposes, and to object to processing for direct marketing purposes (in which case we will cease processing immediately).

Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent, to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please submit a written request to legal@dataero.eu. We will respond within one (1) month of receipt, extendable by a further two (2) months for complex or numerous requests (in which case we will notify you of the extension within the first month). We may verify your identity before processing your request. Requests are generally free of charge; we may charge a reasonable fee for manifestly unfounded or excessive requests.

12. Automated Decision-Making and Profiling

Dataero does not make decisions about individuals that produce legal effects or that similarly significantly affect them solely on the basis of automated processing, including profiling, within the meaning of Article 22(1) GDPR.

Where analytics or AI tools are used to analyse usage patterns, this is for internal product improvement purposes only and does not result in automated individual decision-making with significant legal or comparable effects. If this practice changes in the future, we will update this Policy and provide any additional information required under applicable law.

13. Children’s Data

The Dataero website and Services are directed exclusively at business users and professional organisations. We do not knowingly collect or process personal data relating to individuals under the age of 18. If you believe that we have inadvertently received personal data from or relating to a minor, please contact us immediately at legal@dataero.eu and we will take prompt steps to delete such data.

14. Supervisory Authority

You have the right to lodge a complaint at any time with the competent supervisory authority if you believe your personal data has been processed in violation of applicable data protection law. The lead supervisory authority for Dataero Europe SRL is:

Autorité de protection des données / Gegevensbeschermingsautoriteit (APD/GBA)
Rue de la Presse 35 / Drukpersstraat 35
1000 Brussels, Belgium
Tel: +32 2 274 48 00
Email: contact@apd-gba.be
Website: www.autoriteprotectiondonnees.be

If you are located in another EU/EEA member state, you may also lodge a complaint with the data protection authority of your country of habitual residence or place of work. We would, however, welcome the opportunity to address your concerns directly before you escalate to a supervisory authority. Please contact us at legal@dataero.eu in the first instance.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or the Services we offer. Where changes are material, we will provide reasonable advance notice, which may be by email or by prominent notice on the website, at least fifteen (15) days before the changes take effect. The date of the most recent revision is shown at the top of this page.

Your continued use of the website or Services after any update constitutes your acknowledgement of the revised Policy. For significant changes affecting your rights, we may seek fresh consent where legally required.

For any questions about this Privacy Policy or our data protection practices, please contact us at legal@dataero.eu.