1. Overview
Aero Logistics OS (“the Platform”) is a multi-tenant logistics management system. This Privacy Policy describes how we collect, use, and protect information when you use our services. We are committed to transparency and GDPR compliance.
This policy applies to all users of the Platform, including Fleet Owners (Admins), Drivers, and Clients who access the system via web or progressive web applications.
2. Data We Collect
We collect only data necessary for platform operation:
- Account information: name, email, phone number, role assignment
- Operational data: job records, status transitions, expenses, proof of delivery
- Location data: driver GPS coordinates during active jobs only
- Authentication data: JWT tokens, session metadata (never stored long-term)
- Audit data: immutable event logs for every system action
3. Data Ownership
The Fleet Owner maintains 100% ownership and sovereignty over their operational data. Aero Logistics OS processes data on behalf of the Fleet Owner and does not claim any rights, title, or interest in customer data.
Data is logically isolated per tenant via PostgreSQL Row-Level Security (RLS) policies. No cross-tenant data access is possible at any layer of the system.
4. Tenant Isolation
Every table in the system enforces tenant_id isolation at the database layer. Access control is verified via JWT claims embedded in every authenticated request. This ensures:
- Zero cross-tenant data reads under any condition
- Database-level enforcement, not application-level filtering
- Independent tenant provisioning and lifecycle management
- Complete data portability on tenant termination
5. Data Processing
All data mutations flow through server-side RPC calls (handle_job_event). No direct database writes are performed from client applications. Data in transit is encrypted via TLS 1.3. Data at rest is encrypted via AES-256.
6. Data Retention
Event logs are retained indefinitely as part of the immutable audit trail. Operational snapshots (job status) are maintained for the duration of the service agreement. Upon tenant termination, all tenant-scoped data can be exported and is permanently deleted within 30 days.
7. Third-Party Services
We use Supabase (hosted PostgreSQL) as our infrastructure provider. Supabase is SOC 2 Type II certified and GDPR compliant. We do not share, sell, or license customer operational data to any third party.
8. Your Rights
Under GDPR, you have the right to:
- Access all personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (subject to legal retention requirements)
- Export your data in a machine-readable format
- Object to data processing activities
9. Contact
For privacy-related inquiries, data access requests, or concerns, contact our Data Protection team at privacy@aerologistics.os.