At AVORA Aviation Academy, we value your privacy and the trust you place in us. We are committed to handling your personal data with the highest level of care, security, and transparency whenever you visit or interact with our website https://academy.avora.aero/.

Through this Privacy Policy (the “Policy”), we aim to clearly explain the types of personal data we collect when you access or use the Site, the purposes for which we process this information, and the rights you have in relation to your personal data. Our goal is to ensure that you remain fully informed and confident in how your information is managed.

By accessing or using the Site, you confirm that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree with any part of this Policy, please discontinue using the Site and refrain from providing any personal information.

We may update or modify this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the functionalities of the Site. Any updates will be published on this page with a revised effective date. Your continued use of the Site after such updates constitutes acceptance of the modified Policy.

Data sharing within affiliated entities:

By visiting the Site and providing personal data, users acknowledge and agree that such data may, where applicable, be shared with and processed by affiliated companies or entities that collaborate with AVORA Aviation Academy for the purpose of service provision, internal administration, customer support, and fulfilment of contractual obligations.

All affiliated entities are required to process personal data in compliance with applicable data protection laws, including Regulation (EU) 2016/679 (GDPR), and must implement appropriate technical and organizational measures to ensure the security and confidentiality of the data.

I. PERSONAL DATA CONTROLLER

The controller responsible for your personal data, as outlined in this Privacy Policy, is […], UIC […], with its seat and management address at [64 Hristofor Kolumb Str., Building A02, office 021, Iskar District, Sofia 1592, Bulgaria] (referred to as the “Company,” “Administrator,”, “AVORA” “we,” or “our,” as applicable).

If you have any questions or concerns regarding how we process your personal data, you are welcome to contact us directly by sending an email to dpo@fly2sky.aero or by mail to: 16, Lyuben Karavelov Str., ap. 2, Sofia 1142, Bulgaria.

II. PERSONAL DATA

What is personal data?

Personal data is any information relating to an identified or identifiable natural person. Various pieces of information, put together that can lead to the identification of a specific individual, also constitute personal data.

What personal data do we collect?

We process personal data that you voluntarily provide to us when using the Site, including when contacting us through the “Contact us” section or when submitting an application through the “Enroll Now” form. The categories of personal data we may collect and process include:

i. Data collected through the Contact section

When you choose to contact us via the contact form, we may collect the following information:

· Full name

· Email address

· Any additional information you choose to provide in the message field (e.g., phone number, company name, or other voluntary details)

This information is used solely for the purpose of responding to your inquiry and providing support or information related to our services.

ii. Data collected through the “Enroll Now” form

When you apply for enrollment through the “Enroll Now” section, we may collect the following categories of personal data:

· Full name

· Date of birth

· Email address

· Phone number

· Nationality

· Current residential address

This information is required to assess your eligibility for the program, communicate with you regarding your application, and initiate the enrollment process.

During the enrollment process we also ask about the current pilot licence you hold and may collect:

· Licence number

· Issuing country

· Total flight hours

This data is necessary to verify your qualifications, review your aviation experience, and determine your suitability for specific training programmes.

iii. Data provided by registering for our newsletter

· Email address

III. PURPOSES AND BASIS FOR PROCESSING. RETENTION PERIODS

To the extent permitted by law, we use your personal data for the following purposes:

· Responding to your requests and enquiries

We process the personal data you submit through the “Contact us” section in order to respond to your messages, provide the information requested, and offer support related to our website, training programmes and services.

Grounds: your explicit consent to be contacted (Art. 6, para. 1, item “a” GDPR).

Retention period: Personal data collected solely for communication purposes is retained for one year after the final conclusion of the communication, unless a longer period is required by law or becomes applicable due to entering into a contractual relationship with us.

· Processing your application and enrolment

Through the “Enroll Now” form, we process personal data required to assess your eligibility, verify your aviation qualifications, and administer your enrolment into our programmes.

Grounds: Your explicit consent to submit an application (Art. 6(1)(a) GDPR) and our legitimate interest in evaluating and admitting candidates to our aviation programmes (Art. 6(1)(f) GDPR).

