PRIVACY NOTICE

Peak Aviation Academy OOD  |  Peak Aviation OOD  |  Peak Aviation FZC LLC

Effective Date: 22 April 2026  |  Version 1.1

 

This Privacy Notice explains what personal data we collect, why we collect it, how we use it, who we share it with, and what your rights are. We have written it in plain language so it is easy to understand. If you have any questions, email us at [email protected].

 

1.  Who We Are

Peak Aviation operates through three legal entities. Each entity acts as a data controller for the personal data it processes in connection with its own products and services:

 

Entity	Registration	Country	Products / Services
Peak Aviation Academy OOD	Reg. No. 207786682	Bulgaria	Private Pilot Pathway, Certification Module (EASA DTO)
Peak Aviation OOD	Reg. No. 205855051 / VAT BG205855051	Bulgaria	ELP Tests, ATPL Programme, B2B Training
Peak Aviation FZC LLC	UAE free zone company	UAE	Single Subject Modules

 

Registered address for both Bulgarian entities: Puzl CoWorking, Business Centre Vitosha, Cherni Vrah 47A Blvd., Sofia, 1407, Republic of Bulgaria.

Contact email: [email protected]

 

This Privacy Notice covers personal data collected through our website (www.peakaviation.eu), our mobile application ("the App"), and any communications between you and us, including email and social media.

 

2.  What Personal Data We Collect

We collect only what we genuinely need. The table below shows the categories of personal data we collect, grouped by how they arise.

 

2.1  Data you give us directly

• Identity data: your name, date of birth, nationality.
• Contact data: email address, phone number.
• Account credentials: username and password (stored in hashed form).
• Payment data: billing name and address. We do not store card numbers or bank details — these are processed directly by our payment providers (Stripe and Wise).
• Pilot licence data: pilot licence or student licence number, if you submit it for ELP or ATPL enrolment.
• Course submissions: quiz answers, module progress, and any written content you submit through our LMS.
• Communications: messages you send us by email or through our website contact form.

 

2.2  Data we collect automatically

• Technical data: IP address, browser type, operating system, referring URL, pages visited, and session duration. Collected via server logs and cookies.
• Usage data: which course modules you have opened, progress milestones, time spent on content.
• Transaction records: purchase amount, currency, payment method type (card/crypto/bank), and invoice data.

 

2.3  Data from third parties

• Payment confirmation: Stripe and Coinbase Commerce confirm successful transactions to us.
• ELP examination data: Lenguax s.r.o. (our ELP test partner in Slovakia) shares your examination result and, for online sittings, a recording of your session.

 

2.4  Special categories of data

We do not intentionally collect special categories of personal data (health, biometric, racial or ethnic origin, etc.). If you have an accessibility requirement for an in-person ELP exam, you may share relevant information voluntarily — we will use it only to accommodate your needs and will not retain it longer than necessary.

 

2.5  Community and Blog data

Our website includes a community area ("My Community") and a blog. If you post, comment, or interact in those areas, we collect:

• Community content: your display name, profile information, and any posts, comments, or messages you submit to the community area.
• Blog interaction: if you submit a comment on our blog, we collect your name, email address, and the content of your comment.

Community posts and blog comments are visible to other users unless you choose a private setting. Please do not post personal data about yourself or others in public community areas.

 

2.6  Mobile app data

Our mobile application collects some data in addition to the above:

• Device identifiers: device type, operating system version, unique device identifier, and mobile network information.
• Push notification token: if you enable push notifications, we store the token needed to send them to your device.
• App usage data: screens visited, features used, session duration, and crash reports.
• Camera / microphone (optional): only if you consent and only during online ELP examination sessions for identity verification and recording purposes. You will be asked for permission explicitly before use.

You can manage app permissions at any time through your device settings. Revoking camera or microphone permission will prevent you from sitting online ELP examinations through the app.

 

2.7  Minimum age and young learners

Aviation training may begin before the age at which a pilot licence can be issued. We accept students from the age of 15. Students aged 15 to 17 are minors under EU law, and we apply the following protections:

• Parental or guardian consent required: before creating an account for a student aged 15 or 16, we require verifiable consent from a parent or legal guardian. Under GDPR Article 8 and the Bulgarian Personal Data Protection Act (Art. 25a), the national age of digital consent in Bulgaria is 14. For students aged 14 and under, parental consent is also required. We collect the consenting parent or guardian's name and email address for this purpose.
• No marketing to minors: we will not send marketing communications to students who are under 16, and we will not use their data for advertising purposes, including in analytics or ad targeting.
• Parental access rights: a parent or legal guardian may exercise any GDPR right (access, erasure, rectification, etc.) on behalf of a minor student. Please contact us at [email protected] with proof of your relationship to the student.
• Age verification: we verify date of birth at registration. If we discover that a student has misrepresented their age, we will contact the student and their guardian and may suspend the account until consent is confirmed.

If you believe a student under 15 has created an account without parental consent, please contact [email protected] immediately and we will investigate and delete the data if appropriate.

