Privacy Policy

1. Introduction

This Privacy Policy describes how Distal Systems, LLC, a Colorado limited liability company doing business as PilotTracker.io (“Pilot Tracker,” “we,” “us,” or “our”), collects, uses, shares, and protects personal information when you visit pilottracker.io or use our pilot tracking service (the “Service”). By using the Service, you agree to the practices described in this policy.

PilotTracker.io is a registered trade name of Distal Systems, LLC. When you contract for the Service, your contract is with Distal Systems, LLC. This Privacy Policy is specific to PilotTracker.io; it supplements, and with respect to your use of the Service controls over, the general Distal Systems privacy policy at distalsystems.com.

2. Information We Collect

We collect information in three ways: information you provide to us directly, information we collect automatically when you use the Service, and information we receive from third parties.

2.1 Information You Provide

• Account information. Your name, email address, password (stored only as a cryptographic hash using Argon2), optional company name, and any profile details you add.
• Customer Data. Content you upload or input into the Service, including:
  • Pilot records — stakeholder names, titles, company names, objectives, timelines, tasks, metrics, notes, and other pilot state information;
  • Meeting transcripts — text files you upload in .txt, .md, .pdf, or .docx format;
  • Voice recordings — audio recorded in your browser when you use the voice input feature;
  • Generated documents — pilot agreements, check-in prep notes, and other documents generated by the Service at your request.
• Billing information. If and when you subscribe to a paid tier, payment details are collected and processed by our third-party payment processor. We do not see or store full payment card numbers. We retain limited billing metadata (customer ID, subscription tier, billing period, last four digits of the card) as returned by the processor.
• Communications. Any information you send us by email, through support requests, or via forms on the Service.
• Referrals. If you invite another person to try the Service, we collect the invitee's email address in order to send the invitation.

2.2 Information Collected Automatically

• Device and browser information. IP address, browser type and version, operating system, device identifiers, screen size, language preference, referring URL, and timestamps of access.
• Usage data. Pages viewed, features used, session duration, click paths, error logs, and other interaction data.
• Session recordings. We use LogRocket to record user sessions (page views, click events, scroll position, and console errors) to help us reproduce bugs and understand product usage. LogRocket recordings may include information you enter into forms; we configure LogRocket to mask password fields.
• Analytics. We use Google Analytics 4 to measure aggregate traffic and feature usage. See Section 7 (Cookies and Tracking).
• Cookies and similar technologies. See Section 7.

2.3 Information from Third Parties

• Payment processor. When you pay, our payment processor shares billing metadata (subscription status, last payment date, last four digits of the card) with us.
• AI providers. Our AI providers return outputs that are stored in the Service as part of your Customer Data.

3. How We Use Information

We use the information we collect to:

• Provide and operate the Service — create and manage your Account, authenticate sessions, deliver pilot tracking features, process AI requests, generate documents, and store your Customer Data;
• Bill you — process payments, send invoices, and prevent fraud;
• Communicate with you — send service-related emails (email verification, password reset, billing notices, product updates, and responses to your inquiries);
• Improve the Service — analyze usage patterns, debug issues, investigate reliability problems, and develop new features;
• Protect the Service and its users — detect and prevent fraud, abuse, security incidents, and violations of our Terms of Service;
• Comply with law — respond to lawful requests, enforce our rights, and meet legal, tax, and accounting obligations.

We do not use Customer Data to train machine learning models, we do not sell personal information, and we do not share Customer Data with advertisers.

4. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, our legal basis for processing your personal information depends on the specific purpose:

• Performance of a contract. Processing your Account information, Customer Data, and billing information is necessary to deliver the Service you have requested.
• Legitimate interests. We process technical and usage data to operate, secure, and improve the Service; to communicate with you about your Account; and to prevent fraud and abuse. We balance these interests against your rights.
• Consent. Where required, we ask for your consent (for example, before setting non-essential cookies or sending marketing emails). You may withdraw consent at any time.
• Legal obligation. We process information as necessary to comply with applicable law.

5. How We Share Information

We share personal information only as described in this policy. We do not sell your personal information.

5.1 Service Providers and Sub-processors

We share information with the following categories of service providers, which act as data processors on our behalf:

As of the date of this policy, our AI providers (Anthropic and OpenAI) commit in their standard API terms not to use customer inputs or outputs to train their models. These commitments can change; we monitor them and will update this policy if we change providers or the terms materially change.

5.2 When Required by Law

We may disclose information if required to do so by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is reasonably necessary to (i) comply with law, (ii) protect the safety of any person, (iii) investigate or defend against legal claims, or (iv) investigate fraud or violations of our Terms of Service.

5.3 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, your information may be transferred as part of that transaction. We will notify you of any such transfer and of any choices you may have regarding your information.

