Privacy Policy
This policy explains how Contrail LLC collects, uses, shares, and protects your personal data when you use our website and platform.
Legal Notice
This document has been prepared as a comprehensive privacy policy for Contrail LLC. Please consult licensed legal counsel before relying on any provision.
1. Who We Are and Scope
Contrail LLC is a limited liability company providing an aviation-native intelligence platform serving airlines, MRO providers, original equipment manufacturers (OEMs), and cargo operators (the "Services").
This Privacy Policy covers: (a) the website at www.contrailllc.com and its subdomains; (b) our SaaS platform; and (c) all related products and services. It does not apply to third-party websites linked from our Services.
Controller vs. Processor: When your employer or contracting organization provides your details to access the platform, that organization acts as the data controller and Contrail operates as data processor. For direct website visitors and prospective customers, Contrail is the data controller. Where a Data Processing Addendum (DPA) or Master Services Agreement (MSA) governs our relationship, its terms prevail over this Policy in the event of conflict.
2. Key Definitions
- Personal Data — information about an identified or identifiable individual, including as defined under CCPA/CPRA, GDPR, UK Data Protection Act 2018, and equivalent state laws.
- Sensitive Data — special categories under GDPR Article 9 and analogous state-law definitions.
- Processing — any operation performed on personal data, whether automated or not, including collection, use, disclosure, storage, and deletion.
- Customer Data — materials uploaded or generated within the Platform, including supplier lists, operational logs, vendor risk records, and cybersecurity telemetry.
- Aviation Safety Data — safety management information per ICAO Annex 19.
- Sub-processor — a third party engaged to process personal data on Contrail's behalf.
3. Categories of Personal Data Processed
3.1 Account and Contact Data
- Name, job title, role, employer, department
- Work email, phone number, business mailing address
- Username, hashed passwords, authentication credentials (SSO identifiers, MFA artifacts)
- Language preference, time zone, communication preferences
3.2 Billing and Transaction Data
- Billing contact details and purchase-order references
- Subscription plan, contract value, renewal dates
- Payment card last four digits, brand, expiry, and payment token
- Invoice and receipt history
Security note: Contrail does not store full primary account numbers, CVC codes, or full magnetic-stripe data. Card data is collected exclusively by our PCI-DSS-compliant payment processor.
3.3 Platform Usage and Telemetry
- Login timestamps, IP address, user agent, device identifiers, geolocation
- Pages viewed, features used, queries run, alerts reviewed
- Administrator action audits, permission changes, data exports
3.4 Customer-Uploaded Supply-Chain Data
- Supplier and vendor names and points of contact
- Part numbers, purchase-order identifiers, inspection records, airworthiness documentation
- Certifications and approvals (FAA 14 CFR Part 145, EASA Part-145)
- Shipping, logistics, and lead-time information
3.5 Cybersecurity Telemetry (OT & IT)
- Network-flow summaries, endpoint inventories, IAM events, vulnerability outputs
- Threat indicators (IPs, file hashes, domains, detection signatures)
- Vendor remote-access logs, VPN session metadata
- OT device identifiers, protocol metadata, anomaly-scoring results
- Incident records, analyst notes, remediation status
3.6 Marketing, Support, and Correspondence
- Messages to sales, support, and customer-success teams
- Event and webinar registration data
- Marketing engagement metrics (opens, clicks, form submissions)
3.7 Sensitive and Special-Category Data
Contrail does not knowingly solicit or use racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data for identification, health data (except aviation medical-certification references), sex-life or sexual-orientation data, or criminal-offense data.
4. How Data Is Collected
- Directly from you — account registration, demo requests, free trials, contact forms, correspondence, platform uploads.
- From your employer or contracting entity — account provisioning, data uploads referencing individuals.
- Automatically — through cookies, local storage, and log files during Site or Platform interaction.
- From third parties — identity providers, public business records, commercially licensed threat-intelligence feeds, event and marketing partners.
5. Purposes and Legal Bases
| Purpose | GDPR Legal Basis |
|---|---|
| Platform provision | Art. 6(1)(b) contract; processor instruction under Art. 28 |
| Billing and fraud prevention | Art. 6(1)(b) contract; Art. 6(1)(c) legal obligation; Art. 6(1)(f) legitimate interest |
| Security monitoring and incident response | Art. 6(1)(f) legitimate interest; Art. 6(1)(c) where required by law |
| Customer support | Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interest |
| Marketing to existing customers | Art. 6(1)(f) legitimate interest; ePrivacy soft opt-in where applicable |
| Marketing to prospects | Art. 6(1)(a) consent where required; Art. 6(1)(f) legitimate interest elsewhere |
| Legal compliance | Art. 6(1)(c) legal obligation; Art. 6(1)(f) legitimate interest |
| Product improvement | Art. 6(1)(f) legitimate interest; consent where required |
Where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of processing performed before withdrawal.
