Privacy Policy

WingLedger ("wingledger.co.uk") is the data controller responsible for your personal data. For the purposes of UK GDPR, the data controller is the individual or organisation that determines the purposes and means of processing personal data.

If you have any questions about this privacy policy or how we handle your personal data, please contact us at: privacy@wingledger.co.uk

We are not required to appoint a Data Protection Officer (DPO) under Article 37 UK GDPR, as we do not carry out large-scale systematic monitoring of individuals or process special category data at scale. However, we take data protection seriously and treat all enquiries promptly.

We collect and process the following categories of personal data:

Account and identity data

• Email address (used for login and notifications)
• Full name (used to identify you within the service and on endorsements)
• Profile settings and preferences

Flight and logbook data

• Flight records including dates, times, aircraft, routes, and remarks
• Aircraft registration numbers and type details
• Exercise and training notes
• Imported historical flight data (where provided)

Endorsement data

• Endorser name and professional reference (licence number or rating reference)
• Digital signature images (canvas-drawn, stored as image data)
• Endorsement remarks and any amendment history
• Timestamps of endorsement actions

Licence and medical data

• Pilot licence details, ratings, and type endorsements
• Medical certificate type and expiry dates
• Certificate reference numbers

Technical data

• Session tokens and authentication data
• Browser type and device information (collected automatically on access)
• IP address (processed by our infrastructure but not stored by us long-term)
• Log data generated by your use of the service

Data provided about others

If you are a syndicate administrator, you may enter details about other syndicate members (name, email). You are responsible for ensuring you have the appropriate basis to share that information with us and that the individuals concerned are aware their details are being stored in WingLedger.

We use your personal data for the following purposes:

• Providing the service: Creating and managing your account, storing flight records, processing endorsements, and making your data available to you across devices.
• Syndicate features: Sharing aircraft information and flight records with other members of a syndicate you belong to, as configured by you or the syndicate administrator.
• Endorsement workflows: Sending endorsement requests to named instructors or examiners by email link, and recording their approval.
• Currency and compliance tracking: Calculating flight currency, licence expiry, and medical validity based on data you provide.
• Service communications: Sending you essential service-related notices (e.g. security alerts, significant policy changes). We do not send marketing emails without your explicit consent.
• Security and fraud prevention: Detecting and preventing abuse of the platform.
• Service improvement: Understanding how features are used in aggregate to improve the product (no individual profiling).

Under UK GDPR, we must have a legal basis for processing your personal data. We rely on the following:

• Contract (Article 6(1)(b)): Processing your account, flight records, endorsements, licences, and other core service data is necessary to perform the contract between you and WingLedger. Without this data, we cannot provide the service.
• Legitimate interests (Article 6(1)(f)): We process technical/log data and use aggregated analytics to improve the service and ensure security. Our legitimate interests in operating and improving a safe, reliable service are not overridden by your interests or rights, given the minimal intrusiveness of this processing.
• Consent (Article 6(1)(a)): Where we ask for consent (e.g. optional marketing communications), you may withdraw it at any time by contacting us. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

We do not consider any of the data we process to be “special category” data under Article 9 UK GDPR. Medical certificate expiry dates relate to aviation licencing administration and are provided voluntarily by you for your own organisational benefit.

We do not sell your personal data. We share it only as follows:

Sub-processors (data processors acting on our behalf)

• Supabase, Inc. — our database and authentication provider. Supabase stores all your account data, flight records, and related content on our behalf. Supabase is headquartered in the United States (see section 6 on international transfers). Supabase commits to the same data protection standards we require via a Data Processing Agreement.
• Vercel, Inc. — our hosting and content delivery provider. Your requests are processed through Vercel's infrastructure, which may be located in the US or EU depending on routing. Vercel operates under a Data Processing Addendum aligned to GDPR requirements.

Other syndicate members

If you are part of a syndicate, other members of that syndicate can see aircraft records and certain shared flight information as configured by the syndicate administrator. You control what you add to shared records.

Endorsers

When you request an endorsement, the flight details and your name are shared with the endorser via an email link. The endorser's name, reference, remarks, and signature are stored against your logbook record. Endorsers who are registered WingLedger users can also see pending endorsement requests in their own profile.

Legal obligations

We may disclose personal data where required by law, regulation, or a binding legal order from a UK court, regulator, or government authority.

