INTRODUCTION

At Aviatize we attach great importance to the protection of your Personal Data. This privacy policy sets out how we protect your Personal Data andwho you can turn to for more information or to invoke your legal rights. If you provide us with Personal Data of other persons, such as yourcollaborators or Operators that will be using the Aviatize software, or associated services or other white labeled solutions provided by Aviatize(hereafter the “Tool” and the “Services”), please inform these persons of our privacy policy before entrusting us with their Personal Data. We reserveour right to amend this privacy policy from time to time, if legislation or our internal practices so require. At all times you can find the current versionof our privacy policy on our website http://www.aviatize.com/privacy-policy .

PART I: AVIATIZE AS CONTROLLER

THE CONTROLLER OF THE PROCESSING

The legal entity controlling the processing of your Personal Data is Aviatize BV, a Belgian company with limited liability whose registered office is located at Kerkstraat 106, 9050 Gentbrugge, Belgium, registered under company number 0643.586.288 or any of its affiliates, hereafter collectively“Aviatize”, “us” or “we”. When we refer to our website (“Website(s)”), we mean www.aviatize.com, www.idronect.com, www.app.aviatize.com,www.club.aviatize.com, www.platform.idronect.com ,www.idronect-utm.com or any other dedicated website where we offer access to our Tool and/or Services.

PURPOSES AND LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

PURPOSES

Aviatize processes Personal Data of its customers, contact persons of its customers, as well as potential customers for the following purposes: (1)conveying offers, invoicing and administration, management of the customer or sales relationship, as well as legally required purposes linked to this purpose, and (2) direct marketing. Aviatize also processes Personal Data of visitors to our Website that fill out the contact page, for the sole purpose of (3) responding to the visitor’s request sent to us via the contact page. Additionally, on our Website we may use cookies. For more information in relation to cookies, please revert to the cookie policy and pop up to be found on our Website. Apart from the processing that Aviatize performs as processor for the customer (see Aviatize PRIVACY POLICY Part II here below), Aviatize is also processing data of the Users of the Tool for its own purpose of: (4) optimization of the Tool (e.g. making the Tool smarter and better performing).

LEGAL BASIS

The legal basis for these processing operations is respectively:

• For the processing for the purpose of sales:
  
  • To the extent that you are a collaborator of our (potential) customer and your contact details have been provided by the customer for the performance of the contract with the customer or for communicating with or giving follow up to an offer to the customer,our legal basis is the necessity for the purpose of the legitimate interests pursued by Aviatize and the customer to organize, and interact in relation to, the conclusion or performance of a contract. In our view, given the limited use made of your contact details,such interests are not overridden by your interests or fundamental rights and freedoms. Should you consider otherwise, please see below under Your legal rights in relation to privacy.
• For the processing for direct marketing:
  
  • Either the necessity for the purpose of the legitimate interests pursued by Aviatize to promote sales, reinforce the relationship with the customers, enhance customer loyalty, etc. For processing activities which are in general considered little intrusive (e.g.promotion sent by regular mail), such interests are in our view not overridden by your interests or fundamental rights and freedoms. Should you consider otherwise, please see below under Your legal rights in relation to privacy. We may also invoke the same legal basis of our legitimate interest, for newsletters and promotions sent by e-mail to our own customers if your e-mail contact details were received directly from you in the context of a sale, and are only used for the promotion of Aviatize’s own similar products. Every newsletter however carries a link allowing you to unsubscribe from the newsletter
  • Either your consent. For marketing initiatives such as calling you or sending you text messages, we will always first ask your consent. The same is true for e-mail newsletters that do not comply with the aforementioned conditions. Your consent will be asked at the moment that we receive your Personal Data (e.g. on the Website or via a sales representative). You may revoke your consent at any moment in accordance with the paragraphs here below.
• For the processing of Personal Data of visitors of our Website that fill out the contact page, for the sole purpose of responding to the visitor’s request:
  • the necessity for the purpose of the legitimate interests pursued by Aviatize to treat and give follow up to your request. Given your initiative to send your request via the contact page (which we assume you want us to reply to) and the limited use made by us of your contact details to reply, such interests are in our view, not overridden by your interests or fundamental rights and freedoms.Should you consider otherwise, please see below under Your legal rights in relation to privacy.
• For the processing of Personal Data of Users for the purpose of optimization of the Tool:
  
