Privacy Policy
Draft for legal review · not yet in force1. Who we are
FlightDocket is a product of Southwest UAS Platform (Pty) Ltd, a private company registered in South Africa under the Companies Act (CIPC registration 2025/546036/07).
In this policy, "FlightDocket", "we", "us", and "our" refer to Southwest UAS Platform (Pty) Ltd acting as the Responsible Party under the Protection of Personal Information Act 4 of 2013 (POPIA) with respect to personal information we collect and process through the FlightDocket platform.
2. Scope of this policy
This policy applies to personal information we process in connection with:
- The public FlightDocket website (flightdocket.com), including the onboarding flow.
- The FlightDocket subscription platform used by UASOC-holder tenants for mission governance, compliance administration, and operational record-keeping.
- Direct communications with us by email, telephone, or registered mail.
This policy does not cover third-party websites, regulator systems, or vendor platforms that FlightDocket links to or exchanges data with. Those parties act under their own privacy notices.
3. Information Officer
Information Officer
Southwest UAS Platform (Pty) Ltd
Email: privacy@flightdocket.com
Telephone: +27 83 258 6601
Postal address: to be published at general availability
The Information Officer is registered with the Information Regulator of South Africa. Any request to access, correct, or delete personal information — and any complaint about our handling of personal information — may be directed to the Information Officer at the contact details above.
4. Categories of personal information we process
| Category | Examples |
|---|---|
| Identity information | Name, surname, title, South African ID number or passport number where lawfully required for regulator-mandated record-keeping |
| Contact information | Email address, telephone number, postal address, physical address |
| Regulatory credentials | Remote Pilot Licence (RPL), Remote Pilot Certificate (RPC), medical certificate, English Language Proficiency (ELP) certificate, radio telephony certificate, operating mode endorsements, criminal record check attestations where required |
| Operator and company information | UASOC certificate number and details, CIPC registration number, VAT number, tenant-assigned role, appointed approver designations |
| Operational record information | Mission plans, flight logs, crew assignments, authorisations, operations records, hazard reports, occurrence reports, corrective actions — as generated or attached by the tenant during normal platform use |
| Technical and usage information | IP address, browser and device identifiers, session timestamps, event logs, authentication logs |
| Billing information | Subscription tier, mission credit consumption, invoice reference, payment status (never full card details; payments are processed by the external payment provider subject to PCI-DSS) |
| Client relationship information (Enterprise tier only) | Tenant-provided client legal-entity details, contract references, NDA and DPA references, client contact roles — where the tenant elects to use the Enterprise cost-recovery functionality |
5. Special personal information
We do not intentionally collect special personal information as defined in POPIA (religious beliefs, health information beyond the regulator-mandated medical certificate attestation, race, political affiliation, biometric information beyond secure-device-pairing fingerprints, criminal behaviour beyond the regulator-mandated criminal record check attestation).
Where a regulator-mandated record-keeping obligation requires one of these categories (for example, the fact that a crew member holds a current medical certificate, or the fact that a criminal record check has been completed), we record only the minimum attestation required by the regulation and do not retain underlying medical or criminal information on the platform.
6. Purposes of processing
We process personal information for the following purposes:
- Delivering the platform service — authenticating users, maintaining tenant records, processing missions, generating compliance documents, retaining the seven-year evidence archive, providing usage reporting.
- Regulatory compliance — satisfying SACAA Part 101 and (where applicable) Part 108 record-keeping obligations; producing audit-ready reports; enabling time-bound regulator access under a valid grant.
- Subscription administration — managing tenant subscriptions, billing, credit consumption reporting, and responding to support enquiries.
- Security and abuse prevention — monitoring authentication, detecting account compromise, enforcing the Acceptable Use policy, investigating reported abuse.
- Legal compliance — satisfying obligations under POPIA, PAIA, the Companies Act, SACAA regulations, and the Electronic Communications and Transactions Act.
- Communication with tenants — service notices, compliance alerts, credential-expiry warnings, invoicing, legal notices, and platform updates.
7. Lawful basis for processing (POPIA condition 1)
We rely on one or more of the following lawful grounds in section 11 of POPIA:
- Consent from the data subject, given voluntarily at account creation or when the data subject interacts with the website.
- Performance of a contract with the tenant, including pre-contractual steps during onboarding.
- Compliance with an obligation imposed by law on the responsible party or on the operator tenant, including SACAA Part 101 record-keeping and POPIA itself.
- Legitimate interests of the responsible party or the operator tenant, balanced against data subject rights — including fraud prevention, security monitoring, and integrity of regulatory records.
8. Data minimisation and purpose limitation
We collect only personal information that is adequate, relevant, and not excessive in relation to the purposes for which it is processed. We do not use personal information for purposes that are incompatible with the purpose for which it was originally collected, and we do not sell personal information to any third party under any circumstance.
9. Your rights as a data subject
Under POPIA, you have the right to:
- Be notified that we collect personal information about you (section 18).
- Request access to the personal information we hold about you (section 23, following the process in our PAIA Manual).
- Request correction or deletion of personal information that is inaccurate, misleading, or obtained unlawfully (section 24).
- Object to the processing of personal information on reasonable grounds (section 11(3)).
- Object to direct marketing by unsolicited electronic communications (section 69).
- Withdraw consent, where processing is based on consent.
- Lodge a complaint with the Information Regulator (section 74).
Requests should be directed to the Information Officer (see section 3). The standard response timeframe is thirty calendar days from receipt, extendable once by a further thirty days where the request is complex or involves a large volume of records.
10. Third parties with whom we share personal information
We share personal information only with:
- The South African Civil Aviation Authority (SACAA) or another relevant civil aviation authority, where a regulator holds a valid time-bound grant of access issued through the platform's regulator-access mechanism, or where we are legally compelled to disclose.
- Operator-appointed recipients where the operator tenant elects to share specific records (for example, insurers, auditors, or contracted compliance consultants). Such sharing occurs under the operator's control, not ours.
- Service providers that process personal information on our behalf strictly for the purposes set out in section 6. All such service providers are bound by a written operator-processor agreement that imposes POPIA-aligned obligations on them.
- Courts, regulators, and law enforcement where required by a valid court order, statutory obligation, or recognised regulatory investigation.
We do not sell personal information. We do not trade personal information. We do not use personal information for targeted advertising.
11. Cross-border transfer
Personal information we process is hosted within the Republic of South Africa or within jurisdictions that provide adequate protection for personal information in terms of POPIA section 72. Where cross-border transfer is necessary for service delivery (for example, redundancy, disaster recovery, or specific cloud-region workloads), we ensure one of the following applies:
- The recipient jurisdiction is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection equivalent to POPIA.
- The data subject has given explicit consent to the transfer.
- The transfer is necessary for the performance of a contract between the data subject and the responsible party.
12. Retention periods
| Data category | Retention |
|---|---|
| Mission records and evidence artefacts | Seven (7) years from mission closure, per SACAA Part 101 record-keeping requirements |
| Personal credentials and regulatory attestations | Retained while the data subject is an active user, plus three (3) years for audit continuity, thereafter archived in the read-only evidence archive for the 7-year Part 101 window |
| Billing and financial records | Five (5) years per Tax Administration Act and Companies Act obligations |
| Authentication and session logs | Twelve (12) months rolling, then deleted from primary storage; aggregated security-event summaries retained in the audit archive |
| Marketing and enquiry correspondence (pre-onboarding) | Two (2) years from last contact, then deleted unless the data subject opts in for continued contact |
| POPIA request records (access, correction, deletion, complaint) | Five (5) years from closure of the request |
Upon tenant offboarding, tenant-facing platform access is terminated while the read-only seven-year archive remains in place for the regulator record-keeping window. After seven years, evidence artefacts are securely deleted or irreversibly anonymised.
13. Security of personal information
We maintain reasonable technical and organisational safeguards appropriate to the nature of the personal information processed and the identifiable risks, including:
- Encryption of personal information in transit (TLS 1.2 or higher) and at rest (industry-standard symmetric encryption).
- Role-based access control with least-privilege defaults.
- Mandatory multi-factor authentication for platform access.
- Tenant isolation enforced at the database and application layer.
- Cryptographic integrity (SHA-256) applied to evidence artefacts at point of capture.
- Append-only evidence storage with immutability guarantees for the seven-year retention window.
- Independent operator-processor agreements with all service providers.
- Incident response plan with notification to the Information Regulator and affected data subjects where a compromise of personal information occurs, per POPIA section 22.
14. Cookies and similar technologies
The FlightDocket public website uses only strictly-necessary cookies for session management, security tokens, and accessibility preferences. We do not use third-party analytics cookies, third-party advertising cookies, or cross-site tracking. Preference detail is published in a separate cookie notice at general availability.
15. Children
FlightDocket is a professional-grade compliance platform intended for use by adult holders of SACAA UASOC certificates. We do not knowingly collect personal information from individuals under the age of 18. Any such collection, if it comes to our attention, will be deleted without undue delay.
16. Complaints
If you are not satisfied with our handling of your personal information, you may lodge a complaint with:
Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg 2001
PO Box 31533, Braamfontein, Johannesburg 2017
Complaints: complaints.IR@justice.gov.za
Enquiries: inforeg@justice.gov.za
Website: inforegulator.org.za
17. Changes to this policy
We review this policy at least annually and whenever changes to POPIA, the regulatory environment, or the platform materially affect personal information processing. Material changes are notified to active tenants at least thirty (30) days before they take effect. The current version of this policy is always published at flightdocket.com/legal/privacy-policy.html.