Privacy Policy

Hilo Aviation, Inc. ("Hilo," "we," "our," or "us") provides the Hilo Aviation Training Operating System (ATOS) and related modules and services (collectively, the "Services"). This Privacy Policy describes how we handle information collected through our website at hiloaviation.com and the Services.

When Hilo processes information about your students, staff, or operations under a customer agreement, your organization is the "controller" of that data and Hilo acts as a "processor." This policy explains Hilo's own practices; your organization's privacy notice governs what it collects from its users.

Account information. Name, work email, phone, organization, job title, and credentials needed to access the Services.

Training and operational data. Flight records, lesson progress, certifications, schedules, aircraft utilization, maintenance events, risk reports, and related operational inputs. We process this data under customer direction.

Usage data. Device information, IP address, browser, log data, feature usage, and performance telemetry.

Communications. Messages, support tickets, and feedback you send us.

Billing information. Collected and processed through our payment processors; Hilo does not store full card numbers.

• To provide, operate, secure, and support the Services.
• To authenticate users and administer accounts and access.
• To improve the Services, develop new features, and conduct product research using de-identified and aggregated data.
• To communicate service updates, security alerts, and support responses.
• To comply with legal, regulatory, and contractual obligations, including aviation record-keeping requirements where applicable.
• To detect, prevent, and respond to fraud, abuse, and security incidents.

We share information only as described here: service providers that help us operate the Services (hosting, analytics, email, payments, support), under contracts that limit their use of the data; affiliates and successors in connection with a corporate transaction such as a merger, acquisition, or financing; legal and protective disclosures when required by law or to protect rights, safety, or the integrity of the Services; with your direction or consent, including when a customer directs us to share information with a designated third party.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.

Hilo is based in the United States. If you use the Services from outside the U.S., your information may be transferred to, stored in, and processed in the U.S. or other jurisdictions with different data protection laws. Where required, we use appropriate safeguards such as Standard Contractual Clauses.

We use administrative, technical, and physical safeguards designed to protect the information we hold, including encryption in transit, access controls, logging, and regular reviews. No system is perfectly secure. We encourage the use of strong, unique passwords and SSO where your organization supports it.

We retain information as long as necessary to provide the Services and to meet legal, regulatory, contractual, and aviation record-keeping obligations (including FAA, UK CAA, EASA, and similar authority retention standards where applicable). When we no longer need information, we delete or de-identify it.

Depending on your location, you may have rights to access, correct, delete, or port your personal information; to object to or restrict certain processing; or to withdraw consent. To exercise these rights, contact us using the details below.

If you are an instructor, student, or staff member at a flight training organization that uses Hilo, please direct requests about your data to your organization first. We will support your organization in responding.

The Services are intended for flight training organizations and their authorized users. Hilo does not knowingly collect personal information directly from children under 13. Where a customer enrolls training candidates under 18, Hilo processes that information solely at the customer's direction and as a processor.

California (CCPA/CPRA). California residents have rights to know, delete, correct, and limit the use of sensitive personal information. We do not sell or share personal information as defined under California law.

European Economic Area and United Kingdom (GDPR/UK GDPR). We rely on legal bases including contract performance, legitimate interests, legal obligation, and consent where applicable. You have the right to lodge a complaint with a supervisory authority.

We may update this Policy from time to time. Material changes will be announced on this page with a revised effective date and, where appropriate, by additional notice.