Information on the processing of personal data in SimSoar
This privacy policy describes which personal data is processed when using SimSoar. The platform is currently under active development. Before public production use, this policy must be legally reviewed and adapted to the actual infrastructure.
1. Controller
SimSoar Project Team
2. Processed data
- user account data, for example user ID, username, display name and email address
- profile information within SimSoar, for example callsign, home airfield, preferred simulator, preferred aircraft, country and profile description
- uploaded IGC files and calculated flight data, for example distance, altitude, speed, thermal data, flight time and track points
- technical operational data, for example server logs, timestamps, IP address, browser data and error logs
- security-relevant events, for example login status, profile changes, uploads, moderation actions and future admin actions
3. Purposes of processing
- providing the SimSoar platform
- authentication and user management
- storing and analyzing virtual gliding flights
- displaying public leaderboards and flight details
- operation, security, troubleshooting and abuse prevention
- moderation of public content and protection of platform integrity
4. Legal bases
Depending on the feature, processing is based on Art. 6(1)(b) GDPR for providing the platform, Art. 6(1)(f) GDPR due to legitimate interests in secure and stable operation, and, where required for optional features, Art. 6(1)(a) GDPR based on consent.
5. Authentication
SimSoar uses OpenID Connect for sign-in. The actual user identity, password policies, MFA settings and central role management are handled by the identity service. SimSoar only processes token information required for sign-in, role checks and user mapping.
6. IGC uploads and public flight data
Uploaded IGC files may contain personal data, especially if callsigns, names, registrations or position data are included. Public flights may be visible to other users. Private or unlisted flights should only be processed and displayed according to their visibility setting.
7. Server logs and security
During platform operation, technical log data may be processed. This includes IP addresses, timestamps, requested URLs, status codes, error messages and security-relevant events. These data are used for secure operation, troubleshooting and abuse prevention.
8. Recipients and infrastructure
The application is intended for self-hosted infrastructure. Depending on the operating model, web servers, database servers, user management systems, reverse proxy, load balancer, firewall, email systems and storage components may be involved. Specific service providers and processors must be added before production use.
9. Retention period
Personal data are stored only as long as necessary for the stated purposes. User profiles and flight data generally remain stored while the user account is active or until deletion is requested. Technical logs should be rotated regularly and deleted after an appropriate period.
10. Rights of data subjects
- access to stored personal data
- rectification of inaccurate data
- erasure of personal data
- restriction of processing
- data portability
- objection to certain processing operations
- withdrawal of consent with effect for the future
- complaint to a competent data protection supervisory authority
11. Cookies and local storage
SimSoar may use technically necessary cookies or local storage mechanisms, especially for sign-in, session handling, language settings, security functions and future user preferences such as dark mode. Non-essential tracking or marketing cookies are currently not planned.
12. Automated decision-making
Automated decision-making within the meaning of Art. 22 GDPR does not currently take place. Automatic flight evaluation, scoring or thermal analysis is used for the technical presentation of flight data and has no legal effect on users.
13. Privacy contact
Privacy-related requests can be sent to the contact address listed in the legal notice. Before public production use, a dedicated privacy contact address should be added.
Note: This privacy policy is a technical template and does not replace legal review.