Privacy Policy
Last updated: May 2026
1. Controller
The controller responsible for the processing of your personal data under the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) is:
Joseph Diebolder · Fly With Captain Joe
Rathausstraße 11 · 87448 Waltenhofen · Germany
Email: info@flywithcaptainjoe.com
Contact form: /contact/
A Data Protection Officer is not required under § 38 BDSG given the size and nature of the processing operations.
2. Data we process & purposes
The following categories of personal data are processed, depending on which features of the site you use:
- Server access data (IP address, user-agent, request timestamp, referrer, response status) — automatically logged by our hosting provider for security, abuse prevention, and operational diagnostics. Legal basis: Art. 6(1)(f) GDPR — legitimate interest in a stable, secure service.
- Contact form submissions (name, email, message, selected subjects, Cloudflare Turnstile token) — when you write to us. Legal basis: Art. 6(1)(b) GDPR if your request relates to a (potential) contract, otherwise Art. 6(1)(f).
- Masterclass purchase data (email, name, billing address, payment method, transaction metadata) — when you buy the Future Pilots Masterclass via Stripe Checkout. Legal basis: Art. 6(1)(b) GDPR — contract performance; tax/accounting retention obligations are processed on Art. 6(1)(c) GDPR — legal obligation.
- Skool community access (email, name) — forwarded after a successful purchase so the Skool platform can issue your community invitation. Legal basis: Art. 6(1)(b) GDPR.
- Coaching call bookings (name, email, scheduling info, any details you add) — when you book a call via Calendly. Legal basis: Art. 6(1)(b) GDPR.
- YouTube video views (IP, device data, viewing data) — only after you actively click play on an embedded video (privacy-first "facade" pattern; no Google connection occurs until then). Legal basis: Art. 6(1)(a) GDPR — consent by clicking play.
- Language preference (locale string stored in your browser's localStorage) — to remember EN/DE preference between visits. Legal basis: Art. 6(1)(f) GDPR; classified as "strictly necessary" under § 25(2) Nr. 2 TTDSG.
3. Third-party processors and recipients
We use the following service providers as processors under Art. 28 GDPR. Each acts on our instructions and is bound by a data processing agreement (DPA). Transfers to recipients outside the EU/EEA are protected by Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR plus, where applicable, supplementary measures and the EU-US Data Privacy Framework certification.
| Recipient | Purpose | Data | Location |
|---|---|---|---|
| Stripe Payments Europe, Ltd. | Process Masterclass payments via hosted Checkout | Email, name, billing address, payment method, transaction metadata | Ireland (EU); parent in USA (SCCs + DPF) |
| Skool, Inc. | Host the Future Pilots Masterclass community and issue invitations | Email, name (forwarded after purchase) | USA (SCCs + DPF) |
| Zapier, Inc. | Route purchase data from Stripe webhook to Skool invite action | Email, name, Stripe session ID, amount, currency, timestamp | USA (SCCs + DPF) |
| Cloudflare, Inc. | Cloudflare Turnstile bot-protection on the contact form | IP, browser fingerprint, challenge solve, short-lived token | USA / global (SCCs + DPF) |
| Google Ireland Ltd. (YouTube) | Serve embedded videos via youtube-nocookie.com — only after you click play | IP, device data, viewing data | Ireland (EU); affiliates in USA (SCCs + DPF) |
| Calendly, LLC | Schedule coaching calls | Name, email, scheduling info, optional details you provide | USA (SCCs + DPF) |
| Vercel, Inc. | Web hosting + CDN (server logs, deploy edge) | Server access data (IP, user-agent, request metadata) | USA / global edge (SCCs + DPF) |
| SMTP email provider | Deliver contact-form emails, customer confirmations, and internal admin alerts | Email, subject, message body | EU (configured to a European SMTP service) |
We do not sell personal data to third parties and we do not use it for automated decision-making or profiling within the meaning of Art. 22 GDPR.
4. International data transfers
Some processors listed above are located in the United States. Transfers are made on one or more of the following legal bases:
- EU-US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795) where the recipient is self-certified.
- Standard Contractual Clauses (Module 2: Controller-to-Processor) under Art. 46(2)(c) GDPR.
- For one-off transfers strictly necessary for the performance of your contract: Art. 49(1)(b) GDPR.
Copies of the SCCs and DPAs are available on request via the contact channels listed in Section 1.
5. Retention
- Contact form submissions: deleted from our SMTP inbox once your inquiry is resolved, at the latest after 12 months.
- Stripe transaction records: retained for the statutory tax/accounting period under § 147 AO and §§ 257 HGB — generally 10 years from the end of the calendar year of the transaction.
- Skool community membership: retained for the lifetime of your membership; you can request removal via Skool or by contacting us.
- Server access logs: retained by Vercel for short security/diagnostic windows according to its own policy.
- Browser localStorage (locale preference): stored on your device until you clear it; never transmitted to our servers.
6. Your rights
You have the following rights, exercisable free of charge:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16)
- Right to erasure / "to be forgotten" (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object to processing based on legitimate interest (Art. 21)
- Right to withdraw consent at any time without affecting prior lawful processing (Art. 7(3))
To exercise any of these rights, email info@flywithcaptainjoe.com or use the contact form. We respond within one month (Art. 12(3) GDPR).
7. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority for our establishment is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18 · 91522 Ansbach · Germany
Website: www.lda.bayern.de
8. Cookies and similar technologies
This site uses only strictly necessary client-side storage, exempt from consent under § 25(2) TTDSG:
- Service worker cache + CacheStorage — to enable offline-capable navigation and faster repeat loads.
- Locale preference in localStorage (EN/DE) — to remember your language choice.
Cloudflare Turnstile and Stripe Checkout may set cookies on their own domains during your interaction with their challenges/checkout flows (third-party context); we do not control or read those.
We do not use analytics, marketing, tracking, retargeting, or advertising cookies.
9. Data security
We use TLS 1.2+ on all connections, isolate secrets via environment variables, verify Stripe webhook signatures, and apply commercially reasonable technical and organizational measures (TOMs) under Art. 32 GDPR. No method of internet transmission is 100% secure.
10. Children
Our services are directed at adults. In line with Art. 8 GDPR and § 12a Sozialgesetzbuch Erstes Buch the consent age in Germany is 16. We do not knowingly process personal data of children under 16 without parental consent; if you believe we have done so inadvertently, please contact us and we will delete the data.
11. Changes to this policy
We may update this Privacy Policy as our processing operations evolve. The current version is always available at /privacy-policy/ with the "Last updated" date above. Material changes will be highlighted on this page for at least 30 days.