Deutsche Kraniche Virtual

Privacy Policy

Last updated: 7 March 2026

See also our Terms of Service.

The short version. We collect what we need to run the platform, we don't sell your data, and we don't track you on the marketing site.

EU representative. As a small, non-commercial project that does not process special category data at scale, we believe we are exempt from the requirement to designate an EU representative under Art. 27(2) GDPR. If you have questions about this, please contact us.

What we collect at registration. Name, email address, and a password (stored hashed, never in plaintext).

What we collect as you use the platform. Flight data, account preferences, and an optional avatar image.

What we collect automatically. IP address, browser, and device info — for security (login monitoring, abuse prevention) and session management. Every login, password change, and security event is logged with IP and user agent. Marketing pages are sessionless and collect nothing.

Why we process your data (legal basis).

  • Contract (Art. 6(1)(b) GDPR) — the data necessary to provide the service you signed up for.
  • Legitimate interest (Art. 6(1)(f) GDPR) — security logging (IP addresses, user agents), error monitoring, and abuse prevention. Our interest is keeping the platform secure and operational.
  • Consent (Art. 6(1)(a) GDPR) — optional avatar upload and third-party OAuth application connections. You can withdraw consent at any time (see "Your rights" below) without affecting the lawfulness of prior processing.

Cookies. Authenticated pages set encrypted session cookies. Marketing pages set no cookies. We don't use analytics, advertising, or third-party tracking cookies.

Who sees your data.

  • Other members can see your name and flight data on your profile.
  • Amazon Web Services (email sending) and Google (email receiving) process your email address when we send you notifications or you send us emails.
  • Cloudflare processes all request traffic (IP addresses, headers) as our CDN and security proxy.
  • Sentry receives IP addresses, user agents, request URLs, and error context for error monitoring and platform stability.
  • We don't sell, rent, or share your data with advertisers or data brokers.

Third-party applications. If you connect a third-party application to your account, it can access your data according to the permissions you granted. You can disconnect it from your account settings at any time.

Live tracking. During active flights, your position in the simulator may be visible to other members.

Passkeys and biometrics. If you use a passkey, biometric verification happens entirely on your device. We only store a cryptographic public key — never your fingerprint or biometric data.

Data retention.

  • Security logs (IP address, user agent) are retained for 90 days, then automatically deleted.
  • Your last login IP address is stored on your account and retained until you delete your account.
  • Session data is cleared within 120 minutes of logout or expiry.
  • Soft-deleted accounts are permanently deleted after 30 days.

Data export. You can export your personal data from your account settings. The export includes all data associated with your account.

Account deletion. You can delete your account from your account settings. Your account is soft-deleted (deactivated and hidden) and permanently removed after 30 days. Flight data is anonymized — stripped of all identifying information — and retained for aggregate platform statistics under our legitimate interest in maintaining operational data.

Security measures. We protect your data with encrypted connections (TLS), hashed passwords, two-factor authentication, security headers, and regular security monitoring.

Data breach notification. In the event of a personal data breach that poses a risk to your rights, we will notify the relevant authorities and inform you directly, in accordance with applicable law.

Do Not Track. We do not respond to Do Not Track browser signals because we do not engage in cross-site tracking. No third parties collect personal information about your online activities over time and across different websites through our platform.

Your rights. You have the right to:

  • Access your personal data and receive a copy (GDPR Art. 15).
  • Correct inaccurate personal data (GDPR Art. 16).
  • Delete your personal data (GDPR Art. 17).
  • Export your data in a portable format (GDPR Art. 20).
  • Restrict processing of your data in certain circumstances (GDPR Art. 18).
  • Object to processing based on legitimate interest (GDPR Art. 21).
  • Withdraw consent at any time for consent-based processing, without affecting the lawfulness of prior processing (GDPR Art. 7(3)).
  • Lodge a complaint with your local data protection authority.

You can exercise most of these from your account settings. For anything else, email privacy@dkvirtual.com.

Automated decision-making. We do not use automated decision-making or profiling that produces legal effects concerning you.

Where your data is stored. Your data is stored in the European Union. Some service providers may process data in the United States under applicable data privacy frameworks (including the EU-US, UK Extension, and Swiss-US Data Privacy Frameworks) or Standard Contractual Clauses.

Children. This platform is not intended for anyone under 16.

Changes. We'll notify you of significant changes via email or platform notification.

Questions? Email privacy@dkvirtual.com.