Privacy Policy
1. Introduction
PartFive LLC ("we," "us," or "our") provides flight training and safety management for flight schools and individual instructors. This Privacy Policy describes how we collect, use, share, and protect personal information about users of our web application at app.partfive.app and our marketing site at partfive.app (collectively, the "Service").
We take privacy seriously. Aviation training records are sensitive — they may contain personally identifying information, professional certifications, and information relevant to regulatory oversight. We have designed our data practices accordingly.
By using the Service, you agree to the collection and use of information as described in this Policy. This Policy is incorporated into and subject to our Terms of Service. Capitalized terms not defined here have the meaning given in our Terms of Service.
2. Data We Collect
We collect the following categories of personal information:
Account Data
- Identity: Full name, email address, role (Safety Officer, Admin, CFI, Dispatcher, Student), and organization affiliation.
- Authentication: Hashed password (we never store plaintext passwords), authentication tokens, session identifiers.
- Organization profile: Organization name, type (Part 141 school, independent CFI, etc.), base airport identifier, and organizational configuration.
- Professional information (where provided): FAA certificate number, certificate type, ratings, and expiration dates. This information is entered voluntarily to support endorsement and sign-off workflows.
Training Data
When users interact with training features, we collect and store:
- Lesson progress records: completed lessons, lesson dates, instructor sign-offs, maneuver evaluations, and notes.
- Pre-flight risk assessments (PAVE model): risk scores, aircraft tail number, lesson identifier, weather conditions at time of assessment, CFI approval status and timestamp.
- Endorsements: the full text of each endorsement issued (per AC 61-65K or custom), issuance date, endorsing CFI identity, student identity, and any revocation records.
- Stage check and end-of-course records: check type, date, examiner identity, outcome, and student progress snapshots.
- Flight logs: aircraft tail number, flight date, duration, lesson, and companion pilot information.
- Safety reports: report type, severity, description, involved parties (if provided), status, investigation records, and corrective actions.
- Safety Management System (SMS) content: SMS manual sections, SOP documents, safety bulletins, safety meeting records, and hazard reports authored within the platform.
- Graduation records: graduation certificate data, EOC endorsements, and program completion records.
Operational Data
- Timestamps on all significant actions (record creation, modification, sign-off, revocation).
- IP address and browser/device type at login, for security, diagnostics, and fraud prevention. We do not use IP data for advertising targeting.
- Supabase authentication logs (session creation/expiry events).
Communications
- Emails sent to or received from our support address (hello@partfive.app).
- In-platform notification content where applicable.
Data You Do Not Provide Directly
We do not purchase data about you from third-party data brokers. We do not collect social media profile data. We do not conduct behavioral advertising or cross-site tracking.
3. How We Use It
We use the information we collect for the following purposes:
- Service delivery: Operating the platform, authenticating users, displaying the correct data to the correct role, processing training records, and supporting endorsement and sign-off workflows.
- Account management: Managing user accounts and organizational relationships, processing role assignments and invitations, and enabling user-initiated account changes.
- Record retention for regulatory purposes: Aviation training records have regulatory retention requirements (see Section 8). We retain records as required to support organizational compliance with applicable regulations.
- Safety and security: Detecting and investigating fraudulent activity, unauthorized access, and security incidents. Enforcing our Terms of Service.
- Service improvement: Understanding how the platform is used (in aggregate, not at the individual user level) to prioritize features and fix issues.
- Communications: Responding to support requests and sending service-related communications (not marketing without explicit opt-in).
We do not use your data to train external artificial intelligence models. AI-assisted features within PartFive (SMS manual authoring, syllabus generation) use models accessed via API; user content passed to those APIs is subject to the terms of the relevant AI provider as disclosed in our terms.
4. Legal Basis (GDPR and Similar Frameworks)
For users in jurisdictions where a legal basis for processing is required — including the European Economic Area (EEA) and the United Kingdom — our legal bases for processing personal data are:
- Contract performance: Processing necessary to provide the Service you have signed up for, including maintaining your account, storing your training records, and operating endorsement and sign-off workflows.
- Legitimate interests: Processing for security, fraud prevention, service improvement, and operational analytics, where these interests are not overridden by your rights and freedoms.
- Legal obligation: Where we are required to retain or disclose data by applicable law (see Section 6).
- Consent: Where we rely on consent (e.g., for optional communications), you may withdraw it at any time without affecting the lawfulness of prior processing.
5. Data Sharing
We do not sell your personal data. We do not share personal data with advertising networks, data brokers, or any party for marketing purposes.
We share data in the following limited circumstances:
Service Providers
We use third-party vendors to operate the Service. These vendors process data only on our behalf and under our instructions:
- Supabase: Our database, authentication, and storage provider. User data — including account information, training records, and files — is stored on Supabase infrastructure. Supabase is subject to its own privacy and security practices.
- Hosting and infrastructure providers: Web hosting and CDN services used to deliver the platform.
- AI API providers: Where you use AI-assisted features (e.g., SMS manual generation, syllabus drafting), text you submit to those features may be transmitted to a third-party AI API provider, which processes it to generate the requested output subject to that provider's applicable terms. We do not authorize the use of your content to train third-party models.
Legal Requirements
We may disclose your data if required to do so by law, court order, subpoena, or other legal process, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
Business Transfers
In the event of a merger, acquisition, or sale of substantially all assets, your data may be transferred to the acquiring entity, which will be bound by this Privacy Policy or will notify you of any material changes before your data is subject to a different policy.
With Your Consent
We may share data in other circumstances with your explicit consent.
6. Aviation-Specific Data Disclosure Note
Important for flight training organizations. Aviation training records may be subject to federal regulatory inspection. Read this section carefully.
Training records maintained by FAA-certificated flight training organizations are subject to inspection by the FAA under 14 CFR §141.95(d) and related provisions. PartFive will comply with any lawful FAA request for records pertaining to the organization that owns those records. We will make reasonable efforts to notify the affected organization prior to disclosure, unless prohibited by law or court order.
Individual pilot training records may also be subject to inspection under applicable regulations. CFIs are required to maintain their own endorsement records under 14 CFR §61.189. PartFive's records supplement but do not replace a CFI's obligation to maintain their own logbook endorsement entries as required by regulation.
We are not a law enforcement agency and will not proactively share data with the FAA or other authorities except as required by law or lawful process.
7. Student Records and FERPA
When PartFive is used by educational institutions (such as colleges and universities operating Part 141 flight training programs), student training records maintained within PartFive may be subject to the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g.
In such cases:
- The educational institution is the data controller and "school official" responsible for FERPA compliance.
- PartFive operates as a service provider to the institution, with access to student records limited to what is necessary to fulfill our contractual obligations.
- Students at FERPA-covered institutions may have rights to inspect and request correction of their education records. Those rights are exercised through the institution, not directly through PartFive.
- PartFive will not disclose student education records to third parties except as permitted under FERPA and as described in this Policy.
Organizations using PartFive in a FERPA-covered context should ensure their use of the Service is consistent with their own FERPA obligations, including appropriate data use agreements where required.
8. Data Retention
We retain personal data for as long as your account is active, plus additional periods required by law, regulation, or legitimate business need. Specific retention guidelines:
- Active accounts: Data is retained for the lifetime of the account. Soft-deleted records (e.g., deactivated users, revoked endorsements) are retained in a non-active state for record integrity and audit purposes.
- Training records — Part 141 organizations: Per 14 CFR §141.101, training records for students who have completed or discontinued training must be retained for a minimum of one year following graduation or discontinuation. PartFive will retain records consistent with this requirement regardless of account status.
- Endorsement records: Per 14 CFR §61.189, CFIs must retain endorsement records for three years. PartFive retains endorsement records for at least this period.
- Safety reports and investigation records: Retained for a minimum of three years from the date of resolution, or longer as required by the organization's SMS program.
- Account deletion requests: When you request account deletion, we will anonymize or delete personal data except where retention is required by law or regulatory obligation. We cannot delete records that are part of an organization's required training record under applicable regulations.