 

3.  How and Why We Use Your Data

We process your personal data only where we have a valid lawful basis under the GDPR. The table below sets out each processing activity, its lawful basis, the data involved, and how long we keep it.

 

Purpose	Lawful Basis	Data Involved	Retention
Providing and managing your course access	Contract performance	Identity, contact, account credentials, course progress	Duration of subscription + 2 years
Processing payments and issuing VAT invoices	Contract performance + Legal obligation (Bulgarian Accountancy Act, VAT law)	Identity, contact, billing address, transaction records	10 years from invoice date
Delivering online ELP examinations	Contract performance	Identity, licence data, examination recordings	Recordings: 12 months. Results: 5 years (EASA regulatory requirement)
Delivering in-person ELP examinations (Sofia)	Contract performance	Identity, photo ID verification, result data	5 years (EASA regulatory requirement)
Customer support and complaints handling	Contract performance + Legitimate interests	Identity, contact, communications	3 years from last contact
Fraud prevention and security	Legitimate interests (protecting our business and customers)	Technical data, transaction records	12 months for logs; fraud flags reviewed annually
Website analytics and improvement	Legitimate interests (understanding how our site is used)	Technical data, usage data (aggregated)	26 months (Google Analytics default)
Operating the My Community area and blog comments	Legitimate interests (providing a community learning environment)	Display name, profile, posts, comments	Until account deletion or post removal; inactive accounts reviewed after 3 years
Sending push notifications via the mobile app	Consent	Push notification token, device identifier	Until you disable notifications or delete the app
Collecting parental/guardian consent for minor students (aged under 16)	Legal obligation (GDPR Art. 8; Bulgarian PDPA Art. 25a)	Guardian name, email address, relationship to student	Duration of the student's account + 2 years
Sending marketing emails (with your consent)	Consent (not available to students under 16)	Name, email address	Until you unsubscribe or withdraw consent
Complying with legal obligations	Legal obligation	As required by applicable law	As required by applicable law

 

You can withdraw consent for marketing emails at any time using the unsubscribe link in any email we send, or by emailing [email protected]. Withdrawal does not affect the lawfulness of processing before withdrawal.

 

4.  Who We Share Your Data With

We do not sell your personal data. We share it only with the processors listed below, each of whom acts under our instruction and under a data processing agreement, and with authorities where required by law.

 

Processor	Country	Purpose	Transfer Safeguard
Kajabi Inc.	USA	Learning management system (LMS): hosts course content, manages student accounts and progress, sends transactional emails	EU Standard Contractual Clauses (SCCs)
Stripe, Inc.	USA	Card payment processing, invoice generation	EU SCCs + EU–US Data Privacy Framework (DPF)
Coinbase Commerce	USA	Cryptocurrency payment processing	EU Standard Contractual Clauses (SCCs)
Google LLC	USA	Google Analytics (website analytics); Google Ads (advertising and conversion tracking)	EU SCCs + EU–US Data Privacy Framework (DPF)
Cloudflare, Inc.	USA	Content delivery network (CDN), DDoS protection, web security	EU SCCs + EU–US Data Privacy Framework (DPF)
Wise Payments Ltd	Belgium (EU)	Banking and international payments for invoices and refunds	Within the EU/EEA — no transfer safeguard required
Lenguax s.r.o.	Slovakia (EU)	ELP examination delivery partner: conducts exams, shares results and recordings	Within the EU/EEA — governed by Data Processing Agreement

 

We may also disclose personal data to: (a) competent courts, regulators, or law enforcement agencies when required by law; (b) professional advisors (lawyers, accountants, auditors) under duties of confidentiality; and (c) any acquirer of our business, in which case we will notify you in advance.

 

5.  International Transfers

Some of our processors are based outside the European Economic Area (EEA), primarily in the United States. Where personal data is transferred outside the EEA, we ensure it is protected by one or more of the following safeguards:

• Standard Contractual Clauses (SCCs): European Commission-approved contract terms that bind the recipient to GDPR-equivalent protections.
• EU–US Data Privacy Framework (DPF): A US Department of Commerce adequacy framework. We use this only with processors that are certified under the DPF. You can verify certification at www.dataprivacyframework.gov.

 

You can request a copy of the specific safeguards applicable to your data by emailing [email protected].

 

6.  Cookies, Tracking Technologies, and Mobile App Permissions

Our website uses cookies and similar tracking technologies. Cookies are small text files placed on your device when you visit our site. Our mobile app uses equivalent SDK-level tracking, as well as device permissions you grant explicitly.

