Privacy policy.
Version: [POLICY_VERSION]
Effective date: [POLICY_EFFECTIVE_DATE]
Applies to: airworth.app, www.airworth.app (the “Site”)
This document was drafted by an AI language model and has not yet been reviewed by a licensed attorney. Review by a Spanish-licensed AND a US-licensed attorney is required before publication on any production domain. The bracketed placeholders below ([NIF], [ADDRESS], etc.) are intentionally unfilled until counsel signs off.
This Privacy Policy explains how Refugio del Castor SL (“Airworth”, “we”, “us”) collects and processes personal data when you visit the Site or join the Airworth waitlist for our products Airworth Hangar and Airworth Flights. The Airworth product applications (portal.airworth.app, fpl.airworth.app) are governed by their own privacy policies.
We have written this policy to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR, the Spanish Organic Law 3/2018 on Data Protection (“LOPD-GDD”), the Spanish Information Society Services Law 34/2002 (“LSSI-CE”), and applicable US state privacy laws (California CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA).
1. Who we are and how to contact us
The data controller is:
- Refugio del Castor SL (“Airworth”)
- NIF: [NIF]
- Registered address: [ADDRESS]
- Mercantile Registry: [MERCANTILE_REGISTRY]
- Email: [CONTACT_EMAIL]
We have not appointed a Data Protection Officer because our processing does not meet the thresholds in Art. 37(1) GDPR. If this changes, we will appoint a DPO and update this policy. For all data-protection enquiries, contact us at [CONTACT_EMAIL].
For UK data subjects, our controller of record is the same Spanish entity above. We have not appointed a UK representative under Art. 27 UK GDPR; if our processing of UK residents’ data scales materially, we will reconsider.
2. What data we collect and why
| Category | Examples | Source |
|---|---|---|
| Contact data | Email address | You, when you submit the waitlist form |
| Optional profile | Role (e.g. owner, club admin), country | You (optional fields) |
| Consent metadata | Timestamp, truncated IP (IPv4 /24 or IPv6 /64), user-agent, source URL, SHA-256 hash of the consent copy you saw, confirmation timestamp, withdrawal timestamp and method | Automatically when you submit and confirm |
| Preferences | Language preference (lang_pref first-party cookie) | Your browser |
| Security telemetry | Cloudflare Turnstile challenge result (transient) | Your browser |
| Aggregate analytics | Cookieless page-view counts, referrer, country, device type, via Plausible | Automatically |
| Email engagement | Open/click events on transactional and marketing emails | Resend |
We do not collect: government identifiers, payment data, precise geolocation, biometric data, special-category data (Art. 9 GDPR), or data relating to children we have knowingly identified as such.
3. Legal bases (GDPR / LOPD-GDD)
| Processing activity | Lawful basis |
|---|---|
| Sending waitlist confirmation, welcome, and product-update emails | Consent — Art. 6(1)(a) GDPR; LSSI-CE art. 21 |
| Storing the consent log itself | Legal obligation — Art. 6(1)(c) GDPR (Art. 7(1) requires us to demonstrate consent) |
| Operating the Site, language preference, security (Turnstile) | Legitimate interest — Art. 6(1)(f); strictly-necessary cookies under LSSI-CE art. 22.2 |
| Cookieless aggregate analytics (Plausible) | Legitimate interest — Art. 6(1)(f) |
| Responding to data-subject requests | Legal obligation — Art. 6(1)(c) |
| Defending or asserting legal claims | Legitimate interest — Art. 6(1)(f) |
Where the legal basis is consent, you may withdraw at any time without affecting the lawfulness of processing carried out before withdrawal (Art. 7(3) GDPR).
