Data & privacy

Privacy Policy

Effective: 24 May 2026

1. Who we are

Controller: alpaviation ag (Swiss Aktiengesellschaft)
Address: Flugplatzstrasse 31, 3123 Belp, Switzerland
UID-CHE / VAT: CHE-106.290.512
FOCA ATO: CH.ATO.0147
Phone: +41 31 960 22 22
Email: info@alpaviation.ch

alpaviation ag has operated as a flight training academy at Bern-Belp Airport (LSZB) since 1988. We are the data controller for personal data collected through our website and services.

No separate Data Protection Officer (DPO) has been appointed. All privacy enquiries are handled directly by management and can be directed to info@alpaviation.ch.

2. Scope

This policy applies to:

The website alpaviation.ch and all locale paths (/en, /de, /fr)
Contact forms, newsletter signups, and enquiry flows on that website
Transactional and marketing emails sent by alpaviation ag
The Hänsli AI chat widget embedded on the website

It does not apply to:

Third-party websites we link to (FOCA at bazl.admin.ch, EASA at easa.europa.eu, partner sites). Those sites have their own privacy policies.
Separate written contracts for flight training, aircraft rentals, or aircraft management. Those contracts may contain additional data-processing provisions.

3. Data we collect

Data you provide

Category	Examples	When collected
Identity	Full name, date of birth (training enrolment only)	Contact forms, training enquiries, booking requests
Contact details	Email address, phone number, postal address	Any form submission or enquiry
Aviation data	Licence numbers, ratings held, medical class and expiry (not underlying condition)	Training programme enrolment; required by EASA Part-ORA
Booking preferences	Preferred dates, aircraft type, route interest	Scenic flight and rental booking requests
Communications	Messages sent via contact forms, chat history with Hänsli	Ongoing use of the website
Newsletter	Email address, subscription date, consent timestamp	Newsletter signup (double opt-in)

We do not collect payment card details through the website. Where payment processing is introduced, it will be handled by a PCI-compliant third-party processor; we will receive only a transaction token and the last four digits of the card.

Data collected automatically

Category	Examples	Source
Device and log data	IP address (anonymised for analytics), browser type, operating system, timestamps	Web server / Vercel edge logs
Analytics	Page views, session duration, approximate country, device class, referral source	Google Analytics 4 (loaded only with consent)
Session behaviour	Click maps, scroll depth, anonymised session replays	Microsoft Clarity (loaded only with consent)
Cookies and local storage	Session identifiers, locale preference, consent state	Browser — see /cookies

Data we do not collect

Special category data (racial or ethnic origin, religious beliefs, political opinions, trade union membership, genetic data, biometric data for identification, or data concerning sexual orientation). We have no business reason to collect any of these.
Health or medical records beyond the minimum required by EASA Part-ORA (medical class and expiry date only — never the underlying condition or diagnosis).
Personal data from children under 16, except where a parent or guardian has provided verifiable consent for a teen discovery flight.

4. Why we collect it

Purpose	Legal basis (GDPR Art. 6)	Swiss nFADP basis	Retention
Respond to contact and quote requests	Art. 6(1)(b) — steps prior to contract	Contractual interest	2 years from last contact
Process scenic flight and rental bookings	Art. 6(1)(b) — performance of contract	Contractual	10 years (Swiss CO Art. 958f — accounting obligation)
Manage flight training enrolment and records	Art. 6(1)(b) + 6(1)(c) — contract + legal obligation	Legal obligation	Minimum 5 years post-licence issuance (EASA Part-ORA); accounting records 10 years
Send transactional service emails	Art. 6(1)(b) — contract	Contractual	Duration of the service relationship
Send the newsletter	Art. 6(1)(a) — consent (double opt-in)	Consent	Until you unsubscribe or withdraw consent
Operate the Hänsli AI chat	Art. 6(1)(f) — legitimate interest	Overriding interest	Session only; not stored beyond the session unless you submit a contact form
Analyse website performance	Art. 6(1)(a) — consent (opt-in)	Consent	14 months (GA4 default); 13 months (Clarity)
Prevent fraud, abuse, and spam on forms	Art. 6(1)(f) — legitimate interest	Overriding interest	12 months from the relevant event
Comply with Swiss tax, accounting, FOCA/EASA obligations	Art. 6(1)(c) — legal obligation	Legal obligation	As required by applicable law

