Privacy Policy

1. Information we collect

When you create an account, we collect your name, email address, and any profile information you choose to provide. When you use the app, we collect location data (with your permission) to show you nearby CFIs and aircraft. We may also collect usage data to improve the service.

2. How we use your information

We use your information to operate and improve Floks, to connect you with relevant CFIs and aircraft listings, and to communicate with you about your account and bookings. We do not sell your personal information to third parties.

3. Location data

Location access is used only to show you nearby listings. You can deny location permission at any time and still use the app by searching manually.

4. Google user data

When an instructor, aircraft owner, or flight operator connects their Google Calendar to a Floks listing, we request the following OAuth scopes:

• calendar.readonly — to read the owner's calendar busy windows so the listing's availability can automatically reflect existing commitments.
• calendar.events — to create a calendar event on the owner's connected calendar when a guest's booking is confirmed, so the booking appears alongside their other commitments.

We only read busy windows and event metadata necessary to operate these two features. We do not read event titles, descriptions, attendees, or attachments from calendars other than the listing owner's own connected calendars. We never read calendars belonging to guests, students, or anyone other than the connected listing owner.

Limited Use disclosure: Floks' use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we do not:

• use Google user data for serving advertising, including retargeted or personalized advertising;
• transfer Google user data to third parties except as necessary to provide or improve the calendar-sync feature, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users;
• allow humans to read Google user data, except (i) with the affirmative agreement of the connected user for specific messages, (ii) for security purposes (e.g., investigating abuse), (iii) to comply with applicable law, or (iv) where the data has been aggregated and anonymized for internal operations.

You can revoke Floks' access to your Google Calendar at any time from myaccount.google.com/permissions or from the Calendar settings on the listing inside the Floks app. Revoking access stops any further reads and stops auto-event creation; previously-created events remain on your calendar unless you delete them.

5. Service providers we use

Floks relies on the following sub-processors. Each handles a specific part of the service and is bound by their own privacy and security commitments:

• Firebase Authentication (Google): account sign-up and sign-in.
• Railway: application hosting and PostgreSQL database (United States).
• Google Calendar API: read busy windows and create events for connected listings (scope-gated, opt-in per-listing).
• Brevo (SMTP): transactional email delivery (booking confirmations, verification codes).

We do not share your personal information with these providers beyond what each one strictly needs to perform its function.

6. Your rights

You have the right to:

• access the personal information we hold about you;
• correct inaccurate information;
• delete your account and associated data (we will erase your data within 30 days of a deletion request, except where retention is required by law);
• export your data in a portable format on request;
• withdraw consent for any optional processing, including disconnecting Google Calendar at any time.

Send any of these requests to hello@flyfloks.com. We respond within 30 days.

7. Data retention

We retain your account data for as long as your account is active. Upon account deletion, personal data is removed within 30 days, except where applicable law requires longer retention (for example, payment or tax records, where applicable). Booking history visible to your past instructors or operators remains in their own records.

Google user data (calendar busy windows and event IDs) is read on-demand and not cached server-side. The Google refresh token granted by you is stored encrypted at rest until you disconnect the calendar or delete your account, at which point it is purged immediately.

8. Data security and protection

We take the security of your information seriously, with particular care for the sensitive Google user data we receive through the Google Calendar OAuth scopes. Specifically:

• Encryption in transit. All traffic between the Floks app, our API, and third-party services (including Google APIs) uses TLS 1.2 or higher. We do not accept plaintext HTTP for any authenticated request.
• Encryption at rest. The application database (PostgreSQL on Railway) is stored on provider-managed encrypted volumes. Google OAuth refresh tokens are encrypted at rest using authenticated symmetric encryption before being written to the database; the encryption key is held in a separate secret store and rotated on credential compromise.
• Minimised retention of Google data. Calendar busy windows and event metadata are fetched on-demand at booking time and are not cached server-side beyond the request that uses them. We persist only the data strictly required to operate the listing — namely the connected calendar IDs you select and the refresh token used to issue subsequent reads.
• Access controls. Production database and secret-store access is limited to a small number of named engineers via individual credentials with two-factor authentication required. No shared accounts; no plaintext password storage anywhere in the stack (Firebase Authentication handles user credentials).
• Scope-of-use enforcement. Our backend requests only the fields needed for the calendar-sync feature (event start/end times, status, and transparency) via Google's API fields parameter — event titles, descriptions, attendees, and attachments are never transmitted to Floks.
• Logging hygiene. Structured application logs exclude calendar event content, refresh tokens, and other sensitive payloads. Logs are retained for 30 days and access is restricted to the same operational engineers.
• Vulnerability response. We monitor dependency advisories and apply security patches on a risk-prioritised basis. Reports of security issues can be sent to hello@flyfloks.com and will be acknowledged within 72 hours.
• Incident notification. In the event of a material security incident affecting your personal information or your Google user data, we will notify affected users without undue delay and in compliance with applicable law.
• Sub-processor diligence. Each of the sub-processors listed in section 5 maintains industry-standard security commitments published in their respective trust documentation, including encryption, access controls, and breach notification.

Despite these measures, no method of electronic transmission or storage is 100% secure. We continue to refine our controls as our service evolves and welcome reports of any concerns.

9. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced in-app or by email. Continued use of Floks after the effective date of a change constitutes acceptance of the updated policy.

10. Contact

Questions about this policy or to exercise any of the rights above? Email us at hello@flyfloks.com.