Privacy Policy

 

Controller: Aerlon OÜ

Tartu mnt 67/1-13b

Kesklinna linnaosa

10115 Tallinn

Harju maakond, Estonia

Registry code: 17321794

Email: privacy@aerlon.eu

Effective date: 14 Sep 2025


Aerlon OÜ (“Aerlon”, “we”, “us”) provides administrative and coordination services to airlines, aviation partners, and air crew. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act.

We operate as:

  • a controller for data collected via this website and when we deal with you directly (e.g., enquiries, contracting, vendor management); and
  • a processor only when we handle personal data on written instructions from a client (e.g., coordinating registrations for crew on the client’s behalf). In those cases, our client is the controller and our processing is governed by a Data Processing Agreement (DPA).

If anything here is unclear, contact us at privacy@aerlon.ee.

 


1) What data we collect

A. Website & communications

  • Contact data: name, email, phone, company, role, and the content of your message.
  • Technical data: IP address, device/browser info, pages visited, timestamps, basic diagnostics (server logs).
  • Cookies: see Section 9.

B. Business relationship data (B2B)

  • Client/vendor records: contact details of client or supplier personnel, contract metadata, correspondence, billing details, payment status.
  • Identity/authority data (rare): when necessary for coordination with authorities (e.g., appointment bookings), we may process IDs and reference numbers that you or our client provide.

C. Crew/individual data handled for clients (processor role)

  • Identification and contact details, assignment/base information, appointment confirmations, document checklists and statuses. We do not request or provide legal, tax, or financial advice. Special-category data are not intentionally collected; if a client instructs processing that involves such data, we will ensure a GDPR-compliant legal basis (Art. 9) and safeguards are in place via the DPA.

We do not sell personal data.


2) Purposes and legal bases

| Purpose | Examples | Legal basis (GDPR Art. 6) |
| --- | --- | --- |
| Responding to enquiries | Handling your contact form/email, scheduling a call | 6(1)(f) legitimate interests (operate our business and respond to requests); 6(1)(b) if pre-contractual |
| Providing services to clients (controller role) | Contracting, billing, vendor management | 6(1)(b) contract; 6(1)(f) legitimate interests (efficient administration); 6(1)(c) legal obligations (accounting, tax) |
| Acting as a processor for clients | Coordinating appointments, document handling per client instructions | 6(1)(b) / 28 GDPR (processing under contract/DPA; client is controller) |
| Security & fraud prevention | Server logs, access control, incident response | 6(1)(f) legitimate interests (site and data security) |
| Legal obligations | Accounting retention, responding to lawful requests | 6(1)(c) legal obligation |
| Marketing to existing B2B contacts (low-volume) | Informing existing clients/contacts of service updates | 6(1)(f) legitimate interests; where required, 6(1)(a) consent (you may opt out anytime) |
| Analytics (optional) | Aggregate website metrics | 6(1)(a) consent via cookie banner (if using non-essential analytics) |

Special-category data: We do not seek to collect it. If a client instructs us to handle such data, we rely on Art. 9(2) grounds defined by the client/controller and apply additional safeguards.

Criminal data: We do not process it except if lawfully required by authorities (Art. 10).


3) Where we get data from

  • Directly from you (forms, email, phone, meetings).

  • From our clients (when we act as a processor) and their designated partners.

  • From our service providers (e.g., hosting logs, email delivery diagnostics).

  • From public sources as needed for business verification.


4) Sharing and recipients

We share personal data only as needed:

  • Service providers (processors): hosting and cloud services, email and productivity tools, website maintenance, analytics (if enabled). All are bound by data-processing agreements.

  • Professional partners (independent controllers): e.g., notaries, authorised local agents/registrars, payroll/tax service companies engaged by you or our client.

  • Authorities or courts: if legally required.

  • Corporate events: in case of reorganisation, merger, or acquisition, subject to confidentiality and data-protection safeguards.

We never sell personal data.


5) International transfers

Our main systems are hosted within the EEA. If a provider is located outside the EEA (e.g., in the United States), we use one or more of the following safeguards:

  • an adequacy decision by the European Commission, or

  • Standard Contractual Clauses (SCCs) and, where appropriate, supplementary measures.

You can request details of current transfer mechanisms at privacy@aerlon.ee.


6) Retention

We keep data no longer than necessary for the purposes stated above. Typical periods are:

  • Enquiry records: up to 24 months after last contact (unless you become a client).

  • Contract, billing, and accounting data: 7 years after the end of the financial year, to comply with Estonian accounting rules.

  • Server logs & security events: typically 6–12 months unless needed longer to investigate incidents.

  • Client project files (controller role): for the contract term plus up to 3 years for limitation/defence.

  • Processor role data: as instructed by the client/controller; we return or delete after project closure, except where law requires retention.


7) Your rights

Under the GDPR, you have the rights of access, rectification, erasure, restriction, objection, and data portability, and (where processing is based on consent) the right to withdraw consent at any time.

To exercise your rights, email privacy@aerlon.ee. We may need to verify your identity. We aim to respond within one month (extendable by two months for complex requests).

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or with your local EU supervisory authority.


8) Security

We apply appropriate technical and organisational measures, including access controls, need-to-know principles, encryption in transit, secure configuration, regular updates, and staff confidentiality undertakings. No internet service is 100% secure, but we work to minimise risks.


9) Cookies & similar technologies

Our website uses necessary cookies to function (security, load balancing, consent management).

If we enable analytics (e.g., privacy-friendly analytics or Google Analytics), they are non-essential and used only with your consent via the cookie banner. You can change or withdraw consent at any time through the banner link in the footer.

Categories we may use:

  • Strictly necessary (always on): session, security, consent state.

  • Analytics (optional): page views, device/browser, approximate geography.

  • No advertising/remarketing cookies are used on this site.

A detailed cookie list (names, purposes, lifetimes, providers) is available in the cookie banner/popup and will update automatically when our setup changes.


10) Children

Our services are business-to-business. We do not knowingly collect data from children.


11) Acting as a processor (on client instructions)

When Aerlon coordinates administrative steps for a client (e.g., onboarding, appointments, document logistics), we act as a processor. The client is the controller and is responsible for providing privacy information to data subjects. We process only as instructed in the DPA, apply appropriate security, and assist the client with data-subject requests, incident notifications, and deletion/return at the end of the engagement.


12) Changes to this Policy

We may update this Policy from time to time. The latest version and effective date appear at the top of this page. Material changes will be highlighted for a reasonable period.