5. Who we share data with

We do not sell, rent, or trade your personal data. We share it only with the following sub-processors, each bound by a written Data Processing Agreement (DPA) or equivalent contractual safeguards:

Sub-processor	Role	Data region	Transfer mechanism
Vercel Inc.	Website hosting and edge compute	EU edge nodes; US control plane	EU Standard Contractual Clauses (2021/914) + EU-US Data Privacy Framework
Supabase Inc.	Database (PostgreSQL, EU region)	Frankfurt, EU	EU region — no third-country transfer
Resend Inc.	Transactional email and newsletter audiences	US (EU region available)	Standard Contractual Clauses
Google LLC — Gemini API	Hänsli AI chat responses (only data you send to Hänsli; not used for model training when on the paid Gemini API or Vertex AI tier — see note below)	US	Standard Contractual Clauses + EU-US Data Privacy Framework
Google LLC — Maps Embed	Embedded map on the /contact page (loaded only after you accept)	US	Standard Contractual Clauses + EU-US Data Privacy Framework
Google LLC — Analytics 4	Website analytics (anonymised IP)	US	Standard Contractual Clauses + EU-US Data Privacy Framework
Microsoft Corporation — Clarity	Session behaviour analytics	US	Standard Contractual Clauses + EU-US Data Privacy Framework
Counsel, accountants, auditors	Legal advice, financial audit	Switzerland	Bound by professional confidentiality obligations
FOCA, tax authorities, courts	Where legally required	Switzerland	Legal obligation — no DPA required

We notify users of material additions to this list at least 30 days before the new sub-processor begins processing your data. Payment processing and video delivery sub-processors will be disclosed here at least 30 days before they begin processing personal data.

Hänsli sends your name, email, interest, and chat messages to Google's Gemini API in the United States. Google's terms differ between API tiers: the paid Gemini API and Vertex AI tiers do not use customer prompts to train Google's models; free Developer API tiers may. alpaviation operates Hänsli on a billed tier and does not consent to training on user data. If you do not wish your chat content to be processed by Google in the US, do not use the Hänsli widget — write to info@alpaviation.ch instead.

6. International transfers

The majority of data processing occurs within the European Union (Frankfurt region). Where data is transferred to or accessible from the United States or other third countries, we rely on:

EU Standard Contractual Clauses (2021/914), supplemented by the Swiss FDPIC addendum for transfers from Switzerland.
EU-US Data Privacy Framework certification, where the recipient is a certified participant.
Supplementary technical measures: TLS 1.3 encryption in transit, AES-256 encryption at rest, row-level security access controls on all database tables.

These measures ensure that your data receives a level of protection equivalent to that required under Swiss nFADP and EU GDPR.

7. Your rights

Depending on your country of residence, you may have the following rights in relation to your personal data:

Access — obtain a copy of the data we hold about you.
Rectification — correct inaccurate or incomplete data.
Erasure — request deletion ("right to be forgotten"), subject to legal retention obligations.
Restriction — limit how we process your data while a dispute is resolved.
Portability — receive your data in a structured, machine-readable format (where the basis is consent or contract).
Objection — object to processing based on legitimate interest, or to direct marketing at any time.
Withdrawal of consent — withdraw any consent given at any time. Withdrawal does not affect the lawfulness of processing that took place before withdrawal.

How to exercise your rights: Write to us at info@alpaviation.ch or by post to Flugplatzstrasse 31, 3123 Belp, Switzerland. We will respond within 30 days. For complex or multiple requests, we may extend this by a further 60 days and will notify you of the extension.

