Privacy Policy
Last updated: April 2026
1. Information We Collect
Personal data: We collect your name, email address, date of birth, fleet type, and password (stored securely using bcrypt hashing; we never store plaintext passwords).
Usage data: During training sessions, we collect and store your responses, competency scores, and performance analytics to deliver personalised feedback and track your progress.
Payment data: Payment transactions are processed by Dodo Payments, our Merchant of Record. We do not store your credit card numbers or full payment details on our servers.
2. Legal Basis for Processing (GDPR Article 6)
We process your personal data on the following legal bases: (a) Contract performance: processing is necessary to provide your account, deliver training sessions, and fulfil our service obligations to you. (b) Consent: where you have given explicit consent, such as for AI processing of your training responses to generate scenarios and feedback, and for any optional marketing communications. (c) Legitimate interest: processing is necessary for platform security, fraud prevention, and analytics to improve the quality of our services, where those interests are not overridden by your rights.
3. How We Use Your Information
We use your data to: deliver AI-powered training sessions and generate realistic interview scenarios; calculate competency scores across the 8 ICAO competencies; generate personalised feedback and coaching recommendations; track your progress and performance trends over time; send account-related communications such as verification emails and password resets; and improve overall platform quality and reliability through aggregated analytics.
4. Third-Party Data Processors
We share your data with the following third-party processors, each bound by data processing agreements (DPAs):
OpenRouter (AI API): processes your training responses to generate scenarios, follow-up questions, and competency feedback. Data is transferred to the United States.
Dodo Payments (Merchant of Record): processes payment transactions on our behalf. See dodopayments.com for privacy details.
Resend (email): sends transactional emails including account verification and password reset messages. Data is transferred to the United States.
Vercel (hosting): hosts the application and serves web content. Data may be processed in US and EU regions.
All processors are contractually obligated to protect your data and process it only on our instructions.
5. International Data Transfers
Your data may be transferred to and processed in the United States and other countries outside your country of residence. Where data is transferred outside the EEA or UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, together with processor-specific data processing agreements, to ensure an adequate level of data protection. For users in the United Arab Emirates: cross-border data transfers comply with UAE Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law), Article 22.
6. AI-Generated Content & Automated Decision-Making (GDPR Article 22)
Our platform uses artificial intelligence to generate training scenarios, score your responses, and assess your performance across the 8 ICAO pilot competencies. These AI-generated scores and assessments are for training and self-improvement purposes only. They do not constitute an official assessment, examination result, or employment decision, and have no bearing on your professional standing or career progression. You have the right to request human review of any AI-generated assessment by contacting us at support@upgradealready.com.
7. Data Storage & Security
Your data is stored in encrypted databases hosted on industry-standard cloud infrastructure. We implement the following security measures: HTTPS/TLS encryption for all data in transit; bcrypt hashing for passwords; input validation and parameterised queries to prevent injection attacks; role-based access controls; and regular security reviews. While no system can guarantee absolute security, we take commercially reasonable steps to protect your personal data from unauthorised access, alteration, disclosure, or destruction.
8. Data Retention
Account data (name, email, profile information) is retained for as long as your account remains active. Training session data (responses, scores, competency assessments) is retained for the duration of your subscription. Upon account deletion, all personal data is permanently removed from our systems within 30 days. Anonymised and aggregated analytics data, which cannot be used to identify you, may be retained indefinitely for platform improvement purposes.
9. Your Rights
Under applicable data protection law, you have the following rights:
Right of Access (GDPR Article 15): request a copy of all personal data we hold about you.
Right to Rectification (Article 16): correct inaccurate or incomplete data via your account settings or by contacting us.
Right to Erasure (Article 17): delete your account and all associated data via account settings or by request.
Right to Data Portability (Article 20): export your data in a machine-readable format via account settings.
Right to Object (Article 21): object to processing of your data based on legitimate interest.