4. Sub-processors
| Sub-processor | Role | Data location | Transfer mechanism | DPA |
|---|---|---|---|---|
| Cloudflare, Inc. | Edge hosting, DNS, Turnstile, D1 (consent log) | EU edge + EU D1 | EU–US DPF + 2021 SCCs | Yes |
| Resend (Resend, Inc.) | Transactional and marketing email; eu-west-1 | EU sending region; account/metadata in US | EU–US DPF + 2021 SCCs | Yes |
| Sentry (Functional Software, Inc.) | Application error monitoring | US | EU–US DPF + 2021 SCCs | Yes |
| Plausible Insights OÜ | Cookieless aggregate analytics | EU (Frankfurt) | N/A (intra-EEA) | Yes |
We do not sell your personal data and we do not share it for cross-context behavioral advertising as those terms are defined under the California CCPA/CPRA.
5. International transfers (Resend, Cloudflare)
Where data is transferred outside the European Economic Area (EEA) or the United Kingdom, we rely on:
- The EU Commission’s adequacy decision implementing the EU–US Data Privacy Framework (Implementing Decision (EU) 2023/1795), where the recipient is DPF-certified.
- The 2021 EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914) as fallback or complementary safeguard.
- For UK transfers, the UK ICO IDTA or the UK Addendum to the EU SCCs.
We have considered Schrems II (CJEU C-311/18) and are satisfied that, given the limited scope of personal data transferred (a contact email and consent metadata), the safeguards above provide an essentially equivalent level of protection. Copies of the SCCs are available on request from [CONTACT_EMAIL].
6. Retention periods
| Data | Retention |
|---|---|
| Waitlist email + optional profile | Until you unsubscribe / withdraw consent, then deleted within 30 days |
| Consent log (for the email above) | 3 years after withdrawn_at, then deleted |
| Email engagement events | 13 months rolling |
| Cookieless analytics (Plausible) | Aggregated; no individual records |
| Sentry error logs | 90 days |
| Backups | Up to 35 days, then overwritten |
We may retain a minimal record beyond these periods only where strictly necessary to comply with a legal obligation or to defend a legal claim, in line with Art. 17(3) GDPR.
7. Your rights and how to exercise them
Under the GDPR / UK GDPR / LOPD-GDD you have the rights of access, rectification, erasure, restriction, portability and objection, as well as the rights to withdraw consent, not to be subject to automated decision-making, and to lodge a complaint with a supervisory authority.
If you are a California resident, you also have the rights under the CCPA/CPRA to know, delete, correct, opt out of sale or sharing (we do neither), limit use of sensitive personal information (we do not collect it), and not be retaliated against. Residents of Virginia, Colorado, Connecticut, Texas and Utah have substantively equivalent rights under their respective state laws.
To exercise your rights, email [CONTACT_EMAIL] from the address that appears in our records, or include enough information for us to verify your identity. We will respond within one month (GDPR Art. 12(3)) or 45 days (CCPA), extendable once where justified by complexity or volume.
8. Marketing and waitlist consent
If you join the waitlist, we send a double-opt-in (DOI) confirmation email. Only after you click the confirmation link do we add you to the relevant Resend Audience and send waitlist updates.
You can unsubscribe at any time by clicking the unsubscribe link in any email, visiting /preferences to manage per-product preferences (Airworth Hangar and Airworth Flights are independent), or emailing [CONTACT_EMAIL]. We honor unsubscribes immediately and at the latest within 10 business days (CAN-SPAM 15 U.S.C. §7704(a)(4)).
9. Cookies
The Site uses only strictly necessary cookies, which are exempt from prior consent under LSSI-CE art. 22.2. See our Cookies notice for the full list.
10. Changes to this policy
We may update this Policy. The version number and effective date at the top reflect the current edition. For material changes, we will post the updated Policy on the Site at least 15 days before it takes effect and, where the change materially affects your rights, notify waitlist subscribers by email. Prior versions are available on request.
You may lodge a complaint with the AEPD (Spain), ICO (UK), your national EEA supervisory authority, the California Privacy Protection Agency, or the equivalent state authority. We would, however, appreciate the chance to address your concerns first; you can reach us at [CONTACT_EMAIL].
Contact
- Email: [CONTACT_EMAIL]
- Post: Refugio del Castor SL, [ADDRESS]