MySky SA – Privacy Policy
Last updated: April 14, 2026
1. Privacy Policy
MySky SA, Rue du Lion-d'Or 1, 1003 Lausanne, Switzerland ("MySky", "we", "us", "our") is a Swiss software company and provider of a digital platform for aviation spend management and connection services, including Application and Website (collectively, the "Service"). MySky is not an air carrier, aircraft operator, charter broker, or travel agent. MySky provides software and connection tools only. The actual carriage of passengers is performed exclusively by third-party licensed Aircraft Operators under separate agreements. As a Swiss software provider, We process Personal Data in full compliance with the revised Swiss Federal Act on Data Protection (FADP / nFADP, in force since 01 September 2023), and, where applicable, the EU General Data Protection Regulation ("GDPR"). We prioritize compliance with both frameworks, applying the stricter requirements where they overlap, while taking full advantage of the flexibility afforded to private controllers under FADP for non-sensitive data.
By accessing or using the Service, You acknowledge and agree that We may process Your Personal Data in the manner described in this Privacy Policy, which is designed to enable safe, compliant, and efficient software and platform services while minimizing risks to the Company. Where applicable law requires consent for specific processing activities (such as non-essential cookies, location data, or marketing communications), we will obtain Your separate, explicit consent through a clear affirmative action. Your continued use of the Service after any updates to this Policy constitutes acceptance of the revised terms.
2. Scope and Applicable Law
This Privacy Policy applies to all individuals using the MySky Website, Application, or related services, including users, account holders, authorized representatives, and business partners. It covers Personal Data processed by MySky SA in its capacity as a software platform provider .
Primary law: The revised FADP governs processing by Our Swiss entity. Where We offer services to EU residents or monitor their behavior, GDPR applies in parallel.
To the extent that MySky processes Passenger Name Record (PNR) or Advance Passenger Information (API) data on behalf of Aircraft Operators as a data processor, MySky complies with applicable aviation security laws solely in its role as a service provider to those Aircraft Operators. MySky does not process PNR/API data as a controller for its own purposes. This Privacy Policy applies only to the extent required by applicable Swiss law and, where applicable, EU law.
4. Categories of Personal Data Collected
We collect the following categories of personal data depending on your interaction with the Service. The provision of certain data is necessary for the use of the Platform and its features to comply with applicable legal requirements. Failure to provide mandatory data may result in our inability to provide the Service.
| Data | Specific Data Elements | Source |
|---|---|---|
| Account & Contact Data | First name, last name, email address, phone number, company affiliation, billing address. | Directly from you or your organization. |
| Booking Facilitation Data | Travel itinerary information, passenger names, special requests (e.g., catering, medical) entered by the user for transmission to the selected Aircraft Operator, and, where required for international flights, Advance Passenger Information (API) including passport/national ID details, date of birth, and nationality. MySky transmits this data to the Aircraft Operator but does not use it for its own operational purposes. | Directly from you, your representative, or the Aircraft Operator's systems via API integration. |
| Payment & Financial Data | Bank account details, payment card information, transaction history. We do not store full payment card details on our systems. We may share limited billing, tax, fraud-screening, and reconciliation data with payment and financial service providers. | Directly from you; Payment Processors. |
| Identity Verification Data | Copies of passport, national ID card, or utility bill. This data is processed exclusively for compliance with anti-money laundering (AML) regulations, fraud prevention, sanctions screening, and facilitation of identity verification requested by Aircraft Operators. We may request identity verification documents only where necessary for legal compliance, fraud prevention, security, or contractual performance. | Directly from you. |
| Technical & Usage Data | IP address, device type, operating system, browser type, unique device identifiers, crash logs, pages visited, time spent on pages. Usage Data may also be used for security, service integrity, abuse prevention, troubleshooting, and service improvement. | Automatically via the Application and Website. |
| Location Data | Precise geolocation data from your mobile device. This data is only collected with your explicit, prior permission via the device operating system prompt and is used exclusively for Platform features such as flight tracking display, expense logging functionality, and Estimated Time of Arrival calculations provided as a software service. Disability of location may limit core Service functionality. | Mobile Device (with permission). |
5. Purposes and Legal Bases for Processing
We process your personal data only for the specific purposes and on the lawful bases detailed below. We do not use your data for any incompatible "other purposes" without prior notice. We rely primarily on the following legal bases, and we document legitimate interest assessments internally where required and balance them against Your rights.
