Is this based on real exam questions?

Our questions are based on the Boeing 737 NG FCOM and are designed to mirror the type of questions you'll encounter in your type rating exam. While we can't use actual exam questions, every question includes FCOM page references so you can verify the source material and study deeper.

Will this work for my airline's specific training program?

Yes! The 737 NG systems are standardized across airlines. Our questions cover the aircraft systems knowledge required for any 737 NG type rating, regardless of your operator. The FCOM references we use are from the standard Boeing documentation.

What if I've already started studying with other materials?

737ng.com is designed to complement your existing study materials, not replace them. Many pilots use us alongside their FCOM and training manuals. Our progress tracking helps you identify gaps in your knowledge, no matter where you started.

How does the offline mode work?

737ng.com is a Progressive Web App (PWA). Once you visit the site and log in, all questions and your progress are cached on your device. You can study during layovers, on flights, or anywhere without internet. Your progress syncs automatically when you're back online.

Can I cancel anytime?

All our plans are one-time payments—there's no recurring subscription to cancel. Once you purchase, you have lifetime access to that plan's features. If you're not satisfied within 14 days, contact us for a full refund.

How often are new questions added?

We regularly add new questions and update existing ones based on FCOM revisions and feedback from pilots who've recently completed their type ratings. Premium members get access to new content as soon as it's available.

PRIVACY POLICY

www.737ng.com - Boeing 737 NG Type Rating Preparation Platform

Effective Date: [1st January 2026]
Last Updated: [1st January 2026]

Introduction
Data Controller Information
Scope and Applicability
Personal Data We Collect
How We Collect Personal Data
Legal Basis for Processing
How We Use Your Personal Data
Data Sharing and Third-Party Processors
International Data Transfers
Cookies and Tracking Technologies
Data Retention
Your Data Protection Rights
How to Exercise Your Rights
Data Security
Children's Privacy
Marketing Communications
Changes to This Privacy Policy
Right to Lodge a Complaint
Contact Information

1. INTRODUCTION

1.1 Our Commitment to Privacy

At www.737ng.com, we are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our Boeing 737 NG type rating preparation platform.

1.2 Transparency

We believe in transparency. This Privacy Policy provides you with clear and comprehensive information about:

What personal data we collect
Why we collect it
How we use it
Who we share it with
Your rights regarding your personal data
How to contact us with questions or concerns

This Privacy Policy complies with the General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679, as well as:

French Data Protection Act (Loi Informatique et Libertés)
French Consumer Code (Code de la consommation)
ePrivacy Directive (Directive 2002/58/EC)

By using our Service, you acknowledge that you have read and understood this Privacy Policy. For certain processing activities, we will request your explicit consent where required by law.

2. DATA CONTROLLER INFORMATION

2.1 Who is the Data Controller?

The Data Controller responsible for your personal data is:

Business Name: www.737ng.com (Commercial Name)
Legal Form: Auto-entrepreneur (Sole Proprietorship)
SIRET Number: 800 142 515
Registered Office:
5ème Avenue
60260 Lamorlaye
France

2.2 Contact Details

Email: cgautoentreprise@gmail.com
Postal Address: 5ème Avenue, 60260 Lamorlaye, France

For all data protection inquiries, privacy rights requests, or concerns, please contact us using the above details.

2.3 Data Protection Officer (DPO)

As a small auto-entrepreneur business, we are not currently required to appoint a formal Data Protection Officer under GDPR Article 37. However, all data protection matters are handled directly by the Data Controller at the contact details above.

3. SCOPE AND APPLICABILITY

3.1 When This Policy Applies

This Privacy Policy applies when you:

Visit our website at www.737ng.com
Create an account on our platform
Use our Progressive Web App (PWA)
Subscribe to our paid plans
Contact us via email or support channels
Interact with our Service in any way

3.2 Third-Party Services

This Privacy Policy does not cover:

Third-party websites linked from our Service
Third-party services you may access through our platform (e.g., Google OAuth)
Payment processing by Stripe (covered by Stripe's privacy policy)

We recommend reviewing the privacy policies of any third-party services you interact with.

3.3 Geographic Scope

This Privacy Policy applies to all users worldwide, with specific protections for:

EU/EEA residents: Full GDPR rights
French residents: Additional protections under French law
US residents: Transparency consistent with state privacy laws
Other jurisdictions: Best practices in data protection

4. PERSONAL DATA WE COLLECT

4.1 What is Personal Data?

"Personal Data" means any information relating to an identified or identifiable natural person. This includes information that can directly or indirectly identify you.

4.2 Categories of Personal Data

4.2.1 Account Information

When you create an account, we collect:

Full name
Email address
Password (stored in hashed and encrypted form)
Account creation date
Last login date

4.2.2 Google OAuth Information

If you register or log in using Google OAuth, we collect:

Google User ID
Name (from your Google profile)
Email address (from your Google account)
Profile picture URL (if provided by Google)

We only access information you explicitly authorize through Google's consent screen.

4.2.3 Professional Information (Optional)

You may voluntarily provide:

Current airline or employer
Aircraft type experience (e.g., A320, B737, B777)
Pilot certifications or licenses
Years of flying experience
Current position (e.g., First Officer, Captain)

This information helps us personalize your experience but is not required to use the Service.

4.2.4 Subscription and Billing Information

When you subscribe to a paid plan:

Subscription tier (First Officer, Captain, Examiner)
Subscription start and end dates
Payment status (active, expired, cancelled)
Transaction IDs (from Stripe)
Billing country

Note: We do NOT store credit card numbers, CVV codes, or full payment details. All payment data is securely processed and stored by Stripe, Inc.

4.2.5 Usage and Activity Data

We automatically collect information about how you use the Service:

Questions answered (which questions, correctness, response time)
Study sessions (duration, systems studied, dates)
Progress metrics (mastery scores, weak areas, completion rates)
Exam simulations (scores, time taken, performance analytics)
Study notes accessed (which PDFs viewed, download times)
Feature usage (which parts of the platform you use most)

4.2.6 Technical and Device Information

We automatically collect:

IP address
Browser type and version (e.g., Chrome 120, Safari 17)
Operating system (e.g., iOS 17, Windows 11, macOS 14)
Device type (e.g., iPad Pro, iPhone 15, Windows laptop)
Screen resolution
Language preferences
Time zone
Referring website (how you arrived at our site)
Service Worker status (PWA offline capability)

4.2.7 Cookies and Similar Technologies

We use cookies and similar technologies to collect:

Session identifiers (for authentication)
Analytics data (via PostHog)
Error tracking data (via Sentry)
Preferences (e.g., theme, language)

See Section 10 for detailed cookie information.

4.2.8 Communications Data

When you contact us:

Email correspondence content
Support ticket information
Feedback and suggestions
Bug reports

5. HOW WE COLLECT PERSONAL DATA

5.1 Information You Provide Directly

We collect personal data when you:

Create an account (name, email, password)
Update your profile (professional details, preferences)
Subscribe to a paid plan (billing information via Stripe)
Contact support (email, support tickets)
Provide feedback (surveys, suggestions)

5.2 Information Collected Automatically

We automatically collect data when you:

Visit our website (IP address, browser info)
Use the Service (usage data, activity logs)
Answer questions (performance metrics)
Access study notes (engagement data)

5.3 Information from Third Parties

5.3.1 Google OAuth

If you sign up with Google, we receive:

Basic profile information (name, email, picture)
Authentication tokens
Google User ID

5.3.2 Stripe

For payment processing, Stripe provides us:

Payment confirmation status
Transaction IDs
Subscription status updates
Billing country

We do NOT receive full credit card details from Stripe.

5.3.3 Analytics and Monitoring Services

PostHog: Provides aggregated analytics data
Sentry: Provides error and crash reports

These services may collect technical data independently as outlined in Section 8.

6. LEGAL BASIS FOR PROCESSING

Under GDPR Article 6, we process your personal data based on the following legal grounds:

6.1 Contractual Necessity (Article 6(1)(b))

We process personal data to perform our contract with you, including:

Creating and managing your account
Providing access to questions and study materials
Processing your subscription and payments
Enabling offline functionality via PWA
Tracking your progress and performance
Providing customer support

Without this processing, we cannot provide the Service.

