Legal & compliance

Privacy Policy

Last updated 26 June 2026

Privacy Policy

Last updated: 26 June 2026 Effective: 3 May 2026

This Privacy Policy describes how Waypoint TMS ("Waypoint", "we", "us") collects, uses and shares personal data when you use our Training Management System (the "Service"). Waypoint is the data processor for personal data your employer (the "Operator") uploads to the Service. The Operator is the data controller of that data and is responsible for lawful basis, retention and data-subject rights under UK GDPR / EU GDPR. For data we collect about you directly (e.g. when you contact our support desk), Waypoint is the controller.

1. Who we are

Waypoint TMS is operated by Waypoint Aviation Software Ltd, a company incorporated in England and Wales. Contact: privacy@waypointtms.com.

2. Personal data we process

As a processor on behalf of the Operator we process:

  • Identity and contact data: full name, email, employee/licence number, role, fleet, base.
  • Training records: event type, aircraft type, simulator, competency grades, instructor remarks, signatures, attached documents (e.g. licence scans).
  • Authentication metadata: hashed password, session identifiers, last login IP, login user-agent, multi-factor enrolment state.
  • Device data on the mobile app: push-notification token, device model, OS version, app version, biometric-enrolment flag (the biometric template never leaves your device).
  • Audit data: every privileged action (who, what, when, from which IP).

As a controller of our own business records we process:

  • Support correspondence, contract data, billing data, marketing-list data (separate opt-in).

3. Why we process it (purposes & legal bases)

  • Performing the contract with the Operator: storing and surfacing training records, generating regulator-ready PDF reports, sending sync/notification emails, rate-limiting and abuse prevention.
  • Legitimate interests: securing the Service (audit logs, brute-force protection, anomaly alerting), product analytics on aggregated usage, error monitoring, billing and dispute resolution.
  • Legal obligation: retaining records to meet EASA / UK CAA crew-training documentation requirements that apply to the Operator and the regulator's audit window.
  • Consent (only where applicable): marketing emails outside your existing customer relationship.

4. Who we share it with (subprocessors)

We use a small, audited set of subprocessors to deliver the Service. The current list lives at https://waypointtms.com/legal/subprocessors and is also distributed to all Operators 30 days before any change. Today's subprocessors are:

  • Replit Inc. — application hosting, autoscale, edge proxy, TLS termination (United States, with EU-region failover).
  • Neon, Inc. — managed PostgreSQL database (EU region).
  • Resend, Inc. — transactional email delivery (United States; EU SCC 2021/914 in place).
  • Expo Application Services — mobile build pipeline and over-the-air update distribution (United States).
  • Sentry / Functional Software, Inc. — application error monitoring (United States; EU SCC 2021/914 in place).
  • Stripe Payments Europe Ltd. — billing and payment processing (Ireland).

We do not sell personal data and we do not share it with advertisers.

Business transfers. If Waypoint is involved in a merger, acquisition, investment, corporate reorganisation, insolvency, or a sale of some or all of its business or assets, personal data may be disclosed to the prospective or actual buyer and its professional advisers as part of due diligence and completion. We will require any recipient to honour commitments at least as protective as this Privacy Policy and to comply with applicable data-protection law, and the processor / controller roles described above continue: we remain the processor of training records and your Operator remains their controller. Where such a transaction would change the controller of data that Waypoint itself controls, or would otherwise materially affect how your personal data is handled, we will notify affected Operators in advance. Your rights under this policy and under UK / EU GDPR are not affected by any such transfer.

5. International transfers

Where personal data leaves the UK / EEA (e.g. Sentry, Resend, Replit hosting), we rely on the UK International Data Transfer Addendum and the EU Standard Contractual Clauses (2021/914), supplemented by the technical measures listed in our Security Policy: AES-256-GCM at rest, TLS 1.2+ in transit, application-level field encryption for licence numbers, scoped IAM roles.

6. Retention

Training records held in the Service are operationally and regulatory-critical, so retention is driven by the Operator's regulatory obligations rather than by us. While you are an active user of an Operator's Waypoint tenant, we keep your records for as long as the Operator instructs us to. After your Operator deletes your account or terminates their contract:

  • Operational backups are retained for 30 days then cryptographically destroyed.
  • Audit logs are retained for 2 years for security forensics.
  • Regulator-mandated training records may be retained by the Operator (as controller) under their own retention schedule, typically 5 years (EASA Part-FCL §1.080 / Part-ORO).

7. Your rights

Under UK / EU GDPR you may: access your data, correct it, request deletion, object to processing, request restriction, request portability, lodge a complaint with the ICO (UK) or your local supervisory authority. For training records, please contact your Operator directly — they are the controller. For data Waypoint controls (e.g. support emails), write to privacy@waypointtms.com and we will respond within 30 days.

8. Security

See our Security Policy at https://waypointtms.com/legal/security. In summary: encrypted in transit and at rest, MFA available for all staff and admin users, principle-of-least-privilege IAM, security headers (HSTS, X-Frame-Options, CSP on the web client), rate-limiting on auth endpoints, full audit log on every privileged action, 30-day automated PostgreSQL point-in-time backups, tested disaster-recovery runbook with a 4-hour RTO and 1-hour RPO target. Annual third-party penetration test.

9. Children

The Service is not intended for, and we do not knowingly process data of, children under 16.

10. Changes

We will email Operator administrators and post a notice in the Staff Console at least 30 days before a material change to this policy.

11. Contact

privacy@waypointtms.com — for data-subject requests, security disclosures, and DPA execution.

← All legal documents