Security
Your data is yours. We treat it that way.
FlightReady handles flight data — routes, departure times, performance parameters — that operators consider sensitive. Our security practices reflect that responsibility.
Security Principles
Built for operators who take data seriously.
Six foundational commitments that govern how FlightReady handles your flight data.
No training on user data
Flight data entered into FlightReady is never used to train or improve AI models, and is never transferred to any AI provider for training purposes. Your route analyses, logbook entries, and preflight sessions are your data.
Encryption in transit
All data transmitted between your device and FlightReady servers is encrypted using TLS 1.3. We enforce HTTPS across all endpoints. Certificate pinning is applied for mobile clients.
Encryption at rest
User data is stored encrypted at rest using AES-256. Database backups are encrypted separately. Encryption keys are managed via a hardware security module (HSM).
Minimal data collection
We collect only what is required to provide the service. We do not sell data, share data with third-party analytics providers, or retain data beyond operational necessity.
Authentication security
Authentication is managed by Supabase with JWT tokens and OAuth2 support. Sessions expire automatically. Brute-force protection and suspicious login detection are active.
Infrastructure security
FlightReady is deployed on Supabase-managed infrastructure and the Vercel edge network. Infrastructure-level DDoS protection, automated vulnerability scanning, and dependency auditing are active.
Compliance & Standards
Practices aligned with industry expectations.
FlightReady follows established data protection standards and maintains transparent policies for how flight data is handled.
Data protection by design
We collect only what is required to operate FlightReady. Flight routes, logbook entries, and AI session context are stored for product functionality — never sold or used for model training.
Encryption standards
TLS 1.3 for all data in transit. AES-256 encryption at rest with HSM-managed keys. Encrypted database backups stored separately from production data.
Account lifecycle
When you delete your account, personal data is removed within a 30-day window. We do not retain flight data beyond operational necessity after deletion.
Third-party infrastructure
FlightReady runs on Supabase (database, authentication) and Vercel (edge hosting). Both providers maintain SOC 2 Type II certifications. We do not share your flight data with AI training providers.
Data Handling
What we collect — and what we never do.
What we collect
- Email address (authentication)
- Pilot certificate type (optional, for context)
- Home airport ICAO (optional)
- Flight routes analyzed (stored for history feature)
- AI chat queries (stored for session context)
- Logbook entries (if provided)
- Usage telemetry (page views, feature usage — no PII)
What we never do
- Sell user data to any third party
- Share flight data with AI training providers
- Use your routes to train or fine-tune models
- Retain data after account deletion (removed within a 30-day window)
- Track your location or device without consent
- Share data with advertisers
- Store plaintext passwords (bcrypt + Supabase auth)
Technical Controls
Defense in depth.
Responsible Disclosure
Vulnerability reporting
If you discover a security vulnerability in FlightReady, please report it privately via email before public disclosure.
We commit to acknowledging receipt within 24 hours and providing a resolution timeline within 5 business days.
We do not pursue legal action against researchers who discover and responsibly disclose vulnerabilities in good faith.
Security Inquiries
Questions about our security practices?
Reach out directly. We respond to all security inquiries.