Skip to main content
Hobbstack

Privacy Policy

Effective Date: April 6, 2026

1. Introduction

Hobbstack LLC (“Hobbstack,” “Company,” “we,” “us,” or “our”), an Arizona limited liability company, operates the marketing website at hobbstack.com and the application at hobbstack.app (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your personal information when you use the Service. By using the Service, you consent to the practices described in this Privacy Policy.

2. Information We Collect

2.1 Information You Provide Directly

  • Account information: First name, last name, email address, phone number (optional), and password (stored as a one-way bcrypt hash; we never store plaintext passwords).
  • Pilot credentials: Pilot certificate type (student, private, commercial, ATP, CFI), CFI certificate number, and CFI expiration date (for instructor users).
  • Organization information: Organization name, type, home airport, timezone, logo, and operational settings.
  • Flight data: Reservations, logbook entries (flight times, landings including night full-stop, airports, training descriptions), endorsements, and checkout/dispatch records.
  • Aircraft data: Tail number, type, Hobbs/tach readings, maintenance records (including Airworthiness Directives and MEL deferrals), performance specifications, and photos.
  • Billing data: Billing line items, invoices, payment amounts, and rate information. We do not store credit card numbers. Payment card data is processed and stored exclusively by Stripe.
  • Squawk/maintenance data: Discrepancy descriptions, severity levels, resolution notes, work order information.
  • File uploads: Profile photos, aircraft photos, flight plan templates, and documents (max 5 MB; JPEG, PNG, WebP, or PDF).
  • Signature data: Digital signatures (SVG path data) provided when signing logbook entries.
  • Terms of Service acceptance: Acceptance timestamps, version accepted, and IP address at time of acceptance.
  • Communication data: Notification preferences, push subscription endpoints, and correspondence with our support team.

2.2 Information Collected Automatically

  • Usage data: Pages visited, features used, interaction patterns, and click events collected via PostHog analytics.
  • Device and browser data: Browser type and version, user agent string, operating system, screen resolution, and device type.
  • Network data: IP address, approximate geolocation (city/region level from IP), and referring URL.
  • Authentication data: Login timestamps, session duration, and authentication method.

2.3 Information from Third Parties

  • Stripe: Subscription status and payment success/failure notifications. We do not receive or store your full credit card number.
  • Cloudflare Turnstile: Bot-detection challenge results (no personal data collected).

3. How We Use Your Information

  • Provide the Service: Operate scheduling, fleet management, logbook, billing, dispatch, weather briefing, and all other core platform features.
  • Process transactions: Process subscription payments and generate invoices.
  • Send communications: Deliver transactional emails (account verification, password resets, reservation confirmations, billing statements, maintenance alerts, currency reminders, pre-flight reminders, weekly digests) and push notifications.
  • Automated features: Generate go/no-go flight assessments, logbook description suggestions, and alternate route analysis using anonymized flight operational data (see Section 5.4).
  • Security and fraud prevention: Rate-limit authentication endpoints, detect and prevent unauthorized access, manage token blacklisting, and verify bot challenges.
  • Improve the Service: Analyze usage patterns to improve performance, fix bugs, and develop new features.
  • Compliance: Comply with legal obligations, respond to lawful requests, and enforce our Terms of Service.

4. How We Share Your Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

4.1 Within Your Organization

Data you create within an organization is visible to other organization members in accordance with the capability-based permission structure configured by your organization's administrator.

4.2 Service Providers

We use the following third-party service providers who process data on our behalf:

  • Stripe (San Francisco, CA): Payment processing and subscription management. Receives: cardholder name, email, payment amounts, organization name.
  • Resend: Transactional email delivery. Receives: recipient email address, first name, and email content (reservation details, billing summaries, alerts).
  • Anthropic (San Francisco, CA): Automated features (go/no-go assessment, logbook description, route analysis). Receives: anonymized flight operational data only (airport identifiers, aircraft type, weather data, NOTAMs, flight times). We do not send your name, email, or other personally identifiable information to Anthropic.
  • Amazon S3 (or S3-compatible storage): File storage for profile photos, aircraft photos, and documents. Files are stored with UUID-based keys and are not publicly accessible without authorization.
  • aviationweather.gov (NOAA/NWS): Primary source for METAR, TAF, winds aloft, PIREPs, AIRMETs/SIGMETs, and NOTAMs. Receives: airport/station identifiers only.
  • AVWX: Fallback weather data provider. Receives: airport identifiers only.
  • CheckWX: Fallback weather data provider. Receives: airport identifiers only.
  • Cloudflare Turnstile: Bot verification on authentication pages. Receives: challenge token only (no personal data).
  • PostHog: Product analytics. Receives: anonymized usage events, device/browser metadata.
  • Railway: Backend infrastructure hosting.
  • Vercel: Frontend and landing site hosting. Serves static assets; no user data stored at rest.

4.3 Payment Processing

Hobbstack uses Stripe to process subscription payments. Your payment information is handled directly by Stripe and subject to Stripe's Privacy Policy.

4.4 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or enforceable governmental request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Hobbstack, our users, or the public.

4.5 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred. We will notify you via email and/or a prominent notice before your information is subject to a different privacy policy.

5. Cookies and Tracking Technologies

5.1 Essential Cookies

The Service uses three httpOnly, Secure cookies to maintain your session: an access token (30 minutes), a refresh token (7 days), and a CSRF token (paired with the access token). These cookies are essential for the Service to function and cannot be disabled. The cookies use SameSite=None with the Secure flag set, which is required because the marketing site (hobbstack.com) and the application (hobbstack.app) are served from different subdomains. Refresh tokens are rotated on every use, and any detected reuse triggers immediate revocation of the entire token family.

5.2 Analytics

We use PostHog for product analytics on hobbstack.app. The marketing site (hobbstack.com) may use analytics to understand traffic patterns.

5.3 No Third-Party Advertising Cookies

We do not use third-party advertising cookies or tracking pixels. We do not participate in ad networks or serve targeted advertisements.

5.4 Automated Data Processing

When you use automated features (go/no-go assessments, logbook suggestions), the Service sends flight operational data to Anthropic's API for processing. This data includes airport identifiers, aircraft type, weather observations, NOTAMs, and flight parameters. We strip all personally identifiable information (your name, email, account ID) before sending data to Anthropic. Responses are cached temporarily and are not stored permanently.

6. Data Security

We implement the following security measures to protect your information:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS).
  • Password security: Passwords are hashed using bcrypt with automatic salting. We never store or log plaintext passwords.
  • Authentication: JWT tokens in httpOnly cookies with Redis-backed token blacklisting for logout and password change invalidation.
  • Access control: Capability-based permission system ensuring users only access data within their authorized scope.
  • Rate limiting: Redis-backed rate limiting on authentication endpoints to prevent brute-force attacks.
  • Input validation: All API inputs are validated through Pydantic schemas before processing.
  • Bot protection: Cloudflare Turnstile CAPTCHA on public authentication endpoints.
  • Infrastructure: Backend hosted on Railway with managed PostgreSQL and Redis. Automatic database backups. CORS restricted to explicit origin allowlist.
  • File security: Uploaded files are validated by MIME type and magic bytes, stored with UUID-based keys, and served with appropriate security headers.

While we implement reasonable security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

7.1 Active Accounts

We retain your personal information for as long as your account is active or as needed to provide the Service.

7.2 Flight Records

Flight logbook entries, endorsements, and billing records are retained for the life of your account and for a minimum of 7 years after account deletion for regulatory compliance purposes.

7.3 Deleted Accounts

When you delete your account, we soft-delete your data immediately (making it inaccessible to other users). After 90 days, personally identifiable information is anonymized while non-identifiable operational records may be retained for compliance and audit purposes.

7.4 Temporary Data

  • Email verification tokens: 24 hours
  • Password reset tokens: 1 hour
  • Weather data cache: 5 minutes (METAR) to 1 hour (NOTAMs)
  • Rate limiting counters: varies by endpoint (1 minute to 1 hour)
  • JWT blacklist entries: until token expiration (24 hours max)

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Access the personal information we hold about you. Most data is accessible directly through the Service.
  • Correction: Correct inaccurate personal information through the Service at any time.
  • Deletion: Request deletion of your personal information, subject to our legal retention obligations.
  • Data Portability: Receive your data in a structured, machine-readable format (CSV, PDF export).
  • Objection/Restriction: Object to or request restriction of certain processing.
  • Notification Preferences: Manage email and push notification preferences by category (reservations, weather, currency, maintenance, members, billing, notices, endorsements). Transactional emails cannot be disabled.

To exercise these rights, contact privacy@hobbstack.com.

9. California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the CCPA as amended by the CPRA:

  • Right to Know: Request disclosure of what personal information we collect, the sources, the purposes, and the third parties we share it with.
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell personal information or share it for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

To exercise these rights, contact privacy@hobbstack.com. We will respond within 45 days as required by law.

