Privacy Policy — Volio App

This Privacy Policy explains how your personal data is collected, used, and protected when you use Volio App. It applies to all users of the App and, where indicated, to participants of the Beta Testing Program. It is compliant with the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (nFADP).

1. Data Controller

The data controller responsible for your personal data is:

Issak Zanini (individual developer and owner of Volio App)
Province of Como, Italy
admin@volioapp.it

Once Volio App is incorporated as a legal entity, that entity will become the data controller and you will be notified with updated details.

2. What Data We Collect

a) Account data (all users)

Full name
Email address

b) Flight track and ADS-B data (all users)

Aircraft transponder data sourced from FlightAware's AeroAPI service and associated with your profile, covering aircraft, helicopters, gliders, ultralights, and other flying objects capable of generating ADS-B or equivalent transponder signals. This data is shared with other registered users of the App by design — using the flight tracking feature constitutes your explicit consent to this sharing.

c) Map interaction data (all users)

When you view maps within the App, your device sends requests to Mapbox servers to retrieve map tiles. These requests may include your IP address and the map area being viewed. This data is processed by Mapbox per their own Privacy Policy and is not stored by Volio App.

d) Beta tester signup data (beta testers only)

Prospective beta testers who sign up via the dedicated Microsoft Forms form provide the following additional data at the point of recruitment:

Full name and email address (mandatory)
Phone number (optional — only if consenting to WhatsApp contact for beta coordination)
Timestamped record of consent to these Terms and this Privacy Policy

This data is collected and stored by Microsoft on behalf of Volio App via Microsoft Forms / Microsoft 365. See Section 9 for full details.

e) Usage and analytics data (all users)

In-app actions and feature interactions
Session duration and frequency of use

f) Device and technical information (all users)

Device type and operating system version
App version
Crash logs and error reports
IP address (for connection and security purposes)

3. Purpose and Legal Basis for Processing

Purpose	Legal basis
Managing your account and access to the App	Performance of contract (Art. 6(1)(b) GDPR)
Sourcing and displaying ADS-B flight track data via FlightAware AeroAPI	Performance of contract + explicit consent (Art. 6(1)(b) and (a) GDPR)
Sharing your flight track with other users	Explicit consent (Art. 6(1)(a) GDPR)
Rendering maps via Mapbox	Performance of contract / legitimate interest (Art. 6(1)(b) and (f) GDPR)
Improving and debugging the App	Legitimate interest (Art. 6(1)(f) GDPR)
Processing takedown and wrongful association requests	Legal obligation + legitimate interest (Art. 6(1)(c) and (f) GDPR)
Sending App updates and communications via Brevo	Consent (Art. 6(1)(a) GDPR) — withdrawable at any time
Beta tester signup and consent recording via Microsoft Forms	Legal obligation to document consent (Art. 6(1)(c) GDPR) + legitimate interest (Art. 6(1)(f) GDPR)
Beta tester WhatsApp coordination (optional, phone number only)	Explicit consent (Art. 6(1)(a) GDPR) — withdrawable at any time
Processing beta feedback and usage data for product development	Consent (Art. 6(1)(a) GDPR) — beta testers only
Complying with legal obligations	Legal obligation (Art. 6(1)(c) GDPR)

4. Infrastructure and Hosting — Amazon Web Services (AWS)

The App's backend infrastructure is hosted on Amazon Web Services (AWS), operated by Amazon Web Services EMEA SARL (38 Avenue John F. Kennedy, L-1855 Luxembourg).

✓ All Volio App servers are located in the AWS eu-south-1 region (Milan, Italy). Your personal data is stored and processed exclusively within the European Union and is not transferred outside the EU/EEA as part of our hosting infrastructure.