6.2 Legitimate Interests (Article 6(1)(f))

We process personal data based on our legitimate interests, including:

Service improvement: Analyzing usage patterns to enhance features
Security: Detecting and preventing fraud, abuse, and unauthorized access
Technical operations: Maintaining platform performance and reliability
Business analytics: Understanding user behavior to make informed decisions
Error monitoring: Identifying and fixing technical issues

We have conducted a balancing test and determined that these interests do not override your fundamental rights and freedoms.

6.3 Legal Obligation (Article 6(1)(c))

We process personal data to comply with legal obligations, including:

Tax and accounting requirements: Retaining financial records for 10 years under French tax law (Article L. 102 B of the Tax Procedures Code)
Consumer protection laws: Maintaining records to respond to regulatory inquiries
Anti-money laundering (AML): Complying with EU and French AML regulations
Court orders and legal requests: Responding to valid legal process

We obtain your explicit consent for:

Marketing communications: Sending promotional emails (opt-in required)
Non-essential cookies: Analytics and performance cookies (cookie banner)
Optional data processing: Processing optional professional information

You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

7. HOW WE USE YOUR PERSONAL DATA

7.1 Service Delivery

We use your personal data to:

Authenticate your login and maintain your session
Provide access to questions, study notes, and exam simulations
Track your progress and generate performance analytics
Enable offline study via PWA and IndexedDB
Sync your data across devices
Display personalized study recommendations
Generate mastery scores and weak area analysis

7.2 Subscription Management

We use your personal data to:

Process your subscription payments via Stripe
Manage subscription status (active, expired, cancelled)
Enforce tier-based access limits (FREE, First Officer, Captain, Examiner)
Send subscription confirmation and renewal reminders
Process refund requests (within 14-day withdrawal period)

7.3 Customer Support

We use your personal data to:

Respond to your support inquiries
Troubleshoot technical issues
Investigate and resolve bugs
Provide guidance on using the Service
Handle refund and billing questions

7.4 Service Improvement

We use aggregated and anonymized data to:

Analyze which features are most used
Identify areas for improvement
Test new features and A/B experiments
Optimize platform performance
Enhance user experience based on usage patterns

7.5 Security and Fraud Prevention

We use your personal data to:

Detect and prevent unauthorized account access
Identify suspicious activity (e.g., account sharing, bot usage)
Monitor for technical vulnerabilities
Protect against cyberattacks and data breaches
Enforce our Terms of Service

7.6 Legal Compliance

We use your personal data to:

Maintain financial records for tax authorities
Respond to legal requests and court orders
Comply with data protection regulations
Investigate violations of our Terms of Service

With your explicit opt-in consent, we may:

Send newsletters about new features
Notify you of special promotions or discounts
Share educational content related to type ratings
Invite you to participate in surveys or beta testing

You can opt out of marketing emails at any time by clicking "unsubscribe" in any email or contacting us.

We do NOT:

Sell your personal data to third parties
Share your data with advertisers
Use your data for purposes unrelated to the Service
Share more data than necessary with processors

We only share data with trusted third-party processors who help us deliver the Service.

8.2 Third-Party Processors

8.2.1 Vercel Inc. (United States) - Hosting Provider

Purpose: Application hosting and content delivery
Data Shared:

Technical data (IP addresses, browser info)
Application logs
Performance metrics

Data Transfer Mechanism: EU-US Data Privacy Framework
Privacy Policy: https://vercel.com/legal/privacy-policy
Location: United States

8.2.2 Supabase Inc. (United States) - Database and Authentication

Purpose: User authentication, database storage, file storage
Data Shared:

Account information (name, email, hashed passwords)
User-generated content (progress data, preferences)
Study notes (PDFs stored in Supabase Storage)

Data Transfer Mechanism: Standard Contractual Clauses (SCCs)
Privacy Policy: https://supabase.com/privacy
Location: United States (AWS us-east-1 region)

8.2.3 Stripe Inc. (United States) - Payment Processing

Purpose: Subscription payments and billing
Data Shared:

Email address
Billing country
Subscription tier and dates

Payment Data Stored by Stripe (NOT by us):

Credit card numbers
CVV codes
Full billing addresses

Data Transfer Mechanism: EU-US Data Privacy Framework
Privacy Policy: https://stripe.com/privacy
PCI DSS Compliance: Level 1 (highest security standard)
Location: United States

8.2.4 PostHog Inc. (United States) - Analytics

Purpose: Usage analytics and feature optimization
Data Shared:

Anonymized user IDs
Feature usage events (e.g., "question answered", "study note opened")
Technical data (device type, browser, OS)
Session duration and navigation paths

Data NOT Shared:

Personal names
Email addresses
Payment information
Specific question content or answers

Data Transfer Mechanism: Standard Contractual Clauses (SCCs)
Privacy Policy: https://posthog.com/privacy
Location: United States (Cloud EU option available, but we use US cloud)

8.2.5 Sentry Inc. (United States) - Error Monitoring

Purpose: Technical error tracking and crash reporting
Data Shared:

Error messages and stack traces
User IDs (anonymized in logs)
Technical context (browser, OS, device)
IP addresses (for geolocation debugging)

Data NOT Shared:

Passwords
Payment information
Personal email addresses in logs

Data Transfer Mechanism: EU-US Data Privacy Framework
Privacy Policy: https://sentry.io/privacy/
Location: United States

8.2.6 Google LLC (United States) - OAuth Authentication

Purpose: Optional login via Google account
Data Shared:

We receive: Name, email, profile picture (with your consent via Google's OAuth screen)
Google receives: Login requests from our domain

Data Transfer Mechanism: EU-US Data Privacy Framework
Privacy Policy: https://policies.google.com/privacy
Location: United States

8.3 Service Providers and Subprocessors

All third-party processors are:

Contractually bound to protect your personal data
Required to comply with GDPR (for EU users)
Subject to audit and compliance checks
Prohibited from using your data for their own purposes

8.4 Legal Disclosure

We may disclose personal data if required by law or in response to:

Court orders or subpoenas
Legal process from government authorities
Requests from law enforcement (where legally valid)
Protection of our legal rights or safety of users

We will notify you of legal disclosure requests unless prohibited by law.

8.5 Business Transfers

If www.737ng.com is acquired, merged, or undergoes a business reorganization:

Your personal data may be transferred to the new entity
This Privacy Policy will continue to apply
You will be notified of any material changes

9. INTERNATIONAL DATA TRANSFERS

9.1 Where is Your Data Processed?

Your personal data is transferred to and processed in the United States by our third-party service providers (Vercel, Supabase, Stripe, PostHog, Sentry, Google).

9.2 Legal Safeguards for International Transfers

We ensure appropriate safeguards are in place for international data transfers:

9.2.1 EU-US Data Privacy Framework

The following processors participate in the EU-US Data Privacy Framework (successor to Privacy Shield):

Vercel Inc.
Stripe Inc.
Sentry Inc.
Google LLC

This framework provides adequacy for data transfers from the EU to certified US companies.

More information: https://www.dataprivacyframework.gov

9.2.2 Standard Contractual Clauses (SCCs)

For processors not covered by the Data Privacy Framework, we use Standard Contractual Clauses (SCCs) approved by the European Commission:

Supabase Inc. (SCCs in place)
PostHog Inc. (SCCs in place)

SCCs are legally binding contracts that ensure European-level data protection even when data is processed outside the EU.

9.2.3 Additional Security Measures

Beyond legal mechanisms, we implement:

Encryption in transit (TLS 1.3)
Encryption at rest (AES-256)
Access controls (role-based permissions)
Regular security audits of processors
Incident response plans

9.3 Your Rights Regarding International Transfers

You have the right to:

Request information about safeguards in place for your data
Object to transfers if safeguards are inadequate
Request a copy of SCCs upon request

9.4 Data Residency Options

Currently, all data is processed in the United States. If you require EU data residency:

Contact us to discuss options
We may be able to configure Supabase EU region for future deployments
Note that this may impact Service performance and features

10. COOKIES AND TRACKING TECHNOLOGIES

10.1 What are Cookies?

Cookies are small text files stored on your device when you visit a website. They help us recognize your device and remember certain information about your visit.

10.2 Types of Cookies We Use

10.2.1 Strictly Necessary Cookies (No Consent Required)

These cookies are essential for the Service to function:

Cookie Name	Purpose	Duration	Provider
`sb-access-token`	Supabase authentication session	Session	Supabase
`sb-refresh-token`	Refresh authentication token	Persistent (30 days)	Supabase
`__vercel_live_token`	Development preview tokens	Session	Vercel

Legal Basis: Contractual necessity - required to provide the Service.

