Privacy Policy

1. Who we are

CitadelAero is the trading name of JLEC Limited, a company incorporated in Jersey, Channel Islands (company number 165488) ("we", "us", "our", "CitadelAero").

We operate the aviation safety management system platform available at citadelaero.com and its subdomains, including the demonstration environment at demo.citadelaero.com.

For the purposes of data protection law, JLEC Limited is registered with the Jersey Office of the Information Commissioner (JOIC) under the Data Protection (Jersey) Law 2018.

Our contact details for data protection matters are: privacy@citadelaero.com.

2. Scope of this policy

This Privacy Policy explains how we collect, use, store, and protect personal data in connection with:

• visitors to citadelaero.com and demo.citadelaero.com ("our websites");
• individuals who contact us via our website contact form or by email;
• individuals who sign up for a trial, or who act as the commercial or administrative contact for a customer organisation; and
• individuals whose personal data is processed within the CitadelAero platform on behalf of our operator customers.

This policy applies to B2B customers only. The CitadelAero platform is not directed at or intended for use by consumers or individuals under the age of 18.

This policy should be read alongside our Data Processing Agreement and our Cookie Policy.

3. Our roles: data controller and data processor

We process personal data in two distinct capacities, and it is important to understand the difference:

When we are a Data Controller

We act as data controller — meaning we determine the purposes and means of processing — in relation to:

• personal data collected from website visitors and individuals who contact us;
• personal data of individuals who sign up for a trial or manage a customer account (account holders, billing contacts, and administrative contacts); and
• our own internal business records, including contractual and financial records relating to our customers.

In these circumstances, this Privacy Policy governs our processing and sets out your rights directly against us.

When we are a Data Processor

We act as data processor — meaning we process data on behalf of and under the instructions of our operator customers — in relation to personal data that operator customers and their staff submit to, or generate within, the CitadelAero platform. This includes staff records, training data, occurrence reports, and other data entered into the platform.

In these circumstances, the operator customer is the data controller responsible for that data. Our obligations as processor are governed by our Data Processing Agreement with that operator. Staff members and other individuals whose data is processed within the platform should refer to their employer's own privacy policy for information about how their data is used. They may also contact us directly at privacy@citadelaero.com, and we will direct their enquiry to the relevant operator.

Important for operator staff: If you are an employee of an aviation operator that uses CitadelAero, your employer controls how your data is used in the platform. Please refer to your employer's privacy notice. You can also contact us at privacy@citadelaero.com and we will forward your enquiry to your employer.

4. Personal data we collect and process (as controller)

4.1 Website visitors

When you visit citadelaero.com or demo.citadelaero.com, we may automatically collect:

• technical data including your IP address, browser type and version, operating system, referring URL, and pages visited;
• usage data such as time spent on pages and navigation patterns; and
• data collected via cookies and similar technologies, as described in our Cookie Policy.

Legal basis: Legitimate interests (Article 6(1)(f) GDPR / Schedule 2 paragraph 5 of the Data Protection (Jersey) Law 2018) — specifically, our interest in maintaining the security of our websites, understanding how our websites are used, and improving them.

Retention: Technical access logs are retained for up to 90 days. Aggregated, anonymised analytics data may be retained indefinitely.

4.2 Contact form and email enquiries

When you submit an enquiry through our website contact form or contact us by email, we collect:

• your name;
• your email address;
• your organisation name (if provided);
• the content of your message; and
• any additional information you choose to include.

We use this information to respond to your enquiry and, where relevant, to follow up on a potential commercial relationship.

Legal basis: Legitimate interests (Article 6(1)(f)) — specifically, our interest in responding to genuine business enquiries and developing commercial relationships.

Retention: Enquiry data is retained for up to 2 years from last contact, or longer if the enquiry develops into a customer relationship (see section 4.3).

