Longeron Privacy Policy

Effective Date: June 28, 2026

1. Introduction

This Privacy Policy explains how Turbsol Management, LLC, doing business as Longeron, formerly JASSCO ("we", "us", or "our"), collects, uses, and shares information across the Longeron platform and its web and mobile applications and modules — including AvPics (web and the AvPics iOS app), the Filing Assistant, QuoteDeck, the Finance module, and Station (collectively, the "Services"). It should be read together with our Terms of Service.

Company Information

Service Name: Longeron (AvPics, Filing Assistant, QuoteDeck, Finance, Station)

Data Controller: Turbsol Management, LLC (d/b/a Longeron)

Email: legal@jassco.net

Phone: +1-980-414-8848

Website: https://www.jassco.net

2. Scope

This policy applies to information collected through the Services, whether accessed via the web application or the mobile (iOS) app. Most data is processed on behalf of the customer organization that holds the account; in that context the organization is the controller of its operational data and Longeron acts as its processor.

3. Information We Collect

3.1 Account & Authentication

  • Name, email address, and (for password sign-in) a hashed password; or single sign-on identity (e.g., Microsoft Entra)
  • Company/organization name and your role/permissions (e.g., admin, member, inspector)
  • Profile avatar and basic activity counters (last active, session counts), and user invitations (invitee email, assigned role)

3.2 Aviation Operational Content

  • QC photos & images — part, data-plate, serial-number, defect, packaging, certificate, and shipping-label photos, including annotated images
  • Capture metadata — timestamps, captions, severity ratings, photo type, inspector name, and optional GPS location (only if you enable location tagging)
  • Part & work data — part/serial numbers, barcode values, work-order/PO/SO/RO/RMA/invoice IDs, condition codes, inspection notes
  • Generated documents — assembled photo and inspection-report PDFs
  • Quotes & RFQs (QuoteDeck) — customer/contact names and emails, quote numbers, prices, line totals; and inbound RFQ emails (sender/recipient, subject, and full message body) when you use email-to-quote

3.3 Integration Credentials

When you connect a third-party system, we store the OAuth tokens, API keys, and connection settings needed to operate the integration (e.g., Salesforce/AvSight, QuickBooks, Smart145, PrintNode, cloud storage). These are held server-side with restricted access and, on the iOS app, in the device Keychain.

3.4 Billing & Subscription

  • Web/organization plans: Stripe customer and subscription identifiers, plan/seat selections, billing email and address, invoice status, and subscription/invoice events. We never see or store your card details — Stripe processes payments.
  • iOS in-app purchases: Apple transaction IDs, receipts, product/plan, subscription status, trial/period and auto-renewal information, and receipt-validation results. Apple processes the payment; we never see your card details.
  • Contracts: plan/term details, signer name, signature status, and the signed-document reference.

3.5 Device & Usage Data

  • Device id/name/model/type, OS and app version, platform
  • IP address, user agent, login/logout method, session start/end and duration, and a hashed session token
  • Basic diagnostics, sync logs, and feature-usage patterns

3.6 AI Assistant Content

If you use the in-app AI assistant, we store your chat sessions and messages, and the inputs you submit are processed by our AI provider as described in Section 4.3 and Section 5.2.

3.7 Sales, Support & Other

  • Demo-request leads (name, email, phone, company, size, role, message)
  • Support communications, attachments, and bug reports
  • Cargo-insurance certificates (certificate number, coverage, premium, freight reference) when you purchase coverage
  • Audit/compliance records (e.g., quote-write audit trail, filing-checklist status and notes)

What We Do NOT Collect

The Services are not designed to collect sensitive personal information (such as government ID numbers, financial account numbers, or biometric identifiers beyond device-level Face ID/Touch ID) unless your organization intentionally includes such information in uploaded content. We recommend avoiding upload of sensitive personal information unless strictly necessary for your aviation compliance processes.

Important: We never see or store your credit/debit card or payment-method details. Card processing is handled exclusively by Stripe (web/organization billing) or Apple (iOS in-app purchases).

