1. Personal Data Controller

Controller

M2A Facility Management GmbH operating under the trade name Pilot 100

Address

Bürgermeister-Smidt-Str. 116, 28195 Bremen, Germany

Register

Registergericht Bremen · HRB 40419 · USt-ID: DE 369257816

Email

support@pilot100atpl.com

Data Protection Officer (DPO): M2A Facility Management GmbH has assessed its processing activities and determined that the appointment of a DPO is not currently mandatory under Article 37 GDPR or §38 BDSG. This threshold is actively monitored as headcount grows. For all data protection queries, contact support@pilot100atpl.com.

2. Purposes, Legal Basis, and Processing Activities

We process your personal data only where we have a valid legal basis under Article 6 GDPR:

• Account creation, login, service delivery, billing, subscription management — Art. 6(1)(b) GDPR (performance of a contract)
• Payment processing via Stripe and transaction records — Art. 6(1)(b) + Art. 6(1)(c) GDPR (contract + legal obligation)
• Tax, accounting, and financial record-keeping under German law — Art. 6(1)(c) GDPR (legal obligation)
• Transactional and service emails — Art. 6(1)(b) GDPR (performance of a contract)
• Customer support and complaint handling — Art. 6(1)(b) + Art. 6(1)(f) GDPR (contract + legitimate interest in service quality)
• Personalizing the study experience and AI-powered performance insights — Art. 6(1)(b) GDPR (core features of the subscribed service)
• Fraud detection, unauthorized access, scraping, account sharing, automated abuse prevention — Art. 6(1)(f) GDPR (legitimate interest: platform security and IP protection)
• Service improvement via aggregated, anonymized analytics — Art. 6(1)(f) GDPR (legitimate interest; data anonymized before use)
• Debt recovery and legal claims — Art. 6(1)(f) GDPR (legitimate interest: enforcing legal rights)
• Marketing and promotional communications — Art. 6(1)(a) GDPR (freely given, specific, informed, unambiguous consent — withdraw any time, see Section 7)

Providing personal data for contract-related purposes is voluntary but necessary. Without required data we cannot provide the Service.

2a. Automated Decision-Making and AI-Powered Analytics

Pilot 100 uses AI-powered analytics to generate personalized study insights, track performance trends, and provide recommendations. This constitutes profiling within the meaning of Article 4(4) GDPR. It is used solely to improve the user's learning experience (e.g., identifying weak subject areas, recommending study focus). It does not produce legal effects or similarly significant effects — it does not affect exam eligibility, licensing decisions, or any determination made by aviation authorities.

No fully automated decisions with legal or similarly significant effects are made about users. You have the right to obtain information about the logic involved and to object to profiling (see Section 7).

3. Recipients of Personal Data

The following categories of third parties may access your personal data, subject to appropriate data processing agreements or equivalent safeguards:

• IT and infrastructure service providers (server hosting, storage, content delivery)
• Payment processors (Stripe — PCI-DSS compliant; the Controller does not store payment card details)
• Authentication service providers (Firebase / Google)
• Email delivery providers (Nodemailer — transactional emails only)
• Legal and accounting advisors — only to the extent necessary, subject to professional secrecy
• State authorities and law enforcement — where required by applicable law

Specific third-party services currently used:

• Firebase (Google) — Authentication and user identity management. Google LLC is certified under the EU-U.S. Data Privacy Framework and processes data under Standard Contractual Clauses (SCCs) where applicable.
• Stripe — Payment processing (PCI-DSS compliant). Certified under the EU-U.S. Data Privacy Framework. The Controller retains only transaction references, amounts, and billing address; credit card details are not stored by the Controller. All purchases are made on the website.
• Amazon Web Services (AWS) — Hosting, storage (S3), and content delivery (CloudFront). Data residency configured in EU regions (Frankfurt). AWS operates under SCCs for any transfers outside the EEA.
• Nodemailer — Transactional email delivery only (no marketing).
• Apple Inc. — When you download the App from the Apple App Store, Apple processes certain technical data (Apple ID, device identifiers, download records) under Apple's own Privacy Policy. This is outside the Controller's control; the Controller does not receive your Apple ID or payment details from Apple.
• Google LLC (Google Play) — When you download the App from Google Play, Google processes certain technical data (Google account info, device identifiers, download records) under Google's Privacy Policy. This is outside the Controller's control; the Controller does not receive your Google account details or payment information from Google.

International data transfers: Where personal data are transferred outside the EEA — in particular in connection with Firebase (Google) or Stripe — such transfers are carried out on the basis of adequate safeguards pursuant to Article 46 GDPR, including SCCs approved by the European Commission, and/or the EU-U.S. Data Privacy Framework adequacy decision. You may request a copy of the applicable safeguards by contacting support@pilot100atpl.com.

4. Categories of Personal Data Processed

Identification and account data

• Full name, username, email address, country of residence
• Exam authority preference (e.g., EASA, FAA)
• Registration date and last login date

Technical and operational data (website)

• IP address and approximate geolocation
• Browser type and version, HTTP user agent
• Device type and operating system
• Session tokens and unique device identifier (for session management and security)
• Date and time of logins

Technical and operational data (mobile App — additional)

• Mobile device type, model, and operating system version (iOS / Android)
• App version number
• Mobile device identifier (for session management and security)
• Crash and diagnostic data (anonymized error reports, used solely to improve app stability)

Service usage data

• Test results and performance analytics
• Study planner activity and progress
• Feature usage patterns and session duration (across both website and App)

Payment-related data

• Transaction references, amounts, and billing address (no credit card numbers or payment card details — processed exclusively by Stripe). All purchases are made on the website; no in-app purchases are processed through Apple or Google.

