Privacy Policy
Effective from: 9 June 2026
Version: 2.0 · Supersedes: Privacy Policy dated 6 February 2026
Quick reference
| Operator (Data Fiduciary under DPDP Act 2023; Data Controller under GDPR / UK GDPR) | Technit Space and Aero Works Private Limited (CIN U29304UP2019PTC118508) |
| Registered office | B-120, Sector 88, Noida, Uttar Pradesh 201305, India |
| Service | The LogHat flight log analysis platform, accessible at loghat.app and its subdomains (the Platform) |
| Grievance Officer | Listed in Section 11 |
| Primary contact for all enquiries, including privacy | hello@loghat.app |
This Privacy Policy explains, in plain language, what personal data the Platform collects, why we process it, how long we keep it, who we share it with, and the rights you have under the Digital Personal Data Protection Act, 2023 (the DPDP Act), the Information Technology Act, 2000 read with the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and where applicable the EU General Data Protection Regulation (GDPR) and the UK GDPR.
It applies to every visitor to the Platform and every registered user. By using the Platform you confirm that you have read this Policy. Where the law requires consent for a specific processing activity, we will seek that consent separately at the point of collection.
1. Who we are and how to reach us
The Platform is operated by Technit Space and Aero Works Private Limited, a company incorporated under the Companies Act, 2013, with its registered office at B-120, Sector 88, Noida, Uttar Pradesh 201305, India ("we", "us", "the Company"). LogHat is the Company's flight log analysis product. Where this Policy refers to LogHat, it refers to the Platform and the Company in its capacity as its operator.
You can write to us at:
- By email, for any enquiry including privacy questions, statutory rights requests, grievances under Section 11, and security disclosures: hello@loghat.app
- By post: Technit Space and Aero Works Private Limited, B-120, Sector 88, Noida, Uttar Pradesh 201305, India
A single monitored inbox handles every category of communication so you never need to choose between addresses. Mail relating to security disclosures, grievances, statutory rights requests and ordinary support all receive the same acknowledgement timeline.
2. The categories of personal data we process
We collect only what we need to operate the Platform and meet our legal obligations. The categories below describe what is collected, how it arises, and the purpose for which we process it. Each category includes the corresponding lawful basis under the DPDP Act and, where the GDPR applies, under Article 6.
2.1 Account identifiers
- Data: Full name, work or personal email address, phone number (where you opt in to WhatsApp notifications), professional affiliation (optional), country of operation (optional).
- Source: You provide it during sign-up or in your profile.
- Purpose: Account creation, authentication, billing correspondence, transactional notifications, fraud prevention.
- Lawful basis: Performance of our contract with you under the Terms of Service (DPDP Act §7(a); GDPR Art. 6(1)(b)).
2.2 Authentication data
- Data: Hashed password (we never store passwords in clear text), one-time passwords sent for verification, refresh tokens, IP address and user agent of recent sign-ins, two-factor enrolment status.
- Source: Generated by the Platform during sign-in and verification.
- Purpose: Securing the account, detecting credential-stuffing or impossible-travel attempts, complying with reasonable security practices under IT Rules, 2011.
- Lawful basis: Contractual necessity and legitimate interest in account security.
2.3 Flight telemetry and log content
- Data: The contents of the flight log files you upload — typically ArduPilot DataFlash logs (
.bin,.log,.tlog) and PX4 ULog files (.ulg,.ulog). These files commonly contain GPS coordinates and timestamps, altitude, attitude, battery voltage and current, motor outputs, EKF flags, vibration metrics, and pilot inputs. They may also include geographic context from which the location of your flight operation can be inferred. - Source: Uploaded by you, or forwarded to your account through an integration you have authorised.
- Purpose: Generating the 3D flight render, the parameter graphs, the forensic PDF report, and the diagnostic input to the Vector AI feature when you choose to use it.
- Lawful basis: Contractual necessity. Where the log contains identifying information about a third party (for example, an embedded pilot name), we process it on the basis of your instruction; you confirm by uploading the log that you have the right to do so.
2.4 Vector AI interaction data
- Data: Questions you ask Vector AI in chat, the model's responses, the slices of telemetry your question caused the retrieval layer to fetch, and a thumbs-up or thumbs-down rating if you provide one.
- Source: Generated as you use the Vector AI feature.
- Purpose: Producing the response shown to you, sustaining conversational context within the same session, internal quality evaluation of the model, and abuse monitoring of the underlying model provider as required by their terms.
- Lawful basis: Contractual necessity. We do not use your Vector AI interactions to fine-tune or train any model. See Section 7 for detail on the model provider relationship.
