PRIVACY POLICY

last updated: 2026-05-13 · effective: 2026-05-13

1 · Who we are

AirTech Support OS (“AirTech”, “we”, “our”) is a SaaS platform that provides AI-assisted workflows for aviation maintenance teams. We are operated by Fabio Silva (sole proprietor), reachable at [email protected].

This policy covers the data we receive from users of airtechsupport.net, dashboard.airtechsupport.net, the Telegram bots, and the Google Workspace Marketplace listing.

2 · What we collect

We hold the minimum data required to operate the service. In concrete terms:

  • Account data — the email you sign up with, your display name, and (for Workspace SSO users) the hd claim from your Google ID token, which identifies your organisation.
  • Case timeline data — for each maintenance case you open via the Telegram bot or dashboard, we store the case reference, aircraft registration, ATA chapter, status, and a short summary (max ~280 characters). This is what populates the War Room timeline.
  • OAuth tokens for the Google APIs you authorise (Gmail, Drive, Sheets, Docs, Calendar, Forms). Stored encrypted at rest in n8n's credentials store. Used only when an agent makes a call on your behalf.
  • Telemetry — workflow execution logs (timestamp, workflow id, calling agent, duration, success/failure). No artefact content stored.

What we do NOT collect: the full content of your Gmail drafts, Google Docs, Sheets rows, Calendar events, or Forms responses. Those live in your Google Workspace under your OAuth consent. We pass them through; we don't copy them.

3 · Google API services & limited-use policy

AirTech Support OS's use of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We use Google user data only to provide the features described on /partners/google (Gmail drafting, Drive read, Sheets read/write, Docs create/update, Calendar events, Forms).
  • We do not transfer Google user data to other parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you.
  • We do not use Google user data for serving advertisements, ever.
  • We do not allow humans to read your Google user data unless (a) we have your affirmative consent for specific items, (b) it's necessary for security purposes (e.g. investigating abuse), (c) it's necessary to comply with applicable law, or (d) the data is aggregated and used for internal operations.

4 · OAuth scopes we request, and why

Scope | Why we need it
gmail.compose | Create draft emails on the user's behalf. We never use gmail.send.
drive.readonly | Read institutional documents (SBs, ADs, AMM revisions, technical bulletins) from a designated Drive folder.
drive.file | Create new Google Docs as artefacts (MEL memos, NCR reports). Scoped to files our app creates — we cannot read pre-existing files outside the designated folder.
spreadsheets | Read and append rows in the operational ops workbook (cases, TLB, engineers, outstations, shifts, training, prospects).
documents | Create new Google Docs and update their body with the agent-generated memo/NCR/briefing content.
calendar.events | Create/update calendar events for MEL deferral expiries, hangar slot bookings, and post-holder briefings.
forms.body | Create and edit Google Forms (turnaround inspections, audit checklists, training quizzes).
forms.responses.readonly | Read Form responses into report generation. Read-only — we do not edit responses.
userinfo.email | Identify the signed-in user (for sign-in only; we do not access the inbox).

5 · Data storage, retention, and deletion

  • Where the data lives. Case timeline data, OAuth tokens, and telemetry are stored on a single Mac mini in the EU, encrypted at rest (FileVault on the host + Postgres TDE-equivalent). Backups go to an encrypted off-site volume in the same region.
  • Retention. Case timeline data is retained for the duration of your subscription plus 90 days (to allow re-activation if needed). Execution telemetry is retained for 90 days for support and debugging.
  • Deletion. You can request data deletion at any time by emailing [email protected]. We complete deletion within 30 days. OAuth tokens are wiped immediately on request, or when you revoke access in admin.google.com.
  • Artefact data. Gmail drafts, Google Docs, Sheets rows, Calendar events, and Forms generated by the AI workforce live in your Workspace and are governed by your Workspace data-retention rules — not by us.

6 · Security

We follow these practices:

  • TLS 1.3 in transit (Cloudflare Tunnel)
  • AES-256-CBC encryption at rest for OAuth credentials
  • JWT-based auth with HttpOnly + Secure cookies, scoped to the tenant subdomain
  • Server-side permission enforcement at the specialist boundary — not in LLM prompts
  • Dual audit trail: AirTech's n8n execution registry + your Google Workspace admin audit log

7 · Sub-processors

We use the following service providers, each bound by their own contractual obligations to handle data lawfully:

  • Google LLC — Workspace APIs, Gemini API (when applicable)
  • OpenAI — language model inference for the primary agents and specialists
  • Telegram Messenger Inc. — Telegram bot messaging interface
  • Cloudflare — DNS, tunnel, edge protection

8 · Your rights (GDPR + similar regimes)

You can at any time:

  • Request a copy of the data we hold about you
  • Request correction of inaccurate data
  • Request deletion (right to be forgotten)
  • Withdraw OAuth consent at admin.google.com
  • File a complaint with your local data protection authority

Email [email protected] for any of the above. We acknowledge within one business day and complete within 30 days.

9 · Changes to this policy

If we change this policy materially, we'll update the “last updated” date at the top and notify active customers by email at least 30 days before the change takes effect.

questions

For any privacy questions, security review requests, or DPA agreements, email [email protected]. We respond within one business day.