Skip to main content

Privacy Policy

Introduction

This Privacy Policy describes how Aviate ("we", "our", or "us") collects, uses, and protects your personal information when you use our mobile application. By using our app, you agree to the collection and use of information in accordance with this policy.

Children's Privacy

Our app is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13 without parental consent, we will delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at [email protected].

Information We Collect

We collect and store the following information:

  • Account information (email address, username)
  • Securely hashed passwords
  • Encrypted boarding pass information (passenger name, confirmation number, seat details, frequent flyer numbers, baggage allowance)
  • Manually inputted flight information (airline, flight number, departure date, airports)
  • Encrypted shared flight information
  • Group membership information (group name, member usernames) and end-to-end encrypted group flight data
  • Flight data imported from third-party apps (such as Flighty or byAir) via CSV export files
  • Trip documents you add are stored locally on your device and are not uploaded to our servers. Documents are automatically removed after the associated trip has ended
  • Parking information (location notes, GPS coordinates, photos, cost, and booking reference) is stored locally on your device and is not uploaded to our servers
  • Travel checklists and packing lists are stored locally on your device and are not uploaded to our servers
  • Subscription and purchase verification data (transaction IDs, purchase tokens, product IDs) processed through Google Play Billing
  • Responses to in-app forms and surveys
  • Logs that you choose to share when reporting an issue (optionally including network debug logs and console logs)

App Permissions

Our app requires the following permissions:

  • Camera access - Used for scanning boarding passes and taking photos of your parking spot
  • Photo library access - Used only for importing boarding passes
  • Calendar access - Used only for saving flights to your calendar
  • Location access - Used locally to provide relevant airport information in the layover map and to save your parking location
  • Notification access - Used for live flight tracking notifications and parking reminders (available with a paid subscription)
  • File access - Used for importing documents and flight data from third-party apps

Important: Images captured through the camera or selected from your photo library are processed and stored locally on your device. We do not collect, store, or transmit any photos to our servers. Calendar data, location data, and parking information are processed locally on your device and are not sent to our servers.

How We Use Your Information

We use your information for the following purposes and legal bases:

  • Account authentication and management — necessary to provide the service (contractual necessity)
  • Providing our core service features (flight tracking, boarding pass storage, sharing) — necessary to provide the service (contractual necessity)
  • Improving and optimizing our services — legitimate interest in improving our product
  • Communication about service updates or changes — legitimate interest in keeping you informed
  • Contacting you by email to request additional details when you submit a bug report or support request — legitimate interest in resolving issues and improving our service

Groups

Aviate allows you to create or join flight groups to share flight information with other users:

  • You can create up to 5 groups. Group data (name, member list) is stored on our servers
  • Your username is visible to other members of any group you join
  • Flight information shared within a group is protected with end-to-end encryption — only group members can decrypt and view shared flight details
  • You can leave a group or remove your shared flights at any time

Shared Flights

When you share a flight, the following applies:

  • Your email address is visible to anyone you share a flight with
  • Shared flight links are publicly accessible — anyone with the link can view flight details and real-time flight position (including location, altitude, and speed)
  • You can share flights from both boarding passes and manually added flights
  • You can revoke shared flights at any time, which immediately removes access

Live Flight Notifications

For paid subscribers, the app provides live flight tracking notifications:

  • Flight status is polled from our servers approximately every 5 minutes when tracking is active
  • Notifications display flight phase, departure gate, terminal, in-flight progress, altitude, and baggage claim information
  • A persistent foreground service runs on Android while tracking is active
  • Tracking data is stored locally on your device and is not shared with third parties

Home Screen Widget

The app can display your next flight on a home screen widget. A map snapshot of your flight route is generated locally on your device and stored in local storage. No widget data is sent to our servers.

WearOS Companion

If you use the Aviate WearOS companion app on a paired smartwatch, your authentication token and upcoming flight data are synced locally to your watch. This data is transmitted directly between your phone and watch and is not routed through our servers.

Trip Documents

You can add documents (such as itineraries, confirmations, or travel documents) to your trips. All documents are stored locally on your device and are never uploaded to our servers. Documents are automatically removed after the associated trip has ended.

Flight Data Import

You can import flight data from third-party apps (such as Flighty or byAir) by selecting a CSV export file from your device. The CSV file is read and parsed locally on your device. The extracted flight details (airline, flight number, date, airports) are then sent to our servers to be added to your account, where they are treated the same as manually added flights. The original CSV file is not uploaded or stored by Aviate.