10.2.2 Analytics Cookies (Consent Required)

These cookies help us understand how you use the Service:

Cookie Name	Purpose	Duration	Provider
`ph_*`	PostHog analytics tracking	Persistent (1 year)	PostHog
`phc_*`	PostHog user identification	Persistent (1 year)	PostHog

Legal Basis: Consent (opt-in via cookie banner)
What We Track:

Pages visited
Features used
Time spent on platform
Navigation patterns
Device and browser info

What We DON'T Track:

Specific question content
Personal study notes
Payment details
Passwords

10.2.3 Performance Cookies (Consent Required)

These cookies help us monitor technical performance:

Cookie Name	Purpose	Duration	Provider
Sentry session cookies	Error tracking and crash reporting	Session	Sentry

Legal Basis: Consent (opt-in via cookie banner)

10.3 Local Storage and IndexedDB

We use browser local storage and IndexedDB for:

Offline PWA functionality (storing questions for offline study)
User preferences (theme, language, study settings)
Session data (current study session progress)
Cached content (for faster loading)

Local storage is NOT sent to our servers unless you explicitly sync your data while online.

10.4 How to Control Cookies

10.4.1 Cookie Banner

When you first visit www.737ng.com, you will see a cookie consent banner where you can:

Accept all cookies (necessary + analytics + performance)
Reject non-essential cookies (only necessary cookies)
Customize preferences (choose which cookie categories to allow)

10.4.2 Browser Settings

You can control cookies through your browser settings:

Chrome: Settings → Privacy and security → Cookies and other site data
Firefox: Settings → Privacy & Security → Cookies and Site Data
Safari: Preferences → Privacy → Manage Website Data
Edge: Settings → Cookies and site permissions

Note: Disabling necessary cookies will prevent you from using the Service.

10.4.3 Opt-Out of Analytics

To opt out of PostHog analytics specifically:

Use the cookie banner to reject analytics cookies
Or enable "Do Not Track" in your browser settings (we respect DNT signals)

10.5 Third-Party Cookies

We do NOT use third-party advertising cookies or tracking pixels from social media platforms.

If we add new cookies or tracking technologies, we will:

Update this Privacy Policy
Request your consent where required
Provide opt-out options

11. DATA RETENTION

11.1 Retention Principles

We retain personal data only as long as necessary for the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.

11.2 Retention Periods

Data Category	Retention Period	Legal Basis
Account Information	Duration of account + 3 years after closure	Legal claims (French Civil Code Article 2224)
Usage and Progress Data	Duration of account + 2 years	Service improvement and analytics
Payment Records	10 years from transaction date	French tax law (Article L. 102 B)
Support Emails	3 years from last correspondence	Customer service records
Analytics Data	2 years from collection	Service improvement
Error Logs (Sentry)	90 days	Technical troubleshooting
Marketing Consents	Until consent withdrawn + 3 years	Legal claims
Cookies	As specified in Section 10.2	Varies by cookie type

11.3 Account Deletion

When you delete your account:

Your profile and personal data are marked for deletion
Deletion occurs within 30 days
Some data may be retained longer for legal obligations (e.g., payment records for tax purposes)

11.4 Data Anonymization

After retention periods expire, we may:

Delete personal data entirely
Anonymize data by removing all identifiers (aggregated analytics)

Anonymized data is no longer considered personal data under GDPR and may be retained indefinitely.

11.5 Legal Holds

In the event of legal proceedings or disputes:

Relevant data may be retained beyond standard retention periods
You will be notified if your data is subject to a legal hold

12. YOUR DATA PROTECTION RIGHTS

Under the GDPR, you have the following rights:

12.1.1 Right of Access (Article 15)

You have the right to:

Request confirmation of whether we process your personal data
Obtain a copy of your personal data
Receive information about:
- Purposes of processing
- Categories of data processed
- Recipients of your data
- Retention periods
- Your other rights

Response Time: Within 1 month of request

12.1.2 Right to Rectification (Article 16)

You have the right to:

Correct inaccurate personal data
Complete incomplete personal data
Update outdated information

How to Exercise: Update your profile in account settings or contact us

12.1.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data when:

Data is no longer necessary for the original purpose
You withdraw consent (where processing is based on consent)
You object to processing and there are no overriding legitimate grounds
Data has been unlawfully processed
Data must be deleted to comply with a legal obligation

Exceptions: We may refuse deletion if we need the data for:

Legal obligations (e.g., tax records for 10 years)
Establishing, exercising, or defending legal claims
Compliance with French Consumer Code requirements

12.1.4 Right to Restriction of Processing (Article 18)

You have the right to request that we limit processing of your personal data when:

You contest the accuracy of the data (pending verification)
Processing is unlawful, but you prefer restriction over deletion
We no longer need the data, but you need it for legal claims
You have objected to processing (pending verification of legitimate grounds)

Effect: We will store the data but not use it (except with your consent or for legal claims).

12.1.5 Right to Data Portability (Article 20)

You have the right to:

Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV)
Transmit that data to another controller

Scope: Applies only to data you provided to us and processed based on consent or contract.

What We Provide:

Account information (name, email, professional details)
Usage data (questions answered, study sessions, progress metrics)
Preferences and settings

Format: JSON export available in account settings

12.1.6 Right to Object (Article 21)

You have the right to object to processing of your personal data based on:

Legitimate interests (Article 6(1)(f))
Direct marketing (including profiling)

Effect: We will stop processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Marketing Opt-Out: Use the "unsubscribe" link in emails or contact us.

12.1.7 Right Not to be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects or similarly significant effects.

Our Practices: We do NOT use automated decision-making that produces legal or similarly significant effects. Our analytics are used only for internal service improvement.

12.1.8 Right to Withdraw Consent

Where processing is based on consent, you have the right to:

Withdraw consent at any time
Without penalty or negative consequences

Effect: Withdrawal does not affect the lawfulness of processing before withdrawal.

How to Exercise:

Marketing emails: Click "unsubscribe"
Analytics cookies: Adjust cookie preferences
Other consents: Contact us at cgautoentreprise@gmail.com

12.2 Rights for Non-EU Residents

While GDPR applies primarily to EU/EEA residents, we extend similar rights to all users:

US residents: Consistent with state privacy laws (California CPRA, Virginia CDPA, etc.)
Other jurisdictions: Best practices in data protection

13. HOW TO EXERCISE YOUR RIGHTS

13.1 Contacting Us

To exercise any of your data protection rights, contact us:

Email: cgautoentreprise@gmail.com
Subject Line: "Data Protection Request - [Your Right]"
Postal Address: 5ème Avenue, 60260 Lamorlaye, France

13.2 Information to Include in Your Request

Please provide:

Your full name
Email address associated with your account
Specific right you wish to exercise (e.g., access, deletion, rectification)
Details of your request (be as specific as possible)
Proof of identity (to protect against fraudulent requests)

13.3 Identity Verification

To protect your personal data from unauthorized access, we may request additional information to verify your identity:

Confirmation of account email
Answers to security questions
Copy of government-issued ID (in limited cases, with ID number redacted)

13.4 Response Time

We will respond to your request:

Within 1 month of receiving a valid request
Extended to 3 months for complex requests (we will notify you within 1 month)

13.5 Free of Charge

Exercising your data protection rights is free of charge.

