Privacy Policy
GDPR and Swiss FADP privacy notice for business users, company representatives and platform contacts.
Effective date: 2026-05-12
This document is a professional platform template and operational policy draft. It must be reviewed and adapted by qualified EU/Swiss legal counsel and aviation/export compliance counsel before production use.
Controller identity and scope
This Privacy Policy describes how Gallantis AG, Lettenstrasse 7, 6343 Rotkreuz, Switzerland, processes personal data in connection with Aeroclaim as the legal entity operating and developing the platform. Privacy inquiries may be sent to info@aeroclaim.com unless another contact is published by the Operator.
This Policy applies to business contact persons, account holders, admin users, insurance representatives, buyer/MRO representatives, support contacts and other individuals whose personal data is processed through the Platform. It does not apply to purely non-personal company data except where such data identifies an individual.
Controller, processor and joint controller roles
For account administration, user verification, security, audit logs, legal compliance, platform operation and marketplace administration, the Operator generally acts as an independent controller because it determines the purposes and means of processing.
Where the Operator processes personal data solely on documented instructions of an Insurance User or other business customer, the Operator may act as processor under a Data Processing Addendum. Where parties jointly determine purposes and means, a joint controller arrangement may be required under GDPR Article 26.
Personal data processed
The Platform may process full name, business email, phone number, company name, position, company country, VAT/tax identifiers, certification details, uploaded certificates, login metadata, IP address, user agent, roles, verification status, audit logs, document access logs, offer messages, notification events and support communications.
Users must not upload unnecessary personal data in claim, maintenance, damage, aircraft or transaction documents. Insurance Users are responsible for redacting unrelated personal data, passenger data, crew data, insured-party private information and special-category data unless strictly necessary and lawful.
Purposes and legal bases
Personal data may be processed to create and administer accounts, verify companies, provide access controls, host Listings and Documents, manage offers, operate the deal desk, send notifications, maintain security, enforce terms, comply with legal obligations, support export/sanctions checks and establish, exercise or defend legal claims.
Legal bases may include contract performance, legitimate interests in operating a secure B2B platform, compliance with legal obligations, consent where required and legal claims. Legitimate interests include fraud prevention, document access control, auditability, cybersecurity, business continuity, aviation documentation integrity and compliance recordkeeping.
Recipients and disclosures
Personal data may be disclosed to authorised Platform admins, relevant business counterparties, service providers, hosting providers, storage providers, email providers, professional advisers, insurers, buyers, repair organisations, logistics providers, authorities or courts where necessary and lawful.
Private Documents are not intended for public disclosure. Approved buyers and authorised admins may access them subject to Platform controls, confidentiality restrictions and document access logging.
International transfers
The Platform is intended for EU/EEA and Swiss B2B use and may involve cross-border access. Transfers between the EU/EEA and Switzerland may rely on the European Commission adequacy decision for Switzerland where applicable.
Where data is transferred to jurisdictions without an adequacy decision, appropriate safeguards such as Standard Contractual Clauses, transfer impact assessments, contractual commitments and technical measures should be implemented before production use.
Retention
Personal data is retained for as long as necessary for Platform operation, account administration, verification, legal compliance, transaction evidence, auditability, dispute resolution, aviation traceability, security and legitimate business purposes.
Document access logs, transaction logs, audit logs, offer records and compliance records may be retained for extended periods because they evidence confidentiality, access, chain of custody, export-control review, deal history and legal responsibility. Final retention periods should be approved in the production retention schedule.
Security and breach response
The Operator should maintain technical and organisational measures including authentication, role-based access, private document controls, audit logging, document access logs, secure transport, backups, least-privilege administration and incident response procedures.
Where a personal data breach occurs, the Operator will assess notification obligations. GDPR may require supervisory authority notification within 72 hours where legally required. Swiss FADP may require notification to the FDPIC where a breach is likely to result in high risk to affected individuals.
Individual rights
Individuals may have rights of access, rectification, erasure, restriction, portability, objection and complaint under GDPR or Swiss FADP, subject to applicable exceptions and competing legal obligations.
Requests may be limited or refused where retention is necessary for legal claims, security, aviation documentation, transaction evidence, regulatory compliance, export-control records or protection of rights of other parties.
