How we protect your data

Security

Last updated April 19, 2026

AeroLog holds pilot logbooks, endorsements, medical dates, and files — records you'd hand to the FAA on a checkride. We take protecting them seriously.

Authentication

  • Google Firebase Authentication with support for email/password and Google sign-in.
  • Passwords are never stored by AeroLog — Firebase handles hashing with industry-standard algorithms.
  • Email verification is required before public or org-shared features unlock.

Encryption

  • All traffic is HTTPS/TLS 1.3 end-to-end.
  • Data at rest in Firestore and Cloud Storage is encrypted by Google using AES-256.
  • Third-party API keys (Firebase Admin, PayPal, weather, AI study chat) are kept server-side only — never shipped to the browser.

Access controls

  • Firestore security rules enforce that each user can only read and write their own logbook documents.
  • Organization data is gated by explicit membership — an org admin grants access via the Org page.
  • AeroLog employees do not access user data except when debugging a support ticket you opened, and only with your permission.

Infrastructure

  • Web app hosted on Vercel with automatic TLS certificate rotation.
  • Database and file storage on Google Cloud (Firebase) with multi-region replication.
  • No self-hosted servers — no patching drift, no forgotten keys.

Backups

  • Firestore daily exports retained 30 days.
  • Cloud Storage versioning on — deleted files recoverable for 14 days.
  • Backups are encrypted and stored in a separate region from production.

Payments

  • AeroLog never sees your card number. PayPal is the PCI-DSS-certified processor for every transaction.
  • We store only a subscription reference ID and the plan metadata.

Incident response

  • If we detect a breach affecting user data, we notify affected users within 72 hours, per GDPR standards.
  • Status page and incident reports published at aerolog-status.instatus.com.

Responsible disclosure

Found a security issue? Email team@aerolog.us. We acknowledge within 48 hours, patch critical issues within 7 days, and publicly credit researchers who report in good faith.

What you can do

  • Use a unique, strong password — or sign in with Google.
  • Never share your verification links. AeroLog will never ask for your password by email.
  • Keep your browser up to date.