Retention period: Up to [6/12 months] after the completion of the specific admission or selection process for which the data were originally collected, unless you enter into a training agreement with us (in which case a different retention period and legal basis will apply).

· Newsletter registration and communication

If you subscribe to our newsletter, we collect and process your email address to send you updates, academy announcements, and informational content related to our activities.

Grounds: Your explicit consent (Art. 6(1)(a) GDPR).

Retention period: Until you withdraw your consent by clicking the “Unsubscribe” link in any email or by contacting us directly.

· Improving our services and user experience

We may process certain information about your interactions with the Site — including data submitted through forms — in order to improve our services, user interface, and overall visitor experience. We may also invite you to participate in satisfaction surveys or send non-marketing educational emails that help you better navigate and use our services.

Educational emails may include instructions, guidance, or tips for using the Site. They do not contain promotional or marketing content.

Grounds: Our legitimate interest in improving our services and the usability of the Site (Art. 6(1)(f) GDPR), provided this does not override your fundamental rights and freedoms.

If communication occurs via phone, you will always have the option to decline call recording. In such cases, we will process only the information manually noted by our staff.

Retention period: Up to 12 months.

· Direct marketing (where applicable)

If you choose to receive marketing communications, we will use your personal data (such as your email address) to send you promotional messages, updates about our programmes, special offers, or other information related to AVORA Aviation Academy.

You may withdraw your consent at any time by:

· clicking the “Unsubscribe” link included in each marketing email, or

· contacting us using the details provided in this Privacy Policy.

Grounds: your explicit consent to receive such communication (Art. 6, para. 1, item “a” GDPR)

Retention period: until you withdraw your consent.

· Protecting our legitimate interests

We may use or share personal data to protect our rights, ensure the security of the Site, and prevent misuse or unlawful activities. This may include:

- implementing measures to safeguard the Site and its visitors against cyberattacks

- preventing, detecting, and reporting fraud attempts to competent authorities

- managing operational, legal, or security-related risks

Grounds: Our legitimate interest in protecting the operation, integrity, and security of our business (Art. 6(1)(f) GDPR).

In certain cases, processing may also be required to comply with legal obligations (Art. 6(1)(c) GDPR).

Retention period: according to the relevant statutory requirements.

IV. SENSITIVE DATA

AVORA does not intentionally collect or process any sensitive personal data from visitors/users of the Site. “Sensitive data” refers to special categories of personal information, including but not limited to: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health-related information, or data concerning criminal convictions and offences.

In certain cases — for example, when applying for specific aviation training programmes — you may be asked to provide health-related information or medical documentation required under applicable aviation regulations (such as medical fitness certificates or other regulatory requirements). In such situations, we will process this information only when necessary, only for the relevant purpose, and based on an appropriate legal basis, such as your explicit consent or a statutory requirement.

We kindly ask that you do not submit sensitive information through the Site or contact forms unless it is explicitly requested and required for regulatory, safety, or training purposes. If such data is provided without necessity, it will be deleted unless a lawful basis for processing applies.

V. DATA OF MINORS AND JUVENILE PERSONS

Our Site is not intended for use by individuals under the age of 18. We do not knowingly collect or process personal data of minors or juvenile persons. If we become aware that we have inadvertently collected personal information from a minor without verified parental consent, we will take appropriate steps to delete such data as soon as possible.

We kindly ask parents or legal guardians to contact us immediately if they believe their child has provided personal data through the Sites.

VI. HOW WE MAY DISCLOSE YOUR PERSONAL DATA

Except as expressly described in this Policy, we do not knowingly disclose personal data collected through the Site to third parties without your explicit consent.

However, to the extent permitted by applicable law and strictly for the purposes for which the data was originally collected, your personal data may be disclosed to the following categories of recipients:

· Third-party service providers
– We may share your personal data with carefully selected external service providers that support the operation, maintenance, and improvement of the Site or assist us in delivering our services. These providers may offer services such as:

- website hosting and cloud infrastructure

- IT and security services

- analytics and performance monitoring

- customer communication and email services

- recruitment and application management tools

- CRM, data storage, or other operational support

These service providers act solely on our behalf, under contractual obligations, and must process your data in accordance with applicable data protection laws.

