Privacy Policy

Last updated: February 23, 2026

1. Introduction

Avyo Inc. (“Avyo,” “we,” “us”) operates an aircraft rental marketplace that connects certificated pilots with aircraft owners. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our platform at avyo.io and related services (collectively, the “Platform”).

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Name, email address, and password (for email-based registration).
  • Name, email address, and profile photo (when you sign in with Google OAuth).
  • Phone number (when provided for verification or communication).
  • Business name (for owner accounts).
  • Role selection (renter, owner, or both).

2.2 Aviation-Specific Information

To facilitate aircraft rentals and meet FAA-related requirements, we collect:

  • For renters: Pilot certificate details, medical certificate status, and flight qualifications.
  • For owners: Aircraft information (make, model, year, tail number/ N-Number, home base airport, performance data, hourly rates, fuel policy), insurance documentation (Certificate of Insurance, policy expiration, covered tail numbers, coverage amounts).

2.3 Verification Documents

For identity and document verification, we temporarily process:

  • Government-issued identification (driver's license, passport, or state ID) for identity verification.
  • Insurance documents (COI or Policy Declaration) for insurance verification.
  • Pilot certificate images for credential verification.

These documents are processed by our AI-powered verification system, which extracts relevant data (name, date of birth, expiration dates, tail numbers) and cross-references it with your profile. Raw document images are purged after verification. Only the verification status and extracted metadata (such as expiration dates) are retained.

2.4 Payment and Financial Information

  • Renters: Payment card information is collected and processed directly by Stripe. Avyo does not store full payment card numbers. We retain a Stripe Customer ID to manage your payment methods.
  • Owners: Bank account information and identity verification data are collected by Stripe Connect for payout processing. Avyo retains a Stripe Account ID but does not store bank account details.

2.5 Booking and Trip Data

  • Departure and destination airports.
  • Flight dates and rental duration.
  • Cost breakdown (rental, fuel, repositioning, platform fee).
  • Booking status and history.

2.6 Communications

  • In-app messages between renters and owners.
  • Message attachments uploaded through the Platform.
  • Email communications (booking confirmations, flight reminders, payment receipts, notifications).

2.7 Files and Media

  • Aircraft photos uploaded to listings.
  • Profile photos / avatars.
  • Documents uploaded for verification.

2.8 Automatically Collected Information

  • Browser type, device information, and IP address.
  • Pages visited and interactions with the Platform.
  • Cookies and session tokens (JWT-based authentication).

3. How We Use Your Information

We use your information to:

  • Create and manage your account.
  • Facilitate aircraft search, booking, and rental transactions.
  • Calculate trip costs (rental, fuel, repositioning, platform fee) using aircraft performance data and airport coordinates.
  • Process payments and payouts through Stripe.
  • Verify your identity, pilot credentials, and insurance documentation using AI-powered verification.
  • Verify your phone number via SMS one-time passcode.
  • Send transactional emails (booking confirmations, payment receipts, flight reminders) and marketing communications (newsletters, announcements).
  • Enable in-app messaging between renters and owners.
  • Sync bookings to your Google Calendar (when you connect your Google account).
  • Manage membership plan subscriptions.
  • Enforce our Terms of Service and community guidelines.
  • Prevent fraud, abuse, and unauthorized access.
  • Improve the Platform and develop new features.

4. Information Sharing

We do not sell your personal information. We share information only in the following circumstances:

4.1 Between Users

When a booking is made, we share relevant information between the renter and owner to facilitate the rental (names, contact information, booking details, verification status). Your full address, payment details, and government ID are never shared with other users.

4.2 Service Providers

We share information with third-party service providers that help us operate the Platform:

  • Stripe — Payment processing, Stripe Connect owner payouts, and subscription billing. Stripe receives payment card data, bank account data, and identity verification data as needed.
  • Resend — Transactional and marketing email delivery. Resend receives your email address and name.
  • Cloudflare — CDN, DNS, and DDoS protection. Cloudflare processes request metadata (IP address, request headers) but does not access application data.
  • Cloudflare R2 — File storage for aircraft photos, profile images, and documents.
  • Google APIs — Calendar integration (when you connect your Google account). Google receives booking event data for calendar sync.

4.3 Legal Requirements

We may disclose your information when required by law, regulation, legal process, or governmental request, including requests from the FAA or NTSB in connection with accident or incident investigations.

4.4 Safety and Fraud Prevention

We may share information to protect the safety of users, investigate potential violations, or prevent fraud.

5. Data Security

We implement technical and organizational security measures to protect your information:

  • Passwords are hashed using bcrypt (one-way hash). We never store plaintext passwords.
  • Sensitive data such as multi-factor authentication secrets and backup codes are encrypted at rest using AES-256 encryption.
  • All data in transit is encrypted via TLS/HTTPS.
  • Verification documents are purged after processing. Only verification status and relevant metadata are retained.
  • Payment card data is handled entirely by Stripe and never touches Avyo servers.
  • Rate limiting is applied to authentication attempts, bookings, payments, uploads, and API requests to prevent abuse.
  • Content Security Policy headers are configured to prevent cross-site scripting and injection attacks.

6. Data Retention

  • Account data: Retained for the duration of your account, plus a reasonable period after deletion to resolve any pending transactions or disputes.
  • Booking and transaction records: Retained for 7 years for tax and legal compliance.
  • Verification documents: Raw documents are purged after verification. Verification status and extracted metadata (expiration dates, tail numbers) are retained for the duration of your account.
  • Messages: Retained for the duration of your account.
  • Uploaded files: Aircraft photos, profile images, and documents are retained until you delete them or your account is closed.

7. Cookies and Session Management

Avyo uses JWT (JSON Web Token) session tokens for authentication. These tokens are stored in browser cookies and contain your user ID, email, name, and role. Session tokens do not contain sensitive data such as passwords or payment information.

We also store your theme preference (light/dark mode) in browser localStorage. This data remains on your device and is not transmitted to our servers.

8. Google Calendar Integration

If you choose to connect your Google Calendar, we request the following OAuth scopes:

  • calendar.events — To create booking events on your calendar.
  • calendar.readonly — To read your calendar for availability.

We store OAuth access and refresh tokens to maintain the connection. You can disconnect your Google Calendar at any time from your dashboard settings, which deletes the stored tokens.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete information. You can update most information directly from your profile settings.
  • Deletion: Request deletion of your account and personal information, subject to legal retention requirements (such as transaction records retained for tax compliance).
  • Opt-out: Unsubscribe from marketing emails at any time using the unsubscribe link in any email, or from your notification settings.

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

10. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

  • Right to Know: You may request the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request that we delete your personal information, subject to legal exceptions.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
  • No Sale of Personal Information: We do not sell personal information to third parties as defined by the CCPA.

11. Children's Privacy

The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. FAA pilot certificates require a minimum age of 17 for Private Pilot and 16 for Student Pilot. If we learn that we have collected information from a child under 18, we will delete it promptly.

12. FAA Registry and Public Records

Certain aircraft information displayed on the Platform, including tail numbers (N-Numbers), aircraft registration data, and airworthiness status, may be derived from or cross-referenced with the FAA Aircraft Registry, which is a public record maintained by the FAA.

13. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users promptly via email and, where required by law, notify the appropriate regulatory authorities within the legally mandated timeframe.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes via email or through a notice on the Platform. The “Last updated” date at the top of this page reflects when the policy was most recently revised.

15. Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights, contact us at [email protected] or through our Contact page.