Privacy Policy

Last updated: 1 April 2026

1. Data controller

Aeromedical SRL, with headquarters in Romania, operates the Naviqa platform as personal-data controller under GDPR (Regulation EU 2016/679).

2. Data collected

Identification data

• First name, last name, email, phone
• Date of birth, nationality, country of residence
• Passport / national ID number (encrypted)

Professional data

• Licence type, crew type
• Flight hours, licensing authority
• Position, specialisations

Psychometric data (sensitive — Art. 9 GDPR)

• Responses to testing instruments (10 tests)
• Computed scores, psychological profile
• Clinical conclusion, fitness decision
• AI-generated report (pseudonymised)

3. Purpose of processing

• Mandatory psychological assessment under EASA / national civil-aviation authority requirements
• Generation of clinical reports and fitness certificates
• Administration of aviation company ↔ examining company relationships
• Compliance monitoring and audit trail

4. Legal basis

• Art. 6(1)(c) — legal obligation (mandatory EASA assessment)
• Art. 6(1)(f) — legitimate interest (platform administration)
• Art. 9(2)(h) — health data for occupational-medicine purposes

5. Security

• AES-256-GCM encryption for sensitive data
• Candidate pseudonymisation (NVQ-ID instead of name)
• EU (Frankfurt, Germany) hosting on Supabase
• HSTS, CSP, RLS (Row-Level Security) on all tables
• Optional MFA for staff users

6. Your rights

Under GDPR you have the right to:

• Access — you can request a copy of your data
• Rectification — you can correct inaccurate data
• Erasure — you can request deletion of your data (subject to legal exceptions)
• Portability — you can receive your data in a structured format
• Objection — you can object to certain processing
• Contest — you can contest automated decisions

To exercise these rights, contact: dpo@naviqa.aero

7. Retention period

Psychometric data is retained per EASA requirements (minimum 5 years). Account data is retained for the duration of service usage. When an account is deleted, personal data is anonymised (soft delete).

8. International transfer

Data is NOT transferred outside the EEA. All servers are in the EU (Frankfurt). The AI (Anthropic Claude) receives only pseudonymised data (no PII).

9. DPO contact

Data Protection Officer: dpo@naviqa.aero
Aeromedical SRL, Romania