Privacy Policy

Introduction & Scope

This Privacy Policy ("Policy") describes how AI Lab Technologies ("Company", "we", "us", or "our") collects, uses, discloses, retains, and protects personal information through the Aeroxperess mobile application ("App") and its associated backend services ("Platform").

Aeroxperess is a professional aviation operations management platform designed exclusively for licensed aviation personnel — including pilots, maintenance officers, and operations staff — employed by or contracted with organisations that have licensed the Platform. The App facilitates pre-flight briefings, post-flight documentation, crew management, compliance tracking, and associated workflows.

By accessing or using the App, you acknowledge that you have read, understood, and agree to the collection and use of information in accordance with this Policy. If you do not agree, you must immediately cease using the App and notify your organisation.

Scope of This Policy

This Policy covers:

• Personal information collected through the Aeroxperess iOS and Android mobile applications.
• Personal information collected through the Aeroxperess REST API backend services.
• Data stored in our PostgreSQL database infrastructure.
• Data processed in connection with our Enterprise Resource Planning (ERP) system integration.

This Policy does not cover third-party websites, services, or applications that may be linked from within the App.

Who We Are

The data controller and responsible entity for your personal information is:

Under the General Data Protection Regulation (GDPR), AI Lab Technologies acts as the Data Controller for personal data processed through the Aeroxperess Platform. Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), AI Lab Technologies is the Business. Under the India Digital Personal Data Protection Act 2023 (DPDP Act), AI Lab Technologies is the Data Fiduciary.

Data We Collect

We collect the following categories of personal information. All data is collected in the context of an active employment or contractual relationship with your aviation organisation.

3.1 Identity & Contact Information

3.2 Authentication & Security Data

3.3 Aviation Professional Credentials

3.4 Financial & Payroll Information

3.5 Flight Operations Data

3.6 Post-Flight & Maintenance Records

Post-flight data includes aircraft systems status, fuelling records (quantities, vendor, cost, slip numbers), oil servicing data, cabin safety checks, defect/snag reports, and aircraft utilisation metrics (airframe hours, cycles, engine hours, APU hours). This data is operationally linked to specific crew members and flights.

3.7 Biometric Data — Digital Signatures

The App captures handwritten digital signatures as PNG image files for regulatory sign-off purposes. See Section 9 for full biometric data disclosure.

3.8 Compliance & Documentation Records

3.9 Technical & Audit Data

3.10 Data We Do NOT Collect

• GPS / Real-time Location: We do not collect your device GPS coordinates or real-time location. Airport codes in flight operations refer to planned routes, not your physical position.
• Camera Access: The App does not access your device camera. Signatures are captured using an on-screen drawing interface.
• Third-Party Analytics: We do not use Google Analytics, Firebase Analytics, Mixpanel, Segment, Amplitude, or similar tracking services.
• Advertising Data: We do not collect data for advertising purposes and do not serve advertisements.
• Social Media Data: We do not integrate with social media platforms.
• Minors' Data: We do not knowingly collect data from persons under 18 years of age. See Section 18.

How We Use Your Data

We use collected personal information solely for the following purposes:

Legal Bases for Processing (GDPR)

How We Share Your Data

We do not sell, rent, trade, or otherwise transfer your personal information to third parties for monetary or other consideration. We limit sharing to the following necessary disclosures:

6.1 Your Employer / Licensed Organisation

All personal data processed through Aeroxperess is shared with and accessible to the aviation organisation that has licensed the Platform and employs you or engages you as a contractor. Your employer has authorised access to all data generated through the Platform in connection with your employment.

6.2 Infrastructure Service Providers

We may engage third-party service providers strictly for infrastructure, hosting, and technical operations. All such providers are bound by data processing agreements (DPAs) and are prohibited from using your data for any purpose other than providing services to us. These may include cloud hosting providers, database infrastructure providers, and email delivery services (for OTP delivery).

6.3 Legal & Regulatory Disclosure

We may disclose personal information when required to do so by applicable law, court order, governmental authority, or aviation regulatory body (e.g., DGCA, CAAM, GCAA, CAAS, EASA, FAA) to the extent required for compliance with aviation safety and licensing obligations.

6.4 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of assets, personal information may be transferred as part of that transaction. We will provide notice and, where required by applicable law, seek your consent before personal information is transferred and becomes subject to a different privacy policy.

6.5 With Your Consent

We may share your information with other parties with your explicit prior consent.

Data Retention

We retain personal information for as long as necessary to fulfil the purposes outlined in this Policy, comply with our legal obligations, resolve disputes, and enforce our agreements.

Upon expiry of the applicable retention period, we will securely delete or anonymise personal information. Where deletion is not immediately possible (e.g., backup systems), information is isolated from further processing until it can be deleted.

