Privacy Policy

Effective Date: May 29, 2026

DroneOps Platform is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, and protect your personal data when you use the DroneOps Platform ("App").
Strictly necessary processing happens automatically; any additional storage or third-party service is used only with your explicit, opt-in consent collected through our cookie preferences banner.

In addition to this Privacy Policy, we provide information embedded in our application for features that require or utilize your personal data. This information is displayed when you interact with such features or is available through your account settings.

You can review this Privacy Policy and understand how DroneOps Platform handles your personal data. Contact us if you have any questions.

The controller responsible for processing your personal data under the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and Romanian Law 190/2018 is:

Alin Fusaru, a natural person operating droneops.ro as a personal, non-commercial project.
Romania
Privacy contact: contact@droneops.ro

DroneOps is operated by an individual on a hobby / non-commercial basis. There is no legal entity behind the service. Despite this, the same GDPR rights and obligations apply, and "we" / "DroneOps" throughout this policy refers to the natural-person controller named above.

For any question about this Privacy Policy, the processing of your personal data, or to exercise your rights under the GDPR, please use the privacy contact address above or our contact form.

A Data Protection Officer (DPO) has not been appointed because the conditions in Art. 37 GDPR (public-authority processing, large-scale systematic monitoring, large-scale special-category processing) are not met for the current scope of processing.

At DroneOps, we strongly believe in fundamental privacy rights, and that these rights should be consistent no matter where you live. That is why we treat any information that relates to an identified or identifiable individual, or that is linked or linkable to them, as “personal data,” regardless of location.

This includes data that directly identifies you, such as your name, email, or phone number. It also includes data that does not directly identify you but can reasonably be used to identify you, such as your country or flight plan details.

Aggregated data, which cannot be linked back to an individual, is considered non-personal data for the purposes of this Privacy Policy.

This Privacy Policy covers how DroneOps Platform collects, uses, and protects personal data when you interact with us through our web and mobile app. It does not apply to how third-party services, websites, or apps define or handle personal data. We encourage you to review their privacy policies and understand your rights before interacting with such services.

  • Email Address: Used to contact users regarding flight plan submissions, updates, and account-related information.
  • First Name and Last Name: Collected for identification purposes.
  • Phone Number: Required so that you can be contacted during active flights or emergencies, typically via the contact details you include in documentation sent to authorities.
  • Electronic Signature: Used for signing official flight-related documents (e.g., Annex forms); securely stored and linked to your account.
  • Flight Data: Records of submitted flight plans for regulatory compliance, investigations, and historical reference.
All collected data is used solely for the purposes outlined in this Privacy Policy and is stored securely.

We collect your phone number to enable urgent voice communication between you and relevant authorities (for example air traffic control units) during active drone flights, in the event of an emergency or for separation purposes. This information is typically included in the documentation (such as Annex forms) that you generate and send to authorities using their official channels.

In our systems, your phone number is encrypted in transit and at rest, and access is strictly limited to authorized system administrators. We do not use your phone number for marketing or any non-safety related purposes.

The DroneOps Platform allows registered users to provide an electronic signature, which may be used to digitally sign flight-related documents (such as Annex 1 and Annex 2 forms) that you then send to the Air Traffic Control (ATC) or other competent authorities using their official communication channels (e.g. email).

Data Collected: Your electronic signature, in the form of a graphical image or digital representation provided by you, is stored securely and associated with your user account.

Purpose of Use: Your signature is used exclusively for the purpose of authenticating your identity on official documents generated by DroneOps. These documents are intended to be transmitted to aviation authorities by you. We may also be required to provide copies to competent authorities when this is mandated by law.

Storage and Security: Signature files are encrypted in transit and at rest. Access is restricted to authorized system processes involved in document generation. The signature cannot be viewed or altered by other users.

Retention: Your signature is retained for as long as your account remains active. If you delete your account or request erasure, your stored signature will be permanently deleted along with your other personal data, unless retention is required by law for compliance purposes.

User Control: You may update or remove your saved signature at any time through your account settings or by contacting our support team.

What Are Cookies and Browser Storage?

Cookies are small files stored on your device by websites you visit. Browsers also expose additional client-side storage (sessionStorage and localStorage) that, under EU ePrivacy rules, is treated the same way as cookies. Both are covered by this section.

Strictly Necessary (always active)

These items are required for the App to function. They are set without prior consent under the ePrivacy "strictly necessary" exception and the GDPR Article 6(1)(f) legitimate-interest basis (security and continuity of the service you requested).