Our key data processors — Supabase and Vercel — are based in the United States. Transferring your personal data to the US constitutes an international transfer under UK GDPR, as the US does not have an adequacy decision from the UK.

We ensure these transfers are protected by appropriate safeguards:

• Supabase:Transfers are covered by Standard Contractual Clauses (SCCs) incorporated into Supabase's Data Processing Agreement, as recognised under the UK GDPR international transfer mechanism (the UK IDTA or equivalent SCCs as approved by the ICO).
• Vercel:Transfers are covered by Vercel's Data Processing Addendum, which incorporates SCCs and equivalent transfer safeguards.

You can request a copy of the relevant transfer safeguards by contacting us at privacy@wingledger.co.uk.

We retain personal data only for as long as necessary to provide the service or as required by law:

• Account data: Retained for the duration of your account. If you close your account, we will delete or anonymise your personal data within 30 days, unless we are required to retain it for legal or regulatory purposes.
• Flight and logbook records: Retained for the lifetime of your account. You may export or delete individual records at any time.
• Endorsement records (including signatures): Retained for the duration of your account. Endorsement data may constitute part of an official aviation record and we therefore retain it until you explicitly request deletion.
• Licence and medical data: Retained for the duration of your account.
• Technical/log data: Retained for up to 90 days for security and diagnostic purposes.

Where we are required by law to retain data beyond account closure (e.g. financial records under Companies Act obligations), we will retain the minimum necessary data for the required period only.

Under UK GDPR, you have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@wingledger.co.uk. We will respond within one calendar month.

• Right of access (Subject Access Request): You have the right to request a copy of the personal data we hold about you and information about how we process it.
• Right to rectification: You have the right to ask us to correct inaccurate or incomplete personal data. Much of your data can be corrected directly within the application.
• Right to erasure (“right to be forgotten”): You may request that we delete your personal data where there is no longer a legal basis for us to hold it. This right is not absolute — we may need to retain certain data to comply with legal obligations or for the establishment, exercise, or defence of legal claims.
• Right to restriction of processing: You may ask us to restrict how we process your personal data in certain circumstances (e.g. while a dispute about accuracy is resolved).
• Right to data portability: Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format. WingLedger supports CSV export of your flight data from within the application.
• Right to object: You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
• Rights related to automated decision-making: We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on you. Currency calculations and expiry alerts are informational tools only; no automated decisions are made on your behalf.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

Right to complain to the ICO

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, if you are unhappy with how we have handled your personal data.

• ICO website: ico.org.uk
• ICO helpline: 0303 123 1113
• ICO address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would always appreciate the opportunity to address your concerns before you contact the ICO, so please contact us first at privacy@wingledger.co.uk.

WingLedger uses cookies and similar technologies to operate the service. We do not use tracking or advertising cookies. The cookies we set are:

• Authentication session cookies: Set by Supabase to maintain your login session. These are strictly necessary for the service to function and are set only when you sign in. They expire at the end of your session or after a configurable period of inactivity.
• Preference cookies: Used to remember your in-app settings (e.g. appearance preferences) across sessions. These contain no personal data beyond an identifier.

Because we only use strictly necessary cookies, we do not require consent under the UK Privacy and Electronic Communications Regulations (PECR) for these cookies. No third-party advertising or analytics cookies are set by WingLedger.

You can manage or delete cookies through your browser settings. Blocking session cookies will prevent you from signing in to the service.

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These include:

• All data in transit is encrypted using TLS (HTTPS).
• Data at rest is encrypted by Supabase using AES-256.
• Authentication is handled by Supabase Auth with industry-standard token practices.
• Row-level security policies in our database ensure each user can only access their own data.
• Access to production infrastructure is restricted to the data controller.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours as required by Article 33 UK GDPR, and will notify affected individuals without undue delay where the breach is likely to result in a high risk to them.

WingLedger is intended for use by individuals aged 18 and over. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at privacy@wingledger.co.uk and we will delete the data promptly.

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you by email or via the application.

Your continued use of WingLedger after any changes constitutes your acknowledgement of the updated policy. If you do not agree with a change, you should stop using the service and may request deletion of your data under your right to erasure.

For any questions, concerns, or requests relating to this privacy policy or your personal data, please contact us:

We aim to respond to all privacy-related enquiries within five working days and will always resolve requests within the one-month statutory deadline.