TrackerEFBData API soonPricingField notes
UTC20:43:16 Z

Privacy Policy

Effective: June 2, 2026  ·  Last updated: July 11, 2026

This Privacy Policy describes how Fly Overhead ("we," "us," or "our") collects, uses, and shares information when you use the Fly Overhead website, applications, and services (collectively, the "Service"). By using the Service you agree to the collection and use of information as described here.

1. Information we collect

1.1 Information you give us

  • Account information: email address, password (bcrypt hash, never plaintext), display name.
  • Billing information: held by Stripe. We receive only a Stripe customer ID and payment-method metadata (last four digits, brand, expiration). We do not store card numbers or CVV.
  • User content: logbook entries, flight notes, voice debrief audio, saved routes, and other content you submit.
  • Communications: support requests and feedback you send us.

1.2 Information collected automatically

  • Usage data: pages viewed, features used, timestamps.
  • Public-site navigation analytics: anonymous session ID, public marketing pages viewed, previous and destination paths, link label, external referrer hostname, UTM campaign fields, and broad device class. We do not attach these events to an account or collect form values, search text, full referrer URLs, or activity inside the EFB and account areas. Browser Do Not Track is honored.
  • Device data: browser type, OS, screen size, IP address, timezone.
  • Geolocation: only with your explicit browser-prompt consent. Never collected silently.
  • Cookies: session cookies for authentication only. No third-party advertising cookies.

1.3 Feeder data

If you run an ADS-B feeder, the feeder client sends aircraft positions received from your local decoder, aggregate message counts, and heartbeat pings. No personal data or device info beyond your account is collected. See the Feeder Data Policy for full details.

2. How we use information

  • Provide, operate, and improve the Service.
  • Authenticate accounts and process subscriptions.
  • Send transactional emails (account verification, password reset, billing receipts, service announcements).
  • Generate AI-powered features (briefings, debriefs, summaries) by transmitting relevant input to our AI provider as described in §3.
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations.

We do not sell or rent your personal information.

We may use aggregated, anonymized flight data (aircraft positions contributed by the feeder network) for aviation research and safety applications. Individual account data, feeder locations, and personally identifiable information are never used for model training. Where we use a third-party AI provider for AI Features, we do not authorize that provider to use your personal data for model training.

3. How we share information

We share information only with the sub-processors below and only as necessary to operate the Service.

Sub-processorPurposeData shared
Stripe, Inc.Payment processingEmail, name, billing address, payment-method tokens
ResendTransactional emailEmail, name, message contents (reset links, receipts)
Anthropic, PBCAI FeaturesInput prompts, voice audio (when applicable), route/weather context. Anthropic does not train on inputs.
Mapbox, Inc.Map tilesApproximate viewport (no account-tied data)
Fly.ioHostingAll Service data at rest
Timescale CloudTime-series databaseAll Service data at rest

We may also share information in response to valid legal process, to protect our rights, or in a business transfer to a successor entity subject to this Policy.

4. Data retention

  • Account information: retained while your account is active and for up to 7 years after deletion to comply with legal and billing obligations.
  • Feeder aircraft states: retained for 30 days, then purged. Aggregated coverage statistics are retained indefinitely.
  • Voice debrief audio: processed for transcription and not retained beyond the time needed to generate your debrief. Generated summaries are retained in your logbook until you delete them.
  • Server logs: retained for 30 days.
  • Public-site navigation analytics: retained for up to 13 months and then deleted. Reports may retain aggregate counts that cannot be tied back to an anonymous session.

5. Security

We use TLS in transit, encrypted-at-rest storage, bcrypt password hashing, and scoped database credentials. No system is perfectly secure; we cannot warrant absolute security. We will notify you of any breach affecting your information as required by law.

6. Your choices and rights

You may access and update most account information in your settings. To request deletion of your account and associated personal data, visit Delete Account or email [email protected].

California residents: We do not sell personal information. You have the right to know, delete, and be free from discrimination for exercising CCPA rights. Email us from your account address to submit a request.

7. Changes

We may update this Policy from time to time. Material changes will be announced by email and/or in-product notice at least 14 days before taking effect.

8. Contact

Questions or requests: [email protected]

Advisory only - not for primary navigation. Pilot in command retains sole responsibility.Learn more →