Name Type Purpose Duration
sessionid HTTP Cookie (HttpOnly, Secure) Keeps you signed in to your account. 2 weeks (or until sign-out)
__Host-csrftoken HTTP Cookie (HttpOnly, Secure) CSRF protection for form and API requests. 1 year
droneops_consent HTTP Cookie (Secure) Stores your cookie-preferences choice. 12 months
authToken sessionStorage Short-lived token used by the page to call the DroneOps API. Browser session
cf_chl_*, cf_clearance Third-party cookies set by challenges.cloudflare.com Cloudflare Turnstile bot-protection challenge used only on the Contact form. Loaded when the form is rendered and required to submit it. Does not track you across other sites and does not contain advertising identifiers. 30 minutes (challenge state); session for the rest
Functional (opt-in)

Active only after you select "Accept all" or enable the "Functional" category in the cookie preferences modal.

Item Purpose Recipient
IP-based country lookup Pre-selects the right dial code in the phone-number widget on the sign-up and profile pages. If declined, the widget defaults to Romania (RO). ipapi.co
Third-Party Services (opt-in)

Active only after you opt in via the cookie preferences modal. These services are described in detail in the "Third-Party Services" section below.

  • Google Sign-In (accounts.google.com, apis.google.com)
  • Apple Sign-In (appleid.apple.com)
  • Esri Satellite imagery tiles (server.arcgisonline.com, services.arcgisonline.com)

You can change or withdraw your consent at any time using the "Cookie Preferences" link in the footer.

The data collected is used for the following purposes:
  • To facilitate the submission, planning and management of flight plans.
  • To generate and sign official documents that you may send to ATC and other aviation authorities.
  • To enable direct communication with users during active flights, including by authorities using the contact details you have provided.
  • To comply with applicable aviation regulations and provide data to national authorities when required.
  • To support investigations related to drone operations or incidents.

DroneOps does not sell your personal data to third parties. Disclosures are limited to:

  • Processors who handle data on our behalf. For the full list of recipients, see the "Third-Party Services" section below.
  • Authorities, when required to comply with legal obligations or regulatory requirements (in particular Romanian aviation law).
  • Investigators in relation to drone-operation incidents.
  • Signed flight-related documents (Annex forms) that you submit to aviation authorities — either generated and forwarded by us at your request, or sent by you using your own e-mail client.

Any such disclosure complies with the applicable EU and Romanian data-protection rules.

As a user, you have the following rights under the GDPR and Romanian Law 190/2018:
  • Access (Art. 15): The right to obtain confirmation that we process your personal data and a copy of that data.
  • Rectification (Art. 16): The right to have inaccurate or incomplete data corrected.
  • Erasure / "Right to be Forgotten" (Art. 17): The right to have your personal data deleted, subject to retention obligations imposed by aviation or other applicable law.
  • Restriction of processing (Art. 18) and Objection (Art. 21).
  • Data portability (Art. 20): The right to receive your data in a structured, commonly used, machine-readable format.
  • Withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time via the "Cookie Preferences" link in the footer or by contacting us. Withdrawal does not affect lawfulness of processing before withdrawal.
  • Lodge a complaint with the supervisory authority (Art. 77): The Romanian Data Protection Authority is Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), B-dul. G-ral. Gheorghe Magheru 28–30, Sector 1, Bucureşti, Romania — www.dataprotection.ro. You may also lodge a complaint with the supervisory authority in the EU/EEA member state where you reside or where the alleged infringement occurred.

To exercise any of these rights, contact us at contact@droneops.ro or via the contact form. We will respond within one month of receiving your request, as required by Art. 12(3) GDPR.

We retain personal data only for as long as necessary for the purpose for which it was collected, plus any additional period required by law or by overriding legitimate interest. Concrete retention periods:

Category Retention period Reason
Account profile (name, e-mail, phone, country) Lifetime of the account; deleted within 30 days of an account deletion request. Contractual basis (Art. 6(1)(b) GDPR).
Flight plans and Annex documents 5 years from the date of the flight. Aviation regulatory record-keeping; legal obligation (Art. 6(1)(c) GDPR).
Electronic signature Lifetime of the account; deleted on erasure request unless a longer retention is mandated by law for documents already filed. Contractual basis.
Authentication / security logs 12 months from event date. Legitimate interest in detecting and investigating abuse (Art. 6(1)(f) GDPR).
Cookie consent record (droneops_consent) 12 months from the date of choice (cookie expiry). Demonstrating consent under Art. 7(1) GDPR.
Inactive accounts (no sign-in for 24 months) Notified by e-mail; deleted 30 days after the notice if no sign-in occurs. Data minimisation principle (Art. 5(1)(c), (e) GDPR).

When the period above ends, data is either deleted or anonymised so that it can no longer be linked back to you.

We implement technical and organizational measures to protect your data from unauthorized access, loss, or misuse. These measures include:

  • Secure storage of data using encryption and access controls.
  • Regular checks to ensure data protection measures remain effective.
  • Electronic signatures are stored in encrypted form and accessible only to secure automated processes.