4. How We Use Information

4.1 Provide & Operate the Services

  • Capture, organize, and store QC photos and batches; scan barcodes; generate PDFs and inspection reports
  • Authenticate users and enforce role-based access; manage seats and entitlements
  • Run QuoteDeck, Filing Assistant, and Finance workflows, and sync with your connected systems
  • Maintain security, prevent fraud and abuse, troubleshoot, and improve reliability and performance
  • Provide customer support

4.2 Subscription & Billing

To verify active subscriptions, grant feature access by tier, process renewals/cancellations, handle billing retries, and meet financial-compliance obligations.

4.3 AI-Assisted Features

When you use the AI assistant or AI-assisted summaries, the relevant inputs and context are sent to our AI provider to generate a response. Our AI providers contractually do not use your data to train their foundation models, and we do not use Customer Data to train AI models (see Section 6.3). AI output may be inaccurate; you are responsible for verifying it before relying on it.

5. How We Share Information

5.1 Platform Sub-Processors

We use the following service providers to operate the Services. They process data only to provide services to us and are bound by confidentiality and data-protection obligations:

  • Supabase — primary database, authentication, file storage (photos/PDFs/avatars), and realtime signaling. Backed by Amazon Web Services (AWS).
  • Vercel — application hosting, serverless execution, and scheduled jobs; all requests transit Vercel.
  • Stripe — subscription billing and payment processing (web/organization plans).
  • Anthropic — large-language-model provider powering AI-assisted features (see Section 5.2).
  • Resend — transactional and outbound email (invites, password/recovery links, demo notifications, quote delivery).
  • Sentry — error monitoring, performance tracing, and Session Replay (see Section 5.3).
  • DocuSeal — self-hosted e-signature processing, including contract sends (signer name/email, document fields, and signed documents).
  • Microsoft (Entra ID / Graph) — single sign-on and directory lookup where used.
  • Metered (TURN/STUN) — WebRTC relay that carries the live Station camera stream when a direct connection isn't possible.
  • CARTO and Microlink — map basemap tiles and a hosted marketing preview image; these receive only standard browser request data (IP, user-agent), not your business records.

5.2 AI Processing (Anthropic)

The AI assistant sends the inputs you submit, along with relevant context (which may include your company name, enabled features, team roster, finance notes, and live results from your connected ERP such as AR aging, cash-flow, margins, and order/part lineage), to Anthropic solely to generate the requested response. This data is not used to train foundation models.

5.3 Error Monitoring & Session Replay (Sentry)

To diagnose errors and improve reliability, we use Sentry, which captures error events, stack traces, and request context, and may record a sample of browser Session Replays (always on error, and a fraction of normal sessions). Replays can capture on-screen content; we apply masking where feasible, but you should avoid displaying sensitive information you would not want recorded for debugging.

5.4 Within Your Organization

Your organization's administrators and supervisors may have access to user accounts and permissions, company-wide batches, photos, quotes, finance data, reports, and analytics.

5.5 Customer-Connected Integrations

When you connect a third-party system, data flows to/from it according to your configuration. These are your integrations, governed by their own terms:

  • ERP systems — Salesforce/AvSight and Smart145: we read operational records and write back QC and quote PDFs and quote records.
  • Accounting — QuickBooks Online (Intuit): we read payables/finance data for the Finance module.
  • Printing — PrintNode: we send document content (PDFs/images) to your networked printers.
  • Cloud storage — Microsoft OneDrive/SharePoint, Google Drive, Dropbox, Box: document sync where configured.
  • Cargo insurance — FlyCovr/Loadsure: shipment details and recipient emails when you quote or purchase coverage.

5.6 Apple App Store (iOS)

For iOS in-app purchases, Apple processes payment and sends us server-to-server notifications of subscription events (purchases, renewals, cancellations, expirations, refunds) along with transaction IDs and receipts. We never receive your card details. You can manage subscriptions in your Apple ID settings.

5.7 Legal, Safety & Business Transfers

We may disclose information to comply with law, regulation, legal process, or governmental/aviation-regulatory request (e.g., FAA, EASA), or to protect rights, property, and safety. If we are involved in a merger, acquisition, or sale of assets, information may be transferred subject to applicable law and the protections in Section 6.

We do not sell your personal information.

6. Content Ownership and Intellectual Property

6.1 Your Data Belongs to You

All photos, documents, inspection records, quotes, part data, and other content you upload or create using the Services ("Customer Data") is and remains your property (or your organization's property). Turbsol Management, LLC does not acquire any ownership rights to Customer Data.

