Privacy Policy

Effective date: March 4, 2026

OnFire Lab, LLC ("we," "us," or "OnFire Lab") operates Zulu Terminal (zuluterminal.com). This policy explains what data we collect, why we collect it, how we use it, and your choices.

1. Information we collect

Account information

When you create an account we collect your name and email address. Passwords are hashed with bcrypt and never stored in plain text. We require a permanent email address; temporary or disposable email providers are not accepted at registration.

Guest usage

You can use Zulu Terminal as a guest without creating an account. Guest usage is rate-limited and we do not collect personal information from guest users beyond standard usage analytics.

Briefing and safety data

When you create a pre-flight briefing, we collect the departure and destination airport codes, and optionally an aircraft N-number. This data is processed by automated agents (powered by Anthropic Claude) to generate AI-enriched safety briefings. Briefings, saved aircraft, and safety data are stored in our database to provide the service.

Shared briefings

You may share a briefing via a private, unguessable link. Shared briefings are read-only and display the briefing content, risk scores, and creation date. Shared links are not indexed by search engines. Sharing can be revoked at any time, which immediately disables the link.

Bot protection

We use Cloudflare Turnstile on our signup form to prevent automated abuse. Turnstile may collect limited interaction data (such as browser type and session signals) to distinguish humans from bots. No personal data is shared with Cloudflare for this purpose beyond what is necessary for the challenge.

Usage data

We use PostHog to collect usage statistics such as page views, session duration, device type, and product usage events (e.g. feature interactions, navigation patterns). PostHog may also record anonymized session replays to help us understand how users interact with the product. Session replays are configured to mask text inputs and sensitive form fields to prevent the capture of personal information. This data is used to improve Zulu Terminal and cannot be used to identify you outside of our platform. You can opt out of analytics tracking by using a browser ad blocker, enabling the "Do Not Track" browser setting, or by contacting us at support@zuluterminal.com.

2. How we use your data

  • Provide and improve Zulu Terminal (pre-flight briefings, aircraft risk profiles, safety intelligence)
  • Authenticate you and secure your account
  • Send transactional emails (account confirmation, password reset)
  • Understand how the product is used so we can make it better

We do not sell your personal data. We do not use your data to train AI models. Your briefing and account data is only accessible to you.

3. Third-party services

ServicePurposeData shared
Anthropic (Claude)AI-enriched safety briefingsAirport codes, aircraft data, weather, safety data for briefing generation
StripePayment processing for subscriptionsEmail, name; card details handled entirely by Stripe
Cloudflare TurnstileBot protection on signupBrowser signals for challenge verification
PostHogProduct analytics, session replayPage views, feature usage events, anonymized session replays
DatadogApplication monitoring and error trackingServer-side logs and performance metrics (no personal info)
Amazon Web Services (AWS)Cloud hostingAll application data is hosted on AWS infrastructure
SendGrid (Twilio)Transactional email deliveryEmail address, name; for account confirmation, password reset, and notifications

Anthropic processes data under their privacy policy; API inputs and outputs are not used to train their models. Stripe processes payment data under their privacy policy. Cloudflare processes Turnstile data under their privacy policy. PostHog processes analytics data under their privacy policy. Datadog processes monitoring data under their privacy policy. AWS processes data under their privacy notice. SendGrid (Twilio) processes email data under their privacy policy. We do not store credit card numbers or payment card details on our servers.

4. Data retention

Your account and briefing data are retained as long as your account is active. If you delete your account, we will delete your personal data within 30 days. Anonymized, aggregated analytics data may be retained indefinitely.

5. Data security

We use industry-standard measures to protect your data, including encrypted connections (TLS), httpOnly authentication cookies, bcrypt password hashing, and role-based access controls. Your briefing data is only accessible to your account.

6. Your rights

You may:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and associated data
  • Opt out of analytics by using a browser ad blocker

To exercise any of these rights, email us at support@zuluterminal.com.

7. Children's privacy

Zulu Terminal is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it.

8. Cookies

Zulu Terminal uses the following cookies:

CookiePurposeType
zt_tokenAuthentication session tokenEssential (HttpOnly, Secure)
zt_roleUser role for frontend navigationEssential (Secure)
Theme preferenceStores your light/dark mode preferenceFunctional
PostHog cookiesAnalytics tracking and session identificationAnalytics (can be blocked)
Cloudflare TurnstileBot protection challenge on signupEssential (signup only)

Essential cookies are required for the service to function and cannot be disabled. Analytics cookies can be blocked using a browser ad blocker or by disabling third-party cookies in your browser settings.

9. International data transfers

Zulu Terminal is operated from the United States. All data, including account information, briefing data, and usage analytics, is processed and stored on servers located in the United States (AWS us-east-1 region). If you access Zulu Terminal from outside the United States, you consent to the transfer of your data to the United States, where data protection laws may differ from those in your jurisdiction.

10. Do Not Track

Some browsers offer a "Do Not Track" (DNT) setting. Zulu Terminal respects the DNT signal. When we detect a DNT header, we disable PostHog analytics tracking for that session. Essential cookies required for authentication and service functionality are not affected by the DNT setting.

11. Data breach notification

In the event of a data breach that affects your personal information, we will notify affected users by email within 72 hours of becoming aware of the breach. The notification will include a description of the breach, the types of data affected, and the steps we are taking to address it. We will also notify relevant regulatory authorities as required by applicable law.

12. California privacy rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to know: You can request details about the categories and specific pieces of personal information we have collected about you, the sources of that information, and the purposes for which it is used.
  • Right to delete: You can request deletion of the personal information we have collected about you, subject to certain exceptions.
  • Right to correct: You can request correction of inaccurate personal information we hold about you.
  • Right to opt out of sale or sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights.

To exercise any of these rights, email us at support@zuluterminal.com. We will verify your identity before processing your request and respond within 45 days as required by law.

13. European privacy rights (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

Legal basis for processing: We process your personal data on the following bases:

  • Contractual necessity: Account data, briefing data, and billing data are processed to provide the service you have requested.
  • Legitimate interest: Usage analytics and product improvement, provided these interests are not overridden by your data protection rights.
  • Consent: Where required, such as for analytics cookies and session replays. You may withdraw consent at any time.

Your rights: In addition to the rights listed in Section 6, you have the right to:

  • Request a portable copy of your personal data in a structured, machine-readable format
  • Object to processing based on legitimate interest
  • Restrict processing of your personal data
  • Lodge a complaint with your local data protection authority

International transfers: Your data is transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for such transfers. To request a copy of the applicable SCCs, contact us at support@zuluterminal.com.

14. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the site. Your continued use of Zulu Terminal after changes constitutes acceptance of the updated policy.

15. Contact us

OnFire Lab, LLC
Email: support@zuluterminal.com