Despite these measures, no system is entirely secure. Users are encouraged to take their own precautions to protect their accounts (for example by using strong passwords and enabling any available security features).

We process your personal data based on the following legal grounds:

  • Consent: When you have given your explicit consent for us to process your personal data for specific purposes.
  • Contractual Necessity: When processing is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into a contract.
  • Legal Obligation: When processing is necessary for compliance with a legal obligation to which we are subject.
  • Legitimate Interests: When processing is necessary for the purposes of our legitimate interests, provided that such interests are not overridden by your rights and interests.

The recipients below process personal data on our behalf or receive personal data from your browser. Where a service is marked "opt-in", it is contacted by your browser only after you have enabled the corresponding category in the cookie preferences modal.

Recipient Purpose Data flow Location Safeguard
Google LLC (Sign-In) "Sign in with Google" authentication. Browser → Google (opt-in, Third-party category). United States EU–US Data Privacy Framework
Google LLC (Maps APIs) Address autocomplete (Places), reverse geocoding, static maps for Annex documents. Server-to-server; your IP is not sent directly to Google. United States EU–US Data Privacy Framework; processor under Art. 28 GDPR
Apple Inc. "Sign in with Apple" authentication (web and mobile). Browser/app → Apple (opt-in for web, Third-party category). United States EU–US Data Privacy Framework
OpenStreetMap Foundation Base map tiles (default) and Nominatim place search. Browser → OSMF (strictly necessary for the requested map and search service). United Kingdom UK adequacy decision
Esri Inc. Optional satellite imagery base layer and reference labels overlay. Browser → Esri (opt-in, Third-party category). United States Standard Contractual Clauses (SCCs)
Open-Meteo Weather forecasts used by flight-planning features. Server-to-server; your IP is not sent directly. Germany (EU) Processing within the EU
ipapi.co IP-to-country lookup for phone-widget country default. Browser → ipapi.co (opt-in, Functional category). United States / Cloudflare edge Standard Contractual Clauses (SCCs)
Oracle Cloud Infrastructure (Oracle Corporation) Application server hosting, database storage, file storage. Server-side processing; Oracle's Data Processing Agreement applies. European Union — eu-frankfurt-1 (Germany). The tenancy is subscribed to no other region, so personal data cannot be provisioned outside the European Union. Processing within the EU; Art. 28 GDPR processor agreement
Oracle Cloud Infrastructure — Email Delivery Outbound transactional e-mail (account confirmation, password reset, mission notifications). Server-to-server from the DroneOps backend. European Union (eu-frankfurt-1) Processing within the EU; Art. 28 GDPR processor agreement
Cloudflare, Inc. (Turnstile) Bot and spam protection on the Contact form. Verifies that the submission comes from a human browser without using tracking cookies or behavioural profiling for advertising. No personal data from the form fields (name, e-mail, message) is sent to Cloudflare — only the technical challenge token and your IP address. Browser → Cloudflare (strictly necessary; loaded only on the Contact page). United States; processing also occurs at Cloudflare's global edge network including the EU. EU–US Data Privacy Framework; Standard Contractual Clauses; Art. 28 GDPR processor agreement (Cloudflare DPA).
Zoho Corporation (Zoho Mail) Inbound e-mail hosting for contact@droneops.ro and other DroneOps mailboxes. Server-side processing; Zoho's Data Processing Addendum applies. European Union (Zoho EU data centre) Processing within the EU; Art. 28 GDPR processor agreement

Server-to-server calls happen between our backend and the recipient; they do not expose your browser's IP address to the recipient directly. Browser calls only happen when the corresponding feature is loaded after you opt in.

Some recipients listed in the "Third-Party Services" section are established outside the European Economic Area (EEA). Where this is the case, we rely on the following Chapter V GDPR safeguards:

  • EU–US Data Privacy Framework (Adequacy Decision 2023/1795): Google LLC and Apple Inc. are certified under the EU–US Data Privacy Framework, providing an adequate level of protection for transfers to the United States for the relevant categories of data.
  • Standard Contractual Clauses (SCCs): Where a recipient is not covered by an adequacy decision (e.g., Esri Inc., ipapi.co), transfers are governed by the European Commission's 2021 Standard Contractual Clauses, supplemented where appropriate by additional technical and organisational measures.
  • UK adequacy: Transfers to the OpenStreetMap Foundation (United Kingdom) rely on the European Commission's adequacy decision for the UK (Decision 2021/1772).

You may obtain a copy of the relevant transfer mechanism by contacting us at contact@droneops.ro.

Our App is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such data without undue delay.

We may update this Privacy Policy periodically to reflect changes in our practices or applicable laws. Users will be notified of significant updates via email or in-app notifications.

For privacy-related inquiries or to exercise your rights, please contact us at:

Email: contact@droneops.ro

Alternatively, you may use the contact form available within the App.

Last Updated: May 28, 2026