9.1 Categories of Personal Information (CCPA)

  • Identifiers: Name, email address, phone number, IP address, account ID
  • Customer records: Billing records, subscription information, payment history
  • Commercial information: Flight reservation records, aircraft usage, service purchases
  • Internet/electronic activity: Browsing history on our Service, search history, interaction data
  • Professional information: Pilot certificate type, CFI certificate number, flight qualifications
  • Geolocation: Approximate location derived from IP address; airport identifiers provided by you

10. Arizona Residents

Arizona does not currently have a comprehensive consumer data privacy statute equivalent to the CCPA. However, Arizona residents are entitled to the same rights described in Section 8. Hobbstack LLC is organized under the laws of the State of Arizona and voluntarily extends data access, correction, and deletion rights to all users regardless of jurisdiction.

11. International Users

The Service is hosted in the United States and is primarily intended for use within the United States. If you access the Service from outside the United States, you consent to the transfer of your personal information to the United States, which may have different data protection laws than your country of residence.

For users subject to the EU/UK GDPR, we process your personal information on the legal bases of: (a) contract performance; (b) legitimate interests; and (c) consent (where applicable). You may exercise your GDPR rights by contacting privacy@hobbstack.com.

12. Children's Privacy

The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without parental consent, we will delete that information promptly. Users between 13 and 18 may use the Service with parental or guardian consent, consistent with the minimum age requirements for student pilot certificates under 14 CFR § 61.83.

13. Push Notifications

The Service supports Web Push notifications via the VAPID protocol. When you opt in, we store:

  • Your push subscription endpoint URL (provided by your browser's push service)
  • Encryption keys (p256dh and auth) for secure message delivery
  • Your browser user-agent string

Push notification data is encrypted end-to-end. We do not use a third-party push notification intermediary. You may revoke push notification permissions at any time through your browser settings or the Service's notification preferences.

14. Calendar Subscription (iCal) Feeds

The Service offers optional iCal subscription feeds for syncing your flight schedule with external calendar applications. When enabled:

  • A unique, random token (UUID) is generated and serves as authentication for your feed. Anyone with this URL can view your schedule.
  • The iCal feed displays flight times, aircraft tail numbers, and activity types.
  • You may regenerate your token at any time to invalidate previous URLs.
  • The iCal feed is opt-in and is not enabled by default.
  • We recommend treating your iCal subscription URL as a password.

14a. Roadmap Interest Notifications

The public roadmap page (hobbstack.com/roadmap) offers a per-item “Email me when this ships” affordance. When you click it, we collect:

  • Your email address — lowercased and stored against the single roadmap item you subscribed to.
  • Your IP address — captured for spam triage; NULLed after 90 days by an automated retention sweep.
  • Your browser's user-agent string — truncated to 500 characters, used for spam triage.
  • A small browser cookie (hobbstack_roadmap_interest) — holds the slugs of items you've confirmed, so the page can show the “you're subscribed” state without a server round-trip. The cookie holds slugs only — never your email. 90-day expiry, Secure, SameSite=Lax.

Purpose: to email you exactly once when that specific roadmap item ships. We do NOT aggregate this list for general marketing — each subscription is scoped to one item and one notification.

Confirmation: you must click the confirmation link in the email we send before we’ll add you to the notification list. Unconfirmed subscriptions are deleted after 7 days.

Unsubscribe: every email includes an RFC 8058 one-click unsubscribe link (compatible with Gmail and Apple Mail's native one-click unsubscribe surface). Clicking it removes you from that item's notification list immediately — no login required.

Retention: subscription rows are kept until you unsubscribe (or until the item ships and we send the notification). IP addresses are NULLed after 90 days regardless of status. Email addresses are retained on confirmed/notified rows until you click the per-item unsubscribe link.

15. Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

  • Notify affected users via email within 72 hours of becoming aware of the breach, where feasible.
  • Provide details about the nature of the breach, types of information affected, and steps we are taking.
  • Notify applicable regulatory authorities as required by law (including the Arizona Attorney General's Office as required by A.R.S. § 18-552).
  • Provide guidance on steps you can take to protect yourself.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by: (a) updating the Effective Date; (b) displaying a prominent notice in the Service; and (c) where appropriate, by email. Your continued use of the Service after the effective date constitutes acceptance of the changes.

17. Contact Us

If you have questions about this Privacy Policy, please contact us:
Hobbstack LLC
Email: privacy@hobbstack.com
General support: support@hobbstack.com
Website: hobbstack.com

For data access, correction, or deletion requests, please include your registered email address and a description of the data you are requesting. We will respond within 30 days (45 days for CCPA requests).

This Privacy Policy is effective as of April 6, 2026 and supersedes all prior versions.