Privacy Policy

Last updated: March 22, 2026

1. Data Controller

The controller of personal data is:

FLIGHTCORE STUDIOS SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ ul. Adama Mickiewicza 9/U1, 01-517 Warsaw, Poland NIP: 5252908747, REGON: 522091895 Email: [email protected] Phone: +48 791 730 204

This Privacy Policy applies to websites under the flightcore.pl domain (including edu.flightcore.pl, docs.flightcore.pl, and related subdomains) and services provided by FLIGHTCORE Studios.

2. What Data We Collect — Depending on Who You Are

The scope of data we process depends on how you interact with our services. Below we describe this separately for each category of users.

2.1 Website Visitors

Applies to: anyone who visits our websites, even without filling out forms or contacting us.

Data collected automatically (after consenting to analytics cookies):

• IP address (anonymized for analytics purposes)
• Browser type and operating system
• Screen resolution and browser language
• Referring page (where you came from)
• Pages visited and time spent on site
• Device category (desktop, mobile, tablet)
• Approximate geographic location (country/region based on IP, no precise coordinates)

Interactions we record (after consent):

• Clicks on phone number or email address links
• Copying phone numbers or email addresses to clipboard

If you do not consent to analytics cookies, the above data is not collected. The website works normally without analytics cookies.

Data collected regardless of consent (essential):

• Cloudflare may process basic technical data (IP address, HTTP headers) to ensure security, DDoS protection, and proper website operation. This data is not used for profiling or analytics.

Purpose: web analytics (with consent), security (always). Legal basis: Art. 6(1)(a) GDPR (consent — analytics), Art. 6(1)(f) GDPR (legitimate interest — security). Retention period: 14 months (analytics data), up to 30 days (security logs).

We do not collect your name, email, or phone number at this stage — unless you provide them yourself (see below).

2.2 People Contacting Us

Applies to: anyone who sends a message through the contact form on our website.

Data you provide:

• First and last name
• Email address
• Phone number (optional)
• Message content

Providing your name and email address is voluntary but necessary for us to respond to your inquiry. Without this data, we will not be able to contact you.

Additionally, we process data collected by Google reCAPTCHA to protect the form from spam (IP address, device data, behavior on page).

Purpose: handling your inquiry, spam protection. Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the controller — handling correspondence and spam protection). Retention period: until the inquiry is resolved, maximum 12 months. Data may be retained longer in email correspondence as part of normal communication.

We do not store contact form data in a database — it is forwarded to our email.

2.3 Users with an Account (login.flightcore.pl)

Applies to: anyone who created an account in the FLIGHTCORE system by logging in with email/password or via Google account (SSO).

Data processed during registration/login:

• Email address
• Password (stored as an irreversible hash — we do not have access to your password in plain text)
• First and last name (when logging in via Google — automatically retrieved from your Google account)

Providing an email address and password is required to create an account. Without this data, it is not possible to use services that require login.

Google Login (SSO): If you log in via Google, we use the OAuth 2.0 (PKCE) protocol. We retrieve from your Google account only: email address and first and last name. We do not access your contacts, Google Drive files, browsing history, or any other data from your Google account.

Data stored as part of your account:

• User identifier (UUID)
• Email address
• First and last name
• System role (e.g., client, engineer)
• Account creation date
• Session tokens (temporary, to maintain login state)

Purpose: enabling login, service personalization, booking management, access control. Legal basis: Art. 6(1)(b) GDPR (contract performance — providing account service). Retention period: for the duration of the account. After account deletion, data is removed within 30 days from production systems, except data required by law (e.g., tax documentation — see Sections 2.4/2.5).

Account data is stored on our own servers in Poland. Some data may be processed by entities listed in Section 6 (e.g., Cloudflare for website hosting, Google for SSO login).

2.4 Clients Making a Booking

Applies to: anyone booking a recording session through the booking system on our website.

