Aero.Academy

Legal

Privacy Policy

We handle your data minimally and transparently. This statement gives you the overview — what we collect, why, who we share it with, and what rights you have.

As of: May 2026 · governed by the revised Swiss Federal Act on Data Protection (FADP, in force since 1 September 2023). For users from the EU/EEA, the GDPR additionally applies.

1 · Controller

Controller for the data processing on aero.academy is Tom Hofer (see imprint). Contact for data protection matters: [email protected].

2 · What data we collect

On sign-in via Google or Apple we receive: your email address, your display name, a profile picture (if you released it) and a technical user ID from the OAuth provider. Nothing else.

During learning we store which cards you saw when, how you rated them (FSRS) and how you did in mock exams. We need this data so spaced repetition works and you see your progress.

With the AI-FI tutor we store your questions and the tutor's answers so you can continue conversations later.

On payment Stripe processes your payment data. We see neither your credit card number nor your bank details — we only get a subscription ID and status (active / cancelled).

Technically our hosting providers log server requests (IP, user-agent, timestamp, requested URL) — standard, minimal, for debugging and abuse prevention.

3 · What we use the data for

  • Provision of the learning tool and your account
  • Progress tracking, spaced-repetition scheduling, mock-exam scoring
  • AI-FI tutor dialogues and their persistent storage
  • Subscription handling (Pro tier)
  • Security, fraud prevention, account-sharing protection, bot defence
  • Occasional service emails (e.g. pricing changes, important updates) — no marketing spam

4 · Processors and third parties

We use the following services to operate the platform. With all of them we have a data processing agreement; they may only process your data on our behalf.

  • Supabase (USA, with EU region) — database, authentication. Your account, learning progress and AI-FI dialogues live here.
  • Railway (USA) — hosting the web application and background workers.
  • Stripe (USA, with Swiss subsidiary) — payment processing for the Pro subscription. Own privacy policy: stripe.com/ch/privacy.
  • Anthropic (USA) — AI models behind the AI-FI tutor and card QA. Anthropic does not use API inputs for training and deletes them after a short retention period. Own privacy policy: anthropic.com/legal/privacy.
  • Google and Apple (USA) — OAuth sign-in. You authenticate directly with Google/Apple; we only get the result.
  • Plausible Analytics (EU, servers in Germany) — cookieless, IP-anonymised reach measurement. No personal profiles, no cross-site tracking. Own privacy policy: plausible.io/privacy.
  • Google Ads (USA) — conversion tracking for our ads. Helps us understand which ads lead to sign-ups. Own privacy policy: policies.google.com/privacy.

Data transfers to the USA rely on Standard Contractual Clauses and — where available — the adequacy decision under the Swiss FADP and the EU-US Data Privacy Framework.

5 · Cookies and local storage

We set technically necessary cookies for your sign-in (session) and CSRF protection. Additionally, the Google Ads tag (see section 4) sets cookies for conversion tracking of our ads. No other tracking or analytics cookies from third parties.

As a Progressive Web App (PWA) aero.academy additionally stores today's card queue locally on your device so you can learn offline. This data does not leave your device until you're back online and sync reviews.

6 · Retention and deletion

We store your account and learning data for as long as your account is active. On account deletion (request via [email protected]) we delete your personal data within 30 days — statutory retention obligations (in particular for accounting data from the Stripe subscription) remain reserved.

7 · Your rights

Under Swiss FADP (and GDPR for EU/EEA users) you have the right to:

  • Access — we tell you what data we have stored about you
  • Rectification — incorrect data is corrected
  • Deletion — you can have your account deleted
  • Data portability in a common format
  • Objection against certain processing

For all of these matters, simply write to [email protected]. We respond within a few working days. You also have the right to file a complaint with the competent data protection authority (in Switzerland: FDPIC; in the EU: your national authority).

8 · Security

We use TLS encryption in transit, passwords are never stored in the first place (OAuth-only), and access to the production database is restricted to a few people. In case of a relevant data breach we'll inform you and the competent supervisory authority pursuant to FADP / GDPR.

9 · Changes

We update this statement when our data processing changes materially. The current version is always available at /datenschutz.

For general questions you can also use our contact form.

Quick note

Conversion tracking via Google Ads

If you accept, we set Google Ads cookies to measure which ads lead to signups. Our analytics (Plausible) is cookieless and runs regardless. Details in the privacy policy.

Privacy Policy — Aero.Academy · Aero.Academy