Privacy Policy
Last updated: 2026-05-25
What this policy covers
This Privacy Policy applies to uasecure.com and to the UASecure service (the "Service"). It describes the Personal Data we collect, how we use it, who we share it with, how long we retain it, and the rights you have over your information. In this policy, "Personal Data" means information that identifies, or can reasonably be linked to, an identifiable natural person. References to "we", "our", and "us" mean UASecure; references to "you" mean the individual using the Service or, where you are acting on behalf of an organization, both you and that organization.
Information we collect
We collect Personal Data directly from you when you create an account, when you operate the Service, and automatically as you interact with our systems.
Account info
When you create or maintain an account, we collect your name, email address, organization name, role within the organization, and a salted hash of your password. We do not store your password in cleartext.
Mission and operational data
To deliver the Service we store the data you create within it: mission records (including planning answers, geometry, and stage progress), hangar inventory, crew assignments, training logs, and any KML files you upload. This data is treated as customer data under our Terms of Service and the DPA at /dpa.
Billing info
When you subscribe to a paid plan, we record your Stripe customer ID, the last four digits of your payment card, and the billing address you provide. Full card numbers, expiration dates, and CVV values are handled by Stripe under PCI DSS and never reach our servers.
Technical telemetry
As you use the Service, we automatically collect technical information needed to operate, secure, and debug the platform. This includes your IP address, browser user agent, stack traces from errors, and server-side request logs written via pino structured logging (which may include user emails, user IDs, and request paths). Server-side captures sent to Sentry may include local variables present at the moment of an error. We also operate a first-party /api/observability/client-error endpoint that receives unhandled browser errors directly from the Service, with no third-party flow.
Cookies and similar technologies
We use cookies and similar technologies for authentication, security, and analytics. The full inventory and your choices are described in our Cookie Policy.
How we use the information
We use Personal Data to operate the Service and to support our relationship with you. Specifically:
- to operate and maintain the Service, including authentication, mission and fleet workflows, billing, and security
- to communicate with you about your account, transactional notifications, and material changes to our policies
- to comply with law and to respond to valid legal process
- to improve the product, including diagnosing bugs and measuring feature performance
We do not train AI models on customer data. We do not sell or rent Personal Data to third parties.
Sub-processors
We rely on a limited set of vendors (sub-processors) to operate the Service. By category, these cover hosted database, hosting and edge runtime, payment processing, transactional email, mapping and geocoding, error monitoring, and analytics. The current named list, including the type of data each receives and the regions where data is processed, is available at Sub-processors. We update that page when sub-processors change, and the change history is preserved there.
Data retention
We keep Personal Data only for as long as we have an operational, contractual, or legal reason to do so:
- Account data: 6 months after account cancellation, then purged unless retained for legal hold.
- Mission and compliance records: 5 years, which aligns with FAA Part 107 and 49 USC 44807 recordkeeping expectations.
- Billing records: 7 years (IRS recordkeeping).
- Error monitoring data in Sentry: 90 days.
- Google Analytics data: 14 months.
- Consent audit log: retained indefinitely, because it is the legal basis for any processing we rely on consent for.
Sharing
We do not sell or rent Personal Data. We share it with our sub-processors strictly to the extent needed to operate the Service, under written agreements that bind them to confidentiality and security obligations consistent with this policy and the DPA. We may disclose information to law enforcement or other authorities when required by valid legal process, and we will notify the affected customer where the law permits us to do so.
International transfers
The Service is operated from, and Personal Data is stored in, the United States. For transfers of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on the EU Standard Contractual Clauses (Module 2, Commission Implementing Decision (EU) 2021/914 of 4 June 2021) and, for UK transfers, the UK International Data Transfer Addendum. These are incorporated by reference in the Data Processing Addendum at /dpa, with Annexes that identify the parties, categories of data, technical and organizational measures, and sub-processors.
Your rights
Depending on where you live, you have rights over the Personal Data we hold about you. We honor these rights regardless of whether they apply automatically under the law that governs you.
EU GDPR and UK GDPR
If you are in the EEA or the UK, Articles 15 to 22 of the GDPR (and the corresponding UK GDPR provisions) give you the right to access your Personal Data, to have inaccurate data rectified, to have data erased in defined circumstances, to restrict processing, to receive your data in a portable format, to object to processing, and to seek review of solely-automated decisions that produce legal or similarly significant effects. We do not engage in solely-automated decision-making that produces legal effects on you.
California (CCPA and CPRA)
If you are a California resident, you have the right to know what Personal Data we have collected about you, to delete it, to correct inaccurate data, to opt out of any "sale" or "sharing" of Personal Data, and to limit the use and disclosure of sensitive Personal Data. We do not sell or share Personal Data as those terms are defined under the CCPA.
Other US state privacy laws (VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA)
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, or Oregon, you have rights to access your Personal Data, correct it, delete it, opt out of targeted advertising, and opt out of the sale of Personal Data, as defined under your state's law. We honor these rights through the same intake described below.
Quebec Law 25
If you are a Quebec resident, you have corresponding rights of access, rectification, withdrawal of consent, portability, and de-indexing under Law 25, and we will honor those rights on the same intake.
How to exercise these rights
To exercise any of the rights above, email privacy@uasecure.com with proof of identity sufficient to confirm the request is yours. We respond within 30 days, with one extension of up to 15 additional days for complex requests (45 days total). We do not charge a fee unless a request is excessive or repetitive, in which case we will tell you in advance.
Children's privacy
UASecure is a business-to-business service for commercial drone operators. It is not directed at children under 16, and we do not knowingly collect Personal Data from children. If you believe a child has provided us with Personal Data, email privacy@uasecure.com and we will delete it.
Security
We protect Personal Data in transit with TLS and at rest with encryption provided by Neon (for the database) and Vercel Blob (for file storage). Two-factor authentication is available on every account and we strongly recommend enabling it. Internal access to customer data is scoped by role on a need-to-know basis, logged, and reviewed. In the event of a Personal Data breach, we will notify affected customers and, where required, supervisory authorities within 72 hours of becoming aware of the breach, consistent with GDPR Article 33.
Changes to this policy
We may update this Privacy Policy from time to time. We will provide at least 30 days' notice of material changes by email to the address associated with your account and by an in-app banner. Your continued use of the Service after the effective date of a change constitutes acceptance of the updated policy. Non-material changes (such as clarifications, formatting, or typo fixes) take effect on publication.
Contact
For privacy questions, contact legal@uasecure.com. For account or billing questions, contact support@uasecure.com. For security disclosures or vulnerability reports, contact security@uasecure.com. Mailing address: UASecure, Scottsdale, AZ. The full mailing address is available on request to legal@uasecure.com.