Legal

Privacy & Data Handling Policy

Last updated: 20 June 2026

XPGuard ("we", "the service") provides controllable runway stop bars for X-Plane 12, together with a website where contributors can map and edit airport hold-short positions. This policy explains what data we collect, why, and how we protect it. XPGuard is an independent, community project and is not affiliated with or endorsed by VATSIM or Laminar Research.

1. Who we are

XPGuard is operated by the XPGuard project maintainer. For any privacy request, contact [email protected].

2. What we collect

VATSIM Connect sign-in: when you log in with VATSIM, we receive — only for the scopes you approve — your VATSIM CID, full name, email address, and ratings/division.
Email sign-up (alternative): your email address and a securely hashed password (we never store passwords in plain text).
Contributions: the airport hold edits you submit (positions, runway assignments, names) and which account submitted them, for attribution and review.
Technical: a session cookie to keep you signed in, and minimal server logs (IP address, timestamps) for security and debugging.

3. Why we use it

To authenticate you and keep you signed in.
To attribute and review your contributions before they are published.
To operate, secure and improve the service.

Our legal basis is your consent (given when you sign in / sign up) and our legitimate interest in running a secure service.

4. How it is stored & protected

Data is stored on our own server (hosted at DigitalOcean) in a private database. All traffic is encrypted in transit (HTTPS/TLS). Passwords are hashed. We do not sell your data and do not share it except with the infrastructure providers needed to run the service (see below).

5. Third parties

VATSIM — sign-in (VATSIM Connect OAuth).
DigitalOcean — server hosting.
Cloudflare — DNS.
An email delivery provider — verification & password-reset emails (email sign-up only).

6. Retention & your rights

We keep your account data while your account is active. You may request access, correction, or deletion of your data at any time by emailing [email protected]; we will delete your account and personal data on request (published contributions may be retained in anonymised form).

7. Cookies

We use a single, essential, http-only session cookie to keep you signed in. We do not use advertising or third-party tracking cookies.

8. Changes

We may update this policy; the "last updated" date above will change. Material changes will be announced on the site.

This document is provided as a clear, good-faith description of our data handling. It is not legal advice; if you have specific legal requirements (e.g. GDPR / KVKK), please review it against your jurisdiction.