Last updated: May 2026
I'm Safe SMS, LLC, an Arizona limited liability company ("we," "us," "our") provides the I'm Safe SMS aviation safety management platform (the "Service") to flight schools and air operators. This Privacy Policy explains what personal information we collect, how we use it, and the choices you have. It applies to our marketing website at imsafesms.com and to the Service.
We process personal information in two different capacities, and the distinction matters for your rights:
This Policy covers data we hold in either capacity, but the rights you can exercise directly against us depend on the role we play with respect to a given data set.
We collect only what we need to operate the Service. Categories of personal information (using the framework of the California Consumer Privacy Act, as amended) include:
| Category | Examples | Do we collect? |
|---|---|---|
| Identifiers | Name, email address, phone number, organization name, user account ID, IP address | Yes |
| Customer records | School/operator name, role at the organization, certifications entered into the portal | Yes |
| Commercial information | Subscription tier, billing history (when applicable) | Yes (paid plans only) |
| Internet / network activity | Pages visited, session events, referrer, browser and device type, approximate location derived from IP | Yes |
| Professional or employment-related | Job role within the school, certificate numbers if the school chooses to enter them, training records the school enters | Yes (entered by school) |
| Geolocation (precise) | GPS-level location | No |
| Biometric, genetic, or health information | — | No |
| Government identifiers (SSN, driver's license, etc.) | — | No |
| Financial account numbers | — | No (payment processors hold these directly) |
| Race, religion, sexual orientation, union membership, immigration status | — | No |
| Inferences for advertising or profiling | — | No |
We obtain personal information from:
We use personal information only for the following purposes:
We do not: sell personal information; share personal information for cross-context behavioral advertising; use Customer Data to train artificial-intelligence models other than features that operate solely on Customer's own data for Customer's own benefit; or profile individuals for advertising purposes.
Where the EU General Data Protection Regulation, the UK GDPR, or analogous laws apply, we rely on the following legal bases:
The portal is a multi-tenant platform. Each Customer organization is assigned its own isolated data environment. A Customer's records — including FRAT submissions, safety reports, ASAP reports, training records, surveys, and documents — are accessible only to authenticated Users within that same organization. Users from other organizations cannot access your data, and your Users cannot access data belonging to other organizations. This isolation is enforced at the database level through row-level security policies and authentication tokens.
Our administrative access to individual Customer data is limited, auditable, and used only when necessary to provide support, troubleshoot technical issues, investigate security incidents, or comply with legal obligations. We do not routinely access or review operational safety records.
To support aviation safety accountability and Safety Management System principles, the portal automatically records an activity log for every registered User. This logging is a core feature of the Service and cannot be disabled.
The following actions are logged: account login and logout; Flight Risk Assessment Tool (FRAT) submissions and approval decisions; safety bulletin publications, acknowledgments, and deletions; safety report and ASAP report submissions and status changes; training record additions; document uploads and deletions; and other material portal actions.
Each entry records the action taken, the User's name and role, a timestamp in UTC, and relevant metadata (for example, aircraft identifier, risk score, or report category). Log entries do not record the full content of reports or FRAT submissions — only the action and summary context.
Access to activity logs is restricted to management-level Users within the same organization. Individual instructors, pilots, and students cannot view the organization's full activity log. We do not routinely review individual organizations' activity logs; access by our personnel is limited to support, security, and legal purposes as described in Section 6.
Activity logs are retained for the duration of the Customer's account and for a reasonable period thereafter, consistent with Section 11 and the Customer's safety-recordkeeping needs.
We share personal information only as needed to operate the Service. The current sub-processors that handle personal information on our behalf are:
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase, Inc. | Database, authentication, and file storage for the portal | United States |
| Cloudflare, Inc. | Website hosting (Cloudflare Pages), DNS, edge network, denial-of-service protection | Global edge network |
| Resend, Inc. | Transactional email delivery (magic-link sign-in, account notifications) | United States |
Each sub-processor handles data under its own terms and privacy practices, and we select sub-processors that maintain industry-standard security controls. Their privacy policies are available at supabase.com/privacy, cloudflare.com/privacypolicy, and resend.com/legal/privacy-policy.
We may add or change sub-processors as the Service evolves. We will update this list, and where required by law, we will provide reasonable advance notice to Customers of material sub-processor changes.
We do not sell, rent, trade, or otherwise commercialize personal information. We may disclose information when (a) required by law, subpoena, court order, or other legal process; (b) necessary to protect the rights, property, or safety of us, our users, or others; (c) in connection with a merger, acquisition, financing, or sale of assets, in which case the acquiring entity will be bound by this Policy or a substantially equivalent policy; or (d) with your consent. Where lawfully permitted, we will make reasonable efforts to notify affected Customers of compelled disclosures.
