Privacy Policy
Last updated: May 9, 2026
This declaration explains what personal data is collected, why, where it is stored, who it may be shared with, and what your rights are when you use the aerosim.ca website and its tools (CDU, Log Analyzer, Earth Airports, FlightDeck).
1. Data controller
- Publisher: AeroSim — a natural person operating under this trade name in Quebec, Canada.
- Person in charge of personal information protection (DPO): reachable at [email protected]. This is also the point of contact for any request related to this declaration and to the Quebec Act respecting the protection of personal information in the private sector (Law 25).
- Hosting: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (EU).
- CDN / WAF: Cloudflare, Inc. (United States and global points of presence).
2. Principles
- We never sell your personal data.
- We display no advertising and use no advertising cookies or third-party trackers.
- We apply a principle of minimization: only data strictly necessary for the operation of the tools is collected.
- The third-party API keys you provide (Cesium Ion, FlightPlanDatabase, NVIDIA NIM) are encrypted before storage (AES-GCM 256-bit, master key kept outside the database).
3. Data collected at sign-up
When creating an account on /auth/register.php, we collect:
| Data | Required | Purpose |
|---|---|---|
| Email address | Yes | Login identifier, service communication, password reset |
| Display name | No | Interface personalization |
| Password | Yes | Stored only as a hash (never in clear text) |
| Cloudflare Turnstile validation | Yes | Protection against automated sign-ups (CAPTCHA) |
| Creation date / last login | Auto | Security and audit |
Optional communications. From your user profile you can enable or disable at any time:
- the reception of informational emails (product announcements, news, major updates);
- the participation in software solution testing developed by AeroSim (beta program, invitation to take part in targeted trials).
Both options are disabled by default. No commercial email will be sent without your explicit activation, in accordance with Canada's Anti-Spam Law (CASL). You can withdraw consent at any time from your profile or by replying to any concerned email.
Session cookie: an AEROSIM_SID cookie (HttpOnly, Secure, SameSite=Lax) is set after authentication to maintain the session. It contains no advertising identifier.
4. Data collected by each tool
4.1. AeroSim CDU
The CDU is an avionics panel that communicates directly between your browser and your local X-Plane 12 installation. The following data remains stored on aerosim.ca:
- User layouts (
user_layouts): placement and configuration preferences for the CDU screens. - Bridge token (
users.bridge_token): a short-lived token allowing the X-Plane FlightDeck-Bridge plugin to authenticate.
Real-time X-Plane dataref values (position, speed, etc.) are never transmitted to or stored on our servers — they only travel between your browser and your local machine (localhost:8086).
4.2. Earth Airports
- Access whitelist (
user_app_access): indication that your account has access to the application. - User API tokens (
user_tokens, AES-GCM encrypted): Cesium Ion token and FlightPlanDatabase API key, entered by you in Settings ⚙. - Current flight plan: stored exclusively in your browser's
localStorage(departure, arrival, mode). No server-side copy.
Real-time flight data (altitude, heading, speed) read from X-Plane is consumed only by your browser and is neither logged nor transmitted to aerosim.ca.
4.3. AeroSim Log Analyzer
The analyzer takes as input the X-Plane Log.txt file you upload (20 MB limit). For each analysis, the following are stored:
| Data | Source | Sensitivity |
|---|---|---|
| SHA-256 hash of the log | computed server-side | deduplication only |
| Original filename | upload | low |
| X-Plane version, OS, CPU, GPU, graphics API, RAM, VRAM | extracted from the log | technical |
| Structured report (JSON) | analysis | technical |
| Risk level, confidence score | computed | technical |
| AI summary and recommendations, LLM model used | optional | textual |
| Email address (encrypted) and its hash | account | identity |
| NVIDIA NIM API key (AES-GCM encrypted) | user input | secret |
| AI disclaimer acceptance + version | legal obligation | compliance |
Automated decision and generative AI: the textual content of your Log.txt may be sent to NVIDIA NIM (api.nvidia.com) for AI-based explanation, only if you have configured your own NIM API key and accepted the AI disclaimer. The request is billed to your key. In accordance with article 12.1 of Law 25, you are informed that this is automated processing; the recommendations produced do not replace human judgment, and you may at any time request additional explanations from us.
4.4. FlightDeck
- Bridge token shared with the CDU (above).
- WebSocket flows between X-Plane (local plugin) and your browser are relayed through our server (
/flightdeck/ws), but no session content is logged persistently — only the technical nginx logs (cf. §6) keep a short-term trace.
