Privacy & Cookie Policy
Last updated: February 2026
1. Who We Are
AirTrace ("we," "us," or "our") operates the AirTrace web application, an AI-powered, community-driven database for air freight handler information. This Privacy & Cookie Policy explains how we collect, use, store, and protect your personal information when you use our service.
2. Information We Collect
2.1 Account Information
When you create an account or subscribe, we collect:
- Email address — used for authentication and account communications
- Full name — used for account identification
- Password — stored in securely hashed form (we never store plain-text passwords)
- Company/organization name — if voluntarily provided
- Phone number — if voluntarily provided
2.2 Usage Data
We automatically collect certain information when you use the service:
- Search queries — AWB prefixes and airport codes you look up
- Login timestamps — when and how frequently you sign in
- IP address — used for rate limiting, session validation, and security
- Suggestion submissions — corrections or additions you contribute
2.3 Payment Information
Subscription payments are processed by Stripe, Inc. We do not store credit card numbers, CVVs, or full payment details on our servers. We only retain your Stripe Customer ID to manage your subscription. Stripe's privacy policy applies to payment processing: stripe.com/privacy.
3. How We Use Your Information
We use collected information to:
- Provide, maintain, and improve the AirTrace service
- Authenticate your identity and manage your account
- Process subscription payments
- Prevent unauthorized account sharing and abuse
- Generate aggregated, anonymized usage analytics to improve the service
- Communicate important service updates, security alerts, and billing notices
- Comply with legal obligations
4. Cookies & Similar Technologies
4.1 What Are Cookies
Cookies are small text files stored on your device when you visit a website. They help the site remember your preferences and session state.
4.2 Cookies We Use
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| next-auth.session-token | Essential | Keeps you signed into your account | Session / 30 days |
| next-auth.csrf-token | Essential | Prevents cross-site request forgery attacks | Session |
| next-auth.callback-url | Essential | Redirects you to the correct page after sign-in | Session |
| _at_grace | Essential | Session validation for account security | 24 hours |
We do not use advertising cookies, third-party tracking cookies, or social media cookies. All cookies listed above are strictly necessary for the functioning of the service and do not require your consent under applicable data protection law. However, we inform you of their use for transparency.
4.3 Local Storage
We use browser local storage to remember your cookie consent preference. This data stays on your device and is not transmitted to our servers.
5. Data Sharing & Disclosure
We do not sell your personal information. We may share data with:
- Stripe, Inc. — for payment processing
- Hosting providers — to serve the application (data is stored securely)
- Law enforcement — only when required by valid legal process
In the event of a merger, acquisition, or sale of assets, user data may be transferred to the acquiring entity, subject to the same privacy protections described in this policy.
6. Data Retention
- Account data is retained for as long as your account is active
- Usage/activity logs are retained for up to 12 months, then automatically purged
- Search logs are retained for rate-limiting purposes and purged periodically
- Upon account deletion, we remove your personal data within 30 days, except where retention is required by law
7. Data Security
We implement industry-standard security measures including encrypted passwords (bcrypt hashing), HTTPS encryption in transit, CSRF protection, and session validation. No system is 100% secure, and we cannot guarantee absolute security, but we take reasonable steps to protect your data.
8. Your Rights
Depending on your location, you may have the following rights:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate personal data
- Deletion — request deletion of your personal data ("right to be forgotten")
- Portability — request your data in a structured, machine-readable format
- Objection — object to processing of your personal data
- Restriction — request that we limit processing of your data
To exercise any of these rights, contact us at privacy@airtrace.app. We will respond within 30 days.
8.1 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information as defined by the CCPA.
8.2 European Economic Area / UK Residents (GDPR)
If you are located in the EEA or UK, our legal basis for processing your data is:
- Contractual necessity — to provide the service you subscribed to
- Legitimate interest — for security, fraud prevention, and service improvement
- Consent — where specifically requested (e.g., marketing communications, if any)
9. Children's Privacy
AirTrace is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete it promptly.
10. Changes to This Policy
We may update this policy from time to time. We will notify registered users of material changes via email or a prominent notice on the site. Your continued use of AirTrace after changes take effect constitutes acceptance of the updated policy.
11. Contact Us
For privacy-related questions or requests, contact us at:
- Email: privacy@airtrace.app
- Website: airtrace.app