AWS acts as a data processor on our behalf under a GDPR Art. 28-compliant Data Processing Addendum. For more information: https://aws.amazon.com/compliance/gdpr-center/

5. FlightAware AeroAPI — Flight Data Provider

The App sources aircraft transponder (ADS-B) data from FlightAware LLC via its AeroAPI service (Eleven Greenway Plaza, Suite 2900, Houston, TX 77046, USA). FlightAware is an independent data controller for the data it processes in delivering AeroAPI. API requests from our EU-based servers to FlightAware's US infrastructure are covered by FlightAware's incorporated Standard Contractual Clauses (SCCs).

For more information: https://flightaware.com/about/privacy

⚠ Important: ADS-B data must not be used for safety-of-life activities, real-time navigation, collision avoidance, air traffic control, or any safety-critical aviation purpose.

6. Mapbox — Map Rendering Service

Maps within the App are rendered using the Mapbox platform, operated by Mapbox Inc. (740 15th Street NW, Washington DC 20005, USA). When you view a map in the App, your device sends requests directly to Mapbox servers to load map tiles. These requests may include:

Your IP address (used by Mapbox to serve map tiles and for security purposes)
The map area being viewed (approximate geographic location)
Technical metadata such as device type and SDK version

Volio App does not receive, store, or have access to the data sent directly from your device to Mapbox. EU Standard Contractual Clauses (SCCs) apply to this US transfer.

For more information: https://www.mapbox.com/legal/privacy

7. Email Communications — Brevo

Your email address is managed using Brevo (formerly Sendinblue), operated by Sendinblue SAS (7 rue de Madrid, 75008 Paris, France).

✓ Brevo is a French company with servers located within the European Union. Email communications via Brevo do not involve any transfer of your personal data outside the EU/EEA.

We use Brevo to send you communications related to the App, new features, and future releases. You can unsubscribe at any time using the unsubscribe link in any email or by contacting admin@volioapp.it. For more information: https://www.brevo.com/legal/privacypolicy/

8. Data Sharing and International Transfers

Your personal data is not sold to third parties. It is shared only with:

Amazon Web Services (AWS, eu-south-1 Milan) — hosting. EU-based. No international transfer.
Brevo / Sendinblue SAS (France) — email communications. EU-based. No international transfer.
FlightAware LLC (US) — ADS-B data provider. SCCs apply.
Mapbox Inc. (US) — map tile requests from your device. SCCs apply.
Microsoft Corporation (US) — beta tester signup form and consent records via Microsoft Forms. EU data boundary applies; SCCs in place. Beta testers only.
Meta / WhatsApp (Ireland/US) — phone number only, for beta testers who optionally consent to WhatsApp coordination. SCCs apply. Beta testers only.
Analytics/crash reporting tools — for improving App stability.
Other App users — your flight track data, once associated with your profile, is visible to other registered users.
Legal or regulatory authorities — where required by law.

✓ The majority of your data is processed within the EU (AWS Milan + Brevo France). Limited transfers to US-based processors (FlightAware, Mapbox, Microsoft, and optionally Meta/WhatsApp) are each covered by Standard Contractual Clauses.

Beta Testing Program

9. Additional Privacy Information for Beta Testers

This section applies exclusively to users who have been invited to participate in the Volio App Beta Testing Program and have completed the signup via Microsoft Forms. If you have not been specifically invited as a beta tester, this section does not apply to you.

9.1 How beta tester data is collected

Beta testers are recruited via LinkedIn, Instagram, other social platforms, or personal invitation. Upon expressing interest, candidates are directed to a dedicated Microsoft Forms signup form. Data collected through this form includes name, email address, and optionally phone number. The form records a timestamped consent entry — this constitutes the formal, auditable record of your agreement to these Terms and this Privacy Policy, as required by GDPR Art. 7(1).

No personal data is collected from social media profiles themselves — only the information you actively provide in the Microsoft Forms signup form is processed by Volio App.

9.2 Microsoft Forms and Microsoft 365

The beta signup form is hosted on Microsoft Forms, a service provided by Microsoft Corporation (One Microsoft Way, Redmond, WA 98052, USA). Form responses — including your name, email, phone number (if provided), and consent timestamp — are stored in the Volio App Microsoft 365 account.