 

Cookie Type	Example	Purpose	Lawful Basis
Strictly necessary	Session, CSRF token	Log you in, keep your cart, protect against fraud. Cannot be turned off.	Necessary for contract performance — no consent required
Functional	Language preference	Remember your settings between visits.	Legitimate interests (improving your experience)
Analytics	Google Analytics (_ga)	Count visits and measure how pages are used, in anonymised and aggregated form.	Consent (you can opt out via our cookie banner)
Marketing	Google Ads (_gcl), Meta Pixel	Show you relevant ads on other platforms. Track conversions.	Consent (you can opt out via our cookie banner)

 

You can manage your cookie preferences at any time via our cookie banner or your browser settings. Note that blocking strictly necessary cookies will affect your ability to use the website. For full details, see our Cookie Policy at www.peakaviation.eu/cookie-policy.

 

Mobile app permissions

The app requests the following permissions, each of which is optional unless stated:

• Camera and microphone (optional): requested only when you start an online ELP exam. Used for identity verification and session recording. You can decline and use the website instead.
• Push notifications (optional): used to send you course reminders, exam confirmations, and important account updates. You can turn these off at any time in your device settings.
• Internet access (required): needed to load course content, stream video, and sync progress.

We do not access your contacts, location, photos, or any other device data beyond the above.

 

7.  Your Rights Under the GDPR

If you are based in the EU, EEA, or UK, you have the following rights in relation to your personal data. We will respond to all requests within 30 days (extendable to 3 months for complex requests, with notice to you).

 

Your Right	What It Means
Access	Request a copy of the personal data we hold about you and information about how we use it.
Rectification	Ask us to correct any inaccurate or incomplete data we hold about you.
Erasure ("right to be forgotten")	Ask us to delete your data where it is no longer necessary for the purpose it was collected, or where you withdraw consent and there is no other lawful basis.
Restriction	Ask us to pause processing of your data in certain circumstances, for example while we verify a rectification request.
Data portability	Receive your data in a structured, machine-readable format (applies to data processed by consent or contract performance).
Object	Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
Withdraw consent	Where processing is based on consent (e.g. marketing emails), withdraw it at any time without affecting past processing.
Automated decisions	We do not make any solely automated decisions that produce legal or similarly significant effects about you.

 

Exercising your rights is always free. We may ask you to verify your identity before processing a request, to protect your data from unauthorised access.

 

8.  How to Exercise Your Rights

To exercise any of the rights above, or to ask a question about your data, please contact us:

 

Peak Aviation — Data Privacy Requests Email: [email protected]  (subject line: "Privacy Request") Post: Puzl CoWorking, Cherni Vrah 47A Blvd., Sofia, 1407, Bulgaria Response time: within 30 days of receiving your request

 

9.  Data Security

We take the security of your personal data seriously. Our measures include:

• All data transmitted between your browser and our website is encrypted using TLS (HTTPS).
• Passwords are stored in hashed form — we never store plain-text passwords.
• Payment card data is never stored by us; it is processed directly by Stripe, which is PCI DSS Level 1 certified.
• Access to personal data within our systems is restricted to authorised personnel only.
• Our website is protected by Cloudflare, which provides DDoS mitigation and web application firewall services.
• Our mobile app communicates with our servers over encrypted connections only. The app does not store sensitive personal data locally on your device beyond session tokens, which are invalidated on sign-out.

 

No method of transmission over the internet or electronic storage is 100% secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at [email protected].

 

10.  Data Retention

We keep personal data only for as long as it is needed for the purpose for which it was collected, or as required by law. The key retention periods are set out in Article 3 above. Once the retention period expires, we securely delete or anonymise your data.

You may request earlier deletion of your data at any time (see Article 7 — Right to Erasure), subject to our legal obligations (for example, we are required to retain VAT invoices for 10 years under Bulgarian law).

 

11.  Links to Other Websites and Social Media

Our website contains links to third-party websites and social media platforms (including Facebook, Instagram, LinkedIn, YouTube, and TikTok). This Privacy Notice does not apply to those sites. We encourage you to read their privacy policies before sharing any personal data with them.

When you interact with our social media pages, the relevant platform will process your data in accordance with its own privacy policy. Any personal data you send us via direct messages on social media will be handled in accordance with this Privacy Notice.

 

12.  Complaints

We hope to resolve any privacy concern you raise with us directly. However, if you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:

 

Bulgarian supervisory authority (primary)	Commission for Personal Data Protection (CPDP / КЗЛД) www.cpdp.bg  |  [email protected]  |  +359 (02) 91-53-518 2 Prof. Tsvetan Lazarov Blvd., Sofia, 1592, Bulgaria
UK residents	Information Commissioner's Office (ICO) — www.ico.org.uk
Other EU/EEA residents	The supervisory authority in the EU/EEA country where you live or work, or where the alleged infringement occurred.

 

13.  Changes to This Privacy Notice

We review this Privacy Notice periodically and update it when our practices change or when required by law. The current version is always available at www.peakaviation.eu/privacy-policy.

For material changes — those that meaningfully affect how we use your data or your rights — we will give you at least 30 days' notice by email before the changes take effect. For minor or clarificatory changes, we will update the version date at the top of this document.

 

End of Privacy Notice — Peak Aviation | Version 1.1 | Effective 22 April 2026