Privacy Policy

Version 1.0 · Effective 13 May 2026 · Operated by Dutch Aviation Services Sp. z o.o. (90-369 Łódź, Poland)

This Privacy Policy explains how Dutch Aviation Services Sp. z o.o. ("we", "us", "the Controller") collects, uses, and protects personal data of users of the mywingman.eu website and recipients of MyWingman services.

This Policy is issued in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR") and, in Polish jurisdiction, the Polish Personal Data Protection Act of 10 May 2018 ("RODO", Dz.U. 2018 poz. 1000).

1. What data we collect

We collect personal data in three contexts:

(a) When you visit our website

• Standard server-log data (IP address, browser type, pages visited, referring URL, timestamp) for the purpose of security, fraud prevention, and aggregate analytics. Retained for up to 12 months.
• Cookies, as described in our Cookie Policy.

(b) When you submit a contact form or place an order

• Identification data: name, email, phone number, nationality;
• Service-specific data: the service you have selected, your stated goals or timeline, any information you choose to add to the message field;
• Consent records: the consents you ticked + timestamp + IP address (kept as proof of valid consent).

(c) When you receive a service

This varies by service. The special category data (Art. 9 GDPR) category applies to MyWingman. Detail follows below.

Special category data (Art. 9 GDPR / RODO)

Where our services involve psychometric or psychological assessment, the resulting reports may contain information relating to your mental and psychological characteristics, which qualifies as special category data under Article 9 GDPR.

We process such data on the legal bases of:

• Your explicit consent (Art. 9(2)(a) GDPR), obtained at the point of purchase and re-confirmed at the start of any recorded session;
• Establishment, exercise, or defence of legal claims (Art. 9(2)(f) GDPR), where required to respond to disputes or regulatory inquiry; and
• Where applicable to particular services, the management of health services and systems (Art. 9(2)(h) GDPR) under contract with a qualified aviation psychologist.

You may withdraw consent at any time. Withdrawal does not affect processing that has already occurred. Records that we are required to retain under applicable health-data or sectoral law remain retained for the legally mandated period.

Audio and video recording of consultations

Where your service includes a one-to-one consultation conducted via video conference, we may, with your prior consent, audio- and/or video-record the session for the limited purpose of quality assurance, accurate report preparation, and professional review. The recording is not used for marketing, not shared with third parties, and is securely deleted within 12 months of the consultation unless retention beyond that point is required to defend a legal claim or comply with sector regulation.

You may decline the recording without any negative impact on the assessment outcome. You may withdraw consent during the session or afterward by contacting us.

Third-party assessment platform

The psychometric assessment is delivered through Symbiotics Ltd (United Kingdom), an aviation-industry-recognised assessment provider operating the ADAPT platform.

Symbiotics acts as a processor for the assessment data on our behalf, under a written data processing agreement consistent with Art. 28 GDPR. Personal data shared with Symbiotics is limited to what is necessary to deliver the assessment (typically: name, email, the licence code we issue, and the assessment responses you complete).

Because the United Kingdom benefits from a UK Adequacy Decision under Art. 45 GDPR, transfers of personal data to Symbiotics in the UK occur under that adequacy mechanism without additional safeguards being required.

2. Why we process your data (legal bases)

Purpose	Legal basis (GDPR)	Retention
Respond to your enquiry; provide pre-contractual information	Art. 6(1)(b) — pre-contractual measures	12 months from last contact
Deliver the service you have purchased	Art. 6(1)(b) — performance of contract	Duration of contract + 6 years (statute of limitations)
Issue invoices and fulfil tax obligations	Art. 6(1)(c) — legal obligation (Polish Accounting Act, VAT Act)	5 years from end of tax year
Marketing communications (where you opted in)	Art. 6(1)(a) — consent	Until consent is withdrawn, max 36 months from last engagement
Defend legal claims; respond to regulatory inquiry	Art. 6(1)(f) — legitimate interest; Art. 9(2)(f) for special category	Until limitation period expires (typically 6 years)
Aviation regulatory record-keeping (where applicable)	Art. 6(1)(c); aviation sectoral law (EASA Part-FCL, applicable national law)	As required by the regulation (typically 5–10 years)

3. Who has access to your data

Inside our organisation, access is limited to those individuals who need the data to perform their role.

Outside our organisation, we share data with the following categories of recipient, each operating either as a processor under Art. 28 GDPR or as an independent controller where they determine their own purposes:

• Hosting and IT infrastructure providers (web hosting, email, document storage) — processors, EU-based or under adequacy decisions;
• Customer relationship management platform (CRM) — processor, EU-based;
• Payment service providers (bank, future online-payment integration) — independent controllers for payment data, processors for transaction metadata;
• Accountancy and tax advisors — processors;
• Aviation regulatory authorities (EASA, national CAA) — independent controllers, where statutory disclosure applies;
• Legal advisors and dispute-resolution bodies — only as required.

A full sub-processor list is available on request. We do not sell your personal data and we do not share it for the purpose of cross-context behavioural advertising.

4. International transfers

Where data is transferred outside the European Economic Area, we rely on the following safeguards:

• Adequacy decisions (Art. 45 GDPR) — applies to transfers to the UK, Switzerland, Israel, and other adequacy-listed countries;
• Standard Contractual Clauses (Art. 46(2)(c)) — for transfers to other third countries where applicable;
• Your explicit consent (Art. 49(1)(a)) — only in limited cases that you specifically agree to.

5. Your rights

Under GDPR / RODO you have the following rights:

• Access (Art. 15) — request a copy of your data;
• Rectification (Art. 16) — correct inaccurate or incomplete data;
• Erasure (Art. 17) — "right to be forgotten", subject to legal retention obligations;
• Restriction of processing (Art. 18) — limit how we use your data while a dispute is resolved;
• Data portability (Art. 20) — receive your data in a structured machine-readable format;
• Object (Art. 21) — to processing based on legitimate interests or direct marketing;
• Withdraw consent at any time, for any processing based on consent — without affecting prior lawful processing;
• Lodge a complaint with the Polish supervisory authority (Prezes Urzędu Ochrony Danych Osobowych (UODO)) or your local EU data protection authority.

Detailed information about your rights and how to exercise them is on our GDPR Rights page.

6. Automated decision-making and profiling

We do not make decisions about you that are based solely on automated processing and that produce legal or similarly significant effects on you. Where psychometric assessments are involved, results are interpreted by a qualified human professional before any recommendation is communicated.

7. Security

We implement technical and organisational measures appropriate to the risk: TLS encryption for data in transit, encryption at rest where supported by the platform, role-based access controls, regular access reviews, incident-response procedures, and personnel-confidentiality undertakings. Breach notification follows Art. 33–34 GDPR — within 72 hours to the supervisory authority where required, and without undue delay to you where the breach is likely to result in a high risk to your rights.

8. Contact us about this Privacy Policy

Email: [email protected] (subject: "Privacy request")

Post: Dutch Aviation Services Sp. z o.o., ul. Piotrkowska 222/3, 90-369 Łódź, Poland

We respond to data-subject requests within one calendar month, extendable by a further two months for complex requests (in which case we will tell you within the first month).

9. Supervisory authority

10. Changes to this Policy

This Policy is Version 1.0, effective 13 May 2026. Material changes are notified by email to active customers; the current version and effective date are always shown at the top of this page.