Below is a non-exhaustive list of third-party service providers that may process personal data on behalf of AVORA Aviation Academy:

- [name] – [type of service they provide] ([location of servers])

AVORA Aviation Academy may update or expand this list from time to time, depending on the services we use.

· Corporate transactions – Your personal data may be disclosed in connection with corporate events such as: mergers, acquisitions, or reorganisations; joint ventures; sale or transfer of business assets; restructuring or liquidation procedures.

Such disclosures will only take place where permitted by law and where the recipient assumes the same level of data protection obligations.

· Legal and regulatory requirements – we may also disclose your personal data when we believe such disclosure is necessary or appropriate to: a) comply with applicable laws or regulations, including those outside your country of residence; b) comply with lawful requests and legal processes (e.g., subpoenas or court orders); c) respond to requests from public and governmental authorities, including those outside your country of residence; d) protect our operations, rights, privacy, safety, or property, and that of our affiliates, users, or others; e) enforce our terms and pursue available legal remedies; or f) limit any potential damages or liability we may face.

Such disclosures may include authorities or institutions within or outside your country of residence, to the extent permitted by applicable law.

VII. DATA SUBJECTS RIGHTS

1. Access to your personal data

You have the right to access, correct, or delete the personal data we hold about you. To exercise any of these rights, please contact us at dpo@fly2sky.aero.

We will respond to your request free of charge and within one month, in accordance with applicable data protection laws. However, if a request is manifestly unfounded, excessive, or repetitive, we reserve the right to charge a reasonable administrative fee or to refuse the request, as permitted by law.

2. Correction of personal data

If any of the information we hold about you is inaccurate or incomplete, you can ask us to correct or complete it at any time.

3. Your right to erasure or to be forgotten

You can ask us to delete your personal data, but only if:

- It is no longer necessary for the purposes for which it was collected; or

- you have withdrawn your consent (if the data processing is based solely on consent); or

- you exercise a legitimate right to object; or

- it has been unlawfully processed; or

- there is a legal obligation in this regard.

We are not obliged to comply with your request to delete your personal data if the processing is required:

- to comply with a legal obligation; or

- to establish, exercise or defend a legal claim.

There are certain circumstances under applicable law where we may not be obligated to comply with your request to delete personal data. These situations are limited, but they represent the most common reasons why a deletion request might be lawfully denied.

If you wish to request the deletion of your personal data, please contact us at dpo@fly2sky.aero, using the email address associated with you or by otherwise verifying your identity.

Please note that deleting your data is a permanent and irreversible process, including the removal of all associated documents and records. Once deletion is complete, this information cannot be recovered.

4. Restriction of data processing

You have the right to request that we restrict the processing of your personal data, but only in the following circumstances:

- you contest the accuracy of the data, in which case processing will be restricted until we verify its accuracy (see the section on data correction);

- the processing is unlawful, but you prefer restriction over deletion;

- we no longer need the data for the purposes for which it was collected, but you require it for the establishment, exercise, or defence of legal claims;

- you have objected to the processing and we are verifying whether our legitimate grounds override yours.

We may continue to process your personal data during the restriction period only:

- if we have your explicit consent;

- for the establishment, exercise, or defence of legal claims; or

- to protect the rights of the Site owner or another individual or legal entity.

5. Data portability

You have the right to request that we provide your personal data in a structured, commonly used, and machine-readable format, or that we transmit it directly to another data controller, where technically feasible. This right applies only if:

- the processing is based on your consent or on a contract with you; and

- the processing is carried out by automated means (i.e., not manual processing).

6. Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data where such processing is based on our legitimate interests, if you believe that your fundamental rights and freedoms outweigh those interests.

Additionally, you may object at any time to the processing of your personal data for direct marketing purposes. You can do so by following the unsubscribe instructions included in our marketing emails or by contacting us directly at dpo@fly2sky.aero.

7. Making automatic decisions

The controller does not carry out profiling or automated individual decision-making. In the event of a change, you will be expressly notified of this before the change takes effect.

8. Right to file a complaint with the local supervisory authority

If you believe that we are processing your personal data in an unlawful manner, you may contact us at dpo@fly2sky.aero.