6. Aviation-Specific Data Handling
ICAO Annex 19 Safety Data
Data reported under safety-management systems receives "safety-privileged" treatment. Contrail uses such data only for platform provision to reporting customers, except where law requires disclosure.
FAA Cybersecurity Requirements (14 CFR)
Contrail is not a type-certified avionics system or part of any aircraft's certified configuration. Our Platform operates exclusively on ground-based enterprise infrastructure and does not process data on airborne aircraft systems, transponders, or flight-critical networks.
EASA Part-IS and NIS2 Directive
Our DPA contains cooperation commitments to support incident reporting, information-security management obligations, and supplier-risk-management duties under EASA Part-IS and the NIS2 Directive (EU) 2022/2555.
TSA Security Directives
Contrail does not collect or transmit "Sensitive Security Information" (SSI) as defined in 49 CFR Part 1520 unless expressly requested and authorized by a customer in writing.
Export Controls (ITAR, EAR, OFAC)
Important: Customers are solely responsible for classifying any technical data they upload and for ensuring their use of the Platform complies with applicable export-control and sanctions laws. If your use will involve ITAR-controlled technical data or transactions implicating OFAC-sanctioned jurisdictions, contact your Contrail account team before uploading such data.
7. Data Sharing
We do not sell personal data, and we do not share personal data for cross-context behavioral advertising.
7.1 Sub-Processors
Sub-processors are bound by written contracts requiring: restriction to documented instructions, confidentiality obligations, appropriate security measures, and pass-through of data-subject protections. Customers receive notice of new sub-processors and may object within 30 days.
7.2 Within Enterprise Accounts
Authorized users within your organization's tenant may view data consistent with the roles and permissions configured by your administrator.
7.3 Legal Compliance and Rights Protection
Disclosure may occur when required to comply with applicable law, a subpoena, court order, or lawful request of a regulator (including the US FAA, TSA, EASA, and counterpart aviation authorities); to enforce our Terms; or to protect the safety, rights, or property of Contrail, our customers, or the public. We evaluate government requests carefully, narrow them where legally permissible, and notify affected customers unless legally prohibited.
7.4 Corporate Transactions
If Contrail undergoes a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal data may be transferred as part of that transaction, subject to customary confidentiality obligations.
7.5 Consent or Direction
We share with third parties only with your consent or at your direction — for example, when you elect to integrate a third-party service with the Platform.
8. International Data Transfers
Contrail is US-headquartered with sub-processors in multiple jurisdictions. For transfers from the EEA, UK, or Switzerland to non-adequate countries, we use the following safeguards:
- European Commission Standard Contractual Clauses (EU 2021/914)
- UK International Data Transfer Agreement or UK Addendum
- EU–US Data Privacy Framework, UK Extension, and Swiss–US Data Privacy Framework (where certified)
- Binding Corporate Rules (where available)
- Explicit consent or GDPR Article 49 derogations
A copy of the safeguards in place for a particular transfer is available on request by contacting our data-protection team at privacy@contrailllc.com.
9. Data Retention
| Category | Retention | Basis |
|---|---|---|
| Active Account / Customer Data | Duration of subscription + 90 days | Contractual |
| Billing / Tax Records | 7 years (US); 10 years (EU equivalent) | Tax / Accounting Law |
| Security / Audit Logs | 12 months minimum; up to 7 years for material incidents | Security; NIS2 / SOC 2 |
| Marketing Engagement | Until opt-out or 24 months inactivity | Legitimate Interest / Consent |
| Job-Applicant Records | Up to 24 months after decision | Legitimate Interest / Consent |
After the applicable retention period expires, we delete or anonymize personal data so it can no longer be used to identify you. Anonymized data may be retained for product improvement and analytics.
