Privacy Policy

For different categories of information, HangarOS acts either as a “controller” (we decide why and how we process personal data) or as a “processor” (we process personal data on behalf of our Customer).

• HangarOS as Controller: Information about Customer-side account holders, billing contacts, marketing-site visitors, support correspondents, and individuals who contact us directly.
• HangarOS as Processor: Personal data about Users that a Customer (a flight school) uploads or causes to be created in the Service — including data about student pilots, instructors, mechanics, and staff. The flight school is the controller of that data; we process it on the school's instructions under our Data Processing Agreement.

If you are an individual whose data was added to the Service by a flight school and you have questions about how that data is used, please contact the flight school directly. We will route privacy requests we receive about Customer Data to the relevant Customer.

2.1 Information you give us directly

Account information. Name, email address, password (stored only in hashed form by our identity provider), phone number (optional, used for multi-factor authentication), business name, business address.

Billing information. When you subscribe to a paid plan, our Payment Processor (a third-party payment processor we engage, identified in our Subprocessor List when one is in effect) collects payment card information through hosted fields on your behalf. HangarOS does not see, receive, or store full payment card numbers. We retain billing metadata such as plan, billing cycle, last four digits of the card, card brand, billing address, transaction history, and invoice records.

Profile information. Information you choose to add to your profile, such as display name and avatar.

Communications. Records of your communications with us, including support tickets, emails, chat transcripts, and form submissions.

Customer-uploaded data. Information you upload into the Service in the course of operating your flight school, which may include personal data about:

• Students (name, email, phone, address, date of birth, FAA student pilot certificate number, medical certificate details, TSA AFSP status, lesson reports, endorsements, stage check results, flight hours, training progress, payment history with the school)
• Instructors (name, contact details, certificate type and number, certificate expiry, ratings, currency status, recurrent records, lesson reports authored)
• Mechanics (name, contact details, certificate type and number, certificate expiry, work order signoffs)
• Aircraft owners and other operational contacts

This data is processed by HangarOS as a processor on behalf of the flight school.

2.2 Information collected automatically

Usage and device data. IP address, browser type, operating system, device identifiers, referring URL, pages viewed, features used, timestamps, session duration, clickstream, and approximate location derived from IP address.

Cookies and similar technologies. See our Cookie Policy for details. We use first-party cookies for authentication and CSRF protection and, where you consent, analytics cookies from Google Analytics, PostHog, and Google Ads.

Error and performance telemetry. Crash reports, stack traces, and performance metrics collected by Sentry to help diagnose and fix issues.

Audit logs. The Service generates security and operational audit logs that record account activity (such as logins, permission changes, sensitive-record access, and administrative actions), the actor's role at the time of the event, and IP address.

2.3 Information from third parties

Single sign-on (SSO) and federated login. If you sign in with Google or Microsoft, we receive your name, email address, and the provider's account identifier from that service. We never receive your password.

Payment Processor. Our Payment Processor confirms successful charges, returns transaction identifiers, and reports disputes and chargebacks back to us.

Other connected services. If you connect QuickBooks Online for invoicing, we receive metadata about invoices, customers, and payments needed to keep records in sync.

We use information to:

• (a) provide, maintain, and operate the Service;
• (b) authenticate you and protect your Account, including multi-factor authentication;
• (c) process payments and manage billing;
• (d) provide AI-assisted features that operate on your own Customer Data to serve your own Users;
• (e) communicate with you about your Account, security alerts, product updates, support, and administrative messages;
• (f) detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms or Acceptable Use Policy;
• (g) comply with legal obligations, respond to lawful requests, and enforce our rights;
• (h) generate aggregated, anonymized, or de-identified analytics that do not identify any individual;
• (i) measure and improve the Service, including performance, reliability, and usability; and
• (j) send marketing emails to business contacts who have not opted out, where permitted by law.

Legal bases (for individuals in the EEA/UK/Switzerland). We rely on: (i) contractual necessity (Article 6(1)(b)) to provide the Service you have signed up for; (ii) legitimate interests (Article 6(1)(f)) to secure, improve, and market the Service; (iii) legal obligation (Article 6(1)(c)) to comply with law; and (iv) consent (Article 6(1)(a)) where required, such as for non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.

No use for marketing or model training. We do not use Customer Data for marketing or to train generative AI or machine learning models, except (a) as you separately authorize in writing or (b) for in-product AI features that operate solely on your own Customer Data to serve your own Users.

We do not sell personal information. We share information only as described below.

4.1 With service providers (subprocessors)

We use third-party service providers (“subprocessors”) to operate the Service. A current list of subprocessors is published at hangaros.com/legal/subprocessors and includes:

• Amazon Web Services, Inc. — cloud hosting (Lambda, S3, SES, Cognito, Secrets Manager) in the United States (us-east-2 region)
• Supabase, Inc. — managed Postgres database
• Vercel, Inc. — frontend hosting and edge network
• Payment processor — to be designated. Subscription payment processing is performed by a third-party Payment Processor we engage; the identity of the current Payment Processor will be listed in our Subprocessor List on at least 30 days' notice before processing begins.
• Intuit Inc. — QuickBooks Online invoicing integration (only if you enable the Invoicing module)
• Sentry, Inc. — error and performance monitoring
• PostHog, Inc. — product analytics (consent required for non-essential analytics where applicable)
• Zoho Corporation — chat widget (Zoho SalesIQ) for customer support on hangaros.com
• Zendesk, Inc. — Help Center / knowledge base hosted at hangaros.zendesk.com
• Google LLC — federated sign-in, Google Analytics 4, and Google Ads conversion tracking (consent required where applicable)
• Microsoft Corporation — Microsoft Entra ID federated sign-in
• Groq, Inc. — large language model inference for AI features

We require subprocessors by contract to protect personal data and to use it only for the purposes for which we engage them.