Retention periods are aligned with applicable federal and state requirements. Where regulations require longer retention than described above, those requirements control.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate data. Note that certain regulated records (such as completed endorsements) may not be editable after issuance to maintain their integrity as legal records.
- Deletion: Request deletion of your personal data, subject to our legal retention obligations described in Section 8.
- Export / Portability: Request a machine-readable export of your account data.
- Objection / Restriction: Object to or request restriction of certain processing, where applicable law permits.
- Withdrawal of consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at hello@partfive.app. We will respond within 30 days. We may need to verify your identity before fulfilling your request. Where your rights are limited by regulatory retention obligations, we will explain the specific basis for the limitation.
If you are in the EEA or UK and believe we have not handled your data in accordance with applicable law, you have the right to lodge a complaint with your local supervisory authority.
10. Children's Data
The Service is not directed at children under 13 years of age, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information as promptly as possible.
Flight training students are frequently minors (ages 14–17, as private pilot training may begin at age 16 and sport/recreational at age 16). For students under 18:
- Organization administrators are responsible for ensuring that appropriate parental notice and consent have been obtained before adding minor students to the platform.
- Where student records are subject to FERPA (see Section 7), FERPA's provisions regarding rights of parents of students under 18 apply.
- We do not use data about minors for any purpose beyond delivery of the Service.
11. Security
We implement security measures appropriate to the sensitivity of the data we process:
- Encryption in transit: All data transmitted between your browser or device and our servers is encrypted using TLS (HTTPS). We do not transmit personal data over unencrypted connections.
- Encryption at rest: Data stored in our Supabase database is encrypted at rest using industry-standard encryption.
- Row-level security (RLS): We use Supabase's row-level security to enforce data isolation between organizations and between users within an organization. Users can only access data they are authorized to see based on their assigned role.
- No plaintext passwords: Passwords are hashed using industry-standard algorithms. We never store plaintext passwords.
- Access controls: Administrative access to production systems is limited to authorized personnel on a need-to-know basis.
No security system is impenetrable. While we use commercially reasonable measures to protect your data, we cannot guarantee absolute security. In the event of a data breach affecting your information, we will notify affected users as required by applicable law.
12. Cookies and Tracking
We use minimal tracking technologies:
- Session cookies: Required for authentication. These cookies maintain your logged-in state during a session. They are not used for advertising and expire when you log out or close your browser.
- Local storage: The application may use browser local storage to persist UI preferences (such as dark/light mode) on your device. This data does not leave your device.
We do not use:
- Third-party advertising tracking pixels or cookies.
- Cross-site tracking technologies.
- Analytics services that create individual behavioral profiles.
If aggregate analytics are added in a future version, we will update this Policy and notify users. Any analytics used will not include individually identifiable operational data (training records, endorsements, safety reports).
13. International Users
PartFive is operated in the United States, and our servers and service infrastructure are located in the United States. If you access the Service from outside the United States, your data will be transferred to, and processed and stored in, the United States, which may have different data protection laws than your home country.
For users in the European Economic Area (EEA) or United Kingdom, any such transfer is made subject to appropriate safeguards consistent with applicable data protection law.
By using the Service from outside the United States, you acknowledge and consent to the transfer of your data to the United States as described in this Policy.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will post the updated Policy to this page with a revised effective date and, where appropriate, provide notice by email to registered users.
Your continued use of the Service after the effective date of any updated Policy constitutes your acceptance of the new Policy. If you do not agree to the updated Policy, you must stop using the Service and may request account deletion as described in Section 9.
We encourage you to review this Policy periodically. For users who have opted into email notifications, we will send notice of material changes to the email address associated with your account.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
- PartFive LLC
- Email: hello@partfive.app
For data subject rights requests (access, correction, deletion, export), please email us with "Privacy Request" in the subject line. Include your full name, account email address, and a description of your request. We will acknowledge receipt within 5 business days and respond substantively within 30 days.
Effective Date
This Privacy Policy is effective as of June 1, 2026.