5.4 With Your Consent

We may share information in other circumstances with your consent or at your direction.

6. AI Features and Automated Processing

When you use an AI Feature, we transmit the relevant portion of your Customer Data (such as a meeting transcript, voice recording, or pilot state) to our AI providers for processing. The providers return an output which is stored as part of your Customer Data. The operation is logged for debugging and credit-accounting purposes.

AI Features do not make decisions with legal or similarly significant effects on you. AI output is a suggestion that you are responsible for reviewing and verifying before acting on. See Section 7 of our Terms of Service for more information.

7. Cookies and Tracking

We use cookies and similar technologies to operate the Service and measure its use. The cookies we set fall into the following categories:

• Strictly necessary. Required to operate the Service. These include the auth-session cookie that keeps you signed in. You cannot opt out of strictly necessary cookies without losing access to the Service.
• Analytics. We use Google Analytics 4 to understand aggregate usage of the Service. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
• Session replay. We use LogRocket to capture interaction recordings as described above.

We do not use cookies for advertising or cross-site tracking.

Your browser allows you to clear or block cookies. Blocking strictly necessary cookies may prevent the Service from working.

8. Data Retention

We retain personal information for as long as necessary to provide the Service and to comply with our legal obligations:

• Account information — retained while your Account is active, and for up to ninety (90) days after termination, after which it is deleted or anonymized (subject to legal hold).
• Customer Data — retained while your Account is active; deleted within a reasonable period after Account termination, typically thirty (30) days, unless you request earlier deletion.
• Billing records — retained for at least seven (7) years to meet tax and accounting obligations.
• Server logs and LogRocket session recordings — retained for up to thirty (30) days.
• Google Analytics data — retained per Google Analytics default (currently fourteen months) for user-level data.
• Email communications — retained for up to two (2) years.

You may request earlier deletion at any time; see Section 10.

9. Security

We take reasonable and appropriate technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, and destruction. These measures include:

• Encryption of data in transit (TLS) and at rest;
• Password hashing using the Argon2 algorithm;
• Session-based authentication with short-lived tokens;
• Access controls limiting employee access to production systems;
• Reputable cloud providers for hosting and database storage.

No system can be made perfectly secure. If we learn of a security breach that compromises your personal information, we will notify you and any applicable regulators as required by law.

10. Your Rights

Depending on where you live, you may have the following rights regarding your personal information:

• Access. Request a copy of the personal information we hold about you.
• Correction. Ask us to correct inaccurate or incomplete information. Most Account details can be corrected from your profile settings.
• Deletion. Ask us to delete your personal information. Canceling your Account will trigger deletion of your Customer Data within the period described in Section 8.
• Portability. Ask us to provide your personal information in a structured, commonly used, machine-readable format.
• Objection. Object to our processing of your personal information based on legitimate interests.
• Restriction. Ask us to restrict how we process your personal information.
• Withdrawal of consent. Where we process based on consent, withdraw that consent at any time.
• Complaint. Lodge a complaint with your local data protection authority.

To exercise any of these rights, email support@pilottracker.io with the subject line "Privacy Request." We will respond within thirty (30) days, subject to legally permitted extensions. To protect your privacy, we may ask you to verify your identity before responding.

10.1 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, “CCPA”):

• Right to know. Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it.
• Right to delete. Request deletion of personal information we have collected from you, subject to legal exceptions.
• Right to correct. Request correction of inaccurate personal information.
• Right to limit use of sensitive personal information. We do not use or disclose sensitive personal information for purposes other than those permitted by CCPA without your consent.
• Right to opt out of “sale” or “sharing.” We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined by CCPA.
• Non-discrimination. We will not discriminate against you for exercising any of these rights.

In the preceding twelve months we have collected the following categories of personal information: identifiers (name, email, IP address), internet activity (usage data), professional information (in Customer Data, if you choose to enter it), commercial information (billing records), audio (voice recordings), and inferences (derived from usage). We collect these for the business purposes described in Section 3.

You may designate an authorized agent to make a request on your behalf by providing written authorization. To exercise your CCPA rights, email support@pilottracker.io.

11. Children's Privacy

The Service is not directed to children under 18 years of age and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

12. International Data Transfers

We are based in the United States, and our service providers may process personal information in the United States and other countries. If you are located outside the United States, your personal information will be transferred to and processed in the United States, which may not provide the same level of data protection as your country.

For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards permitted by applicable law, including Standard Contractual Clauses where required.

13. Third-Party Links

The Service may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We encourage you to review the privacy policies of any site you visit.

14. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our Service, or applicable law. If we make material changes, we will notify you by posting the updated policy on the Service and updating the “Last Updated” date. For material changes affecting your rights, we will provide additional notice by email or through the Service.

15. Contact Us

Questions, requests, or complaints about this policy or our data practices? Contact us at: