Privacy Policy

Last updated: 2026-04-20

Privacy Policy (VATSIM Compliance-Aligned)

1. Data Controller

The WorldFlight Planning portal (planning.worldflight.center) is operated by the WorldFlight volunteer team (“WorldFlight”, “we”, “us”, “our”). For the purposes of Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”), WorldFlight acts as the data controller.

Single point of contact for all data protection matters:
Email: contact@worldflight.center

All data subject requests must be submitted via this address.

2. Scope and Applicability

This service is provided to members of the VATSIM network in support of the WorldFlight event. Processing of personal data is limited strictly to what is necessary for:

  • Authentication via VATSIM Connect
  • Event coordination and operational planning
  • Compliance with VATSIM policies, including the Code of Conduct

No processing is performed for commercial, advertising, or profiling purposes.

3. Personal Data Processed

We process only the following categories of personal data:

  • Identity Data (via VATSIM Connect): CID, full name, email address, rating, division
  • Session Data: authenticated session identifier, login state, callsign (if provided), OAuth verification data
  • User-Provided Content: slot bookings, airport suggestions, uploaded documents, and other voluntary submissions
  • Technical Data: IP address, timestamps, request metadata, and error logs

No special category data (Article 9 GDPR) is collected or processed.

4. Lawful Basis for Processing

Processing is conducted in accordance with Article 6 GDPR:

  • Art. 6(1)(b) – Contractual necessity: provision of authentication and event services
  • Art. 6(1)(f) – Legitimate interests: service security, abuse prevention, and operational integrity
  • Art. 6(1)(a) – Consent: optional communications and integrations explicitly initiated by the user
  • Art. 6(1)(c) – Legal obligation: compliance with applicable law and VATSIM network policies

Legitimate interest processing is limited and proportionate, and does not override user rights.

5. Purpose of Processing

Personal data is processed exclusively to:

  • Authenticate users via VATSIM Connect
  • Associate bookings and submissions with a VATSIM identity
  • Facilitate planning, scheduling, and execution of the WorldFlight event
  • Communicate with users where explicitly requested or required
  • Maintain platform security and enforce VATSIM policies

6. Data Sharing and Disclosure

  • User identity (name and CID) is visible to authenticated users where operationally required (e.g. bookings)
  • Administrative access is restricted to authorised WorldFlight personnel
  • Data is not sold, rented, or disclosed to third parties for commercial purposes
  • Data sharing is limited to:
    • VATSIM services where required for authentication or compliance
    • Service providers strictly necessary for functionality

7. Third-Party Services

The service integrates with:

  • VATSIM Connect (authentication and identity data)
  • SimBrief (optional, user-initiated flight planning)
  • OpenStreetMap / Overpass API (geospatial data)

These services operate as independent data controllers.

8. International Data Transfers

Due to the global nature of VATSIM, personal data may be processed outside the UK/EEA. Where applicable, transfers are conducted with appropriate safeguards consistent with GDPR requirements.

9. Data Retention

  • Account-linked data: retained for the duration of user participation in WorldFlight
  • Event data: retained across events for continuity; anonymised where practicable
  • Technical logs: retained only for the minimum period necessary for security and diagnostics

Data is not retained longer than necessary for its stated purposes.

10. Data Subject Rights

Under GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase personal data
  • Restrict processing
  • Object to processing
  • Request data portability
  • Withdraw consent where processing is based on consent

Requests will be acknowledged without undue delay and fulfilled within 30 days, unless legally extended.

You have the right to lodge a complaint with a supervisory authority, including the UK Information Commissioner’s Office (ICO) or your local EU authority.

11. Cookies

A single essential cookie is used:

  • Name: worldflight.sid
  • Purpose: authentication and session management
  • Attributes: HttpOnly, SameSite=Lax
  • Retention: session-only

No tracking, analytics, or advertising cookies are used.

12. Automated Decision-Making

No automated decision-making or profiling as defined under Article 22 GDPR is performed.

13. Policy Updates

This policy may be updated to reflect operational or regulatory changes. Material changes will be clearly communicated where appropriate.