Privacy Policy

Last updated: March 2026

1. Who We Are

LMS Plus is an EASA PPL training platform. We are the data controller for personal data processed through this service.

• Controller contact: support@lmsplus.eu
• Full legal entity details to be added before production launch.

2. Data We Collect

• Identity: name, email address, organisation membership
• Training activity: quiz scores, response times, session data, spaced repetition state
• Technical: login timestamps, IP addresses (for consent records and security logging)

3. Legal Basis

• Platform operation: legitimate interest (Art. 6(1)(f))
• Training records & audit logs: legal obligation under EASA Part ORA (Art. 6(1)(c))
• Consent tracking: consent (Art. 6(1)(a))

4. How We Store It

Data is hosted on Supabase (EU region) with the following protections:

• Encrypted at rest and in transit
• Access restricted to authenticated users via row-level security policies
• Service-role access limited to server-side administrative operations

5. Cookies

We use essential cookies only:

• An authentication session cookie (required to keep you signed in)
• A consent record cookie (tracks which document versions you have accepted)

No analytics, advertising, or tracking cookies are used.

6. Data Retention & EASA Compliance

Training records (quiz sessions, scores, and responses) are retained as required by EASA Part ORA for regulatory auditing purposes.

• These records must identify the student and cannot be anonymised or deleted
• Deactivated accounts remain subject to this retention requirement
• Non-training data is retained only while your account is active

7. Who Has Access

• Flight school administrators:can view their students' progress and export student data
• Platform operators: access data only for support and maintenance

8. Your GDPR Rights

Right of access & data portability (Articles 15 & 20)

You can download a copy of all your data in JSON format from your Settings page at any time.

Right to rectification (Article 16)

You can update your name and other profile information from your Settings page.

Right to restrict processing (Article 18)

You may request account deactivation by contacting your flight school administrator or support@lmsplus.eu.

Right to erasure (Article 17)

Under GDPR Article 17(3)(b), the right to erasure does not apply where processing is necessary for compliance with a legal obligation. EASA Part ORA requires retention of identified training records for regulatory auditing. Training data cannot be deleted or anonymised while this obligation applies.

Other rights

To exercise any other right or raise a concern, contact us at dpo@lmsplus.eu.

9. Changes to This Policy

We may update this policy. When we do, you will be asked to review and re-consent on your next login.

10. Contact

• General enquiries: support@lmsplus.eu
• Data Protection Officer: dpo@lmsplus.eu