We do not process special categories of personal data ("sensitive data") within the meaning of Article 9 GDPR.

5. Security Measures

The Controller implements appropriate technical and organizational measures to protect your personal data, including:

• All data is transmitted and stored using industry-standard encryption
• Authentication is handled via secure, token-based mechanisms
• Technical and organizational measures protect against unauthorized access, abuse, and data loss
• Access to personal data is strictly restricted to authorized personnel only
• Data is stored on infrastructure with EU data residency

6. Retention Periods

We retain your personal data only for as long as necessary for the purposes set out in this Declaration and in compliance with applicable legal obligations:

• Account data: Retained while your account is active. Deleted within 30 days of a confirmed account deletion request, subject to legal retention obligations below.
• Test results and study progress: Retained while your account is active. Anonymized or deleted upon account deletion.
• Payment records: Retained for 10 years as required by German tax law (§147 AO) and commercial law (§257 HGB).
• Audit and security logs: Retained for 90 days for security monitoring purposes.
• Support inquiries: Retained for 2 years after resolution.
• Marketing consent records: Retained for the duration of the marketing relationship and for 3 years thereafter (for proof of consent), unless earlier deletion is requested.

Inactivity policy: If your account has been inactive (no login) for more than 12 consecutive months and you do not have an active subscription, we will notify you by email at least 30 days before deleting your account data, giving you the opportunity to reactivate. Payment records subject to statutory retention obligations will not be deleted regardless of inactivity.

Marketing consent: Consent remains valid until you withdraw it. Upon withdrawal, marketing processing ceases immediately. A record of the consent (and its withdrawal) is retained for 3 years for compliance purposes.

7. Rights of Data Subjects

As a data subject under the GDPR, you have the following rights. Exercise them by contacting support@pilot100atpl.com or in writing at the address in Section 1:

• Right of Access (Art. 15 GDPR): Obtain confirmation of whether and what personal data we process about you, and receive a copy.
• Right to Rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete personal data.
• Right to Erasure / Right to be Forgotten (Art. 17 GDPR): Request deletion of your personal data, subject to our legal retention obligations.
• Right to Restrict Processing (Art. 18 GDPR): Request that we limit the processing of your data in certain circumstances.
• Right to Data Portability (Art. 20 GDPR): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to Object (Art. 21 GDPR): Object at any time to processing based on legitimate interests (Art. 6(1)(f) GDPR), including profiling. We will cease such processing unless we can demonstrate compelling legitimate grounds.
• Right regarding automated decision-making and profiling (Art. 22 GDPR): Obtain information about the logic and significance of automated processing and AI analytics applied to your data, and object to such processing.
• Right to withdraw consent (Art. 7(3) GDPR): Withdraw any consent given at any time, without affecting the lawfulness of prior processing. Withdrawal can be made via your account profile, by email, or in writing.
• Right to notification of data breach (Art. 34 GDPR): Be notified without undue delay if a personal data breach is likely to result in a high risk to your rights and freedoms.

We will respond to your request within 30 days. In cases of complexity or volume, this period may be extended by a further two months, in which case we will notify you.

Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with the competent data protection supervisory authority. For M2A Facility Management GmbH, the competent authority is:

Authority

Die Landesbeauftragte für Datenschutz und Informationsfreiheit der Freien Hansestadt Bremen (LfDI Bremen)

Address

Arndtstraße 1, 27570 Bremerhaven, Germany

Tel.

+49 (0)421 361-2010

Email

office@datenschutz.bremen.de

Website

www.datenschutz.bremen.de

You may also lodge a complaint with the supervisory authority of your country of habitual residence or place of work.

8. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If we discover that we have inadvertently collected data from a person under 18, we will delete such data promptly. If you believe a minor has provided us with personal data, please contact us immediately at support@pilot100atpl.com.

9. Cookies and Local Storage

We use cookies and browser local storage in accordance with the German Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG) and the EU ePrivacy Directive. We use only strictly necessary cookies required for the operation of the Service:

• Authentication cookies: Secure session tokens to keep you securely logged in. These are essential for the Service to function.
• Preference cookies: Theme selection (dark/light mode), language, and UI settings.
• Device identification: A unique device ID for session management and security monitoring (detecting unauthorized concurrent access).

We do not use third-party advertising cookies, tracking cookies, or analytics cookies that identify you individually. All cookies used are strictly functional and technically necessary for the Service to operate. Strictly necessary cookies do not require prior consent under the TTDSG and ePrivacy Directive; however, you are informed of their use by this Declaration.

If you disable cookies in your browser, some or all functionality of the Service may not work correctly.

10. Changes to This Declaration

We may update this Declaration from time to time to reflect changes in our processing practices or legal requirements. We will notify you of material changes via email and/or in-app notification at least 14 days before the changes take effect. The current version and effective date are always displayed at the top of this document and on pilot100atpl.com.

11. Contact

For any questions, requests, or concerns regarding the processing of your personal data:

Controller

M2A Facility Management GmbH operating under the trade name Pilot 100

Address

Bürgermeister-Smidt-Str. 116, 28195 Bremen, Germany

Email

support@pilot100atpl.com

Website

pilot100atpl.com

See also our Impressum and Terms of Use.