10. Security and Confidentiality
Contrail maintains administrative, technical, and physical safeguards designed to protect personal data proportionate to the risks presented by the processing. Our program aligns to SOC 2 Type II and ISO/IEC 27001:2022 and includes:
- TLS 1.2+ encryption in transit; AES-256 at rest
- Least-privilege access controls with mandatory MFA for all personnel
- Role-based access controls, just-in-time privilege elevation, quarterly access reviews
- Continuous vulnerability management, annual penetration testing, bug-bounty coverage
- Background checks and confidentiality obligations for all personnel
- Business-continuity and disaster-recovery testing
- Logging and monitoring aligned to SOC 2, NIS2, and EASA Part-IS
No security program can guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Contrail will notify affected customers without undue delay in accordance with applicable law (including GDPR Arts. 33–34, US state breach-notification statutes, and NIS2 incident reporting requirements).
11. Your Privacy Rights
Subject to applicable law and verified identity, you have the right to:
- Access — obtain a copy of the personal data we hold about you
- Correction — request correction of inaccurate or incomplete personal data
- Deletion — request erasure, subject to legal exceptions
- Portability — receive a copy of your data in a structured, machine-readable format
- Restriction / Objection — ask us to restrict or object to processing based on legitimate interests or for direct marketing
- Opt-out — from sale or sharing for behavioral advertising (we do not engage in these activities but honor the right)
- Withdraw Consent — where processing is consent-based
- Non-discrimination — we will not discriminate against you for exercising any of these rights
- Appeal — where rights requests are declined
To exercise these rights, email privacy@contrailllc.com. We verify your identity before responding and respond within 30 days (GDPR / UK GDPR) or 45 days (most US state laws).
12. US State-Specific Rights
12.1 California (CCPA / CPRA)
Contrail does not sell personal information and does not share personal information for cross-context behavioral advertising. California residents have all of the rights listed in Section 11, plus the right to limit the use of their sensitive personal information. Authorized agents may submit requests on a resident's behalf with proof of authorization. Appeals go to privacy@contrailllc.com with "California Appeal" in the subject line; a response is required within 45 days.
12.2 Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana
Residents have access, correction, deletion, and portability rights, plus opt-outs from targeted advertising, sales, and profiling. Since Contrail does not engage in these activities, opt-outs primarily cover legitimate-interest and contractual processing bases.
12.3 Shine the Light (California Civil Code § 1798.83)
Contrail does not share personal information with third parties for their direct-marketing purposes.
13. EU / UK / EEA / Swiss Rights
In addition to Section 11 rights, individuals in these jurisdictions may:
- Lodge complaints with their local Data Protection Authority, the UK ICO, or the Swiss FDPIC
- Request information on international transfer safeguards per Section 8
- Opt out of decisions based solely on automated processing with legal or similarly significant effects
Representatives: EU Representative and UK Representative details are available upon request. Data Protection Officer inquiries: privacy@contrailllc.com.
14. Automated Decision-Making and AI
The Platform uses machine-learning models and rule-based analytics to generate risk scores, supply-chain disruption alerts, and cybersecurity anomaly detections — intended for human analyst review.
Key safeguard: Contrail does not make decisions that produce legal or similarly significant effects concerning you based solely on automated processing (GDPR Art. 22). All material decisions require human-in-the-loop review.
Our AI governance includes model bias, accuracy, and drift testing; transparency mechanisms for administrators; and alignment to the EU Artificial Intelligence Act.
15. Cookies and Similar Technologies
- Strictly necessary — session, authentication, load-balancing, CSRF protection. Cannot be disabled.
- Functional — language, time-zone, and UI preferences.
- Analytics — aggregate usage insights, deployed with consent where required.
- Marketing — only with consent. We do not use third-party advertising cookies for cross-context behavioral advertising.
Manage preferences via the in-product cookie banner. We honor the Global Privacy Control (GPC) signal.
16. Children
The Services are intended for enterprise business users and are not directed to children. We do not knowingly collect personal data from individuals under 16 years of age (or the applicable minimum age in your jurisdiction). If you believe a child has provided personal data to us, please notify us at privacy@contrailllc.com.
17. Changes to This Policy
Updates will be posted on this page with a revised "Last Updated" date. Material changes will receive direct notice where required by applicable law. Continued use of the Services after an updated policy takes effect constitutes acceptance of the revisions.
18. Contact Us
Data Protection Inquiries
Email: privacy@contrailllc.com
Mail: Contrail LLC, Attn: Privacy Office
[Registered Address]
Rights Requests
Email: privacy@contrailllc.com
Response time: 30–45 days
Verification required
UK Representative
Available on request via privacy@contrailllc.com
EU Representative
Available on request via privacy@contrailllc.com