You have the right to file a complaint with your local supervisory authority regarding the processing of your personal data.

In Bulgaria, the contact details of the supervisory authority for personal data protection are as follows:

Personal Data Protection Commission

Bulgaria, Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.

Phone: + 359 2 915 35 18

Email: kzld@cpdp.bg

VIII. OTHER INFORMATION

Other information we may collect

“Other information” is any information that does not reveal your specific identity, such as:

- browser and device information, operator, internet connection

- server log information and Sites’ logs

- information collected through cookies, pixel tags and other technologies

- demographic information and other information provided by you

- location information

We may use and disclose Other Information for any purpose, except as required to do otherwise by applicable law. If we are required to treat Other Information as personal data by applicable law, then we may use and disclose Other Information for all purposes for which we use and disclose personal data.

IX. DATA SECURITY METHODS

To protect user data from unauthorized or accidental disclosure, we implement reasonable and appropriate technical and organizational measures.

Technical measures: We employ technologies designed to prevent unauthorized third-party access to personal data. As part of our security protocols, we apply encryption to user and end-user data—this includes but is not limited to: all data stored on our servers.

Organizational measures: We have adopted internal policies and procedures that govern how our employees handle personal data. These are part of our internal regulations and are considered confidential for security reasons.

Where servers are hosted in data centres operated by third parties, we ensure that equivalent technical and organizational safeguards are in place and applied by those providers.

Data Storage Location: All personal data is stored on servers located within the European Union (and […]).

X. TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANIZATION

All personal data is generally stored on servers located within the European Union. However, if and when transfers of personal data outside the EU/EEA occur, such transfers are carried out in full compliance with Article 46 of the GDPR. In particular, we rely on:

- Standard Contractual Clauses (SCCs) adopted by the European Commission; and/or

- Certification under the EU–US Data Privacy Framework, where applicable.

These safeguards ensure that your data continues to receive an adequate level of protection, even when processed in countries outside the European Economic Area (EEA).

XI. THIRD PARTY SITES

The Sites may contain links to websites, mobile applications, and other online services operated by third parties. Please note that this Privacy Policy does not apply to the privacy, data handling, or other practices of such third parties. We are not responsible for the content, security, or privacy practices of any third party, including those whose services are linked to or accessible from within the Sites. The inclusion of a link in the Sites should not be interpreted as an endorsement of the linked website or service by us.

We are also not responsible for the data collection, use, or disclosure practices (including data security measures) of other organizations or platforms—such as Facebook, Apple, Google, Microsoft, or any other application developers, service providers, social media platforms, operating system providers, wireless service providers, or device manufacturers. This includes any personal data you choose to share with such organizations through or in connection with our presence on social media or third-party platforms.

XII. COOKIE POLICY

Our use of cookies and similar tracking technologies is governed by a separate Cookie Policy, which provides detailed information about:

· the types of cookies used on the Site;

· the purposes for which they are deployed;

· the data they collect;

· how long such data is stored;

· how you can manage or disable cookies.

You can review the full Cookie Policy [insert link or reference here].

This Cookie Policy forms an integral and inseparable part of this Privacy Policy. Both documents should be read together, as they collectively explain how AVORA Aviation Academy processes personal data collected through cookies and other tracking technologies.

XIII. GOVERNING LAW AND JURISDICTION

This Privacy Policy is governed by and interpreted in accordance with:

· Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), and

· the applicable data protection laws of the Republic of Bulgaria, including the Personal Data Protection Act.

Any disputes arising in connection with this Privacy Policy or the processing of personal data shall fall within the jurisdiction of the competent courts of the Republic of Bulgaria, unless otherwise required by applicable law.

XIV. CHANGES TO THE PRIVACY POLICY

We may update or modify this Privacy Policy at any time. The most current version will always be available within the Site.

If we make any material changes to the way we process your personal data, we will notify you by displaying a prominent notice within the Site before the changes take effect. We confirm that such changes will not apply retroactively.

We encourage you to review this Privacy Policy periodically while visiting the Site, so that you remain informed about how your data is being protected.

Last updated on: 26.02.2026