Data Handling
00:00:00 UTC
WorldFlight 2026 will take place between October 31st and November 7th. Visit the Full Schedule page for detailed information about each sector.

Data Handling

Last updated: 2026-04-20

This page describes, in plain terms, how WorldFlight Planning stores, protects, and processes the data submitted to the site. It sits alongside our Privacy Policy and goes into more technical detail about where your data lives and who touches it.

Where data is stored

  • Primary database: a managed PostgreSQL instance hosted on Railway (EU/US region depending on your deployment), accessible only to the application process and authorised operators.
  • Application server: Node.js process running on Railway with restricted network access. No raw database access is exposed externally.
  • Static caches: airport / route / FIR data is cached on the server filesystem for performance; contains no personal data.

Who can access it

  • You: any data tied to your CID is visible to you when logged in.
  • WorldFlight administrators: a small number of trusted volunteers, listed in the WorldFlight organisational chart, with accounts tied to their VATSIM CID.
  • No one else: third parties do not have production database access. Infrastructure providers (e.g. Railway) have the same operational access they offer any customer and are bound by their own data-processing agreements.

Data we process when you use the site

Login

When you log in with VATSIM, your browser is redirected to VATSIM Connect, you approve the application, and VATSIM returns a short-lived authorisation code. We exchange that code for a token, fetch your public VATSIM profile, and store it in your session. We do not retain the underlying OAuth token beyond what's needed to complete login.

Suggestions & bookings

When you submit an airport suggestion or slot booking, your CID, name, role, and reason are recorded alongside your entry. Admins use this to organise the event. You can request removal of your entries at any time.

SimBrief integration

When you click Plan with SimBrief, your browser opens a SimBrief dispatcher URL pre-populated with route details. No credentials pass through our server; we never see your SimBrief password. Fetching a generated plan only happens at your explicit request and uses the Pilot ID you've supplied to the browser.

Email (optional)

We only send email when you opt in — for example, by subscribing to the mailing list or enabling route notifications on a suggestion. Emails are delivered via Gmail SMTP on behalf of contact@worldflight.center. You can unsubscribe at any time.

Security measures

  • All web traffic is served over HTTPS (terminated by Railway).
  • Sessions are signed with a secret known only to the server.
  • Passwords are never stored — authentication is delegated to VATSIM.
  • Database connections are restricted to the application host.
  • Admin-only endpoints check the requester's CID against a whitelist.

Data exports and deletion

Email contact@worldflight.center from the address registered with your VATSIM account (or include your CID so we can verify) to request an export of your data or deletion of your account. We aim to respond within 14 days.

Incidents

In the unlikely event of a security incident affecting your personal data, we will notify affected users and the VATSIM community as soon as reasonably practical and take steps to contain, investigate, and remediate the incident.

Changes

This page will be updated as the system evolves. Any material changes will be announced via the site banner and the mailing list.