  • the necessity for the purpose of the legitimate interests pursued by Aviatize to make the Tool smarter and better performing.Before analysing the Users’ Personal Data, Aviatize will aggregate and pseudonymise this data. Given the nature of the Personal Data processed, which is basic, no sensitive information, and the appropriate safeguards taken by Aviatize, in particular the pseudonymisation of the Personal Data, such interests are in our view not overridden by your interests or fundamental rights and freedoms. Should you consider otherwise, please see below under Your legal rights in relation to privacy.
• We may also process your Personal Data if required for legal reasons, compliance or tax and accounting reasons. The legal basis of our processing is then to be found in European or national law.

THE PERSONAL DATA PROCESSED AND THE CASE BEING, THE NECESSITY OF THE PROVISION THEREOF

For customers:

• Name of the customer* (1)(2)
• Address* (1)(2)
• For a company customer: contact persons* (1)(2)
• E-mail address* (1)(2)
• Telephone and/or mobile number * (1)(2)
• Company entity and legal form* (1)(2)
• Company number* (1)
• VAT number* (1)
• Financial data* (1)
• Login/password (1)
• Contract related information (1)

And the case being:

• Customer complaints and details of the complaints (1)

The Personal Data (1) are processed for the purpose of sales. The Personal Data (2) are processed for direct marketing purposes. The aforementioned Personal Data indicated with a * have to be provided if the customer wants to engage in a sales relationship. The provision of the other Personal Data is entirely on a voluntary basis.

For visitors to the websites:

• Name
• Contact details
• Data filled out on the contact page
• Response to request

The provision of these data is entirely on a voluntary basis. However, if you decide to submit a request, you have to fill in a name and electronic contact details. The data are only processed to properly deal with your request.

For Users:

• Log Data, such as IP address, operating system, browser type and version, pages visited, time and date of visit, time spent on pages, statistics.

DURATION OF THE PROCESSING AND RETENTION OF DATA

For customers:

We process your Personal Data for the purpose of sales, as long as necessary in the context of the contracts entered into with you or with your organisation. Personal Data of inactive customers, being after termination of our contracts, are retained for as long as necessary for legal, compliance or tax and accounting reasons or for as long as your purchases could give rise to legal claims. We process your Personal Data for direct marketing purposes until you oppose the processing of your Personal Data for that purpose, or if the processing was based on your consent, until you withdraw your consent.

For visitors to the website that fill in the contact page:

We process your personal data as long as necessary to deal with and give follow up to your request. The data are not retained afterwards (unless the case being, in the context of another processing for another purpose as detailed in this Privacy Policy).

For Users:

Your data are processed and stored as long as this is useful for the optimization of the Tool subject to appropriate technical and organizational measures in order to safeguard your rights and freedoms, such as in particular pseudonymisation.

CATEGORIES OF RECIPIENTS AND TRANSFER OF PERSONAL DATA

Following Personal Data may be shared in accordance with this Privacy Policy :

1. All Personal Data with third party processors that provide services for us e.g. suppliers of IT and hosting services who are acting on behalf of Aviatize and with whom Aviatize has entered into adequate processor contracts. These processors will only use the data for the purposes determined by Aviatize and in accordance with this Privacy Policy.

Notwithstanding the foregoing, it is possible that Aviatize must disclose your Personal Data :

2. To the competent authorities(i) when Aviatize is obliged to do so under the law or in the context of legal proceedings and (ii) for the protection and defense of our rights.

TRANSFER OF PERSONAL DATA

Aviatize shall not transfer Personal Data, to a country outside the European Economic Area, unless it will make sure to have taken sufficient measures in accordance with GDPR in order to justify this transfer of personal data outside of the EEA. Aviatize will either enter into standard contractual clauses controller to processor as approved by the EC Commission with the data importer, either only transfer to a data importer that is covered by an adequacy decision.