Exception: If your requests are manifestly unfounded, excessive, or repetitive, we may:

Charge a reasonable administrative fee
Refuse to act on the request

13.6 Rejection of Requests

If we refuse your request, we will:

Inform you within 1 month
Provide reasons for the refusal
Inform you of your right to lodge a complaint with CNIL (see Section 18)

14. DATA SECURITY

14.1 Our Security Commitment

We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect against:

Unauthorized access
Accidental loss
Destruction or damage
Alteration or disclosure

14.2 Technical Security Measures

14.2.1 Encryption

Data in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security)
Data at Rest: Sensitive data stored in databases is encrypted using AES-256 encryption
Password Storage: Passwords are hashed using bcrypt with salt (never stored in plain text)

14.2.2 Access Controls

Role-Based Access Control (RBAC): Database access restricted to authorized personnel only
Multi-Factor Authentication (MFA): Required for administrative access
Principle of Least Privilege: Users and systems have only the minimum access necessary

14.2.3 Network Security

Firewall Protection: Network-level firewalls protect against unauthorized access
DDoS Protection: Vercel provides DDoS mitigation
Intrusion Detection: Automated monitoring for suspicious activity

14.2.4 Secure Development Practices

Code Reviews: All code changes reviewed before deployment
Dependency Scanning: Regular checks for vulnerable libraries
Security Audits: Periodic security assessments of infrastructure
Penetration Testing: Scheduled third-party security testing

14.3 Organizational Security Measures

14.3.1 Employee Training

Data protection and security training for anyone with access to personal data
Confidentiality agreements and NDAs

14.3.2 Data Minimization

We collect only the personal data necessary for the Service
Regular reviews to delete unnecessary data

14.3.3 Backup and Recovery

Regular automated backups of critical data
Disaster recovery plan in place
Backups encrypted and stored securely

14.4 Third-Party Security

Our processors (Vercel, Supabase, Stripe, PostHog, Sentry) implement:

SOC 2 Type II compliance (industry-standard security audits)
ISO 27001 certification (information security management)
GDPR compliance (for EU data protection)
Regular security audits and penetration testing

14.5 Data Breach Notification

In the event of a personal data breach:

For EU/EEA Residents:

We will notify the CNIL (French supervisory authority) within 72 hours if the breach poses a risk to your rights and freedoms (GDPR Article 33)
We will notify affected users without undue delay if the breach poses a high risk (GDPR Article 34)

For All Users:

We will inform you of the breach, affected data, and mitigation steps
Notification will include:
- Nature of the breach
- Categories of data affected
- Likely consequences
- Measures taken to address the breach
- Contact point for further information

14.6 Limitations of Security

While we implement robust security measures, no system is 100% secure. You acknowledge that:

Internet transmission is not completely secure
You are responsible for maintaining the security of your account credentials
You should use a strong, unique password
You should enable two-factor authentication if available

14.7 Reporting Security Issues

If you discover a security vulnerability:

DO NOT publicly disclose it
Contact us immediately at cgautoentreprise@gmail.com
Subject line: "Security Vulnerability Report"
We will investigate and respond promptly

15. CHILDREN'S PRIVACY

15.1 Age Requirement

The Service is NOT intended for individuals under 18 years of age.

We do not knowingly:

Collect personal data from anyone under 18
Allow individuals under 18 to create accounts
Market our Service to minors

15.2 Verification

During account creation, you represent and warrant that you are at least 18 years old.

15.3 Parental Notification

If you are a parent or guardian and believe your child under 18 has provided personal data to us:

Contact us immediately at cgautoentreprise@gmail.com
Subject line: "Minor's Data - Deletion Request"
Provide proof of parental authority
We will promptly delete the account and associated data

15.4 COPPA Compliance (US)

The Service is not directed at children under 13, and we do not knowingly collect data from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA).

15.5 Educational Context

While flight training programs may include student pilots aged 18+, the Service is designed for adult professional pilot training and is not suitable for minors.

16. MARKETING COMMUNICATIONS

16.1 Types of Marketing Communications

With your explicit consent, we may send:

Newsletters: Updates about new features and content
Promotional offers: Special discounts or limited-time offers
Educational content: Articles, tips, and resources for type rating preparation
Beta invitations: Early access to new features
Surveys: Feedback requests to improve the Service

16.2 Legal Basis

Marketing communications are sent based on:

Explicit consent (opt-in required)
Soft opt-in (for existing customers regarding similar products/services, with easy opt-out)

16.3 Opt-In Process

When you create an account, you may opt in to marketing communications by:

Checking a box during registration
Subscribing via account settings
Responding to an opt-in confirmation email

16.4 How to Opt Out

You can opt out of marketing communications at any time:

Method 1 - Unsubscribe Link:

Click "Unsubscribe" at the bottom of any marketing email
Instant opt-out with confirmation

Method 2 - Account Settings:

Log in to your account
Go to Settings → Notifications
Disable marketing emails

Method 3 - Email Us:

Send a request to cgautoentreprise@gmail.com
Subject line: "Unsubscribe from Marketing Emails"

Effect: You will stop receiving marketing emails within 5 business days.

16.5 Transactional Emails

Even if you opt out of marketing, you will still receive:

Account confirmation emails
Password reset emails
Subscription receipts and invoices
Important Service updates (e.g., Terms of Service changes)
Security notifications

These are necessary for the Service and cannot be opted out of.

16.6 Frequency

We respect your inbox and limit marketing communications to:

Maximum 1 email per week (unless special promotions)
No spam or unsolicited emails

17. CHANGES TO THIS PRIVACY POLICY

17.1 Right to Modify

We may update this Privacy Policy from time to time to reflect:

Changes in our data processing practices
New features or services
Changes in applicable laws (e.g., new GDPR guidance)
Feedback from users or regulators
Addition or removal of third-party processors

17.2 Notification of Material Changes

For material changes that affect your rights, we will notify you:

a) Email Notification:

Sent to the email address associated with your account
At least 30 days before changes take effect

b) Prominent Notice:

Banner or pop-up on the website
Notification in account dashboard

c) Updated Date:

"Last Updated" date at the top of this Privacy Policy

17.3 Acceptance of Changes

Continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

If you do not agree to the changes:

Stop using the Service
Delete your account
Contact us to discuss concerns

17.4 Material vs. Non-Material Changes

Material changes include:

New categories of personal data collected
New purposes for processing
Changes to legal basis for processing
Addition of new third-party processors with access to personal data
Changes to data retention periods
Changes to international data transfers

Non-material changes include:

Clarifications or corrections
Formatting or organizational improvements
Updated contact information
Minor editorial changes

Non-material changes do not require advance notice but will be reflected in the "Last Updated" date.

17.5 Review Responsibility

We recommend reviewing this Privacy Policy periodically to stay informed of how we protect your personal data.

Bookmark this page: www.737ng.com/privacy-policy

18. RIGHT TO LODGE A COMPLAINT

18.1 Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority.

18.2 French Supervisory Authority (CNIL)

As we are based in France, the competent supervisory authority is:

Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy
TSA 80715
75334 Paris Cedex 07
France

Website: https://www.cnil.fr
Phone: +33 1 53 73 22 22
Email: Contact form available on website

How to File a Complaint:

Visit https://www.cnil.fr/fr/plaintes
Complete the online complaint form
Provide details of the alleged violation
Include supporting documentation

18.3 Other EU/EEA Supervisory Authorities

If you are resident in another EU/EEA country, you may lodge a complaint with your local supervisory authority:

List of EU Data Protection Authorities:
https://edpb.europa.eu/about-edpb/board/members_en

18.4 Right to Judicial Remedy

In addition to lodging a complaint with a supervisory authority, you have the right to:

Seek judicial remedy in the courts (see Terms of Service Section 15)
Request compensation for damages caused by GDPR violations

18.5 Contact Us First

Before lodging a complaint, we encourage you to:

Contact us directly at cgautoentreprise@gmail.com
Allow us to address your concerns
Work with us to resolve any issues

We are committed to resolving data protection concerns promptly and amicably.

19. CONTACT INFORMATION

19.1 Data Controller

Business Name: www.737ng.com (Commercial Name)
Legal Form: Auto-entrepreneur (Sole Proprietorship)
SIRET Number: 800 142 515
Registered Office:
5ème Avenue
60260 Lamorlaye
France

19.2 Privacy Contact

For all data protection inquiries, privacy rights requests, or concerns:

Email: cgautoentreprise@gmail.com
Postal Address: 5ème Avenue, 60260 Lamorlaye, France

Recommended Email Subject Lines:

Data access request: "GDPR Access Request"
Data deletion request: "GDPR Erasure Request"
Data portability request: "GDPR Data Portability Request"
General privacy inquiry: "Privacy Inquiry"
Security concern: "Security Issue Report"
Complaint: "Data Protection Complaint"

19.3 Response Time

We aim to respond to all privacy inquiries within:

1 month for GDPR rights requests (may be extended to 3 months for complex requests)
5 business days for general privacy questions
48 hours for urgent security concerns

19.4 French Language

We offer customer support in both English and French. You may send correspondence in either language.