Right to Restrict Processing (Article 18): request that we limit how we process your data.
Right to Withdraw Consent: withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, use your account settings or email support@upgradealready.com. We will respond within 30 days.
10. Cookies
We use only strictly necessary cookies for authentication and session management. These cookies are essential for the platform to function and cannot be disabled. We do not use tracking cookies, advertising pixels, or third-party analytics cookies. Under the ePrivacy Directive, no consent is required for strictly necessary cookies.
11. California Residents (CCPA/CPRA)
If you are a California resident, the following additional disclosures apply: We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising. You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you. You have the right to request deletion of your personal information. To exercise these rights, contact support@upgradealready.com. We will not discriminate against you for exercising your privacy rights.
12. UAE Residents (PDPL)
Our processing of personal data complies with UAE Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law). Cross-border data transfers are disclosed in Section 5 above. UAE residents may exercise their data subject rights, including the right to access, rectify, and erase personal data, by contacting us at support@upgradealready.com.
13. UK Residents (UK GDPR)
Following the UK’s departure from the European Union, data protection in the United Kingdom is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. UK residents have the same rights as described in Section 9 above, including the rights of access, rectification, erasure, data portability, and objection to processing. If you are a UK resident and wish to exercise your rights, contact us at support@upgradealready.com. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.
14. Brazilian Residents (LGPD)
If you are a resident of Brazil, the Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018) provides you with additional rights regarding your personal data. These include: the right to confirmation of the existence of processing; the right to access your data; the right to correct incomplete, inaccurate, or outdated data; the right to anonymisation, blocking, or deletion of unnecessary or excessive data; the right to data portability; the right to deletion of data processed with your consent; the right to information about public and private entities with which your data has been shared; and the right to revoke consent. To exercise these rights, contact support@upgradealready.com. Our legal basis for processing under the LGPD is the performance of a contract and your explicit consent.
15. Canadian Residents (PIPEDA)
If you are a resident of Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation protect your personal information. Under PIPEDA, you have the right to: access your personal information held by us; challenge the accuracy and completeness of your information and have it amended as appropriate; and withdraw your consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions. We collect, use, and disclose your personal information only for purposes that a reasonable person would consider appropriate in the circumstances. To exercise your rights, contact support@upgradealready.com.
16. South African Residents (POPIA)
If you are a resident of South Africa, the Protection of Personal Information Act (POPIA, Act 4 of 2013) provides you with rights over your personal information. These include: the right to be notified that your personal information is being collected; the right to access your personal information; the right to request correction or deletion of your personal information; the right to object to the processing of your personal information; and the right to submit a complaint to the Information Regulator. Our processing of your personal information complies with the conditions for lawful processing set out in POPIA. To exercise your rights, contact support@upgradealready.com.
17. How to Exercise Your Rights
You can exercise most of your data protection rights directly through the platform: go to Settings → Your Data to export your data or delete your account. For any other requests, including access requests, rectification, objection to processing, or consent withdrawal, email support@upgradealready.com. We will respond to all requests within 30 days (or sooner where required by applicable law). We may ask you to verify your identity before processing your request. Exercising your rights is free of charge, though we reserve the right to charge a reasonable fee for manifestly unfounded or excessive requests.
18. Children’s Privacy
This service is designed exclusively for professional pilots aged 18 and over. We do not knowingly collect or process personal data from anyone under the age of 18. If we become aware that we have collected data from a person under 18, we will delete it promptly.
19. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify registered users via email and update the "Last updated" date at the top of this page. Your continued use of the platform after such changes constitutes acceptance of the updated policy.
20. Data Controller & Contact
Data Controller: Upgrade Already. For any questions about this privacy policy, your personal data, or to exercise your data subject rights, contact us at support@upgradealready.com. You also have the right to lodge a complaint with a supervisory authority in your jurisdiction, such as the ICO (United Kingdom), CNIL (France), or the relevant data protection authority where you reside.