| Purpose of Processing | Categories of Data | Legal Basis (GDPR) | Legal Justification (Swiss FADP) |
|---|---|---|---|
| Performance of Platform Services Agreement | Account, Booking Facilitation, Payment, Identity Verification. | Art. 6(1)(b) GDPR (Contract). | Fulfillment of contractual obligations and pre-contractual measures (FADP Art. 31). |
| Facilitation of Aviation Security & Border Control Compliance (as Data Processor) | Booking Facilitation, Identity Verification. | Art. 6(1)(c) GDPR (Legal Obligation) on the Aircraft Operator, fulfilled by MySky as Processor . | MySky acts as a data processor on behalf of the Aircraft Operator for this purpose. No independent controller legal basis is asserted. |
| Fraud Prevention & AML Compliance | Identity Verification, Payment, Technical. | Art. 6(1)(c) GDPR (Legal Obligation). | Compliance with Swiss Anti-Money Laundering Act (AMLA) and FINMA requirements (FADP Art. 31). |
| Service Operation & Security | Technical, Usage. | Art. 6(1)(f) GDPR (Legitimate Interest). | Legitimate interest of MySky SA as a Swiss software provider in ensuring network and information security, including alignment with industry best practices (FADP Art. 31). |
| Customer Support & Communication | Account, Booking Facilitation, Communication History. | Art. 6(1)(b) / (f) GDPR. | Contract performance and legitimate interest in client relations and operational continuity.* |
| Service Improvement & Analytics | Anonymized or Aggregated Usage Data only. | N/A (Anonymized Data). | We do not use identifiable personal data for analytics without consent. |
| Marketing & Newsletters (Existing Clients) | Account, Email. | Art. 6(1)(f) GDPR (Legitimate Interest). | Legitimate interest in direct marketing for similar services (with opt-out right per FADP Art. 30). |
| Targeted Advertising & Profiling | Usage, Location, Cookies. | Art. 6(1)(a) GDPR (Consent). | Explicit Consent (FADP Art. 6). We do not engage in high-risk profiling without explicit consent. |
7. Disclosure of Personal Data
We may disclose your personal data to the following categories of recipients, strictly on a need-to-know basis and subject to appropriate confidentiality and data processing agreements:
| Recipient Category | Purpose of Disclosure | Legal Basis for Transfer |
|---|---|---|
| Service Providers (Processors) | IT hosting (AWS), payment processing (Nuvei, Apple), communication tools (Slack), business aviation network services (Avinode). | Data Processing Agreements (DPA) incorporating EU SCCs with Swiss Addendum or Swiss-U.S. DPF certification. Service Providers are bound by written terms and may only process Personal Data on Our documented instructions. |
| Aircraft Operators and Charter Brokers | Transmission of booking requests, passenger information, and special requests necessary for the Passenger to enter into a Carriage Agreement with the selected Aircraft Operator. | Necessary for the performance of the Platform Services Agreement and at the direction of the Passenger. |
| Government & Border Authorities (through Aircraft Operators) | MySky does not disclose Personal Data directly to government or border authorities for PNR/API purposes. Any such disclosure is made by the Aircraft Operator as the data controller. MySky may be required to respond to lawful requests from Swiss law enforcement or supervisory authorities. | Legal Obligation on MySky as a Swiss company. |
| Professional Advisors | Auditors, legal counsel, insurance brokers. | Legitimate Interest / Legal Obligation. |
| Business Transfers | Potential buyers or investors in the event of a merger, acquisition, or asset sale. | Legitimate interest in corporate restructuring to ensure service continuity, subject to confidentiality. We may do so without prior notice where permitted by law or where advance notice is not reasonably practicable. |
We do not "sell" your personal information as that term is defined under the California Consumer Privacy Act (CCPA) or any similar state law. We may disclose Personal Data to Aircraft Operators, payment processors, and other service providers as necessary to provide the Platform services. We may also disclose Personal Data to aviation, security, border, customs, law enforcement, airport, ground-handling, catering, maintenance, or other operational partners where necessary to deliver the Service, comply with law, protect safety, prevent fraud, or meet regulatory obligations.