19.5 Third-Party Contacts

For privacy inquiries specific to third-party services:

Vercel: https://vercel.com/legal/privacy-policy
Supabase: https://supabase.com/privacy
Stripe: https://stripe.com/privacy
PostHog: https://posthog.com/privacy
Sentry: https://sentry.io/privacy/
Google: https://policies.google.com/privacy

APPENDIX A: DEFINITIONS

Personal Data: Any information relating to an identified or identifiable natural person (GDPR Article 4(1)).

Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion (GDPR Article 4(2)).

Data Controller: The entity that determines the purposes and means of processing personal data (GDPR Article 4(7)). In our case: www.737ng.com.

Data Processor: An entity that processes personal data on behalf of the Data Controller (GDPR Article 4(8)). Examples: Vercel, Supabase, Stripe.

Data Subject: The identified or identifiable natural person to whom personal data relates (GDPR Article 4(1)). In our case: You, the user.

Consent: Freely given, specific, informed, and unambiguous indication of agreement to processing of personal data (GDPR Article 4(11)).

Third Party: Any natural or legal person other than the data subject, controller, processor, or persons authorized to process data (GDPR Article 4(10)).

Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data (GDPR Article 4(12)).

APPENDIX B: LEGAL REFERENCES

This Privacy Policy is based on the following legal frameworks:

EU and International:

Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR)
Directive 2002/58/EC (ePrivacy Directive)
EU-US Data Privacy Framework
Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914)

French Law:

Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés (French Data Protection Act)
Code de la consommation (French Consumer Code)
Code civil (French Civil Code)
Loi n° 2004-575 pour la confiance dans l'économie numérique (LCEN)

US Law (for transparency):

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
Children's Online Privacy Protection Act (COPPA)
Virginia Consumer Data Protection Act (VCDPA)

END OF PRIVACY POLICY

Last Updated: [INSERT DATE]
Version: 1.0
Effective Date: [INSERT DATE]

PRIVACY POLICY

www.737ng.com - Boeing 737 NG Type Rating Preparation Platform

Effective Date: [1st January 2026]
Last Updated: [1st January 2026]

Introduction
Data Controller Information
Scope and Applicability
Personal Data We Collect
How We Collect Personal Data
Legal Basis for Processing
How We Use Your Personal Data
Data Sharing and Third-Party Processors
International Data Transfers
Cookies and Tracking Technologies
Data Retention
Your Data Protection Rights
How to Exercise Your Rights
Data Security
Children's Privacy
Marketing Communications
Changes to This Privacy Policy
Right to Lodge a Complaint
Contact Information

1. INTRODUCTION

1.1 Our Commitment to Privacy

1.2 Transparency

We believe in transparency. This Privacy Policy provides you with clear and comprehensive information about:

What personal data we collect
Why we collect it
How we use it
Who we share it with
Your rights regarding your personal data
How to contact us with questions or concerns

This Privacy Policy complies with the General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679, as well as:

French Data Protection Act (Loi Informatique et Libertés)
French Consumer Code (Code de la consommation)
ePrivacy Directive (Directive 2002/58/EC)

By using our Service, you acknowledge that you have read and understood this Privacy Policy. For certain processing activities, we will request your explicit consent where required by law.

2. DATA CONTROLLER INFORMATION

2.1 Who is the Data Controller?

The Data Controller responsible for your personal data is:

Business Name: www.737ng.com (Commercial Name)
Legal Form: Auto-entrepreneur (Sole Proprietorship)
SIRET Number: 800 142 515
Registered Office:
5ème Avenue
60260 Lamorlaye
France

2.2 Contact Details

Email: cgautoentreprise@gmail.com
Postal Address: 5ème Avenue, 60260 Lamorlaye, France

For all data protection inquiries, privacy rights requests, or concerns, please contact us using the above details.

2.3 Data Protection Officer (DPO)

3. SCOPE AND APPLICABILITY

3.1 When This Policy Applies

This Privacy Policy applies when you:

Visit our website at www.737ng.com
Create an account on our platform
Use our Progressive Web App (PWA)
Subscribe to our paid plans
Contact us via email or support channels
Interact with our Service in any way

3.2 Third-Party Services

This Privacy Policy does not cover:

Third-party websites linked from our Service
Third-party services you may access through our platform (e.g., Google OAuth)
Payment processing by Stripe (covered by Stripe's privacy policy)

We recommend reviewing the privacy policies of any third-party services you interact with.

3.3 Geographic Scope

This Privacy Policy applies to all users worldwide, with specific protections for:

EU/EEA residents: Full GDPR rights
French residents: Additional protections under French law
US residents: Transparency consistent with state privacy laws
Other jurisdictions: Best practices in data protection

4. PERSONAL DATA WE COLLECT

4.1 What is Personal Data?

"Personal Data" means any information relating to an identified or identifiable natural person. This includes information that can directly or indirectly identify you.

4.2 Categories of Personal Data

4.2.1 Account Information

When you create an account, we collect:

Full name
Email address
Password (stored in hashed and encrypted form)
Account creation date
Last login date

4.2.2 Google OAuth Information

If you register or log in using Google OAuth, we collect:

Google User ID
Name (from your Google profile)
Email address (from your Google account)
Profile picture URL (if provided by Google)

We only access information you explicitly authorize through Google's consent screen.

4.2.3 Professional Information (Optional)

You may voluntarily provide:

Current airline or employer
Aircraft type experience (e.g., A320, B737, B777)
Pilot certifications or licenses
Years of flying experience
Current position (e.g., First Officer, Captain)

This information helps us personalize your experience but is not required to use the Service.

4.2.4 Subscription and Billing Information

When you subscribe to a paid plan:

Subscription tier (First Officer, Captain, Examiner)
Subscription start and end dates
Payment status (active, expired, cancelled)
Transaction IDs (from Stripe)
Billing country

Note: We do NOT store credit card numbers, CVV codes, or full payment details. All payment data is securely processed and stored by Stripe, Inc.

4.2.5 Usage and Activity Data

We automatically collect information about how you use the Service:

Questions answered (which questions, correctness, response time)
Study sessions (duration, systems studied, dates)
Progress metrics (mastery scores, weak areas, completion rates)
Exam simulations (scores, time taken, performance analytics)
Study notes accessed (which PDFs viewed, download times)
Feature usage (which parts of the platform you use most)

4.2.6 Technical and Device Information

We automatically collect:

IP address
Browser type and version (e.g., Chrome 120, Safari 17)
Operating system (e.g., iOS 17, Windows 11, macOS 14)
Device type (e.g., iPad Pro, iPhone 15, Windows laptop)
Screen resolution
Language preferences
Time zone
Referring website (how you arrived at our site)
Service Worker status (PWA offline capability)

4.2.7 Cookies and Similar Technologies

We use cookies and similar technologies to collect:

Session identifiers (for authentication)
Analytics data (via PostHog)
Error tracking data (via Sentry)
Preferences (e.g., theme, language)

See Section 10 for detailed cookie information.

4.2.8 Communications Data

When you contact us:

Email correspondence content
Support ticket information
Feedback and suggestions
Bug reports

5. HOW WE COLLECT PERSONAL DATA

5.1 Information You Provide Directly

We collect personal data when you:

Create an account (name, email, password)
Update your profile (professional details, preferences)
Subscribe to a paid plan (billing information via Stripe)
Contact support (email, support tickets)
Provide feedback (surveys, suggestions)

5.2 Information Collected Automatically

We automatically collect data when you:

Visit our website (IP address, browser info)
Use the Service (usage data, activity logs)
Answer questions (performance metrics)
Access study notes (engagement data)

5.3 Information from Third Parties

5.3.1 Google OAuth

If you sign up with Google, we receive:

Basic profile information (name, email, picture)
Authentication tokens
Google User ID

5.3.2 Stripe

For payment processing, Stripe provides us:

Payment confirmation status
Transaction IDs
Subscription status updates
Billing country

We do NOT receive full credit card details from Stripe.

5.3.3 Analytics and Monitoring Services

PostHog: Provides aggregated analytics data
Sentry: Provides error and crash reports

These services may collect technical data independently as outlined in Section 8.

6. LEGAL BASIS FOR PROCESSING

Under GDPR Article 6, we process your personal data based on the following legal grounds:

6.1 Contractual Necessity (Article 6(1)(b))

We process personal data to perform our contract with you, including:

Creating and managing your account
Providing access to questions and study materials
Processing your subscription and payments
Enabling offline functionality via PWA
Tracking your progress and performance
Providing customer support

Without this processing, we cannot provide the Service.

