FireFlightLog
FireFlightLog

Privacy Policy

Effective: 19 May 2026

FireFlightLog (“FireFlightLog”, “we”, “us”, “our”) is based in Western Australia and operates the FireFlightLog platform at fireflightlog.com.au. We take the privacy of the emergency-services personnel who use our platform seriously. This policy explains what personal information we collect, how we use it, and the rights you have in relation to it. We handle personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. Scope

This policy applies to personal information we collect through the FireFlightLog website, the application, and account-related communications such as invitations, transactional emails, and support correspondence.

2. What we collect

  • Account & profile information — first and last name, work email address, organisation membership, role (administrator or member), and an optional profile photo.
  • Flight log data — aircraft and tail-number details, mission type, engine start and stop times, flight duration, operational context, and any attachments (PDFs or images) you upload.
  • Qualification records — certification names, issue and expiry dates, and uploaded certificate documents.
  • Allowance records — generated allowance PDFs derived from your flight data, including the metadata required to reproduce them.
  • Audit records — an automatic, immutable record of every mutation (who, when, what changed) made to flight logs, qualifications, allowances, members, and invitations. This supports CASA/ATSB chain-of-custody expectations.
  • Technical telemetry — IP address, browser and device information, performance metrics, and error logs collected to keep the platform secure and reliable.
  • Communications — any messages you send us through support channels.

3. How we collect it

We collect personal information:

  • Directly from you, when you accept an invitation, sign in, update your profile, or contact us.
  • From your use of the platform — for example, the flight logs and qualifications you record.
  • Automatically, through technical telemetry the platform emits when you use it.
  • From your organisation administrator, who controls invitations and seat allocations.

4. Why we collect it and how we use it

We use personal information to:

  • Provide and operate the platform on behalf of your organisation.
  • Maintain auditable records that satisfy aviation and emergency-services regulatory expectations.
  • Authenticate users, control access, and protect the security of the platform.
  • Send service-related communications, such as invitations, password resets, and important notices.
  • Respond to support enquiries and troubleshoot issues you report.
  • Improve the platform, including diagnosing errors and understanding usage patterns at an aggregate level.

We do not sell personal information. We do not use personal information for third-party advertising or marketing.

5. Sensitive information

Emergency-services workforce records can identify individuals and link them to operationally sensitive activity. We treat that information with elevated care: it is never sold, never disclosed for marketing purposes, and never used for purposes unrelated to delivering the service to your organisation.

6. Disclosure and sub-processors

To deliver the service we use a small set of trusted sub-processors. Each handles your data under its own privacy obligations and contractual terms with us.

  • Supabase — database hosting and file storage, on AWS infrastructure in the Sydney region.
  • Vercel — web hosting and serverless compute for the application and website. Vercel is headquartered in the United States and operates global edge infrastructure.
  • Resend — transactional email delivery (invitations, password resets, and similar service emails).
  • Axiom — error and observability logging used to diagnose platform issues.

We do not disclose personal information to third parties for unrelated purposes. We may disclose information where required or permitted by law — for example, in response to a lawful request from an Australian regulator or court.

7. Cross-border data flow

Some of our sub-processors store or process data outside Australia (for example, Vercel and Resend operate global infrastructure that may include data centres in the United States and Europe). By using the platform you consent to this transfer. We select reputable providers and take reasonable steps to ensure the information remains protected to a standard consistent with the Australian Privacy Principles.

8. Storage and security

We protect personal information with measures including:

  • Private storage buckets with per-organisation row-level security.
  • Encryption in transit (TLS) and encryption at rest at the storage layer.
  • Short-lived signed URLs for file access, so links cannot be reused indefinitely.
  • A two-phase upload pattern that prevents orphaned files when uploads fail.
  • Strict role-based access control inside the application, with administrator and member roles scoped to your organisation.

No platform can be guaranteed completely secure. We continually improve our security practices and notify users where required by law if a breach occurs.

9. Retention

Audit-log records are retained for seven (7) years to meet CASA/ATSB chain-of-custody expectations. Account and operational data is retained while your account is active. If your account is closed or your organisation’s subscription ends, we keep your data for 30 days to support export, then purge it — except where retention is required by law or where the data remains within the audit-log retention window described above.

10. Your rights

Under the Privacy Act, you may:

  • Request access to the personal information we hold about you.
  • Request that we correct information that is inaccurate, out of date, incomplete, or misleading.
  • Request that we delete personal information, subject to our retention obligations (including the 7-year audit-log retention).
  • Withdraw consent for any optional processing at any time.

To exercise any of these rights, contact us at admin@fireflightlog.com.au. We will respond within a reasonable period.

11. Complaints

If you are concerned about how we handle your personal information, please contact us first at admin@fireflightlog.com.au so we can work through the issue with you. If you remain dissatisfied, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

12. Children

FireFlightLog is intended for emergency-services personnel aged 18 years or over. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, please contact us so we can delete it.

13. Cookies and tracking

We use essential session cookies to keep you signed in and to remember the organisation you have selected if you belong to more than one (the ffl_active_org cookie). We also collect aggregate analytics — page views and Web Vitals — via Vercel Analytics and Vercel Speed Insights, scoped to improving the product. We do not use third-party advertising trackers.

14. Notifiable data breaches

We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. If a data breach is likely to result in serious harm to affected individuals, we will notify those individuals and the Office of the Australian Information Commissioner without undue delay.

15. Changes to this policy

We may update this policy from time to time. When we do, we will update the effective date at the top of the page. Material changes will be communicated to your organisation administrator.

16. Contact

Questions or requests about this policy should be sent to admin@fireflightlog.com.au.