2.5 Billing and tax data
- Data: Razorpay order and payment identifiers, amount, currency, GST treatment, GSTIN (if you are a business customer who provides one), billing address, place of supply, refund identifiers, and invoice numbers.
- Source: Generated by Razorpay and recorded by us at the moment of a successful payment or refund event.
- Purpose: Issuing GST-compliant invoices, statutory record retention under the Companies Act, 2013 and the CGST Act, 2017, handling refunds, and reconciliation.
- Lawful basis: Performance of contract and compliance with legal obligations (DPDP Act §7(c); GDPR Art. 6(1)(b) and 6(1)(c)).
2.6 Support correspondence
- Data: Email content you send to hello@loghat.app or reply with to a notification, attachments you include, the metadata of the message thread.
- Source: You.
- Purpose: Resolving your query, improving the Platform, and forming an audit trail of the request.
- Lawful basis: Legitimate interest in operating a support function and, where the request concerns rights under this Policy, performance of a legal obligation.
2.7 Usage analytics and device data
- Data: Pages visited, referrer, session-level interaction patterns, browser type and version, operating system, viewport size, IP address, approximate location derived from IP.
- Source: Your browser, recorded with cookies and similar technologies described in our Cookie Policy.
- Purpose: Measuring engagement, debugging the user interface, detecting fraud and abuse, and improving the Platform.
- Lawful basis: Where the cookie is strictly necessary, contractual necessity. Where the cookie is analytics or marketing, your consent recorded via the cookie banner (DPDP Act §6; GDPR Art. 6(1)(a)).
2.8 Public chat (visitors without an account)
- Data: The text of your messages to the public chat widget, an anonymous session identifier, your IP address (used only for rate limiting), and a 24-hour rolling counter of your message usage.
- Source: Recorded as you interact with the widget.
- Purpose: Returning the response and preventing abuse of the unauthenticated endpoint.
- Lawful basis: Legitimate interest in offering an evaluation surface and preventing abuse.
We do not collect special-category personal data (information about your health, political views, sexual orientation, religious belief, biometric or genetic data). If you place such data into a free-text field by accident, write to hello@loghat.app and we will remove it.
We do not sell, rent, license, or trade your personal data or your flight telemetry to any third party for marketing or any other purpose.
3. How we use your data — and what we do not do with it
The express commitments below form part of this Policy and override any inconsistent statement elsewhere in our marketing material or interface.
- No model training on your logs. We do not use your uploaded flight logs, your Vector AI questions, or your Vector AI responses to train, fine-tune, or otherwise improve any AI model — ours or a third party's. Where our model provider (Azure OpenAI Service) is contractually bound by Microsoft not to use customer prompts for training, that contractual bar applies to our use.
- No co-mingling at processing time. Vector AI's retrieval context is scoped to the single flight log under analysis. Your log content is not pooled with another customer's log content during processing.
- No sale of data. We do not sell or rent any category of personal data described in Section 2.
- No third-party advertising profiles built from your logs. We do not transmit log content, derived telemetry, or Vector AI interactions to advertising networks. We do use marketing cookies for visitor analytics on our public pages, governed by the Cookie Policy and contingent on your consent.
- No backdoor disclosure. We disclose data to a law enforcement authority only on a written, lawful request that names the legal provision under which it is made. Section 8 covers this in detail.
4. How long we keep your data
| Data category | Retention period |
|---|---|
| Account profile, authentication, billing | While your account is active and for thirty (30) days after account closure, after which the data is purged by the deletion cascade described in Section 6. Statutory financial records (invoices, GST records, refund records) are retained for eight (8) years as required by section 36 of the CGST Act, 2017 and section 128 of the Companies Act, 2013. |
| Flight telemetry and log files | While your account is active. On account deletion, deleted irrecoverably after the seven-day grace window described in Section 6. |
| Vector AI chat history | Same as flight telemetry, unless you delete a specific conversation earlier from the dashboard. |
| Razorpay payment metadata in our records | Eight (8) years to support GST and corporate audit. Razorpay itself retains payment data under its own RBI-licensed obligations. |
| Application logs that contain hashed identifiers (no raw PII) | Up to twelve (12) months, then rotated. |
| Cookie-based analytics data | As specified in the Cookie Policy. Microsoft Clarity recordings, where loaded, are retained for thirty (30) days. |
| Deletion request audit trail | Twelve (12) months after the deletion cascade completes, retained without identifying log content, to satisfy regulator audit requests. |
The retention periods reflect the actual configuration of the production system. Where law requires longer retention of a specific record (for example, financial records), the statutory period prevails.
5. Who we share your data with — our subprocessors
We use a small number of professional service providers to operate the Platform. Each is bound to process personal data only on our instructions and is subject to a written agreement that imposes confidentiality and security obligations equivalent to the standards in this Policy. We update this list at least quarterly.
| Subprocessor | Purpose | Where processed |
|---|---|---|
| Microsoft Azure (Container Apps, Blob Storage, Cosmos DB) | Hosting the Platform, storing flight logs and the application database. | Primary: Central India. Failover: South India. |
| Azure OpenAI Service | Powering Vector AI inference and the public chat widget. Subject to Microsoft's contractual undertaking not to use customer prompts for model training. | Microsoft-administered region we have provisioned. |
| Qdrant (vector search) | Storing knowledge-base embeddings used by Vector AI's retrieval layer. | Self-hosted on Azure in the same region as the Platform. |
| Razorpay Software Private Limited | Payment processing for credit-pack purchases. RBI-licensed Payment Aggregator. | India. |
| ZeptoMail (Zoho Corporation Private Limited) | Transactional email delivery. | India. |
| OpenClaw, Inc. (WhatsApp Business API gateway) | Sending WhatsApp notifications, only to numbers you have opted in. | India. |
| Open-Meteo | Retrieving historical weather conditions for the geographic point and time of your flight. Only latitude, longitude and timestamp are sent; no account identifier is transmitted. | EU. |
| Google reCAPTCHA Enterprise | Bot protection on sign-in and signup flows. | United States. |
| Google Tag Manager and Google Analytics 4 | Visitor analytics on the public pages of loghat.app. Loaded only after you accept analytics cookies. | United States. |
| Microsoft Clarity | Aggregate usage heatmaps on the public pages of loghat.app. Loaded only after you accept analytics cookies. Form inputs and credentials are masked by configuration. | United States. |
| Meta Pixel (Facebook) | Measurement of advertising effectiveness on the public pages of loghat.app. Loaded only after you accept marketing cookies. | United States. |
If you wish to be notified by email when we add or replace a subprocessor, write to hello@loghat.app and we will add you to the subprocessor-notice list.
6. The rights you have under this Policy
You have a defined set of rights over the personal data we hold about you. We will respond to every valid request within the timeframes set out below. We will not charge a fee for a first request in any 12-month period.
| Right | What it means | How to use it | Our response time |
|---|---|---|---|
| Access | A copy of your account profile, billing history, and flight log metadata in a machine-readable format. | In-app: Profile → "Export my data". Or write to hello@loghat.app. | Within seven (7) calendar days. |
| Correction and completion (DPDP §11; GDPR Art. 16) | Update or correct your account details. | Edit in the Profile screen, or write to hello@loghat.app. | Within seven (7) calendar days. |
| Deletion / erasure (DPDP §13; GDPR Art. 17) | Permanent deletion of your account and all flight logs you have uploaded. The deletion cascade is automated. | In-app: Profile → "Delete account". Or write to hello@loghat.app from the registered email. | Acknowledgement within 72 hours. The account is suspended immediately on receipt and entirely irrecoverable seven (7) calendar days after the request. You may cancel within the grace window from the dashboard. |
| Withdraw consent (DPDP §6(4); GDPR Art. 7(3)) | Withdraw consent for any processing that relied on consent. | In-app: Profile → "Notification preferences", or the cookie banner footer link. | Effective immediately for prospective processing. |
| Data portability (GDPR Art. 20) | Receive your data in a structured, machine-readable format. | Same as "Access". | Within seven (7) calendar days. |
| Nomination (DPDP §14) | Nominate another natural person to exercise your rights in the event of your death or incapacity. | Write to hello@loghat.app with a notarised statement identifying the nominee. | We will record and acknowledge within fourteen (14) calendar days. |
| Object / restrict (GDPR Art. 21, 18) | Object to processing based on legitimate interest. | Write to hello@loghat.app with the basis for the objection. | We will reply within seven (7) calendar days. |
The detailed mechanics of deletion (grace window, cancellation, post-grace irreversibility, fallback for support-routed requests) are documented in our internal Data Subject Request Runbook. The runbook is the authoritative description of what actually executes when you request deletion; we maintain it under change control.
If you are dissatisfied with our response to any request, you may escalate as described in Section 11 (Grievance redressal).
7. Cross-border data transfers
The Platform stores customer data in the Central India region of Microsoft Azure as the primary location. For specific subprocessor functions described in Section 5 (Azure OpenAI inference, Google reCAPTCHA, Google Analytics, Microsoft Clarity, Meta Pixel), data is processed outside India in jurisdictions notified by the Indian Government from time to time under the DPDP Act, and elsewhere in the United States or the European Union as the table records.
Where data transfers are made from a country whose laws require specific safeguards (for example, the EU Standard Contractual Clauses or the UK International Data Transfer Agreement for transfers out of the EEA / United Kingdom), we put those safeguards in place before any transfer is made and maintain them under review.
We will not transfer personal data to any country that the Central Government has prohibited for the purpose by notification under DPDP Act §16.
8. Disclosure to law enforcement and government authorities
We disclose personal data to a law enforcement agency, regulator, or court only when:
- We receive a written legal demand that names the statutory provision (typically section 91 of the Bharatiya Nagarik Suraksha Sanhita, 2023 or its predecessor section 91 of the Code of Criminal Procedure, 1973; section 65A or 69 of the IT Act, 2000; or the equivalent in the requesting jurisdiction); and
- The demand is signed by an officer of the rank specified by that statute; and
- The scope of the demand is no wider than what the statute authorises.
We log every such request internally and, except where the demand is accompanied by a non-disclosure order or where law prohibits notification, we notify the affected user before complying so they may take legal advice and contest the demand.
9. Security measures
- Encryption in transit. All client-to-server traffic is served over TLS 1.2 or later with HSTS enabled.
- Encryption at rest. Cosmos DB and Azure Blob Storage encrypt data at rest using AES-256 with Microsoft-managed keys.
- Access control. The application uses role-based access with least-privilege defaults. Operational access to the production database is gated through a break-glass workflow with audit logging.
- Secret hygiene. Application secrets are held in Azure Key Vault and rotated on a defined schedule.
- PII redaction in operational logs. Email addresses, phone numbers and user identifiers are masked in application logs before they reach our log aggregator.
- Backup and recovery. Cosmos DB Continuous Backup with point-in-time-restore is enabled with a 30-day window.
- Vulnerability management. Application dependencies are scanned on every commit. The platform is audited internally before each release and externally on a periodic basis.
- Bug-bounty / responsible disclosure. See our Security Disclosure Policy.
No security regime is absolute. We take reasonable steps and we tell you promptly when something goes wrong.
10. Personal data breach
If we determine that a personal data breach has occurred that is likely to result in a risk to your rights, we will:
- Notify the Data Protection Board under DPDP Act §8(6) within the time and in the manner prescribed by the Board, and any other regulator to whom we are bound to report (including, where applicable, the Indian Computer Emergency Response Team under CERT-In Directions dated 28 April 2022 within six (6) hours);
- Notify you by email at the address registered on your account, in plain language, what data was affected, what the likely consequences are, what we are doing about it, and what you can do to protect yourself;
- Publish a public notice if the breach affects a wide enough group that individual notice is impracticable.
11. Grievance redressal
If you have a grievance about how we process your personal data, please write to the Grievance Officer named below, identifying yourself and the nature of the grievance.
Grievance Officer
Director, Technit Space and Aero Works Pvt Ltd, appointed under Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, Rule 3(2) and the Digital Personal Data Protection Act 2023, Section 8(9).
Email: hello@loghat.app (subject line: "Attn: Grievance Officer")
Post: Grievance Officer, Technit Space and Aero Works Private Limited, B-120, Sector 88, Noida, Uttar Pradesh 201305, India
The Grievance Officer will acknowledge your grievance within 24 hours of receipt and dispose of it within 15 days, as required by IT Rules 2021 Rule 3(2)(c). For grievances under the DPDP Act, the same timelines apply.
If you are not satisfied with the Grievance Officer's response, or do not receive a response in the timelines above, you may approach the Data Protection Board of India under DPDP Act §13. If you are a resident of the European Economic Area or the United Kingdom, you may also lodge a complaint with your local data protection supervisory authority.
12. Children
The Platform is intended for users aged 18 years or older. We do not knowingly collect personal data from children. If you are a parent or guardian and you believe a child under 18 has provided personal data to the Platform, please write to hello@loghat.app and we will delete the account.
Where the DPDP Act §9 applies and a verifiable parental consent is provided, we may process the personal data of a minor on the terms set out in the consent. We do not undertake behavioural profiling, targeted advertising, or behavioural tracking of children in any circumstances.
13. International users
If you are accessing the Platform from outside India, you understand that your data will be processed in India and in the other jurisdictions noted in Section 5, which may have data protection laws that differ from your home jurisdiction.
If your use is subject to the GDPR or UK GDPR, the references to the Company in this Policy include the Company in its capacity as Data Controller; the rights you have under the GDPR are listed in Section 6 in addition to those under the DPDP Act.
14. Changes to this Policy
We will update this Policy from time to time. Material changes (a change to subprocessors, retention, lawful basis, or the rights mechanism) will be notified to you by email at least 14 days before they take effect. Non-material changes will be published with an updated version number and effective date.
This Policy was last updated on 9 June 2026.