Your privacy is very important to us. Unifly therefor carefully considers the protection of your personal data during the different personal data processing activities.
This policy aims to tell you which personal data we collect from you, why we collect this data and how your data will be used. In addition, you can find information about your rights as a Data Subject.
The PDF version of the Privacy and Data Protection Policy of Unifly can be found here.
What is personal data and data protection?
The applicable data protection legislation uses specific language and in order to help you to better understand the terminology and this policy, we will explain the most important elements below. If you want more information, you can always check out the website of the European Commission at https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens_en.
Which data protection regulation is applicable?
The basic principles and obligations are documented in the General Data Protection Regulation (the famous GDPR or in legalese Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
In addition to the European regulations, the national data protection legislation still applies to the processing of your personal data. In Belgium, i.a. the Law of 8 December 1992 on the protection of privacy with regard to the processing of personal data and the Law of 13 June 2005 on electronic communications apply.
What is personal data?
Personal data is all the information about an identified or identifiable natural person, also known as the data subject (a.k.a. you). A person is considered ‘identifiable’ when a natural person can be directly or indirectly identified, in particular by reference to an identifier such as:
an identification number;
an online identifier;
or one or more elements that are characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person (article 4, §1 GDPR).
Data relating to race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and processing of genetic data, biometric data for the unique identification of a person, or data about health, sexual behaviour or sexual orientation, criminal offences or convictions are considered sensitive data. Unless an organisation can refer to one of the exceptions, the processing of these data is forbidden pursuant article 9 of the GDPR.
We at Unifly, do not process any sensitive personal data. If we would at any time require these types of data for providing you with our services, we will always ask you for your explicit consent and provide you with additional safeguards.
What does processing of personal data mean?
This means any operation or set of operations which is performed on personal data (whether or not by automatic means), such as the:
(art. 4, §2 GDPR).
Controller vs. processor
The controller is a natural or legal person that determines the purposes and means for the processing of personal data. The processor on the other hand, processes this data on behalf of and only on request and with instructions from the controller (art. 4, §7 and §8 GDPR).
Unifly as controller
We act as a controller of data in the context of:
the Unifly app
the Unifly website
our client and supplier management
Unifly as processor
We work with several ANSPs (Air Navigation Service Providers) to provide UTM solutions. In those instances, we act as a processor since our clients (the ANSPs or other entities) determine the purposes and means for the processing of your personal data.
Check out their websites for the applicable privacy policies.
We act as a processor of data for following organisations:
What are the basic principles of data protection?
Personal data must be processed fairly and lawfully with respect to you. In order to process personal data lawfully, a legal basis must exist.
Pursuant article 6 of the GDPR, these legal bases are:
performance and preparation of a contract;
compliance with a legal obligation;
protection of vital interests;
performance of a task carried out in the public interest or in the exercise of official authority;
Unifly ensures that it always refers to at least one of the above-mentioned legal bases when it processes personal data. More about our processing activities and their legal ground can be found below.
The fairness of processing obliges us to only process your accurate (updated) data for specific, explicit and legitimate purposes. Processing incompatible with the initial purpose for which the data were collected, is not allowed.
Data minimisation is also a key principle and limits the processing to what is necessary for the purposes for which the data were collected. This also implies the processing must be limited in time.
You as a data subject must be made aware of the following matters in clear and plain language:
Identity and contact details of the controller;
If a Data Protection Officer is appointed and his or her contact details;
Processing purposes and legal basis;
If the personal data processing is supported by a legitimate interest and an explanation of this interest;
Categories of receivers of the personal data;
Transfer of personal data to third countries (outside the EU) or international organisations (and on what basis);
Time limit for the storage of personal data or the criteria used to determine the time limit;
Your rights (including the right to revoke consent);
The right to lodge a complaint with the supervisory authority;
Explanation when the transmission of personal data is a contractual or legal obligation;
If the personal data is received from a third party, the categories of personal data received and the third party.
Specific legislation may contain exceptions or set additional requirements which the organisation must comply with, with respect to the provision of information to data subjects. These mandatory legal provisions take precedence over this policy.
