RETROFLIGHT
๐Ÿง‘โ€โœˆ๏ธ
RETROFLIGHT
๐Ÿง‘โ€โœˆ๏ธ
Version 1.3
Effective: 2025-12-08

Privacy Policy

Version 1.3 | Effective Date: 2025-12-08

Retroflight ("Retroflight", "we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and store your personal data when you use our flight animation service (the Service), and describes your rights.

This Policy applies to:

  • Visitors to the Retroflight website
  • Registered users of the Service

It does not apply to third-party websites or services that we do not control.

1. Data Controller

The data controller for the Service is:

Timo Ufermann โ€“ Retroflight
Email: timo@tiu-webapplications.de
Location: Hong Kong (service infrastructure hosted in the EU, see section 4).

Additional legal information is available in the Imprint on the website.

2. Data We Collect

2.1 Account Data

When you create or use an account, we may process:

  • Email address
  • Display name (if provided)
  • OAuth provider identifiers (e.g., Google, GitHub user ID)
  • Hashed password (for email/password logins)
  • Account creation date and timestamps of legal agreement acceptance

2.2 Payment Data

Payments are processed by Stripe. We receive and store only limited information necessary to manage your purchases, such as:

  • Stripe customer ID and session IDs
  • Purchase history (credits purchased, timestamps, status)
  • Currency and amount

We do not store full payment card numbers or CVV codes; this is handled directly by Stripe.

2.3 Usage Data

When you use the Service, we may automatically collect:

  • Login timestamps
  • IP address and approximate location (country/region)
  • Browser type, device type, operating system
  • Actions within the Service (e.g., hero generated, video rendered, flights uploaded)
  • Credit balances and usage history
  • Error logs and technical event data

2.4 User Content

We process User Content you provide, including:

  • Uploaded images/photos used for hero creation
  • Uploaded flight data files (e.g., Excel/CSV) or manually entered routes
  • Generated hero images and video files
  • Thumbnails and "hero" preview images

2.5 Cookies and Similar Technologies

We use:

  • Essential cookies (e.g., session cookies, CSRF tokens) to operate the Service and keep you logged in.
  • Functional cookies (e.g., remember-me, UI preferences) to provide personalized features only if you give consent.
  • Analytics cookies (e.g., Google Analytics) only if you give consent through our cookie banner.
  • Marketing cookies (e.g., Meta Pixel/Facebook Pixel) only if you give consent to help us understand the effectiveness of our advertising.

When you consent to marketing cookies, we also use the Meta Conversions API (server-side tracking) to send certain events directly from our servers to Meta. This provides more reliable attribution while still respecting your consent choice. See Section 7.4 for details.

You can manage your preferences via the cookie banner or your browser settings.

We process personal data for the following purposes and legal bases under the EU/UK GDPR:

  1. To provide and operate the Service
  2. Create and manage your account, authenticate logins
  3. Process your uploads, run AI hero generation, render videos, and serve them to you
  4. Manage credits and purchases

  5. Legal basis: Contract (Art. 6(1)(b) GDPR)

  6. To secure and maintain the Service

  7. Monitor usage for abuse, fraud, and security issues
  8. Maintain logs and backups

  9. Legal basis: Legitimate Interests (Art. 6(1)(f) GDPR โ€“ keeping the service secure and functional)

  10. To process payments

  11. Process your credit purchases through Stripe
  12. Handle refunds and chargebacks

  13. Legal bases: Contract and Legal Obligations (Art. 6(1)(b), (c) GDPR)

  14. To comply with legal obligations

  15. Keep records of consent to Terms & Conditions / Privacy Policy
  16. Maintain transaction records for tax and accounting

  17. Legal basis: Legal Obligation (Art. 6(1)(c) GDPR)

  18. To analyze and improve the Service

  19. Understand usage patterns (if analytics is enabled)
  20. Improve performance, UX, and features

  21. Legal basis: Legitimate Interests (Art. 6(1)(f) GDPR) for aggregated, pseudonymous data; Consent (Art. 6(1)(a) GDPR) for analytics cookies where required.

  22. To send service-related communications

  23. Account-related messages (e.g., important changes, security notices, deletion warnings)
  24. Legal basis: Contract and/or Legitimate Interests

We do not use your contact details for classic marketing newsletters unless we explicitly ask and obtain your separate consent.

4. Storage Location and International Transfers

4.1 Hosting

We currently host the Service on infrastructure located in the European Union, including:

  • Application servers at Hetzner (Germany)
  • Database via CockroachDB on AWS Frankfurt
  • File storage via Azure Blob Storage in Frankfurt

4.2 Third-Country Transfers

Some providers we use may process data outside the EU/EEA, for example:

  • OpenAI (for AI hero generation and related processing)
  • Stripe (payment processing)
  • Google Analytics (analytics, if consented)
  • Meta/Facebook (advertising attribution, if consented)

When data is transferred to a third country, we rely on appropriate safeguards such as:

  • An adequacy decision of the European Commission, or
  • Standard Contractual Clauses (SCCs) or equivalent mechanisms offered by the provider.

More details are typically available in the providers' own privacy policies.

5. Content Storage and Retention

We retain different categories of data for different periods, following the principle of keeping data only as long as necessary.

5.1 Account Data

  • Stored for as long as your account is active.
  • If you request account deletion, we delete or anonymize most account data, but may retain certain data for legal or security reasons (see 5.4).

5.2 Generated Videos and Flight Animations

  • Generated videos are stored only for a limited time.
  • The expiry date is set exclusively by Retroflight and cannot be configured by you.
  • As of the Effective Date of this Policy, our typical retention period is about 30 days from the date of creation.
  • The Service may show an indicative deletion or expiry date for each video; this is informational and not a guaranteed storage commitment.
  • Videos may be deleted earlier in case of:
  • Account deletion,
  • Legal or security issues, or
  • Technical or operational constraints.

If you want to keep a video, you should download it promptly. We cannot guarantee long-term availability.

5.3 Hero Images and Thumbnails

  • Hero images and thumbnails are usually stored for as long as your account is active, or until you delete them from within the Service.
  • We may perform technical housekeeping (e.g., removing obviously unused or orphaned files) if necessary.

After you delete your account, we may retain for a limited period:

  • Records of your consent to the Terms and Privacy Policy (e.g., version, timestamp, IP address)
  • Masked or hashed versions of your email address (so we can demonstrate that a particular person accepted certain terms, without keeping the raw email)
  • Payment records needed for tax and accounting purposes
  • Security and abuse-prevention logs

These records are kept only as long as necessary for:

  • Legal obligations (e.g., tax, accounting), and
  • The duration of applicable limitation periods for legal claims (typically up to several years under German law).

Where possible, such retained data is minimized, pseudonymized, or anonymized.

6. Data Sharing

We do not sell your personal data. We may share data with:

  1. Hosting and infrastructure providers

  2. Hetzner, AWS, Azure, CockroachDB โ€“ to host the application, databases, and files.

  3. AI providers

  4. For example, OpenAI: we send image data, prompts, and related inputs to generate hero images and content.

  5. These providers may temporarily store inputs and outputs to monitor abuse and improve service; please review their privacy policies for details.

  6. Payment processors

  7. Stripe โ€“ to process your payments securely.

  8. Analytics providers

  9. Google Analytics or similar, only if you consent via the cookie banner.

  10. We aim to configure analytics with IP anonymization where possible.

  11. Advertising and marketing providers

  12. Meta Pixel (browser-side) and Meta Conversions API (server-side), only if you consent via the cookie banner.
  13. Used to measure advertising effectiveness and show relevant content.

  14. Server-side events may include hashed email, hashed user ID, IP address, and browser user agent for attribution purposes.