5. Third-party services contacted
Use of the tools may trigger calls to third-party services, sometimes directly from your browser, sometimes relayed through our server. Each of these third parties has its own privacy policy.
| Service | Data transmitted | Initiator |
|---|---|---|
| Cloudflare (CDN/WAF/Turnstile) | IP, HTTP headers, captcha challenge | All visitors |
| Cesium Ion / Bing Maps / Google Photorealistic 3D Tiles | IP, queried tile coordinates | Browser, via your Cesium token |
| NASA GIBS, RainViewer | IP, tile coordinates | Browser (weather overlays) |
| X-Plane Scenery Gateway | Queried ICAO code | aerosim.ca server (proxy) |
| AviationWeather.gov (NOAA) | ICAO code for METAR/TAF | aerosim.ca server (proxy) |
| FlightPlanDatabase | Departure/arrival ICAO codes, your API key | Server (POST) or browser (GET) depending on the case |
| NVIDIA NIM | Excerpts from your Log.txt, your NIM key | aerosim.ca server (Log Analyzer) |
| OpenStreetMap Nominatim | Airport search terms | Browser |
6. Cookies and local storage
aerosim.ca uses only strictly necessary cookies:
AEROSIM_SID— session cookie (HttpOnly, Secure, SameSite=Lax);__cf_bm,cf_clearance— Cloudflare cookies for security and bot protection.
No advertising cookies, no third-party pixels, no behavioral analytics tools (Google Analytics, Facebook Pixel, etc.) are deployed.
In accordance with applicable cookie requirements in Quebec, Europe, and Canada, a cookie consent banner appears on your first visit. Strictly necessary cookies are activated without prior consent (they are essential for service operation); any non-essential cookie added later will require your explicit consent.
aerosim.ca also uses the browser's localStorage to store your interface preferences, your Earth Airports flight plan (earthAirports.flightPlan), and your CDU layouts. This data never leaves your browser.
7. Technical logs
The web server (nginx) keeps access and error logs containing: IP address, timestamp, requested URL, HTTP status code, user agent. These logs are used for security, diagnostics, and abuse prevention, and are retained as long as necessary for these purposes, after which they are deleted or anonymized.
8. Security
- In-transit encryption: HTTPS (TLS 1.2+) on the entire site, Let's Encrypt certificate.
- At-rest encryption of sensitive secrets (third-party API tokens, NIM keys, emails in Log Analyzer) via AES-GCM 256-bit; the master key resides in
/etc/aerosim/earth-airports.envwith restricted permissions and is never committed to source code. - Passwords: hashed (never stored in clear text).
- Session cookies:
HttpOnly,Secure,SameSite=Lax. - Application firewall Cloudflare upstream.
- Backups encrypted off-site according to internal project rules.
No system is fully shielded against intrusion; in case of a confidentiality incident affecting your personal information, you will be notified without undue delay, in accordance with article 3.5 of Quebec Law 25.
9. Retention periods
Your data is kept for as long as necessary for the purposes described in this declaration, then deleted or anonymized. As an indication:
| Data | Retention |
|---|---|
| User account (email, password hash, profile) | While the account is active |
| Communication preferences (info emails, beta program) | Until you change them |
Active session (AEROSIM_SID) | Until expiration or sign-out |
| CDU layouts, local flight plans (localStorage) | Until erased by the user |
| Log Analyzer reports | While the account is active and the reports are useful to you |
| User API tokens (Cesium / FPD / NIM) encrypted | Until revoked by the user in Settings |
| nginx logs | As long as necessary for security, then purged |
Upon account deletion, associated data (reports, tokens, layouts) is deleted by cascade within a maximum of 30 days, except for elements that the law requires us to retain.
10. Your rights
In accordance with Law 25 (Quebec), PIPEDA (Canada), and where applicable GDPR (EU), you have the following rights:
- Right of access to your personal data;
- Right of rectification of inaccurate or incomplete data;
- Right to erasure ("right to be forgotten") of your account and associated data;
- Right to portability of your data in a structured and commonly used technological format;
- Right to cessation of dissemination or de-indexing (article 28.1 of Law 25);
- Right to object to a processing operation;
- Right to withdraw consent at any time (notably for the AI features of the Log Analyzer and for informational emails / beta program);
- Right to be informed of any automated processing affecting you (cf. §4.3);
- Right to file a complaint with the Commission d'accès à l'information du Québec (CAI) or any other competent authority.
To exercise these rights, write to [email protected] from the email address associated with your account. A reply will be provided within a maximum of 30 days.
11. Transfers outside Quebec
Your data is stored in Germany (Hetzner). Cloudflare operates a global network and traffic may transit through points of presence outside Quebec and outside the EU. The third-party services listed in §5 are operated from various countries (mainly the United States for Cesium Ion, NVIDIA, NOAA, FPD; international for Cloudflare).
In accordance with article 17 of Law 25, AeroSim has assessed that these transfers offer adequate protection of personal information, notably thanks to:
- systematic in-transit encryption (TLS) and at-rest encryption of sensitive data;
- minimization of data sent to each third party;
- choice of providers subject to recognized frameworks (GDPR for Hetzner and Cloudflare-EU, commercial contracts for US services).
By using the tools, you consent to these transfers.
12. Minors
The aerosim.ca services are not intended for persons under 14 years old (the threshold applicable in Quebec for autonomous consent). We do not knowingly collect data concerning minors under 14. If you believe an account belongs to such a minor, contact us so we can delete it.
13. Changes to this declaration
This declaration may evolve. Any substantial change will be announced on the home page and/or by email. The date at the top of this page reflects the last revision.
14. Contact
For any question relating to confidentiality, to exercise your rights, or to file a complaint with the DPO: