PRIVACY POLICY | AviLabs and Plan3

Last updated 28 March 2022.

We are committed to protecting your safety and privacy, and we take our responsibilities regarding the protection of personal information seriously.
As you use and interact with AviLabs websites, products, and services, we process information from and about you in order to provide you with access to our tools, and to enhance experience and support. That means that we collect, use, and process your information. This privacy policy explains which data we collect, how we use it, how we protect and which rights you have in relation to our processing of your personal data.


1. Who we are
Avilabs is in the business of providing disruption management software and related services to airlines and develops, maintains, operates, and markets a flight monitoring and disruption handling software for the travel industry called Plan3. Therefore, AviLabs is the company behind the Plan3 product.


Any references in this Privacy Policy (the “Policy”) to “AviLabs” “we”, “us” or “our” means AviLabs ehf., a company registered in Iceland with registration number no. 5208192150 and registered office at Nóatún 17, 105 Reykjavik, Iceland.


2. Our relationship with you
Whether we are a data processor or a data controller will depend on our relationship with you. We will be a data processor:

  • when you are a company which has signed up to use the Plan3 product (and are therefore subject to our Terms) and you are uploading personal information of your customer/passengers to the Plan3 product. In this case, you will be the data controller of such personal data, while we will be the data processor. Our Data Processing Addendum will govern such data processing – not this Privacy Policy.
     

  • when you are an individual who has had his personal information uploaded to the Plan3 product by our customer (usually an airline or another travel company who has provided services to you). In this case, our customer is the controller of your information while we are the processor. In other words, our customer (e.g. an airline you’ve flown with) will send us your personal information, and we will be a process your personal data on their behalf, as they decide how any why your information is processed. We recommend that you visit the controller’s own privacy policy for further information about your relationship with him. However, we’ve put together a Processor Privacy Policy which which will apply to our processing of your data.

 

In all other cases when it comes to personal data collected, we will be the “data controller" for the purposes of the Icelandic Data Protection Act and other data protection laws that apply to us, like the EU General Data Protection regulation (the “GDPR”).

This will include when:

  • you visit our webpages, e.g. www.avilabs.is or plan3.aero;

  • if you create an account with us to use access the Plan3 product;

  • when you use the Plan3 account;

  • if you sign up for any marketing materials or email lists;

  • if you send us your employment application (where our Employment Application Privacy Policy shall apply); or

  • if you otherwise communicate with us.
     

This Privacy Policy only applies when we are the data controller.


3. Personal data we collect about you
When we use the term “personal data” in this Policy, we mean any information relating to you and through which you can be identified, directly or indirectly, or in combination with other information that we may hold. We only collect your personal data where it is necessary for the purposes described in this Policy and in accordance with data protection laws. The types of personal data that we collect will depend on our relationship with you, the circumstances of collection and the type of service you are requesting from us.

The personal data we collect and process may include: 

 

(a) Information needed to create a Plan3 account

To be able to use Plan3, you must supply us with information that is needed to create an account for you and manage your ability log in and out of Plan3:

  • identifiers, such as first and last name and email address.

  • your password for Plan3.

  • other information you choose to provide us with, such as your job title or phone number.

 

Please keep in mind that if you an employee of any of our customers which is utilizing the Plan3 platform and has contacted us in relation to use the services, we may process the personal data necessary for such communications.

 

(b) Information processed when you visit our websites or the Plan3 product

When you are using our websites or the Plan3 product, we will be receiving certain information, such as:

  • details about how you use our websites or the Plan3 product, such as information about how you interact with our marketing websites, like AviLabs.com or Plan3.aero, such as where you click, how long you visit a page, your scrolling, mouse hovers, and other data to help us better understand your experience and provide you with the best user experience.

  • internet network activity, cookies, and similar tracking technologies, including data our servers automatically record, such as your web request, IP address, browser type and settings, referring/exit pages and URLs, number of clicks, date and time stamp information, language preferences, and other such information. This may also include derived device geolocation information, such as approximate geographic location inferred from an IP address.

    • We do use cookies on our websites. Please visit our Cookie Policy for more information about the types of information we collect via cookies and how we use it.

  • details related to the actions you take as you use Plan3 (i.e. activity logs), including but not limited to information in relation to your log-ins and use of Plan 3, for example the amount of option packages your account publishes or information in relation to the monitoring activities your account undertakes, which features your account uses and what content it interacts with.

 

(c) Marketing information

You may have signed up for our marketing communications for our services, competitions, surveys, newsletters, promotions or events. In signing up for such communications, we may be collecting personal data in relation to you, such as your e-mail address, name and other information you choose to provide us with, such as your job title or phone number.

 

(d) Other information when you interact with us in other ways

In addition to all the above, you may voluntarily provide us with information when you interact with us in other ways. We may collect any communications or feedback you exchange with us, such as your emails, letters, calls, or your messages or posts on social media directed to us. 

 

4. How do we collect personal data

We will mainly collect your personal data directly from you, e.g. the information you provide us with when creating a Plan3 account, when you communicate with us or when you sign up for our marketing communications. We also collect your personal data whenever you use our services. This includes, for example:

 

  • when you create an account for Plan3;

  • when you use AviLab’s services, including Plan3;

  • when you browse our websites;

  • when you register to receive our newsletters or other communications, enter into one of our competitions, register for a promotion or complete one of our surveys;

  • when you provide us with feedback; or

  • when you interact with us via social media services.

 

However, in some cases we might collect information about you from third parties. If you are an employee of one our customers, he may have contacted us with your personal information as necessary for you to create an account for the customer or for our communications with you.

 

5. Special categories of personal data

We don’t really collect personal data that is considered “special categories of personal data” that is subject to additional protection under the GDPR (for example, information revealing your racial or ethnic origin, physical or mental health, religious beliefs or trade union membership). However, it may happen that you send us such information without us asking in your communications with us. In such instances, we do recognize our legal obligations under article 9 of GDPR.

 

6. Why we use your data

We use your data to operate our product and services, communicate with you or to further develop our products. As such, we may process your information to provide our services and to operate our business. This includes, by way of an example, us processing information to:

 

  • maintain, provide, and improve our products and services;

  • help us better understand user interests and needs, and customize Plan3 for you;

  • analyze and research how you interact with our websites and applications; or

  • report usage in relation to your account.

 

We may also process your information for information security purposes in order to be able to ensure that our product functions properly and to minimize the possibility of any information security related incidents that might affect us, our customer or you as a user. This includes, by way of an example, us processing information to:

 

  • protect Plan3 by securing our systems and products against fraud or unauthorized activity;

  • identify, troubleshoot, and fixing bugs and errors;

  • investigate (in good faith) possible violations of our Terms; or

  • comply with a valid legal subpoena, request, or other lawful process or that we otherwise determine is necessary to respond to.

 

In addition, we process your information in order to communicate with you in various ways. This includes, by way of an example, us processing information to:

 

  • share updates with you in relation to product changes or other necessary notices, such as security and fraud alerts,

  • provide you with support and get your feedback

  • help identify and troubleshoot any issues with the Plan3 account and answer any of your questions.

  • decide and share with you marketing communications for our services, competitions, surveys, newsletters, promotions or events (provided we have your consent!)

 

7. Our lawful basis to process data

We will only process your personal data where we have a legal basis to do so. The legal basis will depend on the reason we collected and our need to process your information. Our legal basis for the processing of your personal data are:  

 

  • the legitimate business interest of improving our products and services, and customer service;

  • the legitimate business interest of providing you with an account in order to use the Plan3 product;

  • the legitimate business interest to protect our business interests, effectively manage our business operations and maintain our reputation.

  • the legitimate business interest to ensure the safety, security and integrity of our operations.

  • to perform our contract with you or our customer (who may be your employer);

  • for communications, we process your data for our, and your, legitimate interests, such as administering your account, responding to your questions, and providing you with customer service; or      

  • consent, i.e. you have given us consent to use your information in a particular manner.

 

As further explained below, where the basis of our processing is consent, you can withdraw your consent to such processing at any time. 

 

8. How long we keep your personal data for

We keep your personal information contained in the Plan3 account for as long as you hold the account. You can change the personal data in your account directly in the account.

