Privacy Policy

1. Data Controller and Point of Contact

The data controller responsible for the processing of personal data described in this policy is:

Because vIFF & CDM is a non-commercial community project, a Data Protection Officer (DPO) is not required under Article 37 GDPR. The contact above is designated as the point of contact for any data protection enquiry, request, or complaint.

2. Scope

This policy applies to the public website at this domain and to operational dashboards and tools linked from it (collectively, the “Service”). The Service is intended for use by VATSIM controllers, pilots, and FMP staff in a simulated air traffic control environment. It is not directed at children under 16.

3. Categories of Personal Data Processed

Depending on how you use the Service, the following categories of data may be processed:

• Technical data: IP address, browser type and version, operating system, referrer URL, date and time of requests, pages viewed (collected automatically in server logs).
• VATSIM identifiers: VATSIM CID, callsign, controller position, and other publicly broadcast network data, when you connect to the VATSIM network or authenticate to ATC tools.
• Operational data: flight plan information, EOBT/TOBT/CTOT timestamps, ATFCM measures, sector configuration and similar simulation data submitted by users of the tools.
• Authentication data: data returned by VATSIM Connect (OAuth) when you sign in, limited to what is necessary to verify your identity and rating.
• Communication data: any information you voluntarily send us by email or via Discord.

The Service does not knowingly process special categories of personal data (Article 9 GDPR).

4. Purposes and Legal Bases

• Operating the Service and security (Art. 6(1)(f) GDPR – legitimate interests): logging, abuse prevention, debugging, ensuring availability and integrity.
• Providing ATC/ATFCM functionality (Art. 6(1)(b) GDPR – performance of a quasi-contractual relationship with users of the tools, and Art. 6(1)(f) – legitimate interests in offering the simulation service): processing flight, sector and slot data necessary for the tools to function.
• Authentication via VATSIM Connect (Art. 6(1)(b) GDPR): to identify the user and grant the appropriate access level.
• Responding to enquiries (Art. 6(1)(f) GDPR): handling messages received via email or Discord.
• Legal compliance (Art. 6(1)(c) GDPR): where processing is required to comply with a legal obligation.

5. Recipients and Third Parties

Personal data may be shared with the following categories of recipients, only to the extent necessary:

• Hosting and infrastructure providers processing data on our behalf as processors under Art. 28 GDPR.
• VATSIM (vatsim.net), as the underlying network whose data is consumed and to which authentication is delegated. VATSIM operates under its own privacy policy.
• Other vACCs and FMP staff who legitimately use the operational tools and may see operational data such as callsigns and flight plans, in line with their role.
• Public authorities where disclosure is required by law.

Personal data is not sold and is not used for advertising or profiling.

6. International Transfers

The Service is operated from within the European Economic Area (EEA) where reasonably possible. Where personal data is transferred to a third country, we rely on appropriate safeguards under Chapter V GDPR, in particular the European Commission’s Standard Contractual Clauses, or transfers based on an adequacy decision.

7. Retention

• Server access logs: typically up to 30 days, longer only where needed to investigate security incidents.
• Operational data (flight plans, slots, ATFCM measures): retained only as long as needed for the simulation session and short-term statistics; aggregated and anonymised data may be kept longer.
• Authentication session data: kept for the duration of the session and a short time afterwards.
• Correspondence: kept as long as necessary to handle the request and any follow-up.

8. Cookies and Local Storage

The Service uses only strictly necessary cookies and equivalent local-storage entries required to provide the requested functionality (e.g. authentication, session state, user preferences). No advertising, tracking or analytics cookies are set without your consent. Where any non-essential cookie is introduced in the future, prior consent will be requested through a cookie banner in line with the ePrivacy Directive and GDPR.

9. Your Rights under GDPR

Subject to the conditions set out in the GDPR, you have the right to:

• access your personal data (Art. 15);
• request rectification of inaccurate or incomplete data (Art. 16);
• request erasure of your data (Art. 17);
• request restriction of processing (Art. 18);
• data portability (Art. 20);
• object to processing based on legitimate interests (Art. 21);
• not to be subject to a decision based solely on automated processing (Art. 22) – the Service does not carry out such decision-making;
• withdraw consent at any time, where processing is based on consent (Art. 7(3)), without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact the point of contact in section 1. We will respond within one month, as required by Art. 12(3) GDPR.

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR). A list of national supervisory authorities is available at edpb.europa.eu.

11. Security

We implement appropriate technical and organisational measures (Art. 32 GDPR) to protect personal data against unauthorised access, alteration, disclosure or destruction, including transport encryption (HTTPS), access control, and minimisation of stored data.

12. Changes to this Policy

This Privacy Policy may be updated from time to time. The “Last updated” date at the top reflects the latest revision. Material changes will be announced via the Service and/or the project Discord.