Air Transat Virtual
MENU
Home Pilots
Operations
VA Operations Fleet
Community
Ranks FAQ Contact
Resources
Docs Privacy Terms
Join Now Crew Centre
Privacy Header

PRIVACY & GDPR

Your privacy matters. Learn how we collect, use, and protect your personal information in compliance with GDPR and PIPEDA.

Overview Collection Usage Sharing Retention Rights Security Contact

Last Updated: November 27, 2025

Overview and Legal Basis

Air Transat Virtual is a non-commercial flight simulation community operated by volunteers, dedicated to the ethical handling of personal data. We comply with the General Data Protection Regulation (GDPR) for all European users and the Personal Information Protection and Electronic Documents Act (PIPEDA) for Canadian users, ensuring the highest standards of privacy protection worldwide.

By registering with Air Transat Virtual, you explicitly provide Consent (as per GDPR Article 6(1)(a) and PIPEDA) for us to process your data for the purpose of operating your virtual pilot account, tracking your flight activity, and providing access to our community resources.

Our primary legal basis for processing your data is contractual necessity for the performance of the VA's service agreement with you (maintaining your pilot account, flight tracking, and community access). This Privacy Policy explains in detail what personal data we collect, how we use it, how we protect it, your rights under data protection laws, and how to exercise those rights.

Air Transat Virtual is committed to transparency, security, and accountability in all data processing activities. We implement industry-standard technical and organizational measures to safeguard your information and only retain data for as long as necessary to fulfill the purposes outlined in this policy.

What Data We Collect

Account Information (Explicit Consent)

When you register as a pilot, we collect this data based on your explicit consent and our need to fulfill your membership contract. All information is collected through secure encrypted channels:

  • Full Name, Date of Birth, and Email Address: Used for pilot identification, account verification, important communications regarding your membership, and age verification to comply with minimum age requirements (13+). Your email is never shared with third parties and is used solely for VA communications.
  • VATSIM or IVAO Network ID: Verified via those network's API tools to confirm active membership, as required by their policies for VA recognition and to enable integration with online flying networks. This helps maintain the authenticity and credibility of our virtual airline within the flight simulation community.
  • Country of Residence: Collected to determine applicable data protection laws (e.g., GDPR for EU residents, PIPEDA for Canadian residents) and to ensure we meet jurisdiction-specific privacy requirements. This information is also used to display pilot distribution statistics on our roster.
  • Discord Username: Required for community access, real-time communication, event coordination, and official announcements. Discord is our primary communication platform for member engagement and support.
  • Securely Hashed Password: Stored using industry-standard bcrypt hashing algorithm to protect your Crew Centre account. We never store passwords in plain text and cannot retrieve your original password. Password reset is always done through secure token-based email verification.

Operational & Flight Data (Contractual Necessity)

This data is automatically collected via our ACARS system (SmartCARS 3 / VMS ACARS) to provide the core service of a virtual airline (career tracking, statistics, promotions). This is necessary for the performance of your VA membership contract and enables us to maintain accurate flight logs, leaderboards, and pilot rankings:

  • Flight Information: Includes flight route, departure and arrival airports (ICAO codes), assigned flight number, scheduled/actual departure/arrival times, and flight status. This data creates your permanent flight history and contributes to your pilot statistics.
  • Aircraft Details: Aircraft type (e.g., A321neo, A330-300), registration number, and real-time position tracking (latitude/longitude coordinates) during active flights. Position data enables live flight tracking on our map and is retained for replay/review purposes.
  • Performance Metrics: Flight duration, distance flown, fuel consumption, average ground speed, cruising altitude, and landing rate statistics. These metrics are publicly displayed on your pilot profile and contribute to awards, rank progression, and community leaderboards.
  • Connection Data: IP address collected only at the time of flight submission for security and integrity checks (preventing duplicate submissions, detecting fraudulent activity). IP addresses are immediately anonymized or deleted after validation and are never stored long-term or shared with third parties.
  • PIREP Details: Pilot Reports including any notes, remarks, or incident reports filed after flight completion. This information helps our training department provide feedback and maintain operational standards.

Website Analytics (Legitimate Interest)

We use privacy-respecting analytics tools based on our legitimate interest in maintaining and improving our website performance, user experience, and technical infrastructure. This data collection is essential for:

  • Anonymized Traffic Analysis: Includes anonymized IP addresses (last octet removed), browser type and version, device type (desktop/mobile/tablet), screen resolution, and referring website. This helps us optimize site performance and compatibility.
  • Page Visit Metrics: Pages viewed, session duration, bounce rates, and navigation patterns. Used to improve site structure and identify popular content areas.
  • Geographic Data: Country and city-level location data (derived from anonymized IP) to understand our global user base and optimize content delivery networks (CDN).

