Privacy Policy
Last updated 30 May 2026
This Privacy Policy describes how Aeronautic AI Systems ABN 60 697 274 436 (“we”, “us”, “our”) collects, uses, and protects personal information in connection with our products: AeroReport, 9er.ai, and AirCrashReport (collectively, the “Services”).
We are based in Australia and our primary obligations arise under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We also recognise the rights of users in the United Kingdom (UK GDPR), New Zealand (Privacy Act 2020), and the United States under applicable state laws.
1. Information We Collect
Account information. When you create an account or sign in, we collect your email address. If you use Google sign-in, we receive your email address and email verification status from Google.
Usage data. We record queries submitted to the Services, query counts (for quota enforcement), and the date and time of requests. We do not store the content of AI-generated responses beyond the current session.
IP addresses. IP addresses are collected for anonymous trial quota enforcement (limiting free queries per IP per day). They are not linked to authenticated accounts.
Payment information. Payments are processed by Stripe. We do not receive or store your card number or banking details. We receive confirmation of payment status and the associated email address.
Communications. If you contact us by email, we retain that correspondence to respond to your enquiry.
2. How We Use Your Information
We use the information we collect to:
- Authenticate you and maintain your session
- Enforce usage quotas and subscription entitlements
- Process payments and manage your subscription
- Send transactional emails (sign-in links, receipts, subscription notices)
- Monitor and improve the quality of our Services
- Respond to support enquiries
- Comply with legal obligations
We do not use your data for advertising, and we do not sell your personal information to third parties.
3. Third-Party Services
We engage the following sub-processors and service providers:
- Google — optional OAuth sign-in (Google LLC, USA)
- Stripe — payment processing (Stripe, Inc., USA)
- Resend — transactional email delivery (Resend, Inc., USA)
- Vercel — web application hosting (Vercel, Inc., USA)
- Cloudflare — API edge infrastructure and DNS (Cloudflare, Inc., USA)
- Fly.io — background processing infrastructure (Fly.io, Inc., USA)
- Neon — managed PostgreSQL database (Neon, Inc., USA)
- Pinecone — vector database for document retrieval (Pinecone Systems, Inc., USA)
Each provider operates under its own privacy policy and data processing terms. Where required, we have entered into data processing agreements with these providers.
4. Cookies and Local Storage
We use strictly necessary cookies to manage authentication sessions (access token and refresh token). These are httpOnly, secure cookies and cannot be read by client-side scripts.
We use browser localStorage to store your remaining free query count locally on your device. No personal information is stored there.
We do not use advertising cookies or third-party tracking cookies.
5. Data Retention
We retain account information for as long as your account is active or as needed to provide the Services. If you request deletion of your account, we will remove your personal information within 30 days, except where retention is required by law.
Usage counters (query counts) are retained for quota enforcement and are not individually identifiable beyond your account.
6. Your Rights
Depending on your location, you may have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your personal information
- Object to or restrict certain processing
- Data portability (UK and EU users)
- Lodge a complaint with a relevant supervisory authority
To exercise any of these rights, contact us at privacy@aeronautic.co.
7. Cross-Border Data Transfers
Our service providers are primarily based in the United States. By using the Services, you acknowledge that your information may be transferred to and processed in the USA and other countries whose data protection laws may differ from your own. We take reasonable steps to ensure that such transfers comply with applicable law.
8. Security
We implement industry-standard security measures including encrypted connections (TLS), httpOnly authentication cookies, hashed token storage, and access controls. No method of transmission over the internet is completely secure, and we cannot guarantee absolute security.
9. Children
The Services are not directed to children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the revised policy at this URL with an updated date. For material changes, we will notify you by email where we hold your address. Continued use of the Services after changes constitutes acceptance of the updated policy.