4.3 Trial sign-ups and customer account holders

When an individual signs up for a trial or manages a CitadelAero customer account, we collect:

• name and email address of the account holder or administrative contact;
• organisation name and, where provided, job title and role;
• account login credentials (passwords are stored in hashed, non-reversible form — we cannot access your plain-text password);
• activity logs relating to account management actions; and
• correspondence with us relating to the account or service.

Legal basis: Performance of a contract (Article 6(1)(b)) — this data is necessary to set up and manage the subscription relationship. Legitimate interests (Article 6(1)(f)) for security logging and fraud prevention.

Retention: For the duration of the subscription and for 6 years following termination of the customer relationship, in accordance with standard commercial record-keeping obligations.

4.4 Billing and payment records

Billing and payment transactions are processed by Paddle.com Market Limited as our merchant of record. We do not directly process or store your payment card details. We do receive and retain:

• records of transactions (amounts, dates, subscription plan);
• invoicing information; and
• records of refund or dispute outcomes.

Legal basis: Performance of a contract (Article 6(1)(b)) and legal obligation (Article 6(1)(c)) — retention of financial records is required by applicable law.

Retention: Financial and transactional records are retained for 7 years from the date of the transaction in accordance with applicable accounting and tax obligations.

4.5 Service usage and security logs

We maintain logs of certain activity within the CitadelAero platform for security, fraud prevention, and operational purposes. These logs may include IP addresses, login events, and significant account actions performed by account holders.

Legal basis: Legitimate interests (Article 6(1)(f)) — specifically, our interest in maintaining the security and integrity of the Service and protecting other customers' data from unauthorised access.

Retention: Security and audit logs are retained for up to 12 months.

5. Personal data processed on behalf of operators (as processor)

When we provide the CitadelAero platform to operator customers, we process personal data on their behalf as data processor. This data typically includes:

• Staff personal data: names, email addresses, job titles, employee numbers, licence details, training records, and certificate files belonging to the operator's personnel;
• Occurrence report data: details of aviation safety occurrences submitted through the safety reporting module, which may include reporter identity and other information protected under EU Regulation 376/2014 and equivalent UK law;
• User account data: login credentials, role and permission configurations, and in-platform activity logs for the operator's users; and
• Operational records: documents, audit records, meeting minutes, workflow records, and other data uploaded or generated within the platform.

As processor, we only process this data in accordance with the operator's instructions and as set out in our Data Processing Agreement. The operator is the data controller for this data and is responsible for ensuring their collection and use of it complies with applicable data protection law.

All data processed on behalf of operators is stored within the European Union (EU West, Frankfurt, Germany). Please refer to our Data Processing Agreement for full details of sub-processing arrangements, security measures, and data subject rights processes applicable to operator data.

6. Protected occurrence data

Aviation-specific note: Occurrence reports submitted through the CitadelAero platform may be protected under EU Regulation 376/2014 and the UK Occurrence Reporting Regulations 2016. This data has special legal status under aviation "just culture" frameworks.

EU Regulation 376/2014 and its UK equivalent establish that:

• information in occurrence reports may only be used for the maintenance or improvement of aviation safety;
• reporter identity must be protected and must not be disclosed beyond those authorised to access it under the operator's safety reporting processes; and
• occurrence report data must not be used in connection with disciplinary, civil, criminal, or administrative proceedings against reporters.

As data processor, JLEC Limited processes occurrence report data solely for the purpose of providing the CitadelAero platform to the operator. We do not access, review, analyse, or use occurrence report content for any secondary purpose — including product improvement, analytics, benchmarking, or training of artificial intelligence or machine learning models — without the express written consent of the relevant operator.

Operators are responsible for configuring access controls within the platform to ensure that occurrence report data is accessible only to those individuals who are authorised to access it under the operator's own safety reporting procedures and obligations under the Occurrence Reporting Legislation.

7. Sub-processors

We engage the following third-party sub-processors who may process personal data in connection with the CitadelAero platform. All sub-processors are bound by contractual obligations that require them to process personal data only on our instructions and to maintain appropriate security measures.