Security Measures

We implement comprehensive technical and organisational security measures appropriate to the sensitivity of aviation operations data:

8.1 Technical Safeguards

• Password Hashing: All passwords are hashed using bcryptjs with 12 salt rounds. Plain-text passwords are never stored or logged.
• Two-Factor Authentication (2FA): All logins require email OTP verification in addition to password (time-limited to 5 minutes).
• Encrypted Device Storage: Authentication tokens are stored using iOS Keychain (iOS) and Android EncryptedSharedPreferences (Android) — device-level hardware encryption.
• Transport Encryption: All API communications use TLS/HTTPS. Unencrypted HTTP connections are rejected.
• HTTP Security Headers: Helmet.js middleware enforces Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, and other OWASP-recommended headers.
• SQL Injection Prevention: All database queries use Sequelize ORM parameterised queries — raw SQL string concatenation is not used.
• Rate Limiting: Login attempts limited to 50 per 5-minute window; OTP requests limited to 3 per minute.
• Account Lockout: Accounts are automatically locked for 2 hours after 5 consecutive failed login attempts.
• HTTP Parameter Pollution Protection: hpp middleware prevents parameter pollution attacks.
• Immutable Audit Trail: Security-critical events are recorded in an append-only audit log table.
• Signature Data Integrity: Biometric signatures are stored as binary data (BYTEA) with server-side base64 encoding/decoding — not as plain-text strings.

8.2 Organisational Safeguards

• Role-based access controls limit data visibility to the minimum necessary for each user role (principle of least privilege).
• CEO and administrative roles see complete organisational data; pilot accounts are filtered to only their assigned operations.
• All access to sensitive financial and biometric data requires authenticated sessions.
• Data processing agreements (DPAs) are in place with all infrastructure providers.

8.3 Breach Notification

Biometric Data — Digital Signatures

9.1 What We Collect

The Aeroxperess App captures handwritten digital signatures using an on-screen drawing interface. Two types of signatures are collected:

• Maintenance Authorisation Signature: Captured by the Maintenance Officer to authorise the pre-flight briefing checklist. Stored in the briefing_signature field.
• Pilot Authorisation Signature: Captured by the Pilot in Command to authorise their pilot briefing checks. Stored in the pilot_signature field.

9.2 How Signatures Are Stored

Signatures are captured as PNG image files on the device and transmitted over HTTPS to our server, where they are stored as binary data (PostgreSQL BYTEA format). The signer's name, designation, and UTC timestamp are recorded alongside each signature. Signatures are not processed for biometric identification or authentication — they serve solely as a legal record of authorisation in the aviation operations workflow.

9.3 Legal Basis

Collection of signatures is:

• Required by aviation regulatory frameworks (ICAO, national civil aviation authority regulations) as part of the mandatory pre-flight and post-flight documentation chain;
• A contractual obligation under your employment or service agreement with your aviation organisation;
• Subject to your explicit in-app consent at the point of signature capture.

9.4 Retention & Deletion

Signature data is retained for a minimum of 3 years post-operation in compliance with aviation regulatory record-keeping obligations. After the applicable retention period, signature data is securely deleted. You may not request deletion of signatures that are subject to ongoing aviation regulatory record-keeping obligations.

9.5 Illinois BIPA / State Biometric Law Compliance

If you are a resident of Illinois, Texas, Washington, or another jurisdiction with specific biometric privacy statutes, please contact us at contact@ailabtech.com.sg for our jurisdiction-specific Biometric Data Collection Notice and to exercise any additional rights available to you under applicable state law.

Financial Data Handling

Financial and payroll data processed through Aeroxperess is done exclusively under the direction of your employer organisation acting as the data controller / data principal for employment purposes. AI Lab Technologies processes this data as a data processor on behalf of your employer.

Access Controls

Payroll and salary data is accessible only to:

• The individual employee (their own payslips only);
• Authorised HR and finance personnel designated by your employer with elevated access roles.

Bank Account Data

Bank account numbers are stored in encrypted form and used solely for salary disbursement coordination. We do not process payment transactions directly — disbursement is managed by your employer's payroll processes.

Multi-Currency Operations

The Platform supports payroll processing in UAE Dirham (AED), Singapore Dollar (SGD), and Indian Rupee (INR). All financial records are denominated and stored in the applicable payroll currency as configured by your employer.

Your Rights — GDPR (EEA / UK)

How to Exercise GDPR Rights

Submit your request in writing to contact@ailabtech.com.sg with the subject line "GDPR Data Subject Request". We will respond within 30 days; this may be extended by a further 2 months for complex requests. Identity verification will be required before processing requests.