Privacy-First Approach: We do not use intrusive tracking cookies, cross-site tracking, or advertising trackers. We do not sell analytics data to third parties. Our analytics are aggregated and anonymized, meaning individual users cannot be identified or tracked across websites.

Cookies & Session Data

Air Transat Virtual uses minimal, essential cookies to provide core functionality:

  • Authentication Cookies: Strictly necessary session cookies that keep you logged into the Crew Centre. These expire when you close your browser or log out.
  • Preference Cookies: Store your site preferences (e.g., dark mode, language selection) to improve your experience. These are optional and can be cleared at any time.

We do NOT use: Third-party advertising cookies, social media tracking pixels, or any form of behavioral tracking cookies.

How We Use Your Data

Your personal data is used strictly for the operation and management of the Air Transat Virtual community, based on the principles of necessity (PIPEDA) and legitimate interest/contractual necessity (GDPR). We are committed to data minimization—collecting only what is essential—and purpose limitation—using data only for explicitly stated purposes:

  • Pilot Account Management To create, maintain, and secure your pilot account; track your flight activity for accurate career progression; manage rank promotions based on flight hours and performance; and maintain your pilot profile with up-to-date statistics and achievements.
  • Network Integration & Verification To verify your active status on VATSIM or IVAO as required by those networks' policies for VA recognition and credibility. This ensures our VA maintains good standing with online flying networks and enables seamless integration for events and group flights on those platforms.
  • Community Access & Communications To provide secure access to our Crew Centre portal, training academy, downloadable resources, and Discord community server. To send essential operational notifications about system maintenance, policy updates, and security alerts. To communicate optional promotional content about events, tours, and community activities (with opt-out available).
  • Statistical Analysis & Improvement To generate aggregated, anonymized statistical reports for internal analysis; identify trends in flight operations and pilot activity; improve the quality, performance, and usability of our services; and develop new features based on community needs and usage patterns.
  • Security & Fraud Prevention To detect and prevent fraudulent PIREP submissions, duplicate accounts, and abuse of our systems. To maintain the integrity of our flight tracking and ranking systems. To investigate and resolve security incidents or policy violations.
  • Legal Compliance To comply with applicable data protection laws (GDPR, PIPEDA); respond to lawful requests from authorities when legally required; and maintain records for accountability and audit purposes as mandated by privacy regulations.

Absolute Commitment: We will never sell, rent, lease, or trade your personal data to third parties for their marketing purposes. We will never use your data for commercial advertising or profiling beyond what is necessary for VA operations. Your data is yours, and we respect that.

Data Sharing & Disclosure

Public Roster & Profile Information

To promote community activity, transparency, and healthy competition, the following information is publicly displayed on our Roster page and pilot profiles, as explicitly accepted upon registration:

  • Pilot ID, Callsign, and Display Name: Your unique pilot identifier and chosen display name/callsign
  • Rank and Status: Current pilot rank (Second Officer, First Officer, Captain, etc.) and account status (Active, On Leave, Retired)
  • Flight Statistics: Total flight hours, number of flights completed, distance flown, and average landing rate
  • Network Affiliation: Your VATSIM/IVAO ID and associated nickname/name (if provided and if you've chosen to display it publicly)
  • Recent Flight History: List of recent flights including routes, aircraft used, and dates
  • Awards & Achievements: Any badges, certificates, or recognition earned within the VA

Note: Your email address, date of birth, Discord username, and IP address are never publicly displayed. You may request to hide specific profile elements by contacting our Data Protection Officer.

Third-Party Service Providers

We work with carefully selected third-party service providers to deliver our services. These partners are bound by strict data processing agreements and are only permitted to process data on our behalf for specified purposes:

  • Hosting Providers: Our servers and databases are hosted with GDPR and PIPEDA-compliant providers in Canada or EU data centers with appropriate security certifications (ISO 27001, SOC 2).
  • Email Services: Transactional emails (password resets, notifications) are sent through secure email service providers that comply with data protection regulations.
  • Security Services: DDoS protection and web application firewall (WAF) services that process connection data for security purposes only.
  • Analytics Platforms: Privacy-respecting analytics tools that process anonymized traffic data without cross-site tracking or advertising purposes.