The Service is operated from the United States, and our primary data storage and processing occurs in the United States. If you access the Service from outside the United States, you understand that your personal information will be transferred to, stored in, and processed in the United States, which may have data-protection laws that differ from those of your home jurisdiction. By using the Service, you consent to such transfer to the extent permitted by applicable law. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses or equivalent mechanisms).
We use cookies and similar technologies only where they are strictly necessary to operate the Service — for example, to maintain authenticated sessions and remember portal preferences. We do not use third-party advertising cookies, do not participate in any cross-site advertising network, and do not currently use third-party behavioral analytics. If we add analytics in the future, we will update this Policy and use a privacy-respecting tool that does not enable cross-site profiling.
You may disable cookies in your browser settings, but parts of the Service (especially authenticated portal access) will not function without them. We honor Global Privacy Control signals where applicable.
We retain personal information only as long as needed for the purposes described in this Policy. Indicative retention periods:
Customers may request earlier deletion of Customer Data by contacting us at info@imsafesms.com; we will comply unless retention is required by law. Deletion may affect a Customer's ability to demonstrate historical compliance activity.
We implement reasonable technical and organizational measures to protect personal information from unauthorized access, disclosure, alteration, or destruction. These include encrypted data transmission (HTTPS/TLS), database-level row-level security, token-based authentication, sub-processors with industry-standard security practices, and access controls on administrative tooling. However, no method of transmission over the internet or method of electronic storage is 100% secure, and we cannot guarantee absolute security.
In the event of a confirmed personal-data breach affecting your information, we will notify you and any required authorities without undue delay, in accordance with applicable law. Where we act as a processor for Customer Data, we will notify the relevant Customer (controller) so that the Customer can fulfill its own notification obligations to data subjects and regulators.
Subject to applicable law and the controller/processor distinction described in Section 1, you have the right to:
To exercise these rights, email info@imsafesms.com with the subject “Privacy Request.” We will respond within 45 days (or sooner where required by law). We may need to verify your identity before fulfilling a request. If you are an end user whose data appears in the portal because a school added it, please direct your request to your school's administrator first — your school controls that data; we will assist them in fulfilling the request.
We will not retaliate against, or deny equivalent goods or services to, anyone who exercises a privacy right.
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
The categories of personal information we have collected in the preceding twelve months, and the categories of recipients, are summarized in Sections 2 and 8 of this Policy. We collect personal information for the business and commercial purposes described in Section 4. We do not knowingly collect personal information from individuals under 18 (see Section 16).
Submit a verifiable request to info@imsafesms.com with the subject “California Privacy Request.” We will verify your identity using account information or other reasonable means. You may use an authorized agent if you provide written permission and proof of identity. We will respond within the timeframes required by California law (generally 45 days, extendable by an additional 45 days where reasonably necessary).
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights set out in Section 13 above, plus the right to lodge a complaint with the supervisory authority in the country of your residence, place of work, or alleged infringement. The data controller for marketing-website data is I'm Safe SMS, LLC. Where we process personal information about you as a processor on behalf of a Customer, the Customer is the controller, and your rights should generally be exercised against the Customer. We do not currently have an EU or UK representative; if you are an EEA or UK data subject, please email info@imsafesms.com and we will assist directly.
The Service is restricted to individuals who are at least 18 years of age. The Service is not directed to, and we do not knowingly collect personal information from, anyone under 18. Customers are required to ensure that no User under 18 is granted access to the Service through their account.
If you believe a minor has provided us with personal information, please contact us at info@imsafesms.com and we will promptly delete the information and disable the account.
We do not share safety records, ASAP reports, incident reports, training records, or other operational data with the FAA, NTSB, DOT, or any other government authority unless compelled to do so by law, subpoena, or court order. Safety data submitted through the portal is not automatically forwarded to any regulatory body. Customers retain full control over what, if anything, they submit to regulatory authorities.
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice by email to account administrators or by an in-portal notice before the change takes effect. The “Last updated” date at the top of this Policy reflects the most recent version. Continued use of the Service after a revised Policy takes effect constitutes acceptance of the revised Policy. If you object to a material change, your remedy is to terminate your account before the change takes effect.
Questions about this Privacy Policy, or to exercise any of the rights described above, email info@imsafesms.com with the subject “Privacy.”
I'm Safe SMS, LLC · Arizona, United States · imsafesms.com