4.2 With other Users in your organization

Information you create or upload in the Service is visible to other Users in the same flight school Account in accordance with the school's role and permission configuration.

4.3 For legal and safety reasons

We may disclose information when we believe in good faith that disclosure is necessary to (a) comply with applicable law, subpoena, court order, or other legal process; (b) protect the safety, rights, or property of HangarOS, our Users, or others; (c) detect, prevent, or address fraud, security, or technical issues; or (d) enforce our Terms.

4.4 In connection with business transfers

We may disclose information in connection with a merger, acquisition, financing, reorganization, or sale of all or part of our business or assets, subject to standard confidentiality protections.

4.5 With your consent

We may share information for other purposes with your consent.

The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States and other jurisdictions where our subprocessors operate.

For transfers from the European Economic Area, United Kingdom, or Switzerland, we rely on the EU Standard Contractual Clauses (2021/914, Module Two — Controller to Processor), the UK International Data Transfer Addendum, and equivalent Swiss FADP mechanisms, as applicable. We implement supplementary measures including encryption in transit and at rest, role-based access controls, and minimum-necessary access.

We retain personal information for as long as needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Typical retention periods:

When personal information is no longer needed, we delete or de-identify it.

Depending on where you live, you may have the following rights with respect to personal information about you:

• Access — request a copy of the personal information we hold about you
• Correction — request that we correct inaccurate or incomplete information
• Deletion — request that we delete personal information
• Restriction — request that we restrict certain processing
• Portability — request a machine-readable copy of certain information you have provided
• Objection — object to processing based on legitimate interests
• Withdraw consent — withdraw consent where processing is based on consent
• Non-discrimination — not be discriminated against for exercising privacy rights
• Opt out of “sales” or “sharing” — we do not sell personal information or share it for cross-context behavioral advertising

To exercise these rights, email privacy@hangaros.com or legal@hangaros.com. We will verify your identity before responding and will respond within the period required by applicable law (typically 30 to 45 days).

Customer-uploaded data. If your data was added to the Service by a flight school (for example, you are a student pilot), the school is the controller. We will route your request to the school and assist the school in responding.

California residents: Under the California Consumer Privacy Act (CCPA / CPRA) you have additional rights, including the right to know categories and specific pieces of personal information collected, the right to delete, the right to correct, the right to limit use of sensitive personal information, and the right to opt out of “sales” and “sharing.” We do not sell personal information and we do not share personal information for cross-context behavioral advertising. We do not knowingly collect personal information from minors under 16.

Other U.S. state laws: Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other states with consumer privacy laws have similar rights. We honor these where applicable.

Global Privacy Control (GPC). We honor GPC browser signals as an opt-out of “sale” and “sharing” where required by law.

Appeals. If we deny your request, you may appeal by replying to our response or emailing privacy@hangaros.com with “Privacy Appeal” in the subject line.

We implement reasonable administrative, technical, and physical safeguards designed to protect personal information, including:

• TLS encryption in transit
• Encryption at rest for sensitive data, including AWS KMS encryption for object storage and AES-256-GCM application-layer encryption for OAuth tokens
• Multi-factor authentication required on every Account
• Role-based access controls and row-level security in our database
• Audit logging of security-relevant events
• Background verification of personnel with administrative access
• Vendor security review for subprocessors
• Object Lock retention on audit logs and CloudTrail logs

No method of transmission or storage is completely secure. We cannot guarantee absolute security. You are responsible for keeping your credentials confidential and for maintaining your own backups of data critical to your operations.

Our public Security Policy has more detail.

The Service is not intended for individuals under 18 years of age, and we do not knowingly collect personal information directly from individuals under 18. If you believe an individual under 18 has provided personal information to us directly, please contact privacy@hangaros.com and we will take steps to delete it.

Flight schools may upload limited information about minors enrolled in their programs in the course of operating the school. That data is processed on the school's instructions, and the school is the controller.

See our Cookie Policy.

The Service may contain links to or integrations with third-party websites and services. We are not responsible for their privacy practices. Please review their policies separately.

We may update this Privacy Policy from time to time. We will post the updated version with a new effective date and, if changes are material, send notice by email to the address associated with your Account. Material changes take effect 30 days after notice; non-material changes take effect immediately upon posting.

Privacy questions and requests: privacy@hangaros.com
General legal: legal@hangaros.com

OrangeTree Technologies LLC d/b/a HangarOS
4801 Glenwood Ave, Suite 200, Mailbox 31
Raleigh, NC 27612
United States

Last updated: May 22, 2026.