Skip to main content

Privacy

Effective June 12, 2026 · Version 2026.06.2

Summary (plain English)

  • We don't sell or share your personal information for advertising.
  • We use a minimal set of first-party cookies and aggregated product analytics.
  • We republish a subset of public US Federal Aviation Administration (FAA) registry records. We don't add phone numbers, emails, or other private contact details.
  • You can ask us to access, correct, delete, or suppress your data — see Your rights.
  • The service is run by a UK company (30M Limited), so UK GDPR applies to our handling of personal data even though our audience is primarily in the United States.

Who we are (data controller)

Sprinkle (sprinkle.com) is operated by 30M Limited, a private limited company registered in England and Wales (Companies House no. 09386561), with its registered office at Office 3 St Anns House, 111 Guildford Road, Lightwater, Surrey, GU18 5RA, United Kingdom. 30M Limited is the “controller” of personal data processed through the site for the purposes of the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018, and a “business” for the purposes of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the CCPA).

The site is targeted primarily at users in the United States. Our largest concrete dataset is the FAA civil aircraft registry (311k+ US-registered airframes). Hosting, analytics, and database infrastructure are operated in the United States by our processors (see Service providers).

Scope

This notice describes how we handle personal information collected through sprinkle.com, including our APIs, mobile-optimised pages, and authenticated account areas. It does not cover third-party sites we link to, or the FAA's own publication of registry data at faa.gov.

What we collect, why, and our legal basis

The table below summarises each processing activity.

  • Server logs — IP address, user-agent string, referring URL, requested path, timestamp, response code. Purpose: security, abuse prevention, debugging. Lawful basis (UK GDPR): legitimate interests in operating a secure service (Art. 6(1)(f)). CCPA category: internet/network activity, identifiers.
  • Product analytics — page views, feature interactions, performance metrics, approximate region derived from IP, and session replay (text inputs masked). Tools: PostHog and Google Analytics 4, both configured for measurement only — advertising signals are denied and there is no remarketing. Purpose: understand which pages are useful and how the site performs. Lawful basis: in the UK/EEA, your consent (Art. 6(1)(a)), collected through the opt-in banner and withdrawable at any time; in the US and elsewhere, our legitimate interests (Art. 6(1)(f)) — analytics and replay run by default there, with an always-available opt-out. We configure analytics to avoid cross-site tracking and to minimise identifiers.
  • Error & diagnostic monitoring — when the site errors or runs slowly, our servers record the error, a stack trace, the request path, and the originating IP address. Purpose: security, reliability, and debugging. Lawful basis: legitimate interests in operating a stable, secure service (Art. 6(1)(f)). This runs server-side as a service-operation measure, regardless of your analytics choice, and is never used for advertising or profiling. CCPA category: internet/network activity, identifiers.
  • Account data — email address and authentication identifier supplied by your sign-in method (e.g. Google, magic-link). Purpose: provide the account, personalise saved lists. Lawful basis: performance of a contract (Art. 6(1)(b)) and, where you opt in to email updates, consent (Art. 6(1)(a)).
  • Inbound messages — content of emails you send to our published addresses. Purpose: respond to your request. Lawful basis: legitimate interests, or consent for marketing follow-ups.
  • FAA-registry records — owner name, registered address, aircraft details, status. Purpose: public-interest reference content on aviation. Lawful basis: legitimate interests, balanced against the rights of registered owners (see the Aircraft-owner records section, which includes our balancing test and opt-out route). Under CCPA, this is publicly available information lawfully made available by a government agency, which falls outside the statutory definition of “personal information.”

We do not knowingly process “special category” data (UK GDPR Art. 9) or “sensitive personal information” (CCPA § 1798.140(ae)). We do not use personal information for automated decision-making that produces legal or similarly significant effects, and we do not profile visitors for advertising.