We do NOT share personal data with: Marketing agencies, advertising networks, data brokers, or any third party for their commercial purposes.

VATSIM/IVAO Network Partners

We may share anonymized, aggregated flight data (e.g., total number of flights, total hours flown by all pilots) with our VATSIM or IVAO partners for recognition, promotional purposes, or event coordination, as per their Terms of Service and VA partnership agreements. Individual personally identifiable information is never shared without explicit consent. This sharing supports our VA's standing with these networks and enables participation in official events.

Legal Disclosure Requirements

We may disclose your personal data if required by law, court order, legal process, or governmental request. We will notify you of such disclosures unless legally prohibited from doing so. In the event of a business transfer, merger, or acquisition (hypothetical, as we're a non-commercial entity), we would notify affected users and ensure continued data protection under equivalent privacy standards.

International Data Transfers

Your data is primarily stored on servers located within Canada or GDPR-compliant jurisdictions (EU/EEA). If data must be transferred outside these regions, we ensure adequate safeguards are in place through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions recognizing equivalent data protection standards
  • Binding Corporate Rules (BCRs) where applicable

Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected and to satisfy any legal, accounting, or reporting requirements. This principle of storage limitation ensures we don't keep data longer than needed:

Active Pilot Accounts

Data is retained for the duration of your active membership and includes:

  • All account information (name, email, network IDs)
  • Complete flight history with detailed statistics
  • Awards, achievements, and rank progression records
  • Communication preferences and profile settings

Inactive Accounts (Automatic Suspension)

Accounts that show no flight activity for 12 consecutive months without an approved Leave of Absence (LOA) will be automatically flagged for suspension. You will receive email notifications at 9, 10, and 11 months of inactivity warning of impending suspension. After 12 months, your account will be suspended, and after an additional 30-day grace period, all personally identifiable information (email, name, DOB, Discord ID, VATSIM/IVAO ID) will be permanently deleted. Flight data will be anonymized and retained in aggregated form for statistical reporting (see below).

Anonymized Flight Data (Statistical Purposes)

After account deletion, anonymized flight records (without any personal identifiers) may be retained indefinitely for legitimate statistical and operational purposes, including:

  • Historical VA statistics (total flights operated, popular routes, fleet utilization)
  • Performance benchmarking and trend analysis
  • System optimization and capacity planning

Importantly: Anonymized data cannot be traced back to individual pilots and contains no personal identifiers.

Deletion Requests (Right to Erasure)

You may request immediate account deletion at any time by contacting privacy@transatvirtual.com. Upon receiving your request, we will:

  • Permanently delete all identifying personal data within 30 days
  • Anonymize remaining flight records for statistical purposes
  • Send confirmation of deletion to your registered email

Exception: If required by law or legitimate legal claims, some data may be retained in secure backups until the legal obligation expires.

Backup and Disaster Recovery

For business continuity and disaster recovery purposes, encrypted backups containing personal data are retained for up to 90 days. Deleted data may persist in backups until the backup retention period expires, after which it is permanently purged. Backups are stored securely with encryption and restricted access.

Your Rights (GDPR & PIPEDA)

Under GDPR (for EU residents) and PIPEDA (for Canadian residents), you have comprehensive rights regarding your personal data. Air Transat Virtual is committed to honoring these rights promptly and transparently:

Right to Access

(GDPR Art. 15 / PIPEDA Principle 9)

Request a complete copy of all personal data we hold about you, including account information, flight history, and communication records. We will provide this in a structured, commonly used format (PDF or CSV) within 30 days of your request, free of charge for the first request.

Right to Rectification

(GDPR Art. 16 / PIPEDA Principle 6)

Correct any inaccurate or incomplete personal information in your account. You can update most information directly through the Crew Centre. For changes requiring verification (e.g., VATSIM/IVAO ID), contact our support team.

Right to Erasure ("Right to be Forgotten")

(GDPR Art. 17 / PIPEDA: Withdrawal of Consent)

Request deletion of your account and associated personal data. We will permanently erase your information within 30 days, except where retention is required by law or for legitimate legal claims. Anonymized flight statistics may be retained for historical records.

Right to Data Portability

(GDPR Art. 20)

Receive your personal data in a structured, machine-readable format (JSON/CSV) to transfer to another virtual airline or service. This includes flight logs, pilot statistics, and account information.

Right to Object

(GDPR Art. 21 / PIPEDA: Withdrawal of Consent)

Object to processing of your data for specific purposes, particularly for direct marketing or profiling. You can opt-out of promotional communications at any time by adjusting your Crew Centre notification preferences or contacting us.

