Privacy Policy
Effective 17 April 2026
1. Introduction
This Privacy Policy explains how Heliroutes (“we”, “us” or “our”) collects, uses, stores, shares and protects personal data when you visit www.heliroutes.co.uk (the “Site”), create an account, purchase a product or otherwise interact with our services.
We are committed to protecting your privacy and handling your data in an open and transparent manner. This policy is drafted in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Please read this policy carefully before using our Site.
2. Data Controller
For the purposes of UK data protection law, the data controller responsible for your personal data is:
Heliroutes Ltd
Company number: 17153847
Registered office: Suite RA01, 195-197 Wood Street, London, E17 3NU
Email: hello@heliroutes.co.uk
If you have any questions about this policy or the way we handle your personal data, please contact us at the email address above.
3. What Data We Collect
We collect and process the following categories of personal data:
3.1 Data you provide to us
- Account information — your first name, email address and password when you register for an account.
- Profile data — your profile avatar image, if you choose to upload one.
- Purchase information — details of the products you purchase, including the tier selected and transaction reference.
- Marketing preferences — your explicit opt-in (or absence of opt-in) to receive marketing communications, captured at registration and stored alongside the date and time you provided it. You can withdraw consent at any time.
- Contact form submissions — your name, email address and the content of any message you send us through our contact or booking request forms.
3.2 Data we collect automatically
- Usage data — pages visited, links clicked, time spent on pages, referring URL and navigation paths through the Site.
- Device and technical data — IP address, browser type and version, operating system, screen resolution and device type.
- Progress data — which content you have completed and when, stored against your user account.
- Cookies and similar technologies — see section 12 below and our Cookie Policy for full details.
3.3 Data from third parties
- Payment confirmation — Stripe provides us with confirmation of successful payments, including a payment reference and the amount paid. We do not receive or store your full card number, expiry date or CVV.
4. Lawful Bases for Processing
We rely on the following lawful bases under Article 6 of the UK GDPR:
- Performance of a contract (Article 6(1)(b)) — processing your account data, purchase information and progress data is necessary to deliver the products and services you have purchased.
- Legitimate interests (Article 6(1)(f)) — we use analytics data and usage information to improve our Site, understand how our services are used and maintain security. Our legitimate interests do not override your fundamental rights and freedoms.
- Consent (Article 6(1)(a)) — where we use non-essential cookies or send marketing communications, we do so only with your explicit consent. You may withdraw consent at any time.
- Legal obligation (Article 6(1)(c)) — we retain purchase and financial records as required by HMRC and UK tax law.
5. How We Use Your Data
We process your personal data for the following purposes:
- Account management — to create and maintain your user account, authenticate your identity and manage your profile.
- Product delivery — to grant access to purchased content, track your progress and issue completion certificates.
- Payment processing — to process your payments securely through Stripe and maintain records of your transactions.
- Communication — to respond to enquiries submitted through our contact form, send transactional emails (such as purchase confirmations, password resets and account notifications) and, where you have consented, send marketing communications.
- Site improvement — to analyse how users interact with the Site, identify issues and improve functionality and user experience.
- Security — to detect and prevent fraud, abuse and unauthorised access to the Site and user accounts.
- Legal compliance — to comply with applicable laws, regulations and legal processes, including tax obligations.
6. Third-Party Data Processors
We share your personal data only with trusted third-party service providers who process data on our behalf and under our instructions. We do not sell, rent or trade your personal data to any third party. The following processors are used:
Supabase (Authentication and Database)
Supabase provides our authentication system and database infrastructure. It stores your account credentials, profile information, progress data and purchase records. Supabase processes data in the EU (Ireland). Their privacy policy is available at supabase.com/privacy.
Stripe (Payment Processing)
Stripe processes all card payments on our behalf. When you make a purchase, your payment card details are submitted directly to Stripe's servers and are never transmitted to or stored on our own systems. Stripe is certified as a PCI Level 1 Service Provider. Stripe may store your card details, billing address and transaction history in accordance with its own privacy policy, available at stripe.com/gb/privacy.
Resend (Transactional Email)
Resend delivers transactional emails on our behalf, such as purchase confirmations, contact form acknowledgements and booking requests. Resend processes your email address and name for the purpose of email delivery only. Their privacy policy is available at resend.com/legal/privacy-policy.
Google Analytics 4 (Website Analytics)
We use Google Analytics 4 (GA4) to understand how visitors use our Site. GA4 collects pseudonymised data such as pages visited, session duration, browser type, device information and approximate geographic location derived from your IP address. GA4 does not collect full IP addresses — IP anonymisation is enabled by default in GA4. This data is used for aggregated statistical reporting only. Google Analytics cookies are only set when you consent via our cookie banner and are blocked until that consent is given.