Supervisory authorities

Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
EU: Your national data protection supervisory authority (for example, the CNIL in France, the BfDI in Germany)

8. Cookies

We use cookies and similar tracking technologies on alpaviation.ch. A short summary:

Category	Purpose	Consent required
Strictly necessary	Session management, locale preference, consent state, security	No
Analytics	GA4 (_ga, _ga_*), Microsoft Clarity (_clck, _clsk, MUID)	Yes — opt-in
Marketing	None currently deployed	Not applicable

You can accept, decline, or change your cookie preferences at any time using the "Cookie settings" button in the website footer. See our full Cookie Policy at /cookies for names, durations, and provider details.

9. Security

We implement the following technical and organisational measures to protect your data:

HTTPS across all pages, with HTTP Strict Transport Security (HSTS) enforced.
Encryption at rest (AES-256) on all database and file storage systems.
Row-Level Security (RLS) on every database table, restricting data access to authorised contexts only.
Honeypot fields and timestamp-based anti-bot controls on all public forms.
Webhook signature verification on all inbound external callbacks.
Regular dependency updates and automated vulnerability monitoring.
Point-in-time database backups.

No system is entirely without risk. If we become aware of a personal-data breach that is likely to result in risk to your rights and freedoms, we will notify the FDPIC and relevant EU supervisory authorities within 72 hours of becoming aware, and will contact affected individuals directly where required (GDPR Art. 33–34; nFADP Art. 24).

10. Children

Our website and services are not directed at children under 16. Where a minor wishes to book a discovery flight, a parent or legal guardian must provide written consent. We do not knowingly collect personal data from children under 16 without verifiable parental consent. If you believe we have collected such data in error, contact us at info@alpaviation.ch and we will delete it promptly.

11. Automated decision-making and profiling

We do not make automated decisions that produce legal or similarly significant effects about you within the meaning of GDPR Art. 22.

The Hänsli AI chat widget provides informational responses to website visitors — it does not make enrolment decisions, pricing decisions, or any determination of eligibility. The Pilot Discovery Quiz produces a non-binding career suggestion based on your responses — it is an informational tool only and has no effect on any application or enrolment.

12. Marketing communications

We send marketing emails (newsletter, programme updates, event announcements) only to subscribers who have given explicit double opt-in consent via the signup form. Every marketing email includes a one-click unsubscribe link. To opt out at any time, click that link or write to info@alpaviation.ch.

We do not send marketing by SMS or post unless you separately consent to this.

13. Retention and deletion

We keep your personal data only for as long as is necessary for the purposes described in section 4 or as required by law:

Accounting and financial records: 10 years from the end of the relevant financial year (Swiss CO Art. 958f).
EASA flight training records: minimum 5 years after the training is completed or the licence is issued (EASA Part-ORA).
Contact and enquiry data: 2 years from last contact, unless a training relationship follows.
Analytics data: 14 months from collection (Google Analytics 4 default).
Newsletter subscription data: until you unsubscribe or withdraw consent, then deleted within 30 days.

When the applicable retention period ends, we securely delete or irreversibly anonymise the data. You may request earlier deletion (see section 7); data subject to a mandatory retention obligation will be retained until that obligation is met, but will not be used for any other purpose during that period.

14. Changes to this policy

We may update this policy periodically. When we do, we will update the "Effective date" at the top of this page. For material changes — such as a new sub-processor, a new processing purpose, or a new international transfer — we will notify subscribers by email at least 30 days before the change takes effect, giving you the opportunity to withdraw consent if you wish.

15. Contact

For any question, rights request, or concern relating to this policy:

Email: info@alpaviation.ch
Post: alpaviation ag, Flugplatzstrasse 31, 3123 Belp, Switzerland
Phone: +41 31 960 22 22

Swiss supervisory authority: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch