Skip to main content
Legal

Privacy

Effective May 20, 2026 · Version 2026.05

Summary (plain English)

  • We don't sell or share your personal information for advertising.
  • We use a minimal set of first-party cookies and aggregated product analytics.
  • We republish a subset of public US Federal Aviation Administration (FAA) registry records. We don't add phone numbers, emails, or other private contact details.
  • You can ask us to access, correct, delete, or suppress your data — see Your rights.
  • The service is run by a UK company (30M Limited), so UK GDPR applies to our handling of personal data even though our audience is primarily in the United States.

Who we are (data controller)

Sprinkle (sprinkle.com) is operated by 30M Limited, a private limited company registered in England and Wales (Companies House no. 09386561), with its registered office at Office 3 St Anns House, 111 Guildford Road, Lightwater, Surrey, GU18 5RA, United Kingdom. 30M Limited is the “controller” of personal data processed through the site for the purposes of the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018, and a “business” for the purposes of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the CCPA).

The site is targeted primarily at users in the United States. Our largest concrete dataset is the FAA civil aircraft registry (311k+ US-registered airframes). Hosting, analytics, and database infrastructure are operated in the United States by our processors (see Service providers).

Scope

This notice describes how we handle personal information collected through sprinkle.com, including our APIs, mobile-optimised pages, and authenticated account areas. It does not cover third-party sites we link to, or the FAA's own publication of registry data at faa.gov.

What we collect, why, and our legal basis

The table below summarises each processing activity.

  • Server logs — IP address, user-agent string, referring URL, requested path, timestamp, response code. Purpose: security, abuse prevention, debugging. Lawful basis (UK GDPR): legitimate interests in operating a secure service (Art. 6(1)(f)). CCPA category: internet/network activity, identifiers.
  • Product analytics — aggregated page views, performance metrics, approximate region derived from IP. Purpose: understand which pages are useful and how the site performs. Lawful basis: legitimate interests; we configure analytics to avoid cross-site tracking and to minimise identifiers.
  • Account data — email address and authentication identifier supplied by your sign-in method (e.g. Google, magic-link). Purpose: provide the account, personalise saved lists. Lawful basis: performance of a contract (Art. 6(1)(b)) and, where you opt in to email updates, consent (Art. 6(1)(a)).
  • Inbound messages — content of emails you send to our published addresses. Purpose: respond to your request. Lawful basis: legitimate interests, or consent for marketing follow-ups.
  • FAA-registry records — owner name, registered address, aircraft details, status. Purpose: public-interest reference content on aviation. Lawful basis: legitimate interests, balanced against the rights of registered owners (see the Aircraft-owner records section, which includes our balancing test and opt-out route). Under CCPA, this is publicly available information lawfully made available by a government agency, which falls outside the statutory definition of “personal information.”

We do not knowingly process “special category” data (UK GDPR Art. 9) or “sensitive personal information” (CCPA § 1798.140(ae)). We do not use personal information for automated decision-making that produces legal or similarly significant effects, and we do not profile visitors for advertising.

Cookies and similar technologies

We use a small set of first-party cookies for theme persistence (light/dark), session continuity for signed-in users, and basic analytics. We do not run advertising cookies, cross-site tracking pixels, or third-party tag managers. A non-exhaustive list:

  • sb-* — Supabase auth session (HTTP-only, strictly necessary).
  • theme — light/dark preference (persistent, functional).
  • __sprinkle_anon — anonymous analytics id (rotates every 24h).

We honour the Global Privacy Control (GPC) browser signal as a valid opt-out of any “sale” or “sharing” of personal information under the CCPA and equivalent state laws. We do not sell or share personal information as those terms are defined under the CCPA, regardless of GPC status.

Aircraft-owner records (FAA registry)

The FAA publishes aircraft registration records — owner name, registered address, and aircraft details — as a public dataset under 49 U.S.C. § 44103 and the implementing regulations at 14 C.F.R. Part 47. Sprinkle republishes a subset of these records, alongside derived analytics (e.g. fleet composition by manufacturer), under the same public-record terms. We do not enrich FAA records with email addresses, phone numbers, financial information, or other private contact details.

UK GDPR balancing test. We have considered whether our legitimate interest in publishing a reference of US civil aviation is overridden by the interests, rights, and freedoms of registered owners. Because the records are already published by a US federal agency under a public-record statute, are widely mirrored by industry databases, and contain no special-category or sensitive financial data, we have concluded that republication is consistent with UK GDPR Art. 6(1)(f). The opt-out mechanism below provides an additional safeguard.