6.2 Limited Processing License

We process Customer Data solely to provide the Services — storing, backing up, transmitting, and displaying it as needed to operate them (including via the sub-processors above). We do not use Customer Data for any other purpose.

6.3 No Secondary Use

We will not:

  • Use Customer Data for advertising, analytics products, or benchmarking
  • Sell, license, or share Customer Data with third parties for their own purposes
  • Use Customer Data to train artificial-intelligence or machine-learning foundation models
  • Mine Customer Data for insights beyond what is needed to provide the Services

6.4 Data Portability

You may request a full export of your Customer Data at any time. We will provide it in standard, machine-readable formats (CSV, JSON, or PDF as appropriate) within 30 days of request.

6.5 Service Discontinuation

If Turbsol Management, LLC discontinues the Services:

  • We will provide at least 90 days written notice
  • You will have full access to export your Customer Data during the notice period
  • Customer Data will not be treated as a business asset in any sale, merger, or bankruptcy proceeding
  • We will permanently delete Customer Data after confirming successful export or at the end of the notice period, whichever comes first

6.6 Enterprise Content Protection

For enterprise and organizational customers, your proprietary business data, trade secrets, processes, and methodologies stored in the Services are protected under this policy and our Terms of Service. Longeron's access to such data is strictly limited to service delivery and authorized support activities.

7. Data Retention

Active Accounts: We retain information as long as your account is active and for legitimate business purposes.

Account Deletion: When you delete your account:

  • Data is marked for deletion within 30 days
  • Backups may persist for up to 90 days
  • Some data may be retained longer for aviation compliance and legal requirements (FAA/EASA record-keeping mandates)

7.1 Specific Retention Periods

  • Subscription & transaction records: duration of subscription plus up to 7 years (financial compliance)
  • Subscription events: up to 3 years (dispute resolution)
  • Failed receipt validations: until resolved or 90 days
  • Aviation inspection records: per FAA/EASA requirements (typically 2–7 years depending on record type)

Organization Policies: Your organization may have its own retention policies for aviation inspection records that supersede general data-retention practices.

8. Security

8.1 Data Encryption

  • Data encrypted in transit (TLS)
  • Passwords hashed (Supabase Auth / bcrypt)
  • Database and storage encryption at rest
  • Integration tokens stored with restricted, service-role-only access; on iOS, in the device Keychain

8.2 Access Controls

  • Row-level security and role-based access control (RBAC)
  • Single sign-on and multi-factor authentication available (enforced at your identity provider)
  • Face ID / Touch ID support on mobile

8.3 Infrastructure

  • Supabase/AWS and Vercel security infrastructure
  • Regular updates, vulnerability scanning, and monitoring

Note: No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we implement industry-standard practices.

9. Your Choices & Rights

Depending on your location and applicable laws, you may have rights to:

  • Access a copy of your data
  • Correct inaccurate information
  • Delete your account and data (subject to aviation record-keeping requirements)
  • Export your data in a portable format
  • Object to certain processing

EEA users have additional rights under the GDPR (rectification, erasure, portability, and to lodge a complaint with a supervisory authority). California residents have rights under the CCPA/CPRA to know, delete, correct, and to non-discrimination for exercising rights. International transfers rely on Standard Contractual Clauses or other appropriate safeguards.

How to Exercise Your Rights

  • Organization-managed accounts: contact your administrator first.
  • Direct requests: contact us at legal@jassco.net.
  • Response time: within 30 days.

10. Children's Privacy

The Services are professional business applications intended for aviation-industry professionals. They are not intended for use by children under 18, and we do not knowingly collect personal information from children.

11. International Transfers

If you use the Services from outside the United States, your information may be transferred to and processed in the United States (where our primary infrastructure runs) and other jurisdictions where our sub-processors operate. Those jurisdictions may have different data-protection laws; we use Standard Contractual Clauses and other appropriate safeguards for such transfers.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be posted on this page with an updated effective date.

13. Contact Us

For questions about this Privacy Policy, or to request access, correction, or deletion, contact us at:

Privacy Officer: Longeron Legal Team

Email: legal@jassco.net

Phone: +1-980-414-8848

Response Time: Within 30 days