8. International Data Transfers
Your personal data is primarily processed in Switzerland and the European Economic Area (EEA). However, as a software provider with global customers and service providers , we may transfer data to third countries, including the United States, the United Kingdom, and other jurisdictions where our Service Providers or the Aircraft Operators selected by Passengers are located.
When transferring personal data to countries without an adequacy decision by the Swiss Federal Council or the European Commission, we rely on the following appropriate safeguards:
- United States: Transfers to certified U.S. organizations are based on the Swiss-U.S. Data Privacy Framework (effective September 15, 2024) or the EU-U.S. Data Privacy Framework. For transfers to non-certified U.S. entities, or as a contractual fallback, we utilize the European Commission's Standard Contractual Clauses (SCCs) supplemented by the Swiss Addendum as mandated by the Federal Data Protection and Information Commissioner (FDPIC).
- Other Non-Adequate Countries (e.g., UAE, Saudi Arabia, China): We implement the EU Standard Contractual Clauses (2021) with the Swiss Addendum and conduct a documented Transfer Impact Assessment (TIA) to ensure that local laws do not impinge on the effectiveness of these safeguards.
- Brazil: Pursuant to the Swiss-Brazil mutual adequacy decision effective January 2026, transfers to Brazilian service providers do not require additional safeguards.
You acknowledge that some third-party service providers and Aircraft Operators may be located in jurisdictions with different data protection standards, and that access, disclosure, or storage in such jurisdictions may be necessary for service delivery, support, or connection to aviation services, or compliance. For further details on the specific safeguards applied to your data, please contact privacy@mysky.com.
9. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy or to comply with legal retention obligations. We apply the following specific retention criteria, and we may also retain records to establish, exercise, or defend legal claims:
| Data Category | Retention Period / Criteria | Legal Basis for Retention |
|---|---|---|
| Booking Facilitation & Platform Usage Records | 10 years (or as required for accounting and tax purposes under Swiss law). | Swiss Code of Obligations (Art. 958f) / Accounting Records. |
| Identity Verification (Passport Copy) | Duration of the business relationship plus 5 years (or longer if required by AMLA/FINMA). | Anti-Money Laundering Due Diligence. |
| Payment Transaction Data | 10 years | Financial Audit Requirements. |
| Marketing Consents | Until consent is withdrawn. | Consent Management. |
| Usage Data / Logs | 12 months (unless required longer for security incident investigation or compliance purposes). | Legitimate Interest / Security / Industry Best Practice |
11. Data Breach Notification
In the event of a personal data breach, We will assess the risk to Your rights and freedoms. We will notify the relevant supervisory authority (FDPIC in Switzerland) and affected data subjects where required by applicable law and where the breach is likely to result in a high risk. Notification may be delayed or limited where necessary for security or law enforcement investigations. We maintain an internal breach response plan consistent with applicable data protection requirements
12. Security of Your Personal Data
We implement appropriate technical and organizational measures (TOMs) designed to ensure a level of security appropriate to the risk, consistent with industry standards for software providers. These measures include encryption of data in transit (TLS 1.3) and at rest (AES-256), access controls, role-based permissions, regular vulnerability scanning, logging, backup procedures, and employee data protection training. We require our service providers to maintain equivalent security standards through binding contractual agreements.
However, no method of transmission over the Internet, or electronic storage method is 100% secure. By using the Service, You acknowledge this inherent risk, particularly in the context of digital platform services, and that transmission and storage of information necessarily involve residual risk.
17. Contact Us
MySky SA
Rue du Lion-d'Or 1
1003 Lausanne
Switzerland
Email: privacy@mysky.com
Supervisory Authority (Switzerland): Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland (www.edoeb.admin.ch).
Additional Compliance Note: As a Swiss software provider, We maintain records of processing activities (ROPA), conduct Data Protection Impact Assessments for high-risk processing (e.g., App location data or profiling), and rely on Swiss-U.S. DPF/EU-U.S. DPF for certified U.S. providers, adequacy decisions, and SCCs with Swiss Addendum as needed. MySky acts solely as a data controller for Platform-related data and as a data processor on behalf of Aircraft Operators for PNR/API and certain booking data. Detailed information on retention criteria, transfer safeguards, and third-party recipients is available upon justified request to privacy@mysky.com.