6.2 Legitimate Interests (Article 6(1)(f))

We process personal data based on our legitimate interests, including:

Service improvement: Analyzing usage patterns to enhance features
Security: Detecting and preventing fraud, abuse, and unauthorized access
Technical operations: Maintaining platform performance and reliability
Business analytics: Understanding user behavior to make informed decisions
Error monitoring: Identifying and fixing technical issues

We have conducted a balancing test and determined that these interests do not override your fundamental rights and freedoms.

6.3 Legal Obligation (Article 6(1)(c))

We process personal data to comply with legal obligations, including:

Tax and accounting requirements: Retaining financial records for 10 years under French tax law (Article L. 102 B of the Tax Procedures Code)
Consumer protection laws: Maintaining records to respond to regulatory inquiries
Anti-money laundering (AML): Complying with EU and French AML regulations
Court orders and legal requests: Responding to valid legal process

We obtain your explicit consent for:

Marketing communications: Sending promotional emails (opt-in required)
Non-essential cookies: Analytics and performance cookies (cookie banner)
Optional data processing: Processing optional professional information

You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

7. HOW WE USE YOUR PERSONAL DATA

7.1 Service Delivery

We use your personal data to:

Authenticate your login and maintain your session
Provide access to questions, study notes, and exam simulations
Track your progress and generate performance analytics
Enable offline study via PWA and IndexedDB
Sync your data across devices
Display personalized study recommendations
Generate mastery scores and weak area analysis

7.2 Subscription Management

We use your personal data to:

Process your subscription payments via Stripe
Manage subscription status (active, expired, cancelled)
Enforce tier-based access limits (FREE, First Officer, Captain, Examiner)
Send subscription confirmation and renewal reminders
Process refund requests (within 14-day withdrawal period)

7.3 Customer Support

We use your personal data to:

Respond to your support inquiries
Troubleshoot technical issues
Investigate and resolve bugs
Provide guidance on using the Service
Handle refund and billing questions

7.4 Service Improvement

We use aggregated and anonymized data to:

Analyze which features are most used
Identify areas for improvement
Test new features and A/B experiments
Optimize platform performance
Enhance user experience based on usage patterns

7.5 Security and Fraud Prevention

We use your personal data to:

Detect and prevent unauthorized account access
Identify suspicious activity (e.g., account sharing, bot usage)
Monitor for technical vulnerabilities
Protect against cyberattacks and data breaches
Enforce our Terms of Service

7.6 Legal Compliance

We use your personal data to:

Maintain financial records for tax authorities
Respond to legal requests and court orders
Comply with data protection regulations
Investigate violations of our Terms of Service

With your explicit opt-in consent, we may:

Send newsletters about new features
Notify you of special promotions or discounts
Share educational content related to type ratings
Invite you to participate in surveys or beta testing

You can opt out of marketing emails at any time by clicking "unsubscribe" in any email or contacting us.

We do NOT:

Sell your personal data to third parties
Share your data with advertisers
Use your data for purposes unrelated to the Service
Share more data than necessary with processors

We only share data with trusted third-party processors who help us deliver the Service.

8.2 Third-Party Processors

8.2.1 Vercel Inc. (United States) - Hosting Provider

Purpose: Application hosting and content delivery
Data Shared:

Technical data (IP addresses, browser info)
Application logs
Performance metrics

Data Transfer Mechanism: EU-US Data Privacy Framework
Privacy Policy: https://vercel.com/legal/privacy-policy
Location: United States

8.2.2 Supabase Inc. (United States) - Database and Authentication

Purpose: User authentication, database storage, file storage
Data Shared:

Account information (name, email, hashed passwords)
User-generated content (progress data, preferences)
Study notes (PDFs stored in Supabase Storage)

Data Transfer Mechanism: Standard Contractual Clauses (SCCs)
Privacy Policy: https://supabase.com/privacy
Location: United States (AWS us-east-1 region)

8.2.3 Stripe Inc. (United States) - Payment Processing

Purpose: Subscription payments and billing
Data Shared:

Email address
Billing country
Subscription tier and dates

Payment Data Stored by Stripe (NOT by us):

Credit card numbers
CVV codes
Full billing addresses

Data Transfer Mechanism: EU-US Data Privacy Framework
Privacy Policy: https://stripe.com/privacy
PCI DSS Compliance: Level 1 (highest security standard)
Location: United States

8.2.4 PostHog Inc. (United States) - Analytics

Purpose: Usage analytics and feature optimization
Data Shared:

Anonymized user IDs
Feature usage events (e.g., "question answered", "study note opened")
Technical data (device type, browser, OS)
Session duration and navigation paths

Data NOT Shared:

Personal names
Email addresses
Payment information
Specific question content or answers

Data Transfer Mechanism: Standard Contractual Clauses (SCCs)
Privacy Policy: https://posthog.com/privacy
Location: United States (Cloud EU option available, but we use US cloud)

8.2.5 Sentry Inc. (United States) - Error Monitoring

Purpose: Technical error tracking and crash reporting
Data Shared:

Error messages and stack traces
User IDs (anonymized in logs)
Technical context (browser, OS, device)
IP addresses (for geolocation debugging)

Data NOT Shared:

Passwords
Payment information
Personal email addresses in logs

Data Transfer Mechanism: EU-US Data Privacy Framework
Privacy Policy: https://sentry.io/privacy/
Location: United States

8.2.6 Google LLC (United States) - OAuth Authentication

Purpose: Optional login via Google account
Data Shared:

We receive: Name, email, profile picture (with your consent via Google's OAuth screen)
Google receives: Login requests from our domain

Data Transfer Mechanism: EU-US Data Privacy Framework
Privacy Policy: https://policies.google.com/privacy
Location: United States

8.3 Service Providers and Subprocessors

All third-party processors are:

Contractually bound to protect your personal data
Required to comply with GDPR (for EU users)
Subject to audit and compliance checks
Prohibited from using your data for their own purposes

8.4 Legal Disclosure

We may disclose personal data if required by law or in response to:

Court orders or subpoenas
Legal process from government authorities
Requests from law enforcement (where legally valid)
Protection of our legal rights or safety of users

We will notify you of legal disclosure requests unless prohibited by law.

8.5 Business Transfers

If www.737ng.com is acquired, merged, or undergoes a business reorganization:

Your personal data may be transferred to the new entity
This Privacy Policy will continue to apply
You will be notified of any material changes

9. INTERNATIONAL DATA TRANSFERS

9.1 Where is Your Data Processed?

Your personal data is transferred to and processed in the United States by our third-party service providers (Vercel, Supabase, Stripe, PostHog, Sentry, Google).

9.2 Legal Safeguards for International Transfers

We ensure appropriate safeguards are in place for international data transfers:

9.2.1 EU-US Data Privacy Framework

The following processors participate in the EU-US Data Privacy Framework (successor to Privacy Shield):

Vercel Inc.
Stripe Inc.
Sentry Inc.
Google LLC

This framework provides adequacy for data transfers from the EU to certified US companies.

More information: https://www.dataprivacyframework.gov

9.2.2 Standard Contractual Clauses (SCCs)

For processors not covered by the Data Privacy Framework, we use Standard Contractual Clauses (SCCs) approved by the European Commission:

Supabase Inc. (SCCs in place)
PostHog Inc. (SCCs in place)

SCCs are legally binding contracts that ensure European-level data protection even when data is processed outside the EU.

9.2.3 Additional Security Measures

Beyond legal mechanisms, we implement:

Encryption in transit (TLS 1.3)
Encryption at rest (AES-256)
Access controls (role-based permissions)
Regular security audits of processors
Incident response plans

9.3 Your Rights Regarding International Transfers

You have the right to:

Request information about safeguards in place for your data
Object to transfers if safeguards are inadequate
Request a copy of SCCs upon request

9.4 Data Residency Options

Currently, all data is processed in the United States. If you require EU data residency:

Contact us to discuss options
We may be able to configure Supabase EU region for future deployments
Note that this may impact Service performance and features

10. COOKIES AND TRACKING TECHNOLOGIES

10.1 What are Cookies?

Cookies are small text files stored on your device when you visit a website. They help us recognize your device and remember certain information about your visit.

10.2 Types of Cookies We Use

10.2.1 Strictly Necessary Cookies (No Consent Required)

These cookies are essential for the Service to function:

Cookie Name	Purpose	Duration	Provider
`sb-access-token`	Supabase authentication session	Session	Supabase
`sb-refresh-token`	Refresh authentication token	Persistent (30 days)	Supabase
`__vercel_live_token`	Development preview tokens	Session	Vercel

Legal Basis: Contractual necessity - required to provide the Service.

10.2.2 Analytics Cookies (Consent Required)

These cookies help us understand how you use the Service:

Cookie Name	Purpose	Duration	Provider
`ph_*`	PostHog analytics tracking	Persistent (1 year)	PostHog
`phc_*`	PostHog user identification	Persistent (1 year)	PostHog

Legal Basis: Consent (opt-in via cookie banner)
What We Track:

Pages visited
Features used
Time spent on platform
Navigation patterns
Device and browser info

What We DON'T Track:

Specific question content
Personal study notes
Payment details
Passwords

10.2.3 Performance Cookies (Consent Required)

These cookies help us monitor technical performance:

Cookie Name	Purpose	Duration	Provider
Sentry session cookies	Error tracking and crash reporting	Session	Sentry

Legal Basis: Consent (opt-in via cookie banner)

10.3 Local Storage and IndexedDB

We use browser local storage and IndexedDB for:

Offline PWA functionality (storing questions for offline study)
User preferences (theme, language, study settings)
Session data (current study session progress)
Cached content (for faster loading)

Local storage is NOT sent to our servers unless you explicitly sync your data while online.

10.4 How to Control Cookies

10.4.1 Cookie Banner

When you first visit www.737ng.com, you will see a cookie consent banner where you can:

Accept all cookies (necessary + analytics + performance)
Reject non-essential cookies (only necessary cookies)
Customize preferences (choose which cookie categories to allow)

10.4.2 Browser Settings

You can control cookies through your browser settings:

Chrome: Settings → Privacy and security → Cookies and other site data
Firefox: Settings → Privacy & Security → Cookies and Site Data
Safari: Preferences → Privacy → Manage Website Data
Edge: Settings → Cookies and site permissions

Note: Disabling necessary cookies will prevent you from using the Service.

10.4.3 Opt-Out of Analytics

To opt out of PostHog analytics specifically:

Use the cookie banner to reject analytics cookies
Or enable "Do Not Track" in your browser settings (we respect DNT signals)

10.5 Third-Party Cookies

We do NOT use third-party advertising cookies or tracking pixels from social media platforms.

If we add new cookies or tracking technologies, we will:

Update this Privacy Policy
Request your consent where required
Provide opt-out options

11. DATA RETENTION

11.1 Retention Principles

We retain personal data only as long as necessary for the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.

11.2 Retention Periods

Data Category	Retention Period	Legal Basis
Account Information	Duration of account + 3 years after closure	Legal claims (French Civil Code Article 2224)
Usage and Progress Data	Duration of account + 2 years	Service improvement and analytics
Payment Records	10 years from transaction date	French tax law (Article L. 102 B)
Support Emails	3 years from last correspondence	Customer service records
Analytics Data	2 years from collection	Service improvement
Error Logs (Sentry)	90 days	Technical troubleshooting
Marketing Consents	Until consent withdrawn + 3 years	Legal claims
Cookies	As specified in Section 10.2	Varies by cookie type

11.3 Account Deletion

When you delete your account:

Your profile and personal data are marked for deletion
Deletion occurs within 30 days
Some data may be retained longer for legal obligations (e.g., payment records for tax purposes)

11.4 Data Anonymization

After retention periods expire, we may:

Delete personal data entirely
Anonymize data by removing all identifiers (aggregated analytics)

Anonymized data is no longer considered personal data under GDPR and may be retained indefinitely.

11.5 Legal Holds

In the event of legal proceedings or disputes:

Relevant data may be retained beyond standard retention periods
You will be notified if your data is subject to a legal hold

12. YOUR DATA PROTECTION RIGHTS

Under the GDPR, you have the following rights:

12.1.1 Right of Access (Article 15)

You have the right to:

Request confirmation of whether we process your personal data
Obtain a copy of your personal data
Receive information about:
- Purposes of processing
- Categories of data processed
- Recipients of your data
- Retention periods
- Your other rights

Response Time: Within 1 month of request

12.1.2 Right to Rectification (Article 16)

You have the right to:

Correct inaccurate personal data
Complete incomplete personal data
Update outdated information

How to Exercise: Update your profile in account settings or contact us

12.1.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data when:

Data is no longer necessary for the original purpose
You withdraw consent (where processing is based on consent)
You object to processing and there are no overriding legitimate grounds
Data has been unlawfully processed
Data must be deleted to comply with a legal obligation

Exceptions: We may refuse deletion if we need the data for:

Legal obligations (e.g., tax records for 10 years)
Establishing, exercising, or defending legal claims
Compliance with French Consumer Code requirements

12.1.4 Right to Restriction of Processing (Article 18)

You have the right to request that we limit processing of your personal data when:

You contest the accuracy of the data (pending verification)
Processing is unlawful, but you prefer restriction over deletion
We no longer need the data, but you need it for legal claims
You have objected to processing (pending verification of legitimate grounds)

Effect: We will store the data but not use it (except with your consent or for legal claims).

12.1.5 Right to Data Portability (Article 20)

You have the right to:

Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV)
Transmit that data to another controller

Scope: Applies only to data you provided to us and processed based on consent or contract.

What We Provide:

Account information (name, email, professional details)
Usage data (questions answered, study sessions, progress metrics)
Preferences and settings

Format: JSON export available in account settings

12.1.6 Right to Object (Article 21)

You have the right to object to processing of your personal data based on:

Legitimate interests (Article 6(1)(f))
Direct marketing (including profiling)

Effect: We will stop processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Marketing Opt-Out: Use the "unsubscribe" link in emails or contact us.

12.1.7 Right Not to be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects or similarly significant effects.

Our Practices: We do NOT use automated decision-making that produces legal or similarly significant effects. Our analytics are used only for internal service improvement.

12.1.8 Right to Withdraw Consent

Where processing is based on consent, you have the right to:

Withdraw consent at any time
Without penalty or negative consequences

Effect: Withdrawal does not affect the lawfulness of processing before withdrawal.

How to Exercise:

Marketing emails: Click "unsubscribe"
Analytics cookies: Adjust cookie preferences
Other consents: Contact us at cgautoentreprise@gmail.com

12.2 Rights for Non-EU Residents

While GDPR applies primarily to EU/EEA residents, we extend similar rights to all users:

US residents: Consistent with state privacy laws (California CPRA, Virginia CDPA, etc.)
Other jurisdictions: Best practices in data protection

13. HOW TO EXERCISE YOUR RIGHTS

13.1 Contacting Us

To exercise any of your data protection rights, contact us:

Email: cgautoentreprise@gmail.com
Subject Line: "Data Protection Request - [Your Right]"
Postal Address: 5ème Avenue, 60260 Lamorlaye, France

13.2 Information to Include in Your Request

Please provide:

Your full name
Email address associated with your account
Specific right you wish to exercise (e.g., access, deletion, rectification)
Details of your request (be as specific as possible)
Proof of identity (to protect against fraudulent requests)

13.3 Identity Verification

To protect your personal data from unauthorized access, we may request additional information to verify your identity:

Confirmation of account email
Answers to security questions
Copy of government-issued ID (in limited cases, with ID number redacted)

13.4 Response Time

We will respond to your request:

Within 1 month of receiving a valid request
Extended to 3 months for complex requests (we will notify you within 1 month)

13.5 Free of Charge

Exercising your data protection rights is free of charge.

Exception: If your requests are manifestly unfounded, excessive, or repetitive, we may:

Charge a reasonable administrative fee
Refuse to act on the request

13.6 Rejection of Requests

If we refuse your request, we will:

Inform you within 1 month
Provide reasons for the refusal
Inform you of your right to lodge a complaint with CNIL (see Section 18)

14. DATA SECURITY

14.1 Our Security Commitment

We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect against:

Unauthorized access
Accidental loss
Destruction or damage
Alteration or disclosure

14.2 Technical Security Measures

14.2.1 Encryption

Data in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security)
Data at Rest: Sensitive data stored in databases is encrypted using AES-256 encryption
Password Storage: Passwords are hashed using bcrypt with salt (never stored in plain text)

14.2.2 Access Controls

Role-Based Access Control (RBAC): Database access restricted to authorized personnel only
Multi-Factor Authentication (MFA): Required for administrative access
Principle of Least Privilege: Users and systems have only the minimum access necessary

14.2.3 Network Security

Firewall Protection: Network-level firewalls protect against unauthorized access
DDoS Protection: Vercel provides DDoS mitigation
Intrusion Detection: Automated monitoring for suspicious activity

14.2.4 Secure Development Practices

Code Reviews: All code changes reviewed before deployment
Dependency Scanning: Regular checks for vulnerable libraries
Security Audits: Periodic security assessments of infrastructure
Penetration Testing: Scheduled third-party security testing

14.3 Organizational Security Measures

14.3.1 Employee Training

Data protection and security training for anyone with access to personal data
Confidentiality agreements and NDAs

14.3.2 Data Minimization

We collect only the personal data necessary for the Service
Regular reviews to delete unnecessary data

14.3.3 Backup and Recovery

Regular automated backups of critical data
Disaster recovery plan in place
Backups encrypted and stored securely

14.4 Third-Party Security

Our processors (Vercel, Supabase, Stripe, PostHog, Sentry) implement:

SOC 2 Type II compliance (industry-standard security audits)
ISO 27001 certification (information security management)
GDPR compliance (for EU data protection)
Regular security audits and penetration testing

14.5 Data Breach Notification

In the event of a personal data breach:

For EU/EEA Residents:

We will notify the CNIL (French supervisory authority) within 72 hours if the breach poses a risk to your rights and freedoms (GDPR Article 33)
We will notify affected users without undue delay if the breach poses a high risk (GDPR Article 34)

For All Users:

We will inform you of the breach, affected data, and mitigation steps
Notification will include:
- Nature of the breach
- Categories of data affected
- Likely consequences
- Measures taken to address the breach
- Contact point for further information

14.6 Limitations of Security

While we implement robust security measures, no system is 100% secure. You acknowledge that:

Internet transmission is not completely secure
You are responsible for maintaining the security of your account credentials
You should use a strong, unique password
You should enable two-factor authentication if available

14.7 Reporting Security Issues

If you discover a security vulnerability:

DO NOT publicly disclose it
Contact us immediately at cgautoentreprise@gmail.com
Subject line: "Security Vulnerability Report"
We will investigate and respond promptly

15. CHILDREN'S PRIVACY

15.1 Age Requirement

The Service is NOT intended for individuals under 18 years of age.

We do not knowingly:

Collect personal data from anyone under 18
Allow individuals under 18 to create accounts
Market our Service to minors

15.2 Verification

During account creation, you represent and warrant that you are at least 18 years old.

15.3 Parental Notification

If you are a parent or guardian and believe your child under 18 has provided personal data to us:

Contact us immediately at cgautoentreprise@gmail.com
Subject line: "Minor's Data - Deletion Request"
Provide proof of parental authority
We will promptly delete the account and associated data

15.4 COPPA Compliance (US)

The Service is not directed at children under 13, and we do not knowingly collect data from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA).

15.5 Educational Context

While flight training programs may include student pilots aged 18+, the Service is designed for adult professional pilot training and is not suitable for minors.

16. MARKETING COMMUNICATIONS

16.1 Types of Marketing Communications

With your explicit consent, we may send:

Newsletters: Updates about new features and content
Promotional offers: Special discounts or limited-time offers
Educational content: Articles, tips, and resources for type rating preparation
Beta invitations: Early access to new features
Surveys: Feedback requests to improve the Service

16.2 Legal Basis

Marketing communications are sent based on:

Explicit consent (opt-in required)
Soft opt-in (for existing customers regarding similar products/services, with easy opt-out)

16.3 Opt-In Process

When you create an account, you may opt in to marketing communications by:

Checking a box during registration
Subscribing via account settings
Responding to an opt-in confirmation email

16.4 How to Opt Out

You can opt out of marketing communications at any time:

Method 1 - Unsubscribe Link:

Click "Unsubscribe" at the bottom of any marketing email
Instant opt-out with confirmation

Method 2 - Account Settings:

Log in to your account
Go to Settings → Notifications
Disable marketing emails

Method 3 - Email Us:

Send a request to cgautoentreprise@gmail.com
Subject line: "Unsubscribe from Marketing Emails"

Effect: You will stop receiving marketing emails within 5 business days.

16.5 Transactional Emails

Even if you opt out of marketing, you will still receive:

Account confirmation emails
Password reset emails
Subscription receipts and invoices
Important Service updates (e.g., Terms of Service changes)
Security notifications

These are necessary for the Service and cannot be opted out of.

16.6 Frequency

We respect your inbox and limit marketing communications to:

Maximum 1 email per week (unless special promotions)
No spam or unsolicited emails

17. CHANGES TO THIS PRIVACY POLICY

17.1 Right to Modify

We may update this Privacy Policy from time to time to reflect:

Changes in our data processing practices
New features or services
Changes in applicable laws (e.g., new GDPR guidance)
Feedback from users or regulators
Addition or removal of third-party processors

17.2 Notification of Material Changes

For material changes that affect your rights, we will notify you:

a) Email Notification:

Sent to the email address associated with your account
At least 30 days before changes take effect

b) Prominent Notice:

Banner or pop-up on the website
Notification in account dashboard

c) Updated Date:

"Last Updated" date at the top of this Privacy Policy

17.3 Acceptance of Changes

Continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

If you do not agree to the changes:

Stop using the Service
Delete your account
Contact us to discuss concerns

17.4 Material vs. Non-Material Changes

Material changes include:

New categories of personal data collected
New purposes for processing
Changes to legal basis for processing
Addition of new third-party processors with access to personal data
Changes to data retention periods
Changes to international data transfers

Non-material changes include:

Clarifications or corrections
Formatting or organizational improvements
Updated contact information
Minor editorial changes

Non-material changes do not require advance notice but will be reflected in the "Last Updated" date.

17.5 Review Responsibility

We recommend reviewing this Privacy Policy periodically to stay informed of how we protect your personal data.

Bookmark this page: www.737ng.com/privacy-policy

18. RIGHT TO LODGE A COMPLAINT

18.1 Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority.

18.2 French Supervisory Authority (CNIL)

As we are based in France, the competent supervisory authority is:

Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy
TSA 80715
75334 Paris Cedex 07
France

Website: https://www.cnil.fr
Phone: +33 1 53 73 22 22
Email: Contact form available on website

How to File a Complaint:

Visit https://www.cnil.fr/fr/plaintes
Complete the online complaint form
Provide details of the alleged violation
Include supporting documentation

18.3 Other EU/EEA Supervisory Authorities

If you are resident in another EU/EEA country, you may lodge a complaint with your local supervisory authority:

List of EU Data Protection Authorities:
https://edpb.europa.eu/about-edpb/board/members_en

18.4 Right to Judicial Remedy

In addition to lodging a complaint with a supervisory authority, you have the right to:

Seek judicial remedy in the courts (see Terms of Service Section 15)
Request compensation for damages caused by GDPR violations

18.5 Contact Us First

Before lodging a complaint, we encourage you to:

Contact us directly at cgautoentreprise@gmail.com
Allow us to address your concerns
Work with us to resolve any issues

We are committed to resolving data protection concerns promptly and amicably.

19. CONTACT INFORMATION

19.1 Data Controller

Business Name: www.737ng.com (Commercial Name)
Legal Form: Auto-entrepreneur (Sole Proprietorship)
SIRET Number: 800 142 515
Registered Office:
5ème Avenue
60260 Lamorlaye
France

19.2 Privacy Contact

For all data protection inquiries, privacy rights requests, or concerns:

Email: cgautoentreprise@gmail.com
Postal Address: 5ème Avenue, 60260 Lamorlaye, France

Recommended Email Subject Lines:

Data access request: "GDPR Access Request"
Data deletion request: "GDPR Erasure Request"
Data portability request: "GDPR Data Portability Request"
General privacy inquiry: "Privacy Inquiry"
Security concern: "Security Issue Report"
Complaint: "Data Protection Complaint"

19.3 Response Time

We aim to respond to all privacy inquiries within:

1 month for GDPR rights requests (may be extended to 3 months for complex requests)
5 business days for general privacy questions
48 hours for urgent security concerns