Google signals. We have enabled Google signals on our GA4 property. Where you are signed in to your Google account and have enabled Ads Personalisation in your Google settings, Google may associate the data collected from our Site with your Google account to enable cross-device reporting and more accurate demographic and interest reporting. No data that personally identifies you is passed to us — reports are provided in an aggregated form. You can disable Ads Personalisation at any time from your Google Ad settings.
User-provided data (enhanced measurement). Where you have consented via our cookie banner, we may in future send hashed identifiers (such as a one-way SHA-256 hash of your email address) to Google alongside conversion events to improve measurement accuracy. The raw email is hashed in your browser before transmission and is never sent in clear text. This practice is commonly known as “enhanced conversions” or “user-provided data”. You can withdraw consent at any time via our cookie banner, and you can request that we remove hashed data associated with you by contacting us.
Google's privacy policy is available at policies.google.com/privacy. You may opt out of Google Analytics by using the Google Analytics Opt-out Browser Add-on.
Google Ads (Advertising and Conversion Measurement)
We use Google Ads to promote our courses and measure the effectiveness of that advertising. Where you have granted advertising consent via our cookie banner, Google Ads may store identifiers (such as the _gcl_cookie) to recognise your browser across sites that participate in the Google Display Network, build remarketing audiences so we can show you relevant advertising on other websites and on YouTube, and import conversion events (such as a completed purchase) from GA4 to attribute those conversions to the Google Ads campaign that referred you. Aggregate conversion reporting is provided to us; we do not receive individual Google Ads user profiles. Google Ads cookies are blocked until you provide consent and you can withdraw that consent at any time by clicking “Cookie Settings” at the bottom of any public page.
Meta Pixel (Facebook and Instagram Advertising)
We use the Meta Pixel (also known as the Facebook Pixel) to measure the effectiveness of our advertising on Facebook and Instagram and to build retargeting audiences. Where you have granted advertising consent via our cookie banner, the Pixel collects events such as a page view, product view, the start of checkout and a completed purchase, along with basic technical data such as browser type, page URL and referrer. Meta may match this activity to your Meta account (if you have one) to enable personalised advertising and report on campaign performance. If you do not have a Meta account, events are processed pseudonymously. Pixel events are blocked until you provide advertising consent through our cookie banner. Meta's privacy policy is available at facebook.com/privacy/policy.
Vercel (Hosting)
Our Site is hosted on Vercel's infrastructure. Vercel may process your IP address and request metadata as part of delivering web pages to your browser. Vercel's privacy policy is available at vercel.com/legal/privacy-policy.
Google Workspace (Business Email)
We use Google Workspace for our business email (hello@heliroutes.co.uk). If you email us directly, Google processes and stores the contents of those communications. Google's privacy policy applies.
7. International Data Transfers
Some of our third-party processors are based in or transfer data to countries outside the United Kingdom, including the United States. Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with UK GDPR, including:
- Adequacy decisions — where the UK Secretary of State has determined that the receiving country provides an adequate level of data protection.
- Standard contractual clauses — where no adequacy decision exists, transfers are governed by UK International Data Transfer Agreements or equivalent standard contractual clauses approved by the Information Commissioner's Office.
- Supplementary measures — additional technical and organisational measures are applied where necessary to ensure your data remains protected.
In particular, Stripe, Vercel, Resend, Google (Analytics, Ads and Workspace) and Meta (Facebook and Instagram) may transfer personal data to the United States. Each of these providers maintains appropriate safeguards as described in their respective privacy policies.
8. Data Retention
We retain your personal data only for as long as is necessary for the purposes set out in this policy:
- Account data — retained for as long as your account remains active. You can deactivate your account at any time, which immediately disables login and can be reversed on request. If you ask us to fully anonymise your account, we will remove your personal identifiers within 30 days, subject to the exceptions below.
- Purchase and financial records — retained for a minimum of six years after the date of the transaction, as required by HMRC for tax and accounting purposes. This retention applies even after an account is deactivated or anonymised, using data captured at the time of purchase.
- Progress and activity data — retained while your account is active. After account anonymisation, non-identifying activity data (such as aggregate lesson completion counts and account lifespan) may be retained for service analytics in a form that cannot be linked back to you.
- Contact form submissions — retained for up to 12 months from the date of submission, unless the enquiry leads to a contractual relationship.
- Analytics data — Google Analytics data is retained in accordance with Google's data retention settings. We have configured a retention period of 14 months for user-level data.
When personal data is no longer required, it is securely deleted or anonymised so that you can no longer be identified from it.
9. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access (Article 15) — you have the right to request a copy of the personal data we hold about you. We will provide this free of charge within one month of receiving your request.