Owner opt-out and correction requests. If you are an FAA-registered owner and want a record reviewed, corrected, or suppressed from on-site search and search-engine indexing, email privacy@sprinkle.com from the address on file (or include the N-number and aircraft serial). We will acknowledge within 10 business days and action verified requests within 30 days. Note that the underlying record remains publicly available at faa.gov regardless of any action we take on sprinkle.com.

Service providers (processors)

We rely on a small set of US-based infrastructure providers to operate the site. Each processes personal data on our documented instructions under written terms that include UK / EU GDPR-compliant data-processing addenda and, where relevant, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (SCCs).

  • Vercel Inc. — hosting, edge delivery (US).
  • Supabase Inc. — managed Postgres database, authentication (US).
  • Cloudflare Inc. — CDN, image delivery, DDoS protection (US).
  • Email service providers — transactional email for account sign-in and replies. We do not use them for marketing campaigns.

International transfers

Because our processors are located in the United States, personal data we collect from UK/EEA visitors is transferred outside the UK. We rely on the UK's extension to the EU–US Data Privacy Framework where the recipient is certified, and on the UK International Data Transfer Addendum to the EU SCCs where it is not. A copy of the relevant transfer mechanism is available on request to privacy@sprinkle.com.

Retention

  • Server logs: up to 30 days, then deleted or aggregated.
  • Aggregated analytics: up to 24 months in non-identifiable form.
  • Account data: retained while the account is active; deleted within 30 days of account closure, subject to legal hold or fraud-prevention needs.
  • Inbound email: retained for up to 24 months for support continuity, unless a longer period is required to handle a legal claim.
  • FAA-registry mirror: retained for as long as the upstream record remains current; superseded snapshots may be retained for historical reference.

Security

All traffic is served over HTTPS with modern TLS. Authentication tokens are issued by Supabase and stored as HTTP-only, Secure cookies. Access to production data is limited to named personnel and gated on multi-factor authentication. We log administrative access, apply principle-of-least-privilege on the database, and review our security posture periodically. No internet service can guarantee absolute security; if we discover a personal-data breach that is likely to result in a risk to your rights, we will notify the UK ICO within 72 hours and, where required, notify affected users directly.

Your rights

If you are a US resident

Under the California Consumer Privacy Act (CCPA/CPRA) and comparable laws in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and other states with comprehensive privacy statutes, you may have the right to:

  • Know what personal information we have collected about you and how we use it.
  • Access a portable copy of that information.
  • Correct inaccurate personal information.
  • Delete personal information we hold about you, subject to statutory exceptions.
  • Opt out of any “sale” or “sharing” of personal information, and of targeted advertising. (We do not engage in any of these.)
  • Limit the use of sensitive personal information. (We do not knowingly process such information.)
  • Not be discriminated against for exercising any of these rights.

To exercise a right, email privacy@sprinkle.com with enough information for us to verify your identity (typically the email on your account, or the N-number for owner requests). We will respond within 45 days, extendable once by a further 45 days where reasonably necessary, and will inform you if we decline any part of the request. You may use an authorised agent; we may ask the agent for written authorisation and may verify your identity directly.

California “Shine the Light”: we do not disclose personal information to third parties for their own direct-marketing purposes.

If you are in the UK or EEA

Under the UK GDPR and the EU GDPR, you have the right to: access your data; correct inaccurate data; erase your data; restrict or object to processing; data portability; and to withdraw consent at any time where processing is based on consent (without affecting prior lawful processing). To make a request, email privacy@sprinkle.com.

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or with your local EU supervisory authority. We would appreciate the chance to address your concerns first.

Children

Sprinkle is not directed to children under 13, and we do not knowingly collect personal information from children under 13 in violation of the US Children's Online Privacy Protection Act (COPPA), or from children under 16 in the UK/EEA without verifiable parental consent. If you believe a child has provided us information, email privacy@sprinkle.com and we will delete it.

Do Not Track

Browsers transmit a “Do Not Track” signal inconsistently and there is no industry consensus on how to interpret it. We honour the GPC signal as described above; we do not separately respond to DNT.

Changes to this notice

We will update the effective date and version above when this notice changes. Material changes will be announced on the site, and where you have an account we will email you before they take effect.

Contact and complaints

For any privacy question, request, or complaint, email privacy@sprinkle.com, or write to: Privacy — 30M Limited, Office 3 St Anns House, 111 Guildford Road, Lightwater, Surrey, GU18 5RA, United Kingdom. We do not currently appoint a statutory Data Protection Officer (our processing does not meet the UK GDPR Art. 37 threshold), but the privacy address above is monitored by the team member responsible for data protection at 30M Limited. UK / EEA users may also contact the ICO (ico.org.uk).