 

If you are a customer of ours, we will simply delete your personal data when you terminate our contract, as per our Terms.

 

Otherwise, if you decide to delete the Plan3 account, we will delete your personal data within 3 months. However, we may need to retain non-personal data related to the account, e.g. in relation to account usage, as necessary for our legitimate business purposes – for example for us to proof to our customers that certain activity by a Plan3 account resulted in fees for them.  

‍‍

When our use of your personal data is based on your consent, you have the option to withdraw your consent of our processing and delete your personal data at any time. You can do this by submitting your request to us.

 

9. Protecting personal data

We are committed to protecting the personal data we hold and we have implemented appropriate technical and organisational measures against unauthorised, accidental or unlawful access, loss, destruction or damage of such data.

 

In addition, we only allow access to your data to our employees, agents, contractors or other parties who have a business need to know. When we trust third parties to process your data on our behalf, we require that they will protect your data the same way we do and that they comply with appropriate security standards.

 

We have procedures and policies in place in the event of a security breach related to personal data. Where relevant, we will notify you or our supervisory authority of a security breach when we are under the duty to do so under the GDPR.

 

10. Sharing personal data

We do not share your information with third parties for their own direct marketing purposes. We do not sell your information as defined under applicable law. However, we use and share the categories of information we collect from and about you consistent with the various business purposes we discuss throughout this Privacy Policy. Such parties can be categorized as follows:

 

  • Service Providers and Subprocessors. We may provide access to or share your information with select third parties that use the information on our behalf to assist in providing AviLab’s services and website. They perform operations or work on our behalf and on our instructions as data processors. These service providers help us to run our business and improve our services. They provide a variety of services to us, including without limitation sales, marketing, provision of content and features, advertising, analytics, research, data storage, security, and other services.

  • Our Customers. If you’re using Plan3 on behalf of a customers of ours, the customer (i.e. your employer) can restrict, suspend, or terminate your access to or ability to use the services, access information about you, access or retain information stored with us (including log data about your use of Plan3), and restrict your ability to edit, restrict, modify, or delete information associated with your use of our products and services.

11. Your data protection rights

You have specific rights under the GDPR that allow you to understand and, to certain extent, control the way we process your personal data:

 

  1. The right to access your data: you have the right to receive a copy of the personal data we hold about you and to receive information about how we process such data.

  2. The right to correct your data: you have the right correct your data. If you suspect that we hold inaccurate or incomplete information about you, please let us know so that we can update and complete our records.

  3. The right to delete: in certain instances, you have the right to request that we delete your data. Please note that we will automatically delete or anonymise your data after its retention period has passed and as such, you do not need to submit a specific request for this.

  4. The right to restrict processing: in limited circumstances, you may request that we do not process your data, but only store it, e.g. while you are seeking us to correct your data.

  5. The right to withdraw consent: in limited circumstances, you may have the right to withdraw your consent for our processing of your personal data, where we are utilizing your consent as a basis for our processing. In such instances, we will respect your choice and stop processing your data further.

  6. The right to object: you may consider that you have reasons to object to the use of your personal data when such use is only based on our legitimate interests as described in this Policy. Before using your data for legitimate interests, we have balanced these interests against your rights and freedoms. However, if you consider that you have grounds to object to the use of your data, you can explain to us your particular situation and we will individually review your request.

  7. Rights in relation to automated decision making: we do not take decisions about individuals process based solely on automated processing. As such, this right is not applicable.

  8. The right to data portability: where the processing of your data is based on consent or on a contract and the processing is carried out by automated means, you have the right to receive such data in a structured, commonly used, machine-readable format.

 

You can exercise your above rights by contacting our Data Protection Officer. For more information, see section 13 below.

 

12. Updates to this Policy

We will modify this Privacy Policy when there is a change to the way we process your data and when we need to ensure that the information we provide to you is up to date and in accordance with the relevant data protection laws. Any new version of this Policy will be published on this website.

13. Contact information

Questions or comments in relation to this Policy, and/or requests concerning your rights under GDPR, should all be directed to our Data Protection Officer in writing to the following email: dpo@avilabs.is, or to our address: AviLabs ehf., Nóatúni 17, 105 Reykjavík, Iceland.