Privacy Policy

Effective date: 10.10.2025

Evionica Sp. z o.o. (“Evionica”, “we”, “our”, “us”) is committed to protecting your personal data and complying with Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data. 

1. Who we are

  • Company: Evionica Sp. z o.o. 
  • Registered office: Pl. Bankowy 2, 00-095 Warsaw, Poland 
  • NIP (Tax ID): PL1132981633 
  • REGON: 381091585
  • KRS: 0000745785 
  • Email: office@evionica.com

Depending on the context, Evionica may act as: 

  • Data Controller – for personal data we collect directly (e.g. website visitors, CRM, marketing, cookies, support contacts, training accounts). 
  • Data Processor – for personal data processed on behalf of our clients (e.g. airlines, flight schools, CAMOs) when they use our SaaS services. 

If you have questions, you can contact us at office@evionica.com. 

2. What personal data we process

We may process the following categories of personal data: 

  • Identification and contact details (name, surname, email, phone, address). 
  • Professional data (employer, role, license number etc.). 
  • Account information (login, password, usage logs, preferences). 
  • Technical data (IP address, browser, device, location data). 
  • Training / operational data (records of participation, performance, flight-school records). 
  • Marketing data (consent to receive updates, cookie data, remarketing identifiers). 

3. Purposes and lawful bases

We process your data only when there is a lawful basis under GDPR. The table below shows the purposes and legal bases: 

| Purpose | Lawful basis |
|---|---|
| Provide access to and operate our SaaS services (e.g. LMS, Weight & Balance, Best Pilot App) | Performance of a contract (Art. 6(1)(b)) |
| Account setup, access control, authentication | Performance of a contract (Art. 6(1)(b)) |
| Customer support, complaint handling | Legitimate interest (Art. 6(1)(f)); Performance of a contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) |
| Legal compliance (tax, aviation, record-keeping obligations) | Legal obligation (Art. 6(1)(c)) |
| Marketing communications (e.g. newsletters, product updates) | Consent (Art. 6(1)(a)) |
| Website analytics and remarketing | Consent via cookie banner (Art. 6(1)(a)) |
| Security, audits, fraud prevention | Legitimate interest (Art. 6(1)(f)) |

4. Third-party processors / sub-processors

To provide our services, we use certain third-party service providers (processors or sub-processors). They act according to contracts with us (or with our customers) that ensure GDPR-level protections, including confidentiality, security, and data protection rights. Below are the main ones we use: 

| Third-party Provider | Role / Service | Data location / Notes / Safeguards |
|---|---|---|
| AWS (Amazon Web Services) | Infrastructure hosting, backups, cloud services to support our SaaS products | We use AWS regions in the EU. AWS provides tools for choosing region, encryption in transit & at rest, and has a GDPR-compliant Data Processing Addendum (with Standard Contractual Clauses) for transfers outside the EEA. |
| HubSpot CRM | Contact and customer relationship management, marketing automation, storing contact records | HubSpot is used under a Data Processing Agreement, and we use features to track lawful basis for contact data. |
| TalentLMS | Platform used for flight training content delivery and tracking training / learning progress | TalentLMS is GDPR-compliant, verifies adherence to the EU Cloud Code of Conduct, and uses Standard Contractual Clauses for international transfers. |
| Microsoft Office 365, Microsoft Teams, SharePoint and related Microsoft enterprise tools | Internal collaboration, document storage and sharing, communication (e-mail, video/voice calls, meetings), scheduling, internal workflows | These tools are used under Microsoft’s GDPR Terms, including a Data Processing Addendum; data is encrypted in transit and at rest. Microsoft offers data residency options in the EU, supports retention policies, audit logs, compliance and security controls. We ensure contractual safeguards (DPAs) are in place and limit access to authorised personnel. |

5. Cookies and tracking

Our website uses cookies and similar technologies installed on your device. Cookies are small text files that help us make the site work properly, secure your session, and tailor content to your preferences. The processing of information from cookies is carried out in line with the GDPR and the Polish Electronic Communications Law of 12 July 2024 (Journal of Laws 2024, item 1221). 