Right to Restrict Processing

(GDPR Art. 18)

Request temporary restriction on how we process your data in specific circumstances (e.g., while verifying accuracy of disputed data, during legal proceedings). Your account will remain accessible but processing will be limited.

Right to Withdraw Consent

(GDPR Art. 7(3) / PIPEDA Principle 3)

Withdraw your consent for data processing at any time. This will result in account closure, as consent is necessary for VA membership. You can withdraw consent by requesting account deletion.

Right to Lodge a Complaint

(GDPR Art. 77 / PIPEDA)

File a complaint with your local data protection authority if you believe your rights have been violated. EU: Contact your national Data Protection Authority. Canada: Office of the Privacy Commissioner of Canada (OPC).

How to Exercise Your Rights

To exercise any of these rights, please submit a request via one of the following methods:

Email (Preferred)
privacy@transatvirtual.com

Response Time: We will acknowledge your request within 72 hours and provide a complete response within 30 days as required by GDPR and PIPEDA. Complex requests may take up to 60 days with prior notification. All requests are handled free of charge unless manifestly unfounded or excessive.

Data Security

Air Transat Virtual implements comprehensive industry-standard technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Our multi-layered security approach includes:

Encryption & Transport Security

  • TLS 1.3 Encryption: All data transmitted between your browser and our servers is encrypted using modern TLS 1.3 protocol
  • Database Encryption: All personal data at rest is encrypted using AES-256 encryption
  • Secure Backups: Encrypted backups stored in geographically distributed locations

Authentication & Access Control

  • Bcrypt Password Hashing: Passwords hashed with industry-standard bcrypt algorithm (cost factor 12+)
  • Role-Based Access: Staff access limited on need-to-know basis with audit logging
  • Multi-Factor Authentication: Optional 2FA for enhanced account security

Infrastructure Security

  • Firewall Protection: Network-level firewalls restricting unauthorized access
  • DDoS Mitigation: CloudFlare protection against distributed denial-of-service attacks
  • Server Hardening: Minimal software installation, disabled unnecessary services, regular patching

Application Security

  • SQL Injection Prevention: Parameterized queries and prepared statements
  • XSS Protection: Input sanitization and output encoding to prevent cross-site scripting
  • CSRF Tokens: Protection against cross-site request forgery attacks

Ongoing Security Practices

  • Regular Security Audits: Periodic vulnerability assessments and penetration testing
  • Software Updates: Prompt application of security patches and framework updates
  • Activity Monitoring: Real-time logging and alerting for suspicious activities
  • Incident Response Plan: Documented procedures for responding to security breaches
  • Staff Training: Regular security awareness training for all team members with data access

Important Security Notice

While we implement comprehensive security measures and continuously work to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security against all possible threats, including sophisticated cyber-attacks, zero-day vulnerabilities, or insider threats.

In the unlikely event of a data breach affecting your personal information, we commit to:

  • Notify affected users within 72 hours as required by GDPR
  • Report to relevant data protection authorities as legally mandated
  • Provide transparent information about what data was affected and recommended actions
  • Implement immediate remediation measures and strengthen security controls

Your Role in Security

You play an important role in protecting your account. Please follow these best practices:

  • Use a strong, unique password for your Crew Centre account
  • Enable two-factor authentication (2FA) if available
  • Never share your password with anyone, including VA staff
  • Log out after using shared or public computers
  • Report suspicious activity immediately to security@transatvirtual.com

Contact Us

To exercise any of your rights, ask questions about our privacy practices, or report a data protection concern, please contact our Data Protection Officer:

Email (Official Requests)
privacy@transatvirtual.com

For formal data requests, complaints, and privacy inquiries. Responses within 72 hours.

Discord Community
Join Server

Open a privacy ticket for quick support and general questions. Real-time assistance available.

Response Commitments

  • Initial Acknowledgment: Within 72 hours of receiving your request
  • Complete Response: Within 30 days as required by GDPR and PIPEDA
  • Complex Requests: Up to 60 days with prior notification if additional time needed

Supervisory Authorities: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. EU residents: Contact your national DPA. Canadian residents: Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or technological developments. Any material changes will be communicated to all active pilots via email at least 30 days before taking effect. The "Last Updated" date at the top of this policy indicates when the most recent changes were made. Continued use of Air Transat Virtual services after policy updates constitutes acceptance of the revised terms. We encourage you to review this policy periodically to stay informed about how we protect your data.