Parking Information

You can save parking information for your trips, including a text description of your spot, notes, cost, and booking reference. The app can also capture your GPS coordinates and a photo of your parking location. All parking data — including GPS coordinates and photos — is stored locally on your device and is never uploaded to our servers. When you use the "Navigate to Car" feature, your saved GPS coordinates are passed to your device's default maps app to provide directions.

Checklists

You can create travel checklists and packing lists within the App. All checklist data is stored locally on your device and is not uploaded to our servers.

Delay Predictions

The app may display delay predictions for your flights based on historical flight data and weather conditions. These predictions are generated on our servers using aggregated, non-personal data and do not involve any collection of additional personal information.

Forms and Surveys

We may occasionally present in-app forms or surveys to collect feedback, feature requests, or other responses. Your submissions are associated with your account and stored on our servers however, submissions are anonymous in the sense that we are not able to link them to your personal information (email, flight data) when viewing or analyzing form responses. Participation is always voluntary.

Third-Party Services

Our app uses the following third-party services to provide its features:

  • Protomaps and MapLibre - For rendering basemap vector tiles in maps and widgets, hosted via tiles.aviate.to
  • NASA GIBS (Global Imagery Browse Services) - For satellite precipitation data overlays on maps
  • RainViewer - For real-time radar precipitation data overlays on maps
  • Wikidata/Wikipedia - For retrieving airline logos, restaurant logos, and airport/city images
  • Google Play Billing - For processing and verifying subscription purchases on Android
  • OpenStreetMap and Google - For airport restaurant and point-of-interest data
  • FAA (Federal Aviation Administration) - For airport operational status and delay information

These services may collect limited technical data (such as IP addresses) in accordance with their own privacy policies. We do not share your personal account information with these providers. We do not use third-party analytics, or tracking SDKs beyond those listed above.

Data Sharing

We do not sell your personal information. We may share your data only in the following circumstances:

  • With your consent, such as when you choose to share a flight
  • With law enforcement or government authorities when required by law or legal process
  • In connection with a merger, acquisition, or sale of assets, in which case your data may be transferred to the successor entity
  • With the third-party services listed above, limited to the technical data necessary for their operation

Data Security

We implement appropriate security measures to protect your personal information:

  • Passwords are securely hashed and never stored in plain text
  • Raw boarding passes and the majority of their contained information are protected with AES-256-GCM encryption using multiple layers of user-specific keys derived via PBKDF2, making unauthorized access virtually impossible
  • Group flight data is protected with end-to-end encryption — only group members hold the keys to decrypt shared flight information
  • App integrity is verified using Google Play Integrity checks to protect against tampered or unauthorized clients
  • Data transmission is encrypted using industry-standard protocols (HTTPS/TLS)
  • Regular security audits and updates

Data Retention

We retain your data until you delete your account. When you delete your account, we permanently delete all associated personal information, including flight data and form responses, from our servers. We do not retain any deleted data in backups or archives. Subscription and billing records may be retained as required by applicable tax and financial reporting laws.

Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users and relevant authorities in accordance with applicable law, including within 72 hours where required by GDPR.

Your Rights

You have the right to:

  • Access your personal data
  • Request correction of inaccurate data
  • Request deletion of your account and associated data
  • Request a portable copy of your data. Because boarding pass data is encrypted with user-specific keys that Aviate cannot access on our servers, encrypted boarding pass data can only be accessed through the App on your device. For data we store in unencrypted form (account information, manually entered flight details, bug reports and form responses), we will provide a copy in a standard format upon request.
  • Restrict or object to certain processing of your data
  • Withdraw consent at any time where processing is based on consent
  • Opt-out of marketing communications

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

For Users in the European Economic Area

If you are located in the EEA, UK, or Switzerland, the following additional terms apply:

  • Legal basis: We process your data based on contractual necessity (to provide the service), legitimate interest (to improve and secure the service), and consent (where applicable, such as for marketing communications)
  • Data storage: Your primary data is stored and processed on servers located in the Netherlands (EU). Limited data may be transferred outside the EEA in connection with third-party services (such as Google Play Billing and map providers) or administrative access. Where such transfers occur, we ensure appropriate safeguards are in place
  • Supervisory authority: You have the right to lodge a complaint with your local data protection authority if you believe your data is being processed unlawfully
  • Data Protection Officer: For data protection inquiries, contact us at [email protected]

For Users in California

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA/CPRA):

  • We do not sell your personal information
  • We do not share your personal information for cross-context behavioral advertising
  • You have the right to know what personal information we collect, use, and disclose
  • You have the right to request deletion of your personal information
  • You will not be discriminated against for exercising your privacy rights

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the app accordingly.

Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:
[email protected]

Last updated: March 21, 2026