Confidentiality and integrity
Technical and organisational measures must be taken to ensure the processing of personal data can take place with the appropriate guarantees, so that the data are protected against accidental loss and against unlawful processing, destruction or damage.
What personal data do we process?
The data you actively and knowingly provide us
In principle we at Unifly only process data we have received directly from you, for example when you use one of our products and you register or when you fill in the contact form at our website.
The data you provide to us by the use of our service
You might not be aware of it but by using our service you provide us with some data that might be personal (‘Observed data’), such as your location data, IP address, metadata (data that provides information about other data) and login codes and passwords.
Why do we process your personal data?
Unifly only processes personal data if necessary to achieve a certain objective. That is why we use your personal data when necessary for:
The compliance with a legal obligation which is imposed upon the organisation;
The preparation, execution and termination of an agreement;
The purposes of the legitimate interests of our company in conducting and managing our business to enable us to give you the best service/products and the best and most secure experience.
Otherwise, we will make sure to obtain your explicit consent.
If you have given your consent for a specific processing purpose to Unifly in order to process your data for that purpose, you can withdraw this consent at any time. We will then stop any further processing of your data for which you gave consent and will inform you of the possible consequences of your withdrawal of consent. If Unifly processes your personal data for other purposes and in order to do so it refers to other legal bases, we will still be allowed to process your personal data.
Unifly tries via its current privacy and data protection policy to provide you with this information in order to be as transparent as possible with respect to the processing of your personal data. This general policy must be read together with more specific information notes which give additional information concerning about the organisation’s specific processing purposes.
We process your personal data for the following:
To prepare or execute an agreement with you
To prepare, execute or terminate an agreement, we will need certain personal data which may vary depending on the type of contract. The retention period will depend on the type of agreement and the legal requirements.
Offering our UTM services via our products
We adhere to the principle of data minimisation. Therefore, we provide you with the possibility to use our applications anonymously. Keep in mind that some features may not be accessible when you choose this option (such as the creation of the ability to manage your drones).
When you choose to register, we need your contact details (name, mailing address, address and telephone number), location data, login code and password to offer you our UTM services and/or validate your flights.
If you use the logbook and drone management features, you can enter additional personal data in our application such as your birthdate, possessions (drones), licenses, photographs of drones, etc. We process these data based on legitimate interests. These data are stored as long as necessary for the processing purpose. With regard to the importance in litigations or other procedures, your data is stored for two years after the termination of our service. If you are a paying customer, legal retention periods are applicable which imply a retention period of seven years.
To send direct marketing communications
Sending out our newsletter or other direct marketing communications will only occur based on your explicit consent. Based on our legitimate interest we may also process your profession in order to send you more personal and relevant information. You may unsubscribe at any time.
To inform you about our products/ services
If you ask us for more information via the contact form on our website or by telephone, we need to process your contact information in order to provide you with this information. We will only use this data to provide you with the requested information based on our legitimate interest. For direct marketing communications afterwards, we will ask your consent.
To enhance security
We may use your personal data to enhance the security of our networks and information systems based on our legitimate interest. This means we can monitor your access to our networks and systems and collect some metadata.
In our offices several surveillance cameras are installed to guarantee the safety of our personnel or property. These images are only processed with regard to this security objective and deleted after one month. In addition, we also require visitors to register. For security reasons, this data is stored for one year.
To improve our products
In order for Unifly to improve our products and to understand how people interact with them, we may process your data on the use of our products based on our legitimate interest. For example, we collect data on how many times you have accessed your account.
If we wish to use your data for statistics, we will anonymise this data first.
How do we process your personal data?
We, at Unifly, ensure that your personal data shall be processed:
For specific, explicit and legitimate purposes and may not be processed further in a way incompatible with the initial purposes for which the data were collected. Therefore, we shall clearly communicate the purposes before starting the processing.
We will not ask your personal data in order to validate your flight (purpose A) and use it afterwards to send you newsletters (purpose B). In this specific case, we would first ask your consent to do so.
Limited to what is necessary for the purposes for which the data were collected. If possible, Unifly will anonymise the data or use pseudonyms in order to limit the impact for the data subject as much as possible. This means that the name or identifier will be replaced so that it is difficult (pseudonymisation) or even impossible (anonymisation) to identify an individual.
