Privacy Policy
Last updated: 2026-06
Version: 2026-06
1. Introduction
This Privacy Policy describes how topsky.app ("we," "us," "our," or "Service") collects, uses, protects, and discloses your personal data when you use our website and desktop application, including through any mobile applications, features, or content (collectively, "Service").
Please read this policy carefully. By accessing or using topsky.app, you acknowledge that you have read and understood this Privacy Policy and agree to the processing of your personal data as described herein.
2. Data Controller & Contact Information
2.1 Controller Identity
The data controller responsible for your personal data is:
TopSky is a trading name of Mariusz Laszewski, trading as Zatto Dev
United Kingdom
2.2 Data Protection Officer
Not appointed (exemption applies under UK GDPR for small organisations processing limited personal data).
2.3 Contact for Privacy Questions
For any privacy-related inquiries, requests to exercise your rights (Section 8), or to lodge a complaint, contact:
Email: kontakt@top-sky.eu
3. Categories of Personal Data We Collect
We collect the following categories of personal data:
3.1 Account Registration & Authentication
- Username (required)
- Email address (required)
- Password hash (bcrypt-salted, never stored in plaintext)
- Email verification status and timestamp
- Account creation date and last login timestamp
3.2 Profile Information
- Avatar (image file uploaded by you to cloud storage)
- Bio (freeform text, up to 300 characters)
- Roles and permissions (e.g., creator, moderator, admin)
3.3 Activity & Interaction Data
- Download history (which projects/versions you download)
- Ratings and reviews (projects you rate and score given)
- Bug reports (issues you report on projects, including title, description, and any attached images)
- Comments on bug reports (text and metadata)
- Review messages (feedback and messages you send)
- Notifications (in-app alerts; retained for 90 days)
3.4 Technical & Security Data
- IP address (masked: IPv4 last octet zeroed; IPv6 /64 prefix only; used for authentication logging, rate limiting, and abuse prevention)
- Session identifiers (NextAuth JWT tokens)
- Desktop application authentication tokens (if using the desktop app)
- User-Agent and device information (desktop app only, limited to OS family + app version)
3.5 Communication Data
- Email addresses of users with whom you communicate
- Verification and password-reset tokens (hashed before storage)
4. Legal Basis & Purposes for Processing
We process your personal data only on one or more of the following legal bases:
4.1 Contract (Article 6(1)(b) GDPR)
Purpose: To perform our contract with you and provide the Service.
Data processed:
- Account credentials (username, email, password hash)
- Profile information (avatar, bio, roles)
- Activity data (downloads, ratings, bug reports, comments)
- Session tokens
Retention: Until account deletion; inactive accounts retained for service continuity.
4.2 Legitimate Interests (Article 6(1)(f) UK GDPR)
Purpose: To protect the security and integrity of our Service, prevent abuse, and enforce our Terms of Service.
Data processed:
- IP addresses (masked)
- Event logs (authentication, rate limiting)
- Blocked user records
Legitimate interest: Preventing fraud, unauthorized access, spam, and service abuse; investigating security incidents; maintaining audit trails for compliance.
Balancing test: Your privacy interest in not having IP-derived data logged is outweighed by the necessity of preventing abuse and protecting the service for all users.
Retention: IP logs retained in real-time monitoring (no archival); masked IPs in structured logs retained for 30 days.
4.3 Consent (Article 6(1)(a) UK GDPR)
Purpose: For optional features and communications beyond contract performance.
Data processed: To be confirmed based on future opt-in features (e.g., marketing emails, feature announcements).
Your rights: You can withdraw consent at any time via your account settings or by contacting us.