Purposes of cookies: 

  • essential – enable the website to function correctly and securely, maintain logged-in sessions, and adapt the interface; 
  • optional – support analytics, performance measurement, and advertising/remarketing. 

When you first visit our website, we display information about the use of cookies. You may change your chosen scope of cookie use at any time in the website’s settings. 

Cookies do not alter the configuration of your device. However, disabling them in your browser may restrict some website functionalities (e.g. session maintenance). 

Non-essential cookies are used only after you provide consent through the banner. You can change or withdraw your consent at any time in the preference settings on the website or in your browser. Most browsers allow you to check, delete, or block cookies. The data collected through essential cookies are processed based on our legitimate interest (Art. 6(1)(f)). For optional cookies, the legal basis is your consent (Art. 6(1)(a)). 

We use cookies to optimise your experience, ensure correct operation, and maintain the security of the website. In this process, we also rely on trusted third-party tools that may place their own cookies and act as separate or joint data controllers. For more details about opting out of Google Analytics, Google Marketing Platform, or other tracking tools, see:

  • Google Marketing Platform opt-out 
  • Network Advertising Initiative opt-out 

6. Data sharing and international transfers

We share your personal data only with trusted service providers (processors/sub-processors) bound by contractual terms.  

If it is necessary to transfer your personal data outside the European Economic Area (EEA), we do so only when appropriate safeguards are in place to ensure an adequate level of protection, in particular by: 

  • cooperating with entities located in countries covered by a European Commission adequacy decision; 
  • using the Standard Contractual Clauses approved by the European Commission; 
  • applying binding corporate rules approved by the competent supervisory authority.

If you have concerns about a specific provider/location, you may contact us to receive more details. 


7. Data retention

The period for which we process personal data depends on the type of service and the purpose of processing. As a rule, we keep data only for as long as necessary to respond to an enquiry, perform a contract, or provide a service. 

Typical retention periods include: 

  • Account and service data – for the duration of the contract and for a period corresponding to the applicable limitation period for potential claims 
  • Financial and tax records – for the period required by applicable accounting and tax regulations 
  • Marketing data – until you withdraw consent or unsubscribe 
  • Backup and operational data (e.g. training records) – in accordance with aviation authority and safety requirements 

In all cases, the retention period may be extended if processing is necessary to establish, exercise or defend legal claims, and thereafter only for as long as required by applicable law.  

After these periods, data is either securely deleted or anonymized. 

8. Data subject rights

Under GDPR, you have the following rights: 

  • Right of access – obtain a copy of your personal data. 
  • Right to rectification – correct inaccurate or incomplete data. 
  • Right to erasure (“right to be forgotten”). 
  • Right to restriction of processing. 
  • Right to data portability. 
  • Right to object to processing based on legitimate interest or for marketing. 
  • Right to withdraw consent where processing is based on consent. 

To exercise your rights, contact us at office@evionica.com. You also have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO), Poland.

9. Security

We implement appropriate technical and organizational measures to protect personal data, including: 

  • Encryption in storage and transit. 
  • Access control and authorization policies. 
  • Pseudonymisation where feasible. 
  • Firewalls, antivirus, intrusion and threat detection. 
  • Regular backups and disaster recovery procedures. 
  • Security audits, testing and continuous monitoring. 

10. AI-assisted features

In line with Regulation (EU) 2024/1689 (AI Act): 

  • Our systems do not perform prohibited AI practices. 
  • We do not operate high-risk AI systems as defined under the AI Act. 
  • Any AI-assisted outputs (e.g. Best Pilot suggestions, generated graphics) are flagged and always human-reviewed before publication. 

11. Changes to this Policy

We may update this Policy from time to time. The latest version will always be available at https://evionica.com. In case of material changes, we may also notify you by email. 

12. Contact

If you have any questions or concerns about how we process your personal data, please contact us: 

  • Email: office@evionica.com 
  • Post: Evionica Sp. z o.o., Pl. Bankowy 2, 00-095 Warsaw, Poland