If we wish to use your data for statistics, we will anonymise them as much as possible.
Limited in time and only as necessary for the specific purpose.
Unifly has defined a retention policy.
Accurately, and the data shall be updated when necessary. Unifly shall take all reasonable measures to erase or update the personal data, taking into account the purposes for which they are processed.
Transparently, therefor Unifly shall provide you the required information in a clear and plain language. Depending on the concrete case, we can disclose the information both on a collective and/or individual basis.
Technical and organisational measures
Unifly is committed to keeping your information as secure as possible. Therefor we have implemented various technical and organisational measures (art. 25, §2 GDPR) to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, etc. We have, when choosing the proper security measures, considered the nature, context, purpose and scope of the processing, the possible risks when processing the personal data, the costs for the implementation of the measures and the state of the art. It is however important to remember that the internet is an open system and we cannot guarantee that unauthorised third parties will never be able to defeat those measures or use your personal data for improper purposes.
Nevertheless, we at Unifly commit ourselves to keep updating and reviewing these measures so that we can offer your personal data an appropriate safety level. You can help us with this by regularly updating the Unifly software as well as other software installed on your devices.
These measures are applicable to the physical access to personal data, access to the personal data via computers, servers, networks or other IT hardware and software applications and databases. Examples of these measures include but are not limited to: the appointment of a Data Protection Officer, Data protection policy and management, retention policy, incident response plan, processor management, regular evaluations of policies, storage of data in controlled facilities with limited access (by e.g. physical access control), confidentiality obligations and awareness trainings for employees, role-based access control systems.
The organisation shall ensure that the third parties that receive personal data from the organisation will comply with the applicable data protection legislation and this policy.
Your rights as a data subject
Unifly adheres great importance to your privacy rights and therefor complies with reasonable effort with these rights, considering the legal limitations in exercising them.
Right of access
Pursuant article 15 of the GDPR, you have the right to obtain confirmation from the organisation of whether or not your personal data are being processed. If your data are being processed, you may request the right to consult your personal data as used/stored by the organisation.
Unifly shall inform the data subject about the following:
the processing purposes;
the categories of personal data concerned;
the receivers or categories of receivers to which the personal data are supplied;
transfer to receivers in third countries or international organisations;
if possible, the period during which it is expected that the personal data will be retained, or if this is not possible, the criteria used to determine this period;
that the data subject has the right to ask the organisation to correct or erase personal data, or to limit the processing of his or her personal data, as well as the right to object to this processing;
that the data subject has the right to lodge a complaint with a supervisory authority;
if the personal data are not collected from the data subject, all available information about the source of the data;
the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Unifly shall also supply a copy of the personal data that are being processed. For any further copies requested by the data subject, the controller may charge a reasonable fee.
Right to rectification
When you establish that Unifly has incorrect or incomplete data about you, you always have the right to inform us of this fact so that appropriate action can be taken to rectify or supplement these data. It is the data subject’s responsibility to provide correct personal data to the organisation (article 16 GDPR).
Right to be forgotten
You as a data subject can ask to have your personal data erased pursuant article 17 of the GDPR if the processing of this data is not in accordance with the data protection legislation and within the limits of the law.
Right to the restriction of processing
You may ask to have the processing restricted (article 18 GDPR) if:
The accuracy of the personal data is contested by the data subject, for a period enabling the controller to check their accuracy;
The processing is unlawful and you oppose the erasure of the data;
The organisation no longer needs the data, but you request that your data are not be removed, given that you might need them for the exercise or defence of legal claims;
You have objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right to data portability
You have the right to obtain your personal data which you provided to the organisation in a structured, commonly-used and machine-readable format pursuant article 20 of the GDPR. You have the right to have those personal data transmitted to another controller (directly by the organisation).
This is possible if you have consented to the processing and if the processing is carried out via an automated process.
Right to object
When personal data are processed for direct marketing purposes (including profiling), you can always object to this processing.
You can also object to processing due to a specific situation regarding yourself as the data subject. Unifly shall stop processing the personal data unless we demonstrate compelling legitimate grounds for the processing which overrides the interests of the data subject or for the exercise or defence of legal claims (article 21 GDPR).
