Data Processing Addendum
Last updated: May 26, 2026
This Data Processing Addendum ("DPA") supplements the Terms of Service and applies to processing of personal data where myAviationTools (operated by SynthaSkill LLC) acts as a data processor on your behalf, and you are the data controller for purposes of GDPR and similar data protection laws.
1. Subject Matter and Duration
SynthaSkill LLC processes personal data on your instructions for the duration of your subscription to myAviationTools, plus 30 days after termination (grace period for account recovery) as described in our Terms of Service.
2. Nature and Purpose of Processing
We process personal data in order to:
- Provide the Service (authentication, data storage, cross-app integration)
- Fulfill billing and subscription management
- Diagnose errors and improve the Service (via Sentry error tracking)
- Respond to support requests and legal obligations
- Send transactional notifications (via Resend)
3. Type of Personal Data
The categories of personal data we process include:
- Identification data (name, email address)
- Professional data (FAA certificate number, ratings, role)
- Account credentials (hashed password via scrypt)
- Usage and telemetry (page views, feature usage, error events)
- Payment metadata (Stripe customer ID, subscription status — not payment card data)
- Communication data (support tickets, messages within the Service)
4. Categories of Data Subjects
Data subjects whose personal data we process include:
- Account holders (mechanics, pilots, employers)
- Users invited by account holders (team members, employees)
- Individuals referenced in user-submitted records (crew, passengers, maintenance contacts)
5. Controller and Processor Roles
You (the customer) are the data controller. You determine the purposes and means of personal data processing.
SynthaSkill LLC is the processor. We process personal data only on your documented instructions, as set out in this DPA and the Terms of Service.
6. Sub-processors
We may engage third-party sub-processors to assist in providing the Service. A complete list of current sub-processors is available at /subprocessors. We notify you at least 30 days before adding or removing a sub-processor via in-app notification and email. You may object to a new sub-processor by emailing [email protected] within 14 days of notice.
7. Data Subject Rights
You are responsible for fulfilling data subject rights requests (access, correction, deletion, portability, objection, restriction, automated decision-making). We will assist you upon request:
- Access: Users can export their data via Settings → Export
- Correction: Users can edit profile details directly in the app
- Deletion: Users can delete their account; we retain data for 30 days, then permanently delete it
- Portability: JSON export available on request to [email protected]
We will respond to legally valid requests within 14 business days.
8. International Transfers
All production data is stored in the European Union (Hetzner FSN1-DC11, Helsinki, Finland) and is not transferred outside the EU except where necessary to sub-processors (see section 6 and the sub-processor list).
For sub-processors located outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards as required by GDPR Article 46.
9. Security Measures
We implement technical and organizational measures to protect personal data, including:
- Encryption at rest: Database and backup encryption (age — X25519 for backups)
- Encryption in transit: TLS 1.3 on all endpoints with HSTS
- Password security: Hashed via scrypt (Better Auth default)
- Session management: HttpOnly, Secure, SameSite=Lax cookies; 7-day expiration
- Access controls: Role-based access, API authentication
- Audit logging: Administrative action logging (in development)
- Infrastructure security: Hetzner dedicated server with UFW firewall, fail2ban, Cloudflare DDoS protection
Detailed security measures are described in our Privacy Policy.
10. Personal Data Breach Notification
In the event of a confirmed personal data breach, we will notify you within 72 hours of discovery. We will provide:
- Description of the breach and data affected
- Likely consequences for data subjects
- Measures taken or proposed to mitigate the harm
- Contact details of our Data Protection Officer
You are responsible for notifying your data subjects if required by applicable law.
11. Audit Rights
You have the right to audit our compliance with this DPA upon reasonable notice (at least 30 days). We will provide necessary cooperation and documentation. Audits may be conducted no more than once per calendar year unless required by law or a regulator.
Contact [email protected] to request an audit.
12. Return and Deletion of Data
Upon termination of your subscription:
- You may request an export of all your data within the 30-day grace period
- After 30 days, we permanently delete all personal data associated with your account
- You are responsible for archiving any data you wish to retain
Backups may retain data for up to 90 days after account deletion for disaster recovery; these are deleted when the backup retention window expires.
13. Liability
Each party's liability is limited as described in the Terms of Service Section 10 (Limitation of Liability).
14. Governing Law and Amendment
This DPA is governed by the laws of the State of Delaware, without regard to conflict-of-laws provisions. Material changes to this DPA will be announced via email and in-app notification at least 30 days in advance.
15. Contact
For questions about this DPA or to exercise data subject rights:
- Data Protection Officer: [email protected]
- Legal inquiries: [email protected]