YOUR LEGAL RIGHTS IN RELATION TO PRIVACY

In relation to the Personal Data that are processed by Aviatize, you have a number of legal rights:

• You have a right to get access to your Personal Data and to have these data corrected.
• You may ask Aviatize to erase your Personal Data, or to restrict the processing thereof.
• To the extent that the processing is based on the legal basis of a legitimate interest or the processing is done for direct marketing purposes,you have the right to oppose that processing.
• To the extent that the processing is based on your consent, you have the right to revoke your consent at any time.

Within a duration of maximum 1 month after receipt of your request, we will act upon your request and reply. If for some reason we cannot accommodate your request, we will inform you of the reasons thereof. If we are not in a position to identify you properly, we may ask you to provide a proof of your identity as a prerequisite to treating your request.

CONTACT AVIATIZE IN RELATION TO DATA PROCESSING

In order to invoke your rights, please contact us at our dedicated privacy e-mail address: tom@aviatize.com, or send us a letter at Aviatize bv, Privacy, Kerkstraat 106, 9050 Gentbrugge, Belgium. If on the other hand you have any questions, remarks or complaints in relation to our privacy policy or how we process your data, do not hesitate to contact us, either by telephone or e-mail.

Privacy manager: Tom Verbruggen

Tel: +356 999 300 69

E-mail: tom@aviatize.com

If you have any complaints in relation to how Aviatize processes your Personal Data, you may file a complaint with the Supervisory Authority: www.gegevensbeschermingsautoriteit.be

PART II: AVIATIZE AS PROCESSOR (PROCESSOR POLICY)

SUBJECT MATTER OF THE PROCESSING

The processing considered here below is the processing by Aviatize and/or in the Tool of Customer Personal Data such as data of Users as defined in the Terms of Service. These Customer Personal Data are processed on behalf of the Customer and for the Customer’s purposes. This processing either forms an inherent part of the Customer’s use of the Tool, either relates to Aviatize’s support given for the Tool in the event of incidents. Specific processing operations relate to for instance authentication, reading, creation and submission of flight and business related information, sending of data, monitoring the usage of the software, supporting incidents and customization. With regard to this processing, Aviatize processes the relevant Customer Personal Data on behalf of its Customer. Therefore Aviatize qualifies as processor for such processing.

The Customer of Aviatize takes the initiative for the processing: it decides to use the Tool. Hence, it is the Customer that determines the purposes and means of the processing of the Customer Personal Data and thus qualifies as controller with regard to such processing. Aviatize shall only process the Customer Personal Data for the same Customer Purposes upon request of the Customer and in accordance with its instructions.

The Customer in its capacity as controller shall be responsible to comply with all (legal) obligations vested in the controller, in particular the obligation to inform the data subjects on the purposes of its processing.

CUSTOMER PURPOSES FOR THE PROCESSING OF CUSTOMER PERSONAL DATA AND NATURE OF THE PROCESSING OPERATIONS

Aviatize processes Customer Personal Data on behalf of its Customer for the purposes of the Customer.

In the context of these Customer Purposes, Aviatize shall perform the following processing operations for the customer:

The delivery of services to the Customer in accordance with the Terms of Service, being amongst others:

• Customisation of the Tool
• Authentication on parts of the Tool
• Reading, creation and submission of flight and business related information
• Sending of data
• Granting permissions
• Supporting incidents
• Improving safety

OVERVIEW OF THE CUSTOMER PERSONAL DATA, WHICH PARTIES EXPECT TO PROCESS

The categories of data subjects are the following:

• Customer’s employees, members or students
• Operators as defined in the Terms of Service

The following data is processed:

For Customer’s employees, members or students:

• Name contact person
• E-mail address
• Company name
• Equipment
• Age
• Documentation needed for flight approvals such as but not limited to licenses, insurance certificates, manuals

For Operators:

• Name
• Address
• E-mail address
• Telephone and/or mobile number
• Company entity and legal form
• Company number
• VAT number
• Login/password
• Age
• Flight permit
• Equipment
• Documentation needed for flight approvals such as but not limited to licenses, insurance certificates, manuals.

DURATION OF THE PROCESSING AND RETENTION PERIOD

Aviatize shall retain the Customer Personal Data as long as the Agreement is ongoing. Once the Agreement has been terminated, the Customer Personal Data shall be deleted within six months.