Automated individual decision-making
Since Unifly does not make automated individual decisions, this paragraph is only meant to inform data subjects of the full range of actions that can be taken under article 22 of the GDPR.
You as a data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you such as by evaluating personal aspects with respect to the performance of work, reliability, creditworthiness, etc.
This right not to be subjected to such automated decision-making does not exist when the decision is permitted by a mandatory legal provision.
Nor may you invoke this right when the decision is necessary for entering into, or the performance of, a contract between the data subject and the organisation or is based on the data subject's explicit consent. In these last two cases, you do have the right to obtain human intervention from someone at the organisation and you have the right to make your point of view known and to challenge the automated decision process.
The right to withdraw consent
If you have given your consent for a specific processing purpose to Unifly in order to process your data, you can withdraw this consent at any time by adjusting your privacy settings or by sending an e-mail to firstname.lastname@example.org.
Procedure for exercising your rights
You may exercise your rights by:
Adjusting your privacy settings in the app or on the website; or
Sending an e-mail to the Data Protection Officer via email@example.com.
Since we want to make sure you are really you, we can ask you to identify yourself. That way we can ensure that it is indeed the data subject requesting to exercise his or her rights.
If you have any questions about the application of the principles or the organisation’s (legal) obligations, you can always contact the Data Protection Officer via firstname.lastname@example.org .
In principle Unifly shall respond to the data subject’s request within one month. If not, we shall inform you why the request received no response or why it did not receive a response in good time. Unifly shall take the necessary measures to inform the receivers of the data subject’s personal data about exercising the right to correction, right to erasure or the limitation of processing by the data subject.
Exercising your rights is in principle free, but in the event you exercise of multiple and/or unreasonable requests, we can ask a reasonable fee.
Right to lodge a complaint with the supervisory authority
You have the right to lodge a complaint with the competent supervisory (data protection) authority. The contact details are:
Belgian Data Protection Authority (‘Gegevensbeschermingsautoriteit’)
Address: Drukpersstraat 35, 1000 Brussels, Belgium
Tel.: +32 (0)2 274 48 00
Do we share your personal data?
In some cases, it may be necessary to transfer your personal data to third party receivers. However, your personal data will not be sold or rented to third parties.
We can share your personal data, based on our legitimate interest, to third party providers who help us with our products and services. Examples include third parties hosting our web servers, providing marketing assistance, and providing customer service. These processors will have access to your personal data but only when strictly necessary to perform their functions on instructions from Unifly and they may not use that data for any other purpose.
Our Processor Management implies that we make sure these processors also comply with the legal requirements pursuant data protection legislation and observe the necessary security measures when transferring the data and with respect to the receivers, in order to guarantee the confidentiality and integrity of the personal data. Processing agreements containing obligatory clauses are conducted with our processors.
We can also share your personal data with any third party you have asked us to share your personal data with, such as Facebook or any other social media site you have asked us to connect with your account.
We may disclose your personal data to enforce our policies, to comply with our legal obligations or in the interests of security, public interest or law enforcement in any country where we have entities or affiliates. For example, we may respond to a request by a law enforcement agency or regulatory or governmental authority. We may also disclose data in connection with actual or proposed litigation, or to protect our property, security, people and other rights or interests.
In the event that the business of Unifly is sold or integrated with another business, your details will be disclosed to any prospective purchaser’s adviser and will be transferred to the new owners of the business. In this case, we will implement the appropriate safeguards to ensure the integrity and confidentiality of your personal data. However, use of your personal information will remain subject to this Policy.
Transfer to third countries
It is also possible for the organisation to transfer your personal data to parties (processors) that are based in third countries, these are countries outside the European Economic Area (i.e. The European Union, Norway, Iceland and Liechtenstein).
Such a transfer is possible if the country where the receiver offers sufficient legal guarantees to protect your personal data and which the European Commission has assessed as being adequate.
In other cases, the organisation has concluded a standard contract with the receiver so that equivalent or similar protection to that offered in Europe is offered. Unifly ensures to have such safeguards in place when transferring your data to third countries.
