Privacy Policy

1. Data Controller

The data controller responsible for the processing of your personal data is Margherita Roncone, Spanish CIF Y9979373D, with registered address at Calle Pelayo 3, 6B, Las Palmas De Gran Canaria, Las Palmas, Spain. You can contact us at business@aviaproof.com.

2. Data We Collect

We process the following categories of personal data:

• Account data: name, email, password hash, organization details.
• Candidate data: name, passport details, EASA Part-66 license information, certificates and other aviation documents uploaded for verification.
• Usage data: log files, IP address, browser type, interaction events.
• Document content: PDF files processed via OCR to extract identity, qualification and expiry information.

3. Legal Basis (GDPR)

We process personal data under the EU General Data Protection Regulation (Regulation (EU) 2016/679 — "GDPR") on the following bases:

• Contract (Art. 6(1)(b)): to provide the verification service to sourcers and process candidate submissions.
• Legitimate interest (Art. 6(1)(f)): to secure the platform, prevent fraud, and improve our services.
• Consent (Art. 6(1)(a)): when candidates connect their Google Drive account or submit documents via the candidate link.
• Legal obligation (Art. 6(1)(c)): to comply with applicable Spanish and EU regulations.

4. Google Drive Integration

Candidates may optionally connect a Google Drive account to import documents directly instead of uploading them from their device. When you choose to connect Google Drive:

• We request the drive.readonly scope solely to list and download PDF files you explicitly select.
• Your Google access token is held only in your browser session (sessionStorage) and is never persisted on our servers or database.
• The token is discarded as soon as you close the browser tab or end the qualification session.
• We only download the specific file you pick. We do not browse, index, or store the rest of your Drive.
• AviaProof's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5. How We Use Your Data

• Validate aviation credentials via automated OCR pipelines.
• Match candidate identity, qualifications and expiry dates against the requirements set by sourcers.
• Notify sourcers when a candidate has completed their validation.
• Maintain account security and prevent abuse.

6. Data Sharing

We do not sell personal data. We share data only with: (a) the sourcer/organization that issued the candidate link; (b) sub-processors that host infrastructure, send transactional emails, or provide OCR services, all bound by data processing agreements; (c) authorities when required by law.

7. International Transfers

Data is primarily processed within the European Economic Area. Where transfers to third countries occur (e.g. via Google APIs), they are protected by Standard Contractual Clauses or equivalent safeguards under Chapter V of the GDPR.

8. Retention

Candidate documents and extracted data are retained for as long as the related position is active and for a reasonable period afterwards to support audit and dispute resolution, after which they are deleted or anonymized. You can request earlier deletion at any time.

9. Your Rights (GDPR)

You have the right to access, rectify, erase, restrict and port your personal data, as well as to object to processing and to withdraw consent at any time. You may also lodge a complaint with the Spanish Data Protection Agency (AEPD — aepd.es). To exercise any right, write to business@aviaproof.com.

10. Security

We apply technical and organizational measures including encryption in transit (TLS) and at rest, role-based access control, audit logging, and the principle of least privilege for all sub-processors.

11. Changes

We may update this policy from time to time. Material changes will be communicated via email or in-app notice.

12. Contact

For any privacy-related question, write to business@aviaproof.com.