Legal & compliance
Last updated 26 June 2026
Last updated: 26 June 2026 Effective: 3 May 2026
This Privacy Policy describes how Waypoint TMS ("Waypoint", "we", "us") collects, uses and shares personal data when you use our Training Management System (the "Service"). Waypoint is the data processor for personal data your employer (the "Operator") uploads to the Service. The Operator is the data controller of that data and is responsible for lawful basis, retention and data-subject rights under UK GDPR / EU GDPR. For data we collect about you directly (e.g. when you contact our support desk), Waypoint is the controller.
Waypoint TMS is operated by Waypoint Aviation Software Ltd, a company incorporated in England and Wales. Contact: privacy@waypointtms.com.
As a processor on behalf of the Operator we process:
As a controller of our own business records we process:
We use a small, audited set of subprocessors to deliver the Service. The current list lives at https://waypointtms.com/legal/subprocessors and is also distributed to all Operators 30 days before any change. Today's subprocessors are:
We do not sell personal data and we do not share it with advertisers.
Business transfers. If Waypoint is involved in a merger, acquisition, investment, corporate reorganisation, insolvency, or a sale of some or all of its business or assets, personal data may be disclosed to the prospective or actual buyer and its professional advisers as part of due diligence and completion. We will require any recipient to honour commitments at least as protective as this Privacy Policy and to comply with applicable data-protection law, and the processor / controller roles described above continue: we remain the processor of training records and your Operator remains their controller. Where such a transaction would change the controller of data that Waypoint itself controls, or would otherwise materially affect how your personal data is handled, we will notify affected Operators in advance. Your rights under this policy and under UK / EU GDPR are not affected by any such transfer.
Where personal data leaves the UK / EEA (e.g. Sentry, Resend, Replit hosting), we rely on the UK International Data Transfer Addendum and the EU Standard Contractual Clauses (2021/914), supplemented by the technical measures listed in our Security Policy: AES-256-GCM at rest, TLS 1.2+ in transit, application-level field encryption for licence numbers, scoped IAM roles.
Training records held in the Service are operationally and regulatory-critical, so retention is driven by the Operator's regulatory obligations rather than by us. While you are an active user of an Operator's Waypoint tenant, we keep your records for as long as the Operator instructs us to. After your Operator deletes your account or terminates their contract:
Under UK / EU GDPR you may: access your data, correct it, request deletion, object to processing, request restriction, request portability, lodge a complaint with the ICO (UK) or your local supervisory authority. For training records, please contact your Operator directly — they are the controller. For data Waypoint controls (e.g. support emails), write to privacy@waypointtms.com and we will respond within 30 days.
See our Security Policy at https://waypointtms.com/legal/security. In summary: encrypted in transit and at rest, MFA available for all staff and admin users, principle-of-least-privilege IAM, security headers (HSTS, X-Frame-Options, CSP on the web client), rate-limiting on auth endpoints, full audit log on every privileged action, 30-day automated PostgreSQL point-in-time backups, tested disaster-recovery runbook with a 4-hour RTO and 1-hour RPO target. Annual third-party penetration test.
The Service is not intended for, and we do not knowingly process data of, children under 16.
We will email Operator administrators and post a notice in the Staff Console at least 30 days before a material change to this policy.
privacy@waypointtms.com — for data-subject requests, security disclosures, and DPA execution.