5. Recipients & Sub-Processors
We may share your personal data with the following third parties (sub-processors), who process it on our behalf under Data Processing Agreements:
5.1 Cloud & Infrastructure Providers
| Sub-Processor | Purpose | Data Categories | Location | Agreement |
|---|---|---|---|---|
| MongoDB Atlas | Database hosting & storage | All user data (accounts, activity, profiles) | [confirm EU/UK region] | DPA confirmed; Standard Contractual Clauses (SCC) |
| Cloudflare R2 | Cloud storage for avatars & project images | Avatar files, project thumbnails | EU-auto (multi-region) | DPA confirmed – https://www.cloudflare.com/en-gb/gdpr/ |
| Vercel | Web application hosting, CDN, serverless compute | Session tokens, request metadata | fra1 (Frankfurt, EU) | DPA confirmed – https://vercel.com/legal/dpa |
5.2 Communication Services
| Sub-Processor | Purpose | Data Categories | Location | Agreement |
|---|---|---|---|---|
| Resend, Inc. | Email delivery (account verification, password resets, notifications) | Email address, verification tokens | United States | DPA confirmed – https://resend.com/legal/dpa |
Transfer mechanism: Standard Contractual Clauses (SCC) + UK Addendum; transfers justified by Article 49 GDPR (necessary for contract performance)
5.3 Security & Verification Services
| Sub-Processor | Purpose | Data Categories | Location | Agreement |
|---|---|---|---|---|
| Cloudflare Turnstile | CAPTCHA for abuse prevention (registration, account recovery) | IP address, browser fingerprinting signals | Multiple (Cloudflare global) | DPA confirmed – https://www.cloudflare.com/en-gb/gdpr/ |
5.4 Backup & Disaster Recovery
| Sub-Processor | Purpose | Data Categories | Location | Agreement |
|---|---|---|---|---|
| Self-hosted MinIO | Database backups (daily encrypted dumps) | Full database (including encrypted user data) | [confirm location + at-rest encryption] | Internal – AES-256 at rest (confirm config) |
5.5 No Third-Party Analytics
topsky.app does not use Google Analytics, Plausible, or other third-party analytics platforms. We do not track your behavior for marketing purposes.
6. International Data Transfers
6.1 UK/EU Processing
The majority of your data is processed within the United Kingdom or European Union on servers located in the EU (MongoDB Atlas EU region, Vercel fra1, Cloudflare R2 EU jurisdiction).
6.2 Transfers to the United States
Resend, Inc. is a US-based email service provider. Transfers of email addresses to Resend are justified by Standard Contractual Clauses (SCC) and UK Addendum, supplemented by Article 49 UK GDPR (necessary for contract performance).
Supplementary safeguards: Encryption in transit (HTTPS/TLS), contractual audit rights, and standard data protection provisions in SCC.
6.3 Your Rights Regarding Transfers
You have the right to request further information about international transfers and the mechanisms in place to protect your data. Contact kontakt@top-sky.eu with details.
7. Data Retention
We apply the following retention periods:
| Data Category | Retention Period | Justification |
|---|---|---|
| Unverified accounts (no email confirmation) | 7 days (automatic deletion) | UK GDPR Art. 5(1)(e) (storage limitation); TTL index on MongoDB |
| User account & profile | Until deletion by user or account suspension | Contract duration |
| Download history | Indefinite (while account exists) | Business requirement (user activity history) |
| Ratings & reviews | Indefinite (while account exists) | Business requirement (platform integrity & creator history) |
| Bug reports & comments | Indefinite (while account exists) | Business requirement (project history & creator reputation) |
| Notifications | 90 days (automatic deletion) | UK GDPR Art. 5(1)(e) (storage limitation) |
| IP addresses in logs | 30 days (then deleted) | Abuse prevention, audit trail |
| Password reset & email verification tokens | 24 hours from creation (auto-expire) | Security (token expiry) |
| Desktop application tokens | 37 days from creation (automatic deletion) | Session management best practice |
| Database backups (MinIO) | [confirm location + at-rest encryption] | Disaster recovery; lifecycle rule enforced |
8. Your Data Subject Rights
Under GDPR and equivalent data protection laws, you have the following rights:
8.1 Right of Access (Article 15 UK GDPR)
What: You can request a copy of all personal data we hold about you.
How: Click the "Download My Data" button in your account settings (Account page) or contact kontakt@top-sky.eu.
Format: JSON file containing your profile, download history, ratings, bug reports, and notifications.
Timeframe: Within 30 calendar days of the request (or longer if technically complex).
8.2 Right to Rectification (Article 16 UK GDPR)
What: You can request correction of inaccurate or incomplete data.
How: Update your username, email, avatar, or bio directly in your account settings. For other corrections, contact kontakt@top-sky.eu.
Timeframe: Processed without undue delay.
8.3 Right to Erasure ("Right to be Forgotten") (Article 17 UK GDPR)
What: You can request deletion of your personal data, except where we have a legal obligation to retain it.
How: Click the "Delete Account" button in your account settings → confirm with your password. This triggers:
- Immediate deletion of your user profile, account credentials, avatar, and session data
- Cascade deletion of associated data (bug reports, comments, ratings, downloads, notifications, desktop tokens)
- Removal of your avatar file from cloud storage
Exceptions: We may retain anonymized data necessary for legal compliance or fraud prevention; we do not retain personal creator/moderator attribution after account deletion.
Timeframe: Processed without undue delay (within 30 days).
Note: This action is irreversible. Data in database backups (MinIO) will be deleted according to backup retention policy [confirm location + lifecycle rule].
8.4 Right to Restrict Processing (Article 18 UK GDPR)
What: You can restrict processing of your data while a complaint or correction is under investigation.