Data you provide:

• First and last name
• Email address
• Phone number
• Selected studio, engineer, date and time
• Session notes (optional)
• Discount code (optional)

Providing your name, email address, and phone number is required to make a booking and enter into a service agreement. Without this data, we cannot fulfill the booking or contact you about the session.

Payment data (card number, BLIK, P24) is transmitted directly to the payment processor Stripe and is not processed or stored by us (see Section 5).

Purpose: booking fulfillment and service agreement, schedule confirmation, session-related communication, tax records. Legal basis:

• Art. 6(1)(b) GDPR — contract performance (booking fulfillment),
• Art. 6(1)(c) GDPR — legal obligation (accounting and tax documentation),
• Art. 6(1)(f) GDPR — legitimate interest (defense against potential claims).

Retention period:

• Service-related data: duration of service + statute of limitations for civil claims (up to 6 years),
• Accounting and tax documentation: 5 years from the end of the calendar year in which the tax payment deadline expired.

We track aggregated data about the booking process (e.g., how many people start vs. complete a booking) for optimization. This data is generally not used to identify specific individuals (see Section 3.4).

2.5 Clients Purchasing Vouchers or Registering for Workshops

Applies to: anyone purchasing a recording voucher or registering for workshops (edu.flightcore.pl).

Data you provide:

• First and last name
• Email address
• Phone number
• Mailing address (street, postal code, city)
• Company details: company name, tax ID (optional, for invoicing)
• Selected package and payment method

Providing your name, email, phone number, and address is required to complete the purchase and enter into an agreement. Providing company details (tax ID) is optional and required only for issuing a VAT invoice.

Purpose: purchase fulfillment, issuing sales documents, organizational communication, tax records. Legal basis:

• Art. 6(1)(b) GDPR — contract performance,
• Art. 6(1)(c) GDPR — legal obligation (accounting and tax documentation),
• Art. 6(1)(f) GDPR — legitimate interest (defense against claims).

Retention period: same as Section 2.4.

2.6 Clients Attending a Recording Session at the Studio

Applies to: anyone who physically comes to the studio for a recording session.

Audio recordings: As part of the session, we record audio materials. Voice recordings constitute personal data. We do not use voice recordings for biometric identification — they serve solely for the purpose of the recording service. The client (commissioner) is the owner of the recordings.

• Recordings are stored on our servers for a guaranteed period of 2 years from the session date
• Upon client request, the storage period may be extended
• Clients may request deletion of their recordings at any time — data is removed from production systems immediately, from backups during natural backup rotation (typically up to 30 days)
• Recordings are delivered to clients via secure download link or physical media

For sessions commissioned by companies, labels, or agencies, data processing terms may be governed by a separate data processing agreement, in which FLIGHTCORE Studios may act as a data processor.

Video surveillance: Video surveillance (image only, no audio) is used at the studio entrance for the safety of people and property. Recording rooms are not covered by surveillance. Surveillance footage is stored for up to 7 days.

Legal basis:

• Art. 6(1)(b) GDPR — contract performance (audio recordings),
• Art. 6(1)(f) GDPR — legitimate interest (video surveillance).

3. Cookies and Tracking Technologies

3.1 What Are Cookies

Cookies are small text files stored on your device by the web browser. They are used to ensure proper website operation, remember preferences, and collect analytics data.

3.2 Types of Cookies Used

Essential cookies (always active — no consent required):

Analytics cookies (require your consent):

Analytics cookies are set only after consent is given via the cookie banner.

3.3 Web Analytics

We use Google Analytics 4 combined with Cloudflare Zaraz technology, which enables server-side analytics processing. This means:

• Most data processing occurs on servers, not in your browser
• Collected data includes: pages visited, visit duration, traffic source, device type, approximate location
• As a rule, we do not use this data for direct user identification
• Analytics data is retained for 14 months

3.4 Conversion Tracking (E-commerce)

To analyze the effectiveness of our offerings, we track aggregated events related to the purchase flow, such as: viewing offers, selecting a package, starting and completing payment. This data is generally not used to identify specific individuals and serves primarily for statistical analysis.

