AERONOVA SYSTEMS SRL — PRIVACY POLICY
Effective Date: [To be confirmed] | Last Updated: March 2026
SECTION 1 — DATA CONTROLLER
The data controller for personal data processed through the AeroNova platform is: Aeronova Systems SRL, CUI/CIF: [To be inserted], registered address: [To be inserted], Romania. Trading as AeroNova. Email: privacy@aeronovais.com. Website: aeronovais.com.
Where the Client (an aviation organisation) inputs personal data of its employees, contractors, or management personnel into the Platform, the Client is the data controller and AeroNova acts as a data processor on the Client's behalf, in accordance with the Data Processing Agreement.
SECTION 2 — PERSONAL DATA WE COLLECT
2.1 Account Data: name, email address, job title, organisation name, and contact details of account holders and authorised users provided during registration.
2.2 Organisational Data Entered by Users: information entered for ISMS compliance management, which may include names and contact details of Accountable Managers, IS Managers, IT Contacts, and other personnel; organisational structures; information system and network descriptions; supplier and contractor names and contacts; incident reports referencing personnel; training records including names and completion dates; and any other data the Client enters.
2.3 Usage Data: features accessed, pages viewed, actions taken, session duration, timestamps, and feature interaction data.
2.4 Technical Data: IP address, browser type and version, operating system, device type, referring URL, and unique device identifiers collected automatically.
SECTION 3 — HOW WE USE PERSONAL DATA AND LEGAL BASIS
- Account registration and management — Create and manage accounts, authenticate users — Performance of contract (GDPR Art. 6(1)(b))
- Provision of Platform services — Deliver ISMS management features, generate documents, manage compliance workflows — Performance of contract (GDPR Art. 6(1)(b))
- AI document generation — Transmit organisational data to Anthropic API for generating ISMS compliance documents, briefings, risk suggestions, and evidence tags — Performance of contract (GDPR Art. 6(1)(b))
- Payment processing — Process subscription payments and manage billing — Performance of contract (GDPR Art. 6(1)(b))
- Email communications — Send transactional emails, weekly briefings, account alerts, billing notices — Performance of contract (GDPR Art. 6(1)(b))
- Platform security and rate limiting — Protect Platform from abuse, enforce rate limits, detect threats — Legitimate interests (GDPR Art. 6(1)(f))
- Technical operations and logging — Maintain infrastructure, debug errors, monitor performance — Legitimate interests (GDPR Art. 6(1)(f))
- Legal compliance — Comply with applicable laws and lawful authority requests — Legal obligation (GDPR Art. 6(1)(c))
SECTION 4 — DISCLOSURE OF ORGANISATIONAL DATA TO AI SERVICE PROVIDER
IMPORTANT DISCLOSURE:
When the Client uses AI document generation, weekly briefings, risk suggestions, or evidence tagging features, organisational data entered by the Client — including organisation profile information, personnel names and roles, information system descriptions, risk data, incident descriptions, and supplier information — is transmitted to Anthropic, LLC (United States) via the Anthropic Claude API for the purpose of generating AI content.
Safeguards for this transfer include:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914) between AeroNova and Anthropic.
- TLS 1.2 or higher encryption in transit.
- Anthropic's data processing terms explicitly prohibit the use of API input data for AI model training purposes.
- Data is processed on a transient basis for generating the requested output and is not retained by Anthropic beyond the period necessary for processing.
- AeroNova does not use Client Data or AI-Generated Content to train external AI models.
The Client acknowledges and consents to this transmission as a necessary part of using AI-powered features. If the Client does not wish for organisational data to be transmitted to Anthropic, the Client should not use the AI document generation, weekly briefing, risk suggestion, or evidence tagging features.
SECTION 5 — SUB-PROCESSORS
- Anthropic, LLC — United States — AI content generation — Organisation profile data, personnel names and roles, system descriptions, risk data, incident descriptions
- Supabase, Inc. — Germany (EU Frankfurt, EU data residency) — Database and file storage — All application data, documents, evidence files, compliance records
- Clerk, Inc. — United States — User authentication and organisation management — User email addresses, names, profile data, organisation membership, authentication tokens
- Stripe, Inc. — United States and Ireland — Payment processing — Payment card details, billing addresses, transaction history, subscription data
- Resend, Inc. — United States — Transactional email delivery — Recipient email addresses and email content (transactional only, no marketing)
- Upstash, Inc. — United States and EU — Rate limiting and request management — IP addresses, request metadata for abuse prevention
- Vercel, Inc. — United States — Application hosting and delivery — All HTTP request data, IP addresses, request headers, server-side logs
SECTION 6 — INTERNATIONAL DATA TRANSFERS
Several sub-processors are based in the United States. For transfers of personal data outside the European Economic Area, AeroNova relies on: Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) incorporated into agreements with each US-based sub-processor; EU-US Data Privacy Framework adequacy decision where the sub-processor is a certified participant; supplementary technical measures including encryption in transit and at rest, and contractual restrictions on data use. Copies of SCCs and relevant transfer documentation are available on request at privacy@aeronovais.com.
SECTION 7 — DATA RETENTION
- Active accounts: for the duration of the Client's subscription.
- Cancelled accounts: Client Data retained for thirty (30) days following termination for export, then deleted within thirty (30) additional days.
- Backup copies: may be retained up to ninety (90) days after deletion from live systems for disaster recovery, then securely deleted.
- Legal hold: retained only where required by law, regulation, or legal proceedings.
- Billing records: retained as required under applicable Romanian tax and accounting law.
SECTION 8 — YOUR RIGHTS UNDER GDPR
Where AeroNova acts as data controller (for account data and technical data):
- Right of Access (Article 15): Request a copy of personal data we hold. Contact privacy@aeronovais.com. Response within thirty (30) days.
- Right to Rectification (Article 16): Request correction of inaccurate personal data. Most account data can be updated directly in the Platform.
- Right to Erasure (Article 17): Request deletion of personal data, subject to legal retention requirements.
- Right to Data Portability (Article 20): Receive personal data in a structured, machine-readable format. The Platform provides built-in data export functionality.
- Right to Restriction of Processing (Article 18): Request restriction in certain circumstances.
- Right to Object (Article 21): Object to processing based on legitimate interests.
- Rights Related to Automated Decision-Making (Article 22): AeroNova does not make decisions based solely on automated processing that produce legal effects or significantly affect individuals. AI-Generated Content is produced as a tool to assist qualified personnel and is not used for automated decision-making about individuals.
Where AeroNova acts as data processor (for organisational data entered by Clients), data subjects should direct requests to the Client as data controller. AeroNova will assist the Client in responding to such requests per the DPA.
SECTION 9 — SUPERVISORY AUTHORITY
Romanian supervisory authority: Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP), www.dataprotection.ro. You have the right to lodge a complaint with ANSPDCP or with the supervisory authority of any EU Member State where you reside or work, or where the alleged infringement occurred.
SECTION 10 — NO SALE OF PERSONAL DATA
AeroNova does not sell, rent, trade, or otherwise make personal data available to third parties for marketing or advertising purposes. AeroNova does not participate in data brokerage activities.
SECTION 11 — CHILDREN
The Platform is a B2B service intended for use by authorised personnel of aviation organisations. It is not directed at individuals under eighteen (18). We do not knowingly collect data from minors.
SECTION 12 — CHANGES
Material changes: at least thirty (30) days' advance notice by email and on the Platform. Continued use constitutes acceptance.