How: Contact kontakt@top-sky.eu with details of your restriction request.
Effect: We will cease processing except for storage and where necessary to establish, exercise, or defend legal claims.
8.5 Right to Data Portability (Article 20 UK GDPR)
What: You can obtain your data in a portable, machine-readable format and transmit it to another service.
How: Click the "Download My Data" button in your account settings (Account page). You receive a JSON file.
Format: Structured JSON containing profile, downloads, ratings, and bug reports.
Rate limit: Maximum 3 exports per hour per user (abuse prevention).
8.6 Right to Object (Article 21 UK GDPR)
What: You can object to processing based on legitimate interests.
How: Contact kontakt@top-sky.eu with your objection. We will cease processing unless we can demonstrate compelling legitimate interests or legal obligations.
8.7 Right to Lodge a Complaint (Article 77 UK GDPR)
What: If you believe we are violating your privacy rights, you have the right to file a complaint with the UK Data Protection Authority.
How: Contact the Information Commissioner's Office (ICO):
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
Website: https://ico.org.uk
Phone: 0303 123 1113 (local rate)
Email: casework@ico.org.uk
9. Security Measures
We implement the following technical and organizational measures to protect your personal data:
9.1 Encryption
- In transit: HTTPS/TLS 1.2+ for all data transmission
- At rest:
- Password hashes: bcrypt (salted, never reversible)
- Database: MongoDB Atlas encryption at rest (standard)
- Backups: AES-256 at rest (confirm config on MinIO)
9.2 Access Controls
- Role-based access control (RBAC): Only authorized staff (admin, creator, moderator) can access relevant data
- Authentication: Username/password + optional 2FA
- API rate limiting: Per-user and per-IP rate limits to prevent abuse
9.3 Monitoring & Logging
- Audit logs: Authentication events logged with masked IPs
- Intrusion detection: Standard abuse prevention via rate limiting and IP masking
9.4 Data Minimization
- We collect only data necessary to provide the Service
- Simulator file paths (MSFS2020Path, MSFS2024Path) are deprecated and not transmitted via API
- Tokens are hashed before storage
10. Cookies & Tracking
10.1 Cookies Used
topsky.app uses strictly necessary cookies only:
| Cookie Name | Purpose | Lifetime | Consent Required |
|---|---|---|---|
__Secure-next-auth.session-token | NextAuth session token (authentication) | 7 days or until logout | No (necessary for service function) |
__Secure-next-auth.callback-url | NextAuth redirect URL (security) | Session | No (necessary for service function) |
10.2 Third-Party Cookies
- Cloudflare Turnstile may set cookies for CAPTCHA verification (security)
See Cloudflare Cookie Policy
10.3 Cookie Notice
Although strictly necessary cookies do not require consent under ePrivacy law, we provide this notice as transparency. You can control cookies via your browser settings, but disabling necessary cookies will impair the Service's functionality.
10.4 No Analytics Cookies
We do not use Google Analytics, Plausible, or third-party analytics platforms.
11. Children's Privacy
topsky.app is not intended for children under 13 years of age (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that a child has provided personal data, we will take steps to delete such data and terminate the child's account. Contact [privacy email] if you are aware of unauthorized use by a minor.
12. California & Other Jurisdictions
12.1 California Consumer Privacy Act (CCPA)
If you are a California resident, you have additional rights under the CCPA:
- Right to know what personal data is collected, used, shared, or sold
- Right to delete personal data
- Right to opt out of the "sale" of personal data
- Right to non-discrimination for exercising your rights
topsky.app does not sell personal data. To exercise CCPA rights, contact [privacy email].
12.2 Other Jurisdictions
This Privacy Policy applies to all users regardless of location. Where your local law provides stronger protections, those protections prevail.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated policy here with a new "Last updated" date
- Continued use of topsky.app after posting updates constitutes acceptance of the revised Privacy Policy
14. Compliance Framework
This Privacy Policy is designed to comply with:
- UK GDPR (General Data Protection Regulation, as retained in UK law)
- Data Protection Act 2018 (UK primary data protection statute)
- Privacy and Electronic Communications Regulations 2003 (ePrivacy)
- CCPA (California Consumer Privacy Act, if applicable to users)
15. Data Processing Agreement (DPA)
For B2B customers or those who need a formal Data Processing Agreement, contact [privacy email]. We maintain DPAs with all sub-processors as required by Article 28 GDPR.
16. Questions & Contact
For questions, requests, or complaints regarding this Privacy Policy or your personal data:
Email: kontakt@top-sky.eu
We aim to respond to all inquiries within 15 business days. For formal complaints, you may also contact the Information Commissioner's Office (Section 8.7).
End of Privacy Policy