- Right to rectification (Article 16) — you have the right to request that we correct any personal data that is inaccurate or complete any data that is incomplete. You may also update your name and avatar directly through your profile settings.
- Right to erasure (Article 17) — you have the right to request that we delete your personal data where there is no compelling reason for its continued processing. This right does not apply where we are required to retain data for legal obligations (such as HMRC tax records). Where you have flown training flights with a flight school operating on the Heliroutes ATOS platform, those training-record flights are retained by the school for the school's regulatory record-keeping obligations under UK CAP 804 and EASA ORO.GEN.220 (see Article 17(3)(b)). On erasure, your personal identifiers are scrubbed from those rows but the flight itself remains linked to the school for audit. Personal flights you logged outside any school context are fully deleted.
- Right to restriction of processing (Article 18) — you have the right to request that we restrict the processing of your personal data in certain circumstances, for example if you contest its accuracy or object to our processing.
- Right to data portability (Article 20) — you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to transmit that data to another controller without hindrance.
- Right to object (Article 21) — you have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
- Rights related to automated decision-making (Article 22) — we do not currently make any decisions based solely on automated processing that produce legal effects or similarly significantly affect you. Should this change, we will update this policy and ensure appropriate safeguards are in place.
To exercise any of these rights, please contact us at hello@heliroutes.co.uk. We will respond to your request within one month. In exceptional circumstances, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons for it.
We may ask you to verify your identity before processing your request. We will not charge a fee for handling your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
10. Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure or destruction. These measures include:
- Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
- Encryption at rest — personal data stored in our database is encrypted at rest by our infrastructure providers.
- Access controls — access to personal data is restricted to authorised personnel on a need-to-know basis. Row-level security policies ensure users can only access their own data.
- Secure authentication — passwords are hashed using industry-standard algorithms. We support secure session management and token-based authentication.
- Regular review — we periodically review our security practices and update them in line with current best practice.
Whilst we take all reasonable steps to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee the absolute security of your personal data.
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the UK GDPR.
Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with Article 34 of the UK GDPR, providing you with details of the breach and the steps we are taking in response.
12. Cookies and Similar Technologies
Our Site uses cookies and similar technologies to distinguish you from other users, maintain your session and, where you have consented, analyse how the Site is used.
Essential cookies (such as authentication session cookies) are strictly necessary for the Site to function and are exempt from the consent requirement under the Privacy and Electronic Communications Regulations 2003 (PECR). Analytics cookies (such as those used by Google Analytics) are only set where you have provided your explicit consent through our cookie banner and are blocked until that consent is given.
For full details of the cookies we use, their purposes and how to manage your preferences, please see our Cookie Policy.
13. Children's Privacy
Individuals must be at least 18 years of age to create an account independently or make a purchase on the Site.
Where our Aviation Training Operating System (ATOS) is used by an authorised operator, accounts may be created for individuals under 18 by that operator with parental or guardian consent. In such cases, the operator is responsible for managing the account and ensuring appropriate consent is obtained before any personal data is collected. Any data processing for under-18s through ATOS is processed in accordance with applicable data protection law and subject to appropriate safeguards, including parental consent where required.
Outside of ATOS, we do not knowingly collect personal data from individuals under 18. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at hello@heliroutes.co.uk and we will take steps to delete such data promptly.
14. Third-Party Links
Our Site may contain links to websites, services or resources operated by third parties. We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites. We encourage you to review the privacy policy of every site you visit before providing any personal data.
15. Aviation Training Operating System (ATOS)
We are developing an Aviation Training Operating System (“ATOS”) for flight schools, instructors and students. ATOS may collect additional categories of personal data, including but not limited to pilot licence details, medical certificate information, next of kin details and training records. The collection and processing of such data will be governed by separate terms and a supplementary privacy notice, which will be provided to all ATOS users at the point of registration. This policy does not cover data processed within ATOS except where expressly stated.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements. Any changes will be posted on this page with an updated effective date at the top.
Where changes are material, we will take reasonable steps to notify you, such as by displaying a prominent notice on the Site or sending you an email. We encourage you to review this policy periodically. Where any change to our processing requires your consent, we will seek that consent before the change takes effect.
17. How to Complain
If you are unhappy with the way we have handled your personal data or responded to a request, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
We would appreciate the opportunity to address your concerns before you approach the ICO. Please contact us at hello@heliroutes.co.uk in the first instance.
18. Contact Us
If you have any questions about this Privacy Policy, wish to exercise any of your rights or need further information about how we process your personal data, please contact us:
Email: hello@heliroutes.co.uk
Website: www.heliroutes.co.uk
Thank you for trusting Heliroutes with your personal data. We are committed to protecting your privacy and ensuring a secure experience.