Supervisory Authorities

EEA residents may contact their national data protection authority. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk. Irish residents may contact the Data Protection Commission (DPC) at dataprotection.ie.

Data Protection Officer (DPO)

We have designated a Data Protection Officer. DPO enquiries may be directed to: contact@ailabtech.com.sg — Subject: "Attention: Data Protection Officer".

Your Rights — CCPA / CPRA (California)

12.1 Categories of Personal Information Collected

Under the CCPA/CPRA, over the past 12 months, we have collected the following categories of personal information:

12.2 Sensitive Personal Information (CPRA — Civil Code §1798.121)

Under the CPRA, the following categories of information we collect are classified as Sensitive Personal Information (SPI):

• Government-issued identifiers: pilot licence number, ARN, passport number
• Financial information: bank account numbers, salary, deductions
• Biometric data: handwritten digital signatures
• Health-related data: medical certificate status and expiry

We do not use or disclose Sensitive Personal Information for any purpose other than those permitted under CPRA Section 1798.121(a), namely: providing the services reasonably expected by the consumer; ensuring security; short-term transient use; performing services on our behalf; undertaking internal research; and verifying quality of our services.

You have the right to limit the use and disclosure of your Sensitive Personal Information to these permitted purposes. To exercise this right, contact us at contact@ailabtech.com.sg.

12.3 Sources of Personal Information

We collect personal information:

• Directly from you: Account credentials, signature capture, profile updates, post-flight data entry.
• From your employer: HR records, crew assignments, payroll data imported from the ERP system.
• Automatically: IP addresses, HTTP access logs, device information, authentication timestamps.

12.4 Business or Commercial Purposes for Collection

Personal information is collected for the business purposes described in Section 4 of this Policy. We do not use personal information for cross-context behavioural advertising.

12.5 Categories of Third Parties Receiving Personal Information

As described in Section 6, we may disclose personal information to: your employer organisation, infrastructure service providers (under DPA), and regulatory authorities (when legally required).

12.6 Your CCPA/CPRA Rights

12.7 Do Not Sell or Share My Personal Information

12.8 How to Submit a CCPA/CPRA Request

Submit verifiable consumer requests to:

• Email: contact@ailabtech.com.sg — Subject: "California Privacy Rights Request"

We will acknowledge receipt within 10 business days and respond within 45 calendar days. If we require additional time (up to 90 days), we will notify you. You may submit up to two requests in any 12-month period. We will verify your identity before processing requests.

12.9 Authorised Agent

You may designate an authorised agent to make CCPA/CPRA requests on your behalf. The agent must provide signed written authorisation and you must verify your identity directly with us. We may deny requests from agents who do not submit proof of authorisation.

12.10 12-Month Lookback

Your Right to Know extends to personal information collected in the 12-month period preceding your request.

12.11 Financial Incentive Programmes

We do not offer financial incentives, price differences, or service differences in exchange for personal information.

Your Rights — CalOPPA (California)

13.1 Conspicuous Posting

This Privacy Policy is conspicuously posted and accessible from the Aeroxperess App and any associated web properties. It is available directly within the App and on our company website prior to account creation.

13.2 Effective Date

This Privacy Policy has an Effective Date of 18 March 2026, which is clearly displayed at the top of this page.

13.3 How to Review and Request Changes to Your Information

California residents may review and request changes to personal information held about them by:

1. Logging into the Aeroxperess App and accessing Profile settings to update name, email address, and phone number directly.
2. Submitting a written request to contact@ailabtech.com.sg specifying the information you wish to review or have corrected.
3. Contacting your employer's HR or administrative designee who manages your Aeroxperess account.

13.4 How We Respond to "Do Not Track" Signals

See Section 17 for our complete Do Not Track disclosure.

13.5 Third-Party Tracking

We do not permit third parties to collect personally identifiable information about users' online activities over time and across different websites or apps through our Platform. We do not use, or permit the use of, tracking pixels, web beacons, or third-party analytics trackers within the Aeroxperess App.

Your Rights — India DPDP Act 2023

14.1 Basis for Processing

We process personal data on the following bases under the DPDP Act:

• Consent: Where you have voluntarily provided consent for specific processing activities (e.g., signature capture).
• Legitimate Uses: Processing for employment purposes, legal compliance, public interest safety obligations, and other legitimate uses as defined under Section 7 of the DPDP Act.

14.2 Notice to Data Principals

As required under Section 5 of the DPDP Act, we provide this notice in English. The personal data we collect, the purposes for which it is processed, and the manner in which you may exercise your rights are set out in this Policy.

14.3 Rights of Data Principals

14.4 Grievance Officer

In accordance with Section 13 of the DPDP Act, our Grievance Officer can be reached at:

AI Lab Technologies
15 Gowtham Nagar, Tamil Nadu, India 613001
Email: contact@ailabtech.com.sg
Subject: "DPDP Grievance – [Your Name]"

We will acknowledge grievances within 48 hours and endeavour to resolve them within 30 days.