SUB-PROCESSORS

The Customer generally authorizes Aviatize to appeal to sub-processors for the processing of Personal Data for the Customer Purposes specified underthis policy. The Customer approves the following sub-processors:

‍

These sub-processors are at least bound by the same obligations by which Aviatize is bound under this Policy. Aviatize shall update this list from time to time as required. Aviatize shall inform the Customer of any intended changes concerning the addition or replacement of other sub-processors,thereby giving the Customer the opportunity to object to such changes.

TRANSFER OF PERSONAL DATA

Aviatize shall not transfer Customer Personal Data, to a country outside the European Economic Area, unless it will make sure to have taken sufficient measures in accordance with GDPR in order to justify this transfer of personal data outside of the EEA. Aviatize will either enter into standard contractual clauses processor to processor as approved by the EC Commission with the data importer, either only transfer to a data importer that is covered by an adequacy decision.

RIGHTS IN RELATION TO THE PROCESSING OF CUSTOMER PERSONAL DATA

Aviatize commits to assist the Customer, taking into account the nature of the processing, with:

1. the fulfillment of the Customer’s duty to answer a request of a data subject for exercising the data subject's rights laid down in Chapter III of the GDPR;
2. taking the appropriate measures for the safety of the Customer Personal Data and reporting any breaches to the safety and security of Customer Personal Data;
3. carrying out a data protection impact assessment, in case the Customer considers such assessment to be (legally) required.

In case a situation occurs in which the Customer wishes to call upon the assistance of Aviatize, the Customer will promptly notify Aviatize by e-mailand by telephone.

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

Aviatize undertakes to implement the following appropriate technical and organisational security measures necessary for the protection of Customer Personal Data:

• HTTPS SSL/TLS Secured connection to the platform
• Password Protected login

When determining the appropriate technical and organisational security measures, Aviatize shall take into account (i) the state of the art, (ii) the implementation costs related to these measures, (iii) the nature, scope, context and purposes of the processing, (iv) the risks involved for the data subjects’ rights and freedoms, in particular in case of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or non-authorised access to Customer Personal Data transmitted, stored or otherwise processed, and (v) the probability that the processing shall have an impact on the rights and freedoms of the Data Subjects. Aviatize shall update these measures on a regular basis.

NOTIFICATION OF SECURITY BREACHES

Aviatize shall implement technical measures to:

• monitor security events in relation to Customer Personal Data, and
• detect data breaches

In the event of a data breach, Aviatize shall notify the Customer without undue delay after becoming aware of the data breach and shall provide – to the extent possible - the Customer with all information needed to inform the competent authorities if deemed necessary by the Customer.

The Customer however shall be responsible for its notification obligations toward the competent authorities and/or data subjects. Aviatize shall retain any incident logs related to a data breach for six (6) months.

RETURN AND DELETION OF CUSTOMER PERSONAL DATA

Prior to termination of the Agreement, the Customer has the possibility to export all Customer Personal Data to another IT-system. After termination of the Agreement, Aviatize may, and will within six months, delete all Customer Personal Data.

CONFIDENTIALITY CLAUSE

Aviatize shall maintain the Customer Personal Data confidential and thus not disclose any Customer Personal Data to third parties, without the prior written agreement of the Customer. Aviatize will ensure that its employees and sub-processors, engaged in the performance of the Agreement, are informed about the confidential nature of the Customer Personal Data,and are bound by similar confidentiality obligations.

AUDITS

The Customer is entitled to control Aviatize’s compliance with this Processor Policy at any given moment. During Aviatize’s regular business hours, and provided that the Customer has given Aviatize at least one month’s prior notice of the date of the audit, Aviatize will allow the Customer to visit the premises where the Customer Personal Data is processed in order to verify compliance with this Processor Policy. The costs for the performance of such an audit are borne by the Customer, unless the result of the audit shows that Aviatize has committed serious shortcomings in the implementation of this Processor Policy.

PRIVACY MANAGER

Privacy manager: Tom Verbruggen

Tel: +356 999 300 69

E-mail: tom@aviatize.com