Website and apps
We monitor traffic patterns on the website and gather broad demographic information for aggregate use to analyse trends and administer the website. This enables us to improve its layout and design and permits for website personalisation and streamlining to create the best experience we can for our users.
In order to perform analysis permitting such personalisation and improvement of site design and user experience, we may employ suitable third parties with whom we share the information necessary to accomplish these objectives. Where appropriate, we share aggregated statistical information with our business partners. These statistics however, include no personally identifying information.
You may also choose to provide additional/optional information when completing forms on our website or when communicating with us by telephone, e-mail or at trade fairs or events.
What are cookies?
Cookies are text files which contain small pieces of information, sent by a web server to a web browser which allows the server to store different types of information on the web browser’s device. They will be stored on your computer, tablet or phone when you visit a website. Cookies may contain identifying information.
Categories of used cookies
We use the following categories of cookies on our website:
Strictly Necessary Cookies
These cookies are essential in order to help you to move around the website and use its features. Without these cookies, services you have asked for such as remembering your login details cannot be provided.
These cookies collect anonymous information on how people use our Website. For example, we use Google Analytics cookies to help us understand how customers arrive at our site and how they browse and use our site. These cookies also highlight areas where we can improve such as the site navigation, the shopping experience and our marketing campaigns. These cookies never include personal details from which your individual identity can be established.
These cookies remember choices you make such as the country you visit our website from, language and search parameters such as size, colour or product line. These can then be used to provide you with an experience more appropriate to your selections and to make the visits more tailored and pleasant based on our legitimate interest. The information these cookies collect may be anonymised and they do not track your browsing activity on other websites.
Targeting cookies or advertising cookies
These cookies collect information about your browsing habits in order to make advertising more relevant to you and your interests. They are also used to limit the number of times you see an advert as well as help measure the effectiveness of an advertising campaign. The cookies are usually placed by third party advertising networks. They remember the websites you visit and that information is shared with other parties such as advertisers. For example, we use third party companies such as Facebook (Custom Audience), Twitter, LinkedIn and Google (Google AdWords, Google Match, Adobe Audience Manager and DoubleClick) to provide you with more personalised adverts when visiting other websites.
Social Media Cookies
Facebook social plug-in
If you click on the Facebook "Share" button the relevant information is transmitted directly from your browser to Facebook and stored there. Furthermore, Facebook will make the shared content public on your Facebook profile.
If you do not want Facebook to link data about you via our website to your Facebook profile you have to log out of your Facebook profile before you visit our website and change the retargeting settings within your Facebook profile.
Twitter and LinkedIn social plug-ins
We also use third party services such as Google Analytics and Sumo to collect information about visitors of our websites. This information is aggregated to determine number of visits, average time spent, pages viewed, etc. We use this information to measure site usage, as well as to improve the content and value of our site.
Managing your cookies
Each browser has specific settings to manage cookies. Find out more on the website of your browser or at http://www.allaboutcookies.org/manage-cookies/. Keep in mind that changing your cookie settings may impact the way our website or apps work.
Cookies we use
This cookie helps with site security in preventing Cross-Site Request Forgery attacks.
This cookie is associated with Google Analytics. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports.
This cookie name is associated with Google Universal Analytics. It stores and update a unique value for each page visited.
This cookie is associated with Google Analytics. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports.
More information and Data Protection Officer
Unifly has appointed a Data Protection Officer (‘DPO’) who is independent in the performance of his or her tasks with respect to the protection of personal data. This means that he or she is not bound by instructions from managers in the performance of his or her tasks. The DPO will, in addition to advising the company, also supervise the company’s compliance with data protection legislation, this policy and any other related policies.
If you wish to obtain more information regarding the processing of your personal data or your rights, please contact our DPO.
Data Protection Officer: Luna Vanderispaillie
Telephone: +32 3 446 01 00
Audit and review
The organisation reserves the right to adjust and review this policy when it deems necessary and to remain coherent with the legal obligations and/or recommendations of the competent supervisory authority for data protection.
The organisation shall inform the data subject when it is impossible for it to comply with this policy due to mandatory legal provisions which are imposed upon the organisation.
Entry into force
This policy applies as of May 25th, 2018.