14.5 Data Breach Notification

In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals in accordance with the requirements of the DPDP Act and associated rules.

Your Rights — Singapore PDPA

15.1 Purpose Limitation

We collect, use, and disclose personal data for the purposes for which consent was given or that fall within legitimate purposes under the PDPA. We will not use personal data collected for a different purpose without obtaining fresh consent.

15.2 Rights Under PDPA

• Right of Access: Request information about personal data held about you and how it has been used or disclosed in the 12 months preceding the request.
• Right of Correction: Request correction of personal data that is inaccurate or incomplete.
• Right to Withdraw Consent: Withdraw consent for collection, use, or disclosure of personal data (subject to legal/contractual consequences).
• Right to Data Portability: (Where applicable under PDPA amendments) receive personal data in a commonly used machine-readable format.

15.3 Data Protection Officer (DPO)

Our DPO for Singapore PDPA purposes may be contacted at: contact@ailabtech.com.sg — Subject: "Singapore PDPA Request".

15.4 Mandatory Data Breach Notification

In accordance with the PDPA mandatory data breach notification obligation, we will notify the Personal Data Protection Commission (PDPC) and affected individuals if a data breach is likely to result in significant harm to affected individuals or is of a significant scale.

International Data Transfers

AI Lab Technologies is headquartered in India and operates services that may involve processing personal data across multiple jurisdictions. Your personal data may be stored and processed in India and potentially in other countries where our infrastructure providers operate.

16.1 Transfers from the EEA/UK

16.2 Transfers from Singapore

For transfers of personal data from Singapore to recipients in third countries, we comply with the PDPA's transfer limitation obligation and ensure comparable protection standards are contractually in place with data intermediaries and sub-processors.

16.3 Cross-Border Transfers within Aviation Operations

Flight crew data (names, roles, routes) may be accessible to operator organisations in different countries as part of international aviation operations. This is inherent to the aviation context and constitutes a legitimate use necessary for the performance of the aviation service contract.

Do Not Track (CalOPPA)

The Aeroxperess App is a dedicated professional mobile application, not a web browser. However, we provide the following disclosures in accordance with California Online Privacy Protection Act (CalOPPA) requirements:

• The Aeroxperess App does not currently respond to browser DNT signals, as it is a native mobile application operating outside a browser context.
• The App does not track users across third-party websites or online services over time.
• The App does not engage in cross-context behavioural advertising or third-party tracking.
• Server-side HTTP access logs are collected for security and operational purposes only and are not used for cross-site tracking. These logs are retained for a maximum of 90 days.
• IP address logging is limited to the briefing audit trail for regulatory compliance and aviation safety purposes.

If industry-wide DNT standards for mobile applications are adopted and we update our practices, we will revise this disclosure accordingly.

Children's Privacy

The Aeroxperess App is designed exclusively for licensed aviation professionals and is not directed at or intended for use by persons under the age of 18 years.

We do not knowingly collect, solicit, or process personal information from any person under 18 years of age. If you believe that we have inadvertently collected personal information from a minor without appropriate parental consent, please contact us immediately at contact@ailabtech.com.sg and we will promptly delete such information.

All aviation personnel using Aeroxperess must, by the nature of their professional qualifications (minimum age requirements for commercial pilot licences vary by jurisdiction but are typically 18–21 years), be legal adults at the time of account creation.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, applicable law, or Platform functionality. We are committed to transparency about such changes.

How We Notify You of Changes

• Material Changes: For changes that are material to your rights or our data practices, we will provide at least 30 days' advance notice through a prominent in-app notification and/or email to your registered address.
• Minor Changes: For non-material updates (e.g., typo corrections, clarifications), we will update the "Last Updated" date at the top of this Policy without separate notification.
• GDPR Users: Where material changes affect legal bases or processing purposes for EEA/UK users, we will seek fresh consent where required.
• CCPA/CPRA Users: We will provide at least 30 days' advance notice of material changes to our CCPA/CPRA disclosures.

How to Review Changes

The current version of this Policy is always available within the Aeroxperess App under Settings → Privacy Policy, and at our company website. The "Effective Date" and "Last Updated" dates at the top of this document indicate when the Policy was last revised.

Your continued use of the App following the effective date of a revised Policy constitutes your acceptance of the updated terms.

Policy Version Archive

Prior versions of this Privacy Policy are available upon request by emailing contact@ailabtech.com.sg with the subject "Privacy Policy Version Request".

Contact & Data Protection Officer

For any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us through the following channels:

Response Timelines