Cookies and similar technologies

We use a small set of first-party cookies for session continuity for signed-in users, recording your privacy choice, and — once permitted — product analytics. We do not run advertising cookies or cross-site tracking pixels. A non-exhaustive list:

  • sb-* — Supabase auth session (HTTP-only, strictly necessary).
  • sprinkle_consent — records your privacy choice and the policy version it was made against (strictly necessary; up to 12 months).
  • sprinkle_region — coarse region only (EU/UK vs rest), carries no identifier and exists solely to show the right consent option (strictly necessary).
  • ph_* (PostHog) — product-analytics cookies, written only after you opt in (EU/UK) or unless you opt out (US/elsewhere).
  • _ga / _ga_* (Google Analytics) — product-analytics cookies, written under the same regime as ph_*: only after you opt in (EU/UK) or unless you opt out (US/elsewhere); persist up to 24 months.
  • sprinkle_preview — selects a demo persona on our preview deployments (functional; not used for visitors on the live site).

Some preferences are kept in your browser's local storage rather than cookies: your light/dark theme choice, a mirror of your sprinkle_consentchoice, and — only after you opt in — PostHog's analytics identifiers.

Your consent choices

What runs on your visit depends on where you are. If you are in the UK or EEA, you see an opt-in banner and nothing non-essential runs until you accept — no analytics identifiers or cookies, no replay, no pre-ticked boxes. (The Google tag library loads in a consent-denied state; until you accept it stores nothing on your device and sends only cookieless consent-status pings.) If you are in the US or elsewhere, there is no banner: product analytics and session replay are on by default, and you have an always-available opt-out. Either way, you can change your choice at any time through the “Your privacy choices” link in the footer.

We honour the Global Privacy Control (GPC)browser signal automatically: in the UK/EEA we treat it as a refusal of non-essential cookies, and in the US (and elsewhere) as a valid opt-out of any “sale” or “sharing” of personal information under the CCPA and equivalent state laws — so you do not have to act on the banner for it to take effect. For the record, we do not sell or share personal information as those terms are defined under the CCPA, regardless of GPC status.

Session replay(text inputs masked) follows your region's regime: in the UK/EEA it runs only if you accept on the banner or enable it in the preferences dialog; in the US and elsewhere it is on by default and can be switched off at any time via “Your privacy choices”. We keep a record of each choice you make (a timestamp and the policy version it was made against) so we can evidence your consent. For UK/EEA visitors we re-ask for consent after 12 months, or sooner if the version of this notice changes.

Aircraft-owner records (FAA registry)

The FAA publishes aircraft registration records — owner name, registered address, and aircraft details — as a public dataset under 49 U.S.C. § 44103 and the implementing regulations at 14 C.F.R. Part 47. Sprinkle republishes a subset of these records, alongside derived analytics (e.g. fleet composition by manufacturer), under the same public-record terms. We do not enrich FAA records with email addresses, phone numbers, financial information, or other private contact details.

UK GDPR balancing test. We have considered whether our legitimate interest in publishing a reference of US civil aviation is overridden by the interests, rights, and freedoms of registered owners. Because the records are already published by a US federal agency under a public-record statute, are widely mirrored by industry databases, and contain no special-category or sensitive financial data, we have concluded that republication is consistent with UK GDPR Art. 6(1)(f). The opt-out mechanism below provides an additional safeguard.

Owner opt-out and correction requests. If you are an FAA-registered owner and want a record reviewed, corrected, or suppressed from on-site search and search-engine indexing, email from the address on file (or include the N-number and aircraft serial). We will acknowledge within 10 business days and action verified requests within 30 days. Note that the underlying record remains publicly available at faa.gov regardless of any action we take on sprinkle.com.

Service providers (processors)

We rely on a small set of US-based infrastructure providers to operate the site. Each processes personal data on our documented instructions under written terms that include UK / EU GDPR-compliant data-processing addenda and, where relevant, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (SCCs).

  • Vercel Inc. — hosting, edge delivery (US).
  • Supabase Inc. — managed Postgres database, authentication (US).
  • Cloudflare Inc. — CDN, image delivery, DDoS protection (US).
  • PostHog Inc. — product analytics and session replay (US). Receives data only when analytics is permitted for your region/choice.
  • Google LLC — product analytics (Google Analytics 4), configured for measurement only: advertising signals are denied, no remarketing, no ads personalisation (US). Receives measurement data only when analytics is permitted for your region/choice; while consent is denied it receives only cookieless consent-status pings carrying no identifier.
  • Functional Software, Inc. (Sentry) — server-side error and diagnostic monitoring (US): captures errors, stack traces, request metadata, and the originating IP to keep the service reliable and secure.
  • Email service providers — transactional email for account sign-in and replies. We do not use them for marketing campaigns.

