Privacy Policy
Last updated: 2 June 2026
This privacy policy explains how Auto-Briefingsheet ("we", "us", "the Service") collects, uses, stores, and protects your personal data when you use the website https://briefingsheet.ch. It is written to comply with the EU General Data Protection Regulation (GDPR) and the revised Swiss Federal Act on Data Protection (revFADP / revDSG).
Auto-Briefingsheet is an aviation tool that compiles personalised pilot briefing sheets from Crew Briefing PDF packages. It is operated by a private individual ("the Controller").
1. Who we are
Controller: Roland Bieg, Switzerland
For privacy requests: please use our contact form.
We are not legally required to appoint a Data Protection Officer (DPO) and have not done so. You can contact the Controller directly for any data protection matter.
2. What personal data we collect
When you use Auto-Briefingsheet we collect and process the following categories of personal data:
Account data
- Email address
- Password (stored only as a salted hash; we never see your plaintext password)
- Account creation date, email verification status

Third-party service credentials (optional)
- Your Crew Briefing username and password
- Your Augur (Eurocontrol RAIM) username and password
- These credentials are encrypted at rest using AES with a server-side key. They are decrypted only in memory when you trigger a briefing-sheet generation, and only to log in to those services on your behalf.

Authentication and security data
- Login events: timestamp, IP address, success/failure, user agent
- Email-verification and password-reset tokens (short-lived, single-use)

Technical data
- Server access logs containing IP address, request time, URL, response status, and user agent
We do not collect: location data beyond IP, contact lists, biometric data, data about minors (the Service is not intended for users under 16), advertising identifiers, or special-category data under Art. 9 GDPR.
3. How we collect your data
You provide most of the data directly when you:
- Register an account
- Verify your email address
- Save Crew Briefing or Augur credentials in your settings
- Log in
- Use the Service to generate briefing sheets
We collect technical data automatically through your browser (server logs, session cookie) when you interact with the Service.
We do not receive personal data about you from third parties.
4. How and why we use your data
We process your data only for the following purposes and only on the legal bases listed.
| Purpose | Data used | Legal basis |
|---|---|---|
| Create and operate your account | Email, password hash | Contract (Art. 6(1)(b) GDPR) |
| Verify your email address | Email, verification token | Contract (Art. 6(1)(b)) |
| Reset a forgotten password | Email, reset token | Contract (Art. 6(1)(b)) |
| Automatically retrieve your briefing package from Crew Briefing / Augur | Encrypted third-party credentials | Contract (Art. 6(1)(b)) — only if you save those credentials |
| Detect and prevent abuse, brute-force attacks, and unauthorised access | Login events, IP, server logs | Legitimate interest in service security (Art. 6(1)(f)) |
| Send transactional emails (verification, password reset) | | Contract (Art. 6(1)(b)) |
| Comply with legal obligations | Account data | Legal obligation (Art. 6(1)(c)) |
We do not use your data for marketing, profiling, or automated decision-making with legal or similarly significant effect.
5. Where and how we store your data
The Service is self-hosted in Switzerland on Synology hardware operated by the Controller. The database is encrypted at rest where supported by the platform, and AES encryption is applied to particularly sensitive fields (Crew Briefing and Augur credentials).
Backups are stored on the same Synology system and rotated regularly.
Access to the production system is restricted to the Controller and protected by SSH key authentication. The application enforces HTTPS, salted password hashing, and CSRF protection.
6. Recipients and processors
We share your personal data only with the following processors, each of whom acts on our written instructions and is bound by a data-processing agreement where required:
| Processor | Purpose | Location |
|---|---|---|
| Mailjet (Sinch Email) | Outbound transactional email relay | France / EU |
| Synology Inc. (hardware vendor) | Local server hardware (no cloud storage of user data) | Server located in Switzerland |
| Open-Meteo | Public weather data API for arrival weather icon — no personal data is sent, only airport coordinates | Germany |
| green.ch AG | Domain registrar for briefingsheet.ch | Switzerland |
We do not sell your data, share it for advertising, or transfer it to data brokers.
7. International data transfers
All processors used by the Service operate within Switzerland or the European Economic Area. We currently do not transfer your personal data to any third country. Should this change in the future, we will update this policy and ensure transfers are protected by Standard Contractual Clauses or another recognised safeguard.
8. How long we keep your data
| Data | Retention period |
|---|---|
| Account data (email, password hash, settings) | Until you delete your account, or after 24 months of inactivity |
| Encrypted third-party credentials | Until you remove them in settings or delete your account |
| Login events / authentication logs | 90 days, then automatically purged |
| Email-verification tokens | 1 hour, single-use |
| Password-reset tokens | 1 hour, single-use |
| Server access logs | 30 days |
When you delete your account, we delete your account data without undue delay.
9. Your data protection rights
Under GDPR and revFADP you have the following rights:
- Right to access — Request a copy of the personal data we hold about you.
- Right to rectification — Ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — Ask us to delete your data, subject to legal retention obligations.
- Right to restrict processing — Ask us to limit how we process your data in specific circumstances.
- Right to object — Object to processing based on legitimate interests.
- Right to data portability — Receive your data in a structured, machine-readable format.
- Right to withdraw consent — Where processing is based on consent, you can withdraw it at any time without affecting prior lawful processing.
- Right to lodge a complaint — See section 13.
You can exercise most of these rights yourself in the settings area: change your email or password, remove saved third-party credentials, or delete your account. For anything else, contact us via the form linked in section 1. We will respond within one month.
10. Cookies and similar technologies
We use only strictly necessary cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| Flask session cookie | Keeps you signed in and protects against CSRF | Session / up to 30 days if "remember me" is enabled |
We do not use analytics, advertising, tracking, or third-party cookies. Because all cookies we set are strictly necessary for the Service to function, no consent banner is required under the ePrivacy Directive.
You can delete cookies in your browser settings at any time, but you will then be signed out and unable to use the Service.
11. Links to other websites
Our Service may contain links to third-party websites (e.g. Eurocontrol AIS, Crew Briefing, Augur). This privacy policy applies only to our Service. We are not responsible for the privacy practices of other websites and recommend you read their privacy policies.
12. Changes to this privacy policy
We review this policy regularly and may update it to reflect changes in our Service or in applicable law. The "Last updated" date at the top shows when it was last revised. For material changes that affect your rights we will notify registered users by email.
13. How to contact us and how to complain
For any question about this policy, your data, or to exercise your rights:
Online: contact form
If you believe we have not handled your data lawfully you have the right to lodge a complaint with a supervisory authority:
Switzerland: Federal Data Protection and Information Commissioner (FDPIC / EDÖB), Feldeggweg 1, CH-3003 Bern, https://www.edoeb.admin.ch
European Union: The data protection authority of the EU/EEA member state where you live, work, or where the alleged infringement took place. A list is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.