Data protection
GDPR Compliance
DroneBundle holds the operational record of your business: your flight logs, your pilots, your risk assessments, your clients. Protecting that data the way you protect your operations is part of how we build the product.
This page explains how we meet the EU General Data Protection Regulation (GDPR): the data we handle, how we keep it safe, the rights you can exercise, and the third parties that help us run the service. If anything here is unanswered, email privacy@dronebundle.com.
Last updated: June 6, 2026
What we handle
The data inside DroneBundle
We collect what an operation needs to run, and not more. Here is the personal data that can pass through the platform.
Account and workspace
Your name, email, organization, and subscription details, plus the settings for your workspace and team.
Pilots and team
Pilot profiles, certifications and their expiry dates, and the role each person holds in your operation.
Flights and operations
Flight plans and missions, flight logs and telemetry, flight paths, and the locations and airspace authorizations tied to each job.
Safety and compliance records
Risk assessments, incident reports, audit checklists, and the version history of the documents you upload.
Clients and billing
Client and company contacts, your deal pipeline, and invoices.
Usage data
Basic information about how the platform is used, including the device and browser you use to reach it.
How we keep it safe
Security and data protection by design
Data protection is considered from the moment we start building a feature, in line with the principle of data protection by design and by default.
Encrypted everywhere. Your data is encrypted in transit and at rest, consistent with the security expectations in Article 32.
Hosted in the EU. We run on Amazon Web Services in a European region, with content delivery and network protection in front of it.
Access on a need-to-know basis. Only team members who need access to operate the service or support you can reach your data, and that access is controlled.
We never sell your data. DroneBundle does not sell personal data to anyone.
A clear path for incidents. If a breach is likely to put data at risk, we can notify the relevant authority within 72 hours and inform the people affected without undue delay.
Your rights
Your rights, made practical
The GDPR gives you rights over your personal data. Because DroneBundle keeps your records in one place rather than scattered across spreadsheets, most of them are straightforward to act on.
Access. Ask us what personal data we hold about you and we will provide it.
Portability. Export a complete project or your records in a structured, machine-readable format whenever you need them.
Correction. Update pilot, flight, and client records directly in the platform, or ask us to help.
Erasure. Ask us to delete your personal data. It is removed from the live service and purged from backups on their normal cycle.
Restriction and objection. Ask us to pause or stop a particular use of your data.
Automated decisions. We do not make decisions about you by purely automated means that would have a legal or similarly significant effect.
To exercise any of these, email privacy@dronebundle.com. We respond within the timeframe the regulation requires, normally within one month.
Our commitments
How we meet the GDPR
Alongside security and your rights, we hold ourselves to the regulation's requirements for lawful processing and accountability. The references point to the relevant articles so you can check our approach against the law itself.
A documented lawful basis for every activity. We do not process personal data without a valid reason, and each activity is mapped to a basis under Article 6.
A record of how we process data. We keep an up-to-date inventory of what we process, why, who can access it, and how long we keep it, as described in Article 30.
Plain-language transparency. Our Privacy Policy explains what we collect and why, in clear terms and at the point we collect it, in line with Article 12.
Named accountability. Data protection is owned by named people inside DroneBundle, not left to chance.
Agreements with our vendors. We put data processing agreements in place with the vendors that handle data for us, and we provide our own Data Processing Agreement to customers on request.
Representation where required. Where the regulation calls for it, we appoint an EU representative and a Data Protection Officer.
Who we work with
Subprocessors
To run DroneBundle we rely on two third parties that process personal data within the product. Each is bound by a data processing agreement, and we update this list as the service evolves.
Amazon Web Services
European UnionHosting, content delivery, and network security for the application and your operational data.
Stripe
United StatesProcessing subscription payments and billing.
Separately, our marketing website uses a few lightweight analytics tools, such as Plausible and Google Analytics, to understand how visitors find and use it. These handle website usage data rather than the operational data in your account. Our Privacy Policy covers how that works.
Questions
Frequently asked questions
Is DroneBundle a controller or a processor?
It depends on the data. For your account and the people you invite to your workspace, we act as the data controller. For the operational data you put into the platform about your own clients and contacts, we act as a processor on your behalf, under our Data Processing Agreement.
Where is my data stored?
Your operational data is hosted on Amazon Web Services in a European region. Payments are processed by Stripe in the United States, as noted in the Subprocessors section above.
Is personal data ever transferred outside the EU?
Some of our subprocessors operate outside the EU. Where data is transferred, we rely on appropriate safeguards, such as the European Commission's standard contractual clauses, to protect it.
Can I export my data?
Yes. You can export a complete project, or your records, in a structured format at any time, so you can move your data elsewhere or keep your own copy.
How long do you keep flight and operational data?
We keep operational records like flight logs only as long as your operation needs them or the relevant regulations require, then we delete or anonymize them. Some flight and safety records may be held longer where aviation or audit obligations call for it.
What happens to my data if I stop using DroneBundle?
When your agreement ends, we return or delete the personal data we processed on your behalf, according to your instructions and our retention obligations.
Is my data permanently removed when I delete it?
When you delete data it is removed from the live service. Copies may remain briefly in encrypted backups until those backups age out on their normal schedule, after which the data is gone for good.
How will I hear about a data breach?
If a breach is likely to put your data at risk, we notify the relevant supervisory authority within 72 hours and inform affected people without undue delay, unless the data was protected in a way that removes the risk, such as strong encryption.
Do you encrypt my data?
Yes. Personal data is encrypted both in transit and at rest.
Do I need consent to collect someone's personal data?
Consent is good practice, and some laws require it before you collect personal data from certain people, such as those in the EU. Consent is only one of several lawful bases under the GDPR, though. Others include processing that is necessary to perform a contract or to meet a legal obligation. The full set is in Article 6 of the regulation.
This page is provided to help you understand our approach to the GDPR. It is not legal advice. For questions about your own compliance obligations, please speak to your compliance team or a qualified privacy professional.
Contact
Talk to us about your data
For any question about this page, your privacy rights, or our data practices, or to request a signed Data Processing Agreement, contact us at privacy@dronebundle.com.