We will notify operator customers of any intended changes to our sub-processor arrangements (additions or replacements) in accordance with our Data Processing Agreement, providing them with the opportunity to object.

8. International data transfers

JLEC Limited is incorporated in Jersey, Channel Islands. Jersey benefits from adequacy decisions from both the European Commission (for transfers from the EEA to Jersey) and from the UK Government (for transfers from the UK to Jersey). This means that transfers of personal data to JLEC Limited in Jersey from the UK or EEA are permitted without additional transfer mechanisms.

All customer data at rest is stored within the European Union (EU West, Frankfurt, Germany). However, some of our sub-processors are headquartered in the United States and their personnel may have access to personal data in the course of providing their services. Where such transfers occur, we ensure they are protected by one or more of the following safeguards:

• EU Standard Contractual Clauses (SCCs): the European Commission's approved standard contractual clauses (Commission Decision 2021/914/EU), specifically Module 2 (controller-to-processor) or Module 3 (processor-to-processor) as applicable;
• UK International Data Transfer Agreement (IDTA): the UK's equivalent transfer mechanism approved by the Information Commissioner's Office for transfers from the UK; and/or
• UK Addendum to EU SCCs: where applicable, the UK addendum to the EU SCCs.

Details of the transfer mechanisms applicable to each sub-processor are set out in the table in section 7 above. Full copies of applicable SCCs and the UK IDTA are incorporated into our Data Processing Agreement.

9. Data security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. Our security measures include:

• schema-isolated multi-tenancy architecture ensuring customer data is logically separated at database level;
• encryption of data in transit using TLS and at rest within our hosting infrastructure;
• password hashing using bcrypt (no plain-text passwords are stored);
• JWT-based session management with HTTP-only cookies and session expiry controls;
• role-based access controls and module-level permissions within the platform;
• access logging and audit trails for security-relevant events; and
• hosting within Supabase's SOC 2 Type II certified infrastructure in the EU West (Frankfurt) region.

Despite these measures, no data transmission over the internet or data storage system is guaranteed to be 100% secure. If you become aware of any security concern or suspected breach, please contact us immediately at security@citadelaero.com.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority without undue delay and, where required, affected individuals, in accordance with our obligations under applicable data protection law.

10. Data retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. Our key retention periods are:

• Website visitor and analytics data: up to 90 days for raw access logs; aggregated anonymised data retained indefinitely.
• Contact form enquiries: up to 2 years from last contact, or longer if a customer relationship develops.
• Customer account and commercial records: for the duration of the subscription and for 6 years following termination.
• Financial and transactional records: 7 years from the date of the transaction.
• Security and audit logs (controller): up to 12 months.
• Customer data processed as processor: retained for 30 days following termination of the relevant subscription, then permanently deleted in accordance with our Data Processing Agreement.

Where data is retained beyond the period of active use for legal compliance purposes, access to it will be restricted to those with a specific need.

11. Your rights as a data subject

Where JLEC Limited acts as a data controller in relation to your personal data, you have the following rights under applicable data protection law (including the Data Protection (Jersey) Law 2018, UK GDPR, and EU GDPR):

• Right of access — to request a copy of the personal data we hold about you and information about how we process it.
• Right to rectification — to request that we correct any inaccurate or incomplete personal data we hold about you.
• Right to erasure ("right to be forgotten") — to request that we delete your personal data in certain circumstances, including where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent (where consent was the legal basis for processing).
• Right to restriction of processing — to request that we restrict the processing of your personal data in certain circumstances, for example while we investigate a challenge to its accuracy.
• Right to data portability — to receive your personal data in a structured, commonly used, machine-readable format and to have it transferred to another controller, where processing is based on consent or contract and is carried out by automated means.
• Right to object — to object to processing of your personal data based on our legitimate interests, or to processing for direct marketing purposes.
• Right not to be subject to automated decision-making — we do not currently make solely automated decisions that have legal or similarly significant effects on individuals.

To exercise any of these rights, please contact us at privacy@citadelaero.com. We will respond to your request within one month. We may ask for verification of your identity before processing your request.