International transfers

Because our processors are located in the United States, personal data we collect from UK/EEA visitors is transferred outside the UK. We rely on the UK's extension to the EU–US Data Privacy Framework where the recipient is certified, and on the UK International Data Transfer Addendum to the EU SCCs where it is not. A copy of the relevant transfer mechanism is available on request to .

How to delete your account

You can delete your Sprinkle account, along with all data we hold about you, in two ways:

  • In-app. Open Sprinkle, go to the Profile tab, and tap Delete Account at the bottom. The deletion is immediate and cannot be undone.
  • By email. If you can't access the app, email from the address associated with your account. We will process the request within 30 days.

Deleting your account removes your authentication record, profile, saved lists, alert subscriptions, inquiries, and any other personal data we hold about you. Records derived from public sources (such as the FAA registry) are unaffected, as they are not tied to your account.

Retention

  • Server logs: up to 30 days, then deleted or aggregated.
  • Aggregated analytics: up to 24 months in non-identifiable form.
  • Account data: retained while the account is active; deleted within 30 days of account closure, subject to legal hold or fraud-prevention needs.
  • Inbound email: retained for up to 24 months for support continuity, unless a longer period is required to handle a legal claim.
  • FAA-registry mirror: retained for as long as the upstream record remains current; superseded snapshots may be retained for historical reference.

Security

All traffic is served over HTTPS with modern TLS. Authentication tokens are issued by Supabase and stored as HTTP-only, Secure cookies. Access to production data is limited to named personnel and gated on multi-factor authentication. We log administrative access, apply principle-of-least-privilege on the database, and review our security posture periodically. No internet service can guarantee absolute security; if we discover a personal-data breach that is likely to result in a risk to your rights, we will notify the UK ICO within 72 hours and, where required, notify affected users directly.

Your rights

If you are a US resident

Under the California Consumer Privacy Act (CCPA/CPRA) and comparable laws in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and other states with comprehensive privacy statutes, you may have the right to:

  • Know what personal information we have collected about you and how we use it.
  • Access a portable copy of that information.
  • Correct inaccurate personal information.
  • Delete personal information we hold about you, subject to statutory exceptions.
  • Opt out of any “sale” or “sharing” of personal information, and of targeted advertising. (We do not engage in any of these.)
  • Limit the use of sensitive personal information. (We do not knowingly process such information.)
  • Not be discriminated against for exercising any of these rights.

To exercise a right, email with enough information for us to verify your identity (typically the email on your account, or the N-number for owner requests). We will respond within 45 days, extendable once by a further 45 days where reasonably necessary, and will inform you if we decline any part of the request. You may use an authorised agent; we may ask the agent for written authorisation and may verify your identity directly.

California “Shine the Light”: we do not disclose personal information to third parties for their own direct-marketing purposes.

If you are in the UK or EEA

Under the UK GDPR and the EU GDPR, you have the right to: access your data; correct inaccurate data; erase your data; restrict or object to processing; data portability; and to withdraw consent at any time where processing is based on consent (without affecting prior lawful processing). To make a request, email .

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or with your local EU supervisory authority. We would appreciate the chance to address your concerns first.

Children

Sprinkle is not directed to children under 13, and we do not knowingly collect personal information from children under 13 in violation of the US Children's Online Privacy Protection Act (COPPA), or from children under 16 in the UK/EEA without verifiable parental consent. If you believe a child has provided us information, email and we will delete it.

Do Not Track

Browsers transmit a “Do Not Track” signal inconsistently and there is no industry consensus on how to interpret it. We honour the GPC signal as described above; we do not separately respond to DNT.

Changes to this notice

We will update the effective date and version above when this notice changes. Material changes will be announced on the site, and where you have an account we will email you before they take effect.

Contact and complaints

For any privacy question, request, or complaint, email , or write to: Privacy — 30M Limited, Office 3 St Anns House, 111 Guildford Road, Lightwater, Surrey, GU18 5RA, United Kingdom. We do not currently appoint a statutory Data Protection Officer (our processing does not meet the UK GDPR Art. 37 threshold), but the privacy address above is monitored by the team member responsible for data protection at 30M Limited. UK / EEA users may also contact the ICO (ico.org.uk).