3.5 Managing Cookie Consent

On your first visit, we display a banner informing you about cookies. You can:

• Accept all cookies — including analytics
• Reject analytics cookies — the website works normally, but we do not collect analytics data
• Change your decision at any time by deleting cookies in your browser settings

Essential cookies (security, preference storage) are always active, regardless of your decision.

4. Spam Protection

Our forms are protected by Google reCAPTCHA. This service may process: IP address, device data, and user behavior on the page. This data is processed by Google LLC per Google’s Privacy Policy.

5. Payments

Payments for services (bookings, vouchers, workshops) are processed through Stripe, Inc. We do not process or store payment card data — it is transmitted directly to Stripe.

Stripe acts as an independent data controller for payment processing. Details: Stripe Privacy Policy.

Supported payment methods: credit/debit card, BLIK, Przelewy24 (P24).

6. Who We Share Data With

Personal data may be shared with the following categories of entities:

Data processors acting on our behalf:

• Cloudflare, Inc. (USA) — website hosting, CDN, server-side analytics, DDoS protection. Processes: visitor technical data, website content.
• Google LLC (USA) — web analytics (Google Analytics), spam protection (reCAPTCHA), SSO login, organizational tools. Processes: analytics data, SSO login data, reCAPTCHA data.
• Stripe, Inc. (USA) — online payment processing. Processes: payment data, email address.
• Cyberfolks S.A. (Poland) — email services. Processes: email correspondence.

Other entities:

• Public authorities, if required by law.

We do not sell personal data to third parties. We do not share data for third-party marketing purposes.

7. Data Transfer Outside the EEA

Some of our sub-processors (Cloudflare, Google, Stripe) may process data outside the European Economic Area (EEA), particularly in the United States. In such cases, data transfer is based on:

• European Commission adequacy decisions under the EU-US Data Privacy Framework (Cloudflare, Google, and Stripe are participants in this program)
• Standard Contractual Clauses approved by the European Commission

User account data and audio recordings are stored on our own servers in Poland.

Information about data transfer safeguards is available upon request at [email protected].

8. Data Security

We apply appropriate technical and organizational measures to protect personal data, including:

• Encryption of data transmission (HTTPS/TLS)
• Security headers (HSTS, X-Frame-Options, Content-Security-Policy)
• Password hashing using modern cryptographic algorithms
• Access controls to data processing systems
• Regular backups
• DDoS protection

9. Minors

Our services are intended for adults. Persons under 16 may use our services only under supervision and with the consent of a parent or legal guardian. We do not knowingly collect personal data from children under 16 without guardian consent.

10. Your Rights

Under GDPR, you have the following rights:

• Right of access to your personal data (Art. 15)
• Right to rectification of inaccurate data (Art. 16)
• Right to erasure — “right to be forgotten” (Art. 17), noting this does not apply to data whose retention is required by law
• Right to restriction of processing (Art. 18)
• Right to data portability in a structured format (Art. 20) — applies to data processed on the basis of contract or consent in an automated manner
• Right to object to processing based on legitimate interest, including web analytics (Art. 21)
• Right to withdraw consent at any time (e.g., consent for analytics cookies) — withdrawal does not affect the lawfulness of processing carried out before withdrawal (Art. 7(3))
• Right to complain to the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, www.uodo.gov.pl)

To exercise your rights: [email protected] or +48 791 730 204. We respond without undue delay, no later than within one month. For complex requests, the deadline may be extended by a further two months, about which you will be informed.

11. Changes to Privacy Policy

We reserve the right to update this Privacy Policy due to changes in legislation, new services, or technology changes. The last update date is shown at the top. We inform about significant changes via the website.

12. Contact

For data protection matters:

FLIGHTCORE STUDIOS SP. Z O.O. ul. Adama Mickiewicza 9/U1, 01-517 Warsaw, Poland Email: [email protected] Phone: +48 791 730 204