Privacy policy

1. Controller

2. Access to the website and web app

When you access the website or web app, technically necessary connection data is processed. This includes in particular the IP address, date and time of access, requested address, amount of transmitted data, browser and device information, and HTTP status information. This data is typically stored in server log files and processed to provide, stabilize, and secure the service.

The legal basis is Article 6(1)(f) GDPR. Our legitimate interest lies in the secure and uninterrupted provision of the service.

3. Account, sign-in, and profile

When you register, sign in, and use the user account, we process the account data you enter. This includes in particular your name, email address, password in hashed form, and the time of your last sign-in.

If you complete your profile, we also process the information stored there such as phone number, employer, crew position, default operator, home base, flight prefixes, and other default values maintained by you.

This processing is carried out for the establishment, performance, and administration of the user relationship. The legal basis is Article 6(1)(b) GDPR.

4. Flight log and logbook data

To provide the actual flight log functions, we process the flight data you enter or import. Depending on the entry, this includes in particular date, flight number, route, departure and destination airfield, times, operational role, crew information, aircraft data, landings, simulator information, remarks, and imported raw data from CSV files.

This data is required to display, edit, synchronize, and export your flight hours as CSV or PDF. The legal basis is Article 6(1)(b) GDPR.

5. CSV import, export, and document creation

When you upload CSV files, the contained data is processed to read, check, map, and transfer it into your logbook. Depending on the file, it may also contain names, identifiers, or contact data of crew members.

When exporting, the logbook data you have stored is output in CSV or PDF files. The processing is carried out solely to provide the functions you requested. The legal basis is Article 6(1)(b) GDPR.

6. Technically necessary cookies and local storage

The web app uses technically necessary session cookies to enable logins, form protection, and secure operation of the application. In addition, the web app may locally cache static application files through a service worker so that the service loads faster and can be used as a web app.

This storage is necessary to provide the service expressly requested by you. The legal basis is Article 6(1)(f) GDPR and Section 25(2) No. 2 TDDDG.

7. Use of the iPhone app

The iPhone app can store flight data locally on the device so you can keep working offline. For this purpose, app data is stored in a local app store on the device. If you use saved credentials, they are stored locally in the Apple Keychain of the device. Optional unlocking via Face ID, Touch ID, or device passcode is processed only locally on the device; we do not receive biometric raw data.

Local storage serves the offline use requested by you, convenient sign-in, and the protection of your data on the device. The legal basis is Article 6(1)(b) and (f) GDPR.

8. Synchronization between app and web

When you use the synchronization functions, the profile and flight data you recorded locally is synchronized between the app and the server. Only the data records required for the respective synchronization are processed. The legal basis is Article 6(1)(b) GDPR.

9. Security check via Cloudflare Turnstile

We use Cloudflare Turnstile on the sign-in and registration pages to reduce abusive automated access. Technical connection and usage data is transmitted to Cloudflare to the extent required for the security check, in particular IP address, browser and device information, and request data related to the verification.

The legal basis is Article 6(1)(f) GDPR. Our legitimate interest lies in protecting the service from spam, abuse, and automated attacks.

10. Further recipients and external sources

Personal data is generally only disclosed to third parties to the extent required for hosting, database operations, IT security, or the functions used by you. This may include technical service providers used for hosting and infrastructure.

For the delivery of transactional emails such as verification links, password reset messages, and contact requests, we use the Gmail API from Google via OAuth. In particular, the recipient address, subject, message content, and technical delivery data are transmitted to Google to the extent necessary for delivery.

If the function for updating worldwide airfield data is used, a CSV file is loaded from an external source. This function serves solely to update the airfield database; your logbook data is not transmitted to that source.

11. Storage period

We generally store account data, profile information, and logbook data for as long as the user account exists and the data is needed to perform the contract. If you delete your account, the associated data is deleted unless statutory retention obligations or legitimate reasons for longer storage prevent this.

Technical log data and security data are stored only as long as necessary for operation, security, and error analysis. App data stored locally on your device remains until it is deleted in the app, by signing out, by uninstalling the app, or by deleting device storage.

12. Contact

If you contact us by email or via the contact form, we process the information you provide to handle your request and any follow-up questions. This includes in particular your name, email address, subject, and message content. The legal basis is Article 6(1)(b) GDPR if your request relates to an existing or future contractual relationship; otherwise Article 6(1)(f) GDPR applies.

13. Your rights

Subject to the statutory requirements, you have in particular the right of access, rectification, erasure, restriction of processing, data portability, and objection to processing based on legitimate interests. You also have the right to lodge a complaint with a data protection supervisory authority.

To exercise your rights, simply send a message to hello@echolima.de or call +49(0)175 - 9679 826.

14. No automated decision-making

Automated decision-making including profiling within the meaning of Article 22 GDPR does not take place.