Microsoft has implemented its EU Data Boundary commitment, meaning that for Microsoft 365 customers based in the EU, data is stored and processed within the EU/EEA. EU Standard Contractual Clauses are also in place as an additional safeguard. For more information: https://www.microsoft.com/en-us/trust-center/privacy

9.3 WhatsApp coordination (optional)

Beta testers who optionally provide their phone number in the signup form and consent to WhatsApp contact may be added to a private WhatsApp group used exclusively for beta coordination. WhatsApp is operated by Meta Platforms Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland). Data may be transferred to Meta's US infrastructure under EU Standard Contractual Clauses. For more information: https://www.whatsapp.com/legal/privacy-policy

Beta testers may leave the WhatsApp group at any time. Upon leaving or upon request to admin@volioapp.it, the phone number will be deleted from our records within 7 days.

9.4 Additional data collected during testing

In addition to the data described in Section 2, beta testers' App interactions may be recorded in greater detail for product development, including specific feature usage patterns, error logs, and feedback or bug reports submitted during the program.

9.5 Retention of beta testing data

Microsoft Forms signup records (name, email, consent timestamp) will be retained for the duration of the beta program and for up to 24 months afterwards to demonstrate compliance with GDPR consent requirements. Phone numbers will be deleted within 7 days of leaving the WhatsApp group or upon request. Detailed beta usage logs may be retained in anonymised form indefinitely for product analysis.

9.6 Withdrawal of beta consent

You may withdraw your consent to beta testing participation at any time by contacting admin@volioapp.it. Withdrawal will end your participation in the beta program and will trigger deletion of your identifiable beta data, except where retention is required by law or for legitimate interest in demonstrating prior consent.

10. Data Retention

Your personal data will be retained for as long as your account is active and for up to 12 months after account closure, unless you request deletion earlier or a longer retention period is required by law.

Email address: retained until you unsubscribe or request deletion.
Flight track and ADS-B data: may be retained in anonymised or aggregated form for product development. Raw ADS-B data is not stored beyond 30 days.
Map interaction data: not stored by Volio App — processed solely by Mapbox.
Beta signup records (Microsoft Forms): retained up to 24 months for GDPR compliance purposes.
Beta tester phone numbers: deleted within 7 days of leaving the WhatsApp group or upon request.

11. Your Rights

Under the GDPR and Swiss nFADP, you have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate or incomplete data.
Erasure — request deletion of your data ("right to be forgotten").
Restriction — ask us to limit processing in certain circumstances.
Data portability — receive your data in a structured, machine-readable format.
Object — object to processing based on legitimate interest.
Withdraw consent — at any time for email communications, flight data sharing, or beta testing participation, without affecting prior processing.
Flight data takedown — request removal of wrongly associated flight data (see Section 12).

To exercise any of these rights, contact: admin@volioapp.it. We will respond within 30 days.

EU residents may lodge a complaint with the Garante per la protezione dei dati personali at www.garanteprivacy.it. Swiss residents may contact the FDPIC at www.edoeb.admin.ch.

12. Wrongful Association — Your Right to Request Removal

If you believe that a flight track or ADS-B data relating to a flying object you piloted or operate has been wrongly associated with another user's profile without your consent, contact us at admin@volioapp.it with the subject line "Flight Data Takedown Request". We will review and action all such requests within 72 hours.

13. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including hosting on AWS infrastructure certified to ISO 27001 and SOC 2 standards within the EU. However, no system is completely secure. Please do not share sensitive information beyond what is required to use the App.

14. Children

The App is strictly for users aged 18 and over. We do not knowingly collect personal data from minors. If you believe a minor has registered, please contact us at admin@volioapp.it immediately.

15. Changes to This Policy

This Privacy Policy may be updated to reflect changes in the App, our processors, or applicable law. If changes are material, you will be notified by email at least 14 days in advance.

16. Contact

Issak Zanini — Volio App
admin@volioapp.it