Some rights are not absolute and are subject to exceptions under applicable law. Where we are unable to comply with a request, we will explain why.

If you are an operator's staff member: Where we act as a data processor on behalf of your employer, your rights should be exercised through your employer (as data controller). You can contact us at privacy@citadelaero.com and we will direct your request to the relevant operator. We will not be able to respond substantively to data subject requests concerning operator-controlled data without the operator's authorisation, except where required by law.

12. Supervisory authorities and the right to complain

You have the right to lodge a complaint with the relevant data protection supervisory authority. Depending on your location and the nature of the complaint, the relevant authority may be:

• Jersey Office of the Information Commissioner (JOIC): the supervisory authority for JLEC Limited as a Jersey-incorporated entity. Contact: jerseyoic.org · +44 (0)1534 716530
• Information Commissioner's Office (ICO), UK: if your complaint relates to processing of your personal data as a UK data subject or under UK GDPR. Contact: ico.org.uk · 0303 123 1113
• Your local EU data protection authority: if you are based in the European Union, you may also contact the data protection authority in your EU member state.

We would, however, welcome the opportunity to address your concerns directly before you contact a supervisory authority. Please contact us at privacy@citadelaero.com in the first instance.

13. The demonstration environment

A demonstration version of the CitadelAero platform is available at demo.citadelaero.com.

Do not submit real personal data, real occurrence reports, or any sensitive operational data to the demonstration environment. The demonstration environment is intended for product evaluation purposes only and does not carry the same access controls, data isolation guarantees, or contractual protections as the live platform.

The demonstration environment may be reset or cleared periodically without notice. Data entered into the demonstration environment:

• is not covered by a Data Processing Agreement;
• may be visible to CitadelAero personnel for support and maintenance purposes;
• should be treated as non-confidential; and
• will not be subject to the data deletion obligations applicable to live customer accounts.

If you enter personal data into the demonstration environment and wish for it to be deleted, please contact us at privacy@citadelaero.com.

14. Cookies and similar technologies

Our websites use cookies and similar tracking technologies. A full description of the cookies we use, their purpose, duration, and how to manage your preferences is set out in our Cookie Policy.

In summary, we use:

• Strictly necessary cookies: required for the operation of our websites and the Service, including session management. These cannot be disabled.
• Analytics tools:with your prior consent (collected through our cookie banner), we use Vercel Analytics, Google Analytics 4, and Microsoft Clarity to understand how visitors use citadelaero.com. Microsoft Clarity additionally sets identifiers — including MUID— that are shared across Microsoft properties including Bing and Microsoft Ads. These tools are only loaded once you accept analytics in the cookie banner, and you can change your choice at any time.
• Payment cookies: Paddle may set cookies in connection with the checkout and payment process. These are subject to Paddle's own cookie policy.

You can manage your cookie preferences through the cookie preference centre available on our websites or through your browser settings.

15. Third-party links and services

Our websites and the Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access through our platform.

We are not responsible for the privacy practices of third-party websites or services, even if accessed through links on our websites.

16. Children

The CitadelAero platform and websites are directed exclusively at business users in the aviation sector and are not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe that a child's personal data has been submitted to us, please contact us at privacy@citadelaero.com and we will take steps to delete it.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, services, or applicable law. When we make material changes, we will notify customers by email and update the "last updated" date at the top of this page.

We encourage you to review this Privacy Policy periodically. Continued use of our websites or the Service after an updated policy has taken effect constitutes acceptance of the revised policy.

Previous versions of this Privacy Policy are available on request.

18. How to contact us

For any questions, requests, or concerns relating to this Privacy Policy or our data processing activities, please contact us:

• By email: privacy@citadelaero.com
• Website: citadelaero.com

We aim to respond to all privacy-related queries within 10 business days and will in any event respond to formal data subject rights requests within one calendar month.

© JLEC Limited t/a CitadelAero · citadelaero.com · Version 1.2