  15. Service providers and contractors

  16. Developers or operational partners who help operate or improve the Service, bound by confidentiality and data processing agreements.

  17. Authorities and legal recipients

  18. Where required by law, court order, or to protect our rights or the rights of others.

7. Cookies and Analytics

7.1 Essential Cookies

We use essential cookies to:

  • Keep you logged in,
  • Remember your session and security settings,
  • Prevent CSRF and other attacks.

These cookies are necessary for the Service to function and cannot be turned off in our systems.

7.2 Functional Cookies

With your consent, we may use functional cookies and local storage to:

  • Keep you logged in for extended periods ("Remember me"),
  • Store your UI preferences (e.g., hero orientation, AI provider choice).

7.3 Analytics Cookies

With your consent, we may use analytics tools such as Google Analytics to:

  • Understand how users interact with the Service,
  • Improve performance and usability.

If enabled, these tools may set cookies in your browser and collect pseudonymous usage data. We configure Google Analytics with IP anonymization enabled and use Google Consent Mode v2 to respect your cookie choices.

7.4 Marketing Cookies and Server-Side Tracking

With your consent, we may use marketing tools to measure advertising effectiveness:

Browser-side (Meta Pixel): - Meta Pixel (Facebook Pixel) may set cookies in your browser (_fbp, _fbc, fr) to track interactions with our Service and show you relevant advertisements on other platforms.

Server-side (Meta Conversions API): - We also use the Meta Conversions API to send certain events directly from our servers to Meta. This provides more reliable attribution, especially when browser tracking is limited. - Server-side events are only sent when you have consented to marketing cookies. - Events that may be sent server-side include: - Registration (when you create an account) - Initiate Checkout (when you start a credit purchase) - Purchase (when a payment is completed) - Data sent to Meta via the Conversions API includes: - Hashed email address (SHA-256, not readable by Meta) - Hashed user ID (SHA-256) - IP address and browser user agent (for attribution) - Facebook click ID (_fbc) and browser ID (_fbp) cookies if present - Event details (e.g., purchase value, currency)

Both browser-side and server-side tracking respect your consent choice. If you withdraw consent via the cookie banner, no further marketing data is collected or sent.

You can:

  • Withdraw your consent at any time via the cookie banner or "Cookie Settings" link in the footer,
  • Block non-essential cookies using your browser settings or browser add-ons.

For more information about how Meta processes your data, see Meta's Privacy Policy.

8. Your Rights

If you are in the EU/EEA, the UK, or another jurisdiction with similar rights, you may have the following rights regarding your personal data:

  • Right of access โ€“ obtain a copy of your personal data.
  • Right to rectification โ€“ correct inaccurate or incomplete data.
  • Right to erasure โ€“ request deletion of your data under certain conditions.
  • Right to restriction of processing โ€“ request we limit how we use your data.
  • Right to data portability โ€“ receive your data in a structured, commonly used, machine-readable format.
  • Right to object โ€“ object to certain processing based on legitimate interests or direct marketing.
  • Right to withdraw consent โ€“ where processing is based on consent (e.g., analytics or marketing cookies), you can withdraw consent at any time; this does not affect processing already carried out.

To exercise your rights, please contact us at timo@tiu-webapplications.de. We may need to verify your identity before fulfilling requests.

You also have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA member state of your habitual residence, place of work, or alleged infringement.

9. Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect personal data from children under 13.

If you believe a child has provided us with personal data, please contact us so we can delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time.

If we make material changes, we will:

  • Update the Effective Date and version at the top, and
  • Inform you via the Service (e.g., banner, in-app message) and/or email, where appropriate.

If you continue to use the Service after the updated Policy takes effect, you agree to the changes. If you do not agree, you should stop using the Service and may request account deletion.

11. Contact

If you have questions about this Privacy Policy or our data practices, you can contact us at:

Email: timo@tiu-webapplications.de

We will do our best to respond within a reasonable time.

โ† Back to App