AviLabs & Plan3 Privacy Policy

We are committed to protecting your safety and privacy, and we take our responsibilities regarding the protection of personal information seriously.

As you use and interact with AviLabs websites, products, and services, we process information from and about you in order to provide you with access to our tools, and to enhance experience and support. That means that we collect, use, and process your information. This privacy policy explains which data we collect, how we use it, how we protect and which rights you have in relation to our processing of your personal data.

  1. Who we are

Avilabs is in the business of providing disruption management software and related services to airlines and develops, maintains, operates, and markets a flight monitoring and disruption handling software for the travel industry called Plan3. Therefore, AviLabs is the company behind the Plan3 product.


Any references in this Privacy Policy (the “Policy”) to “AviLabs” “we”, “us” or “our” means AviLabs ehf., a company registered in Iceland with registration number no. 5208192150 and registered office at Nóatún 17, 105 Reykjavik, Iceland.

  1. Our relationship with you

Whether we are a data processor or a data controller will depend on our relationship with you. We will be a data processor:

In all other cases when it comes to personal data collected, we will be the “data controller” for the purposes of the Icelandic Data Protection Act and other data protection laws that apply to us, like the EU General Data Protection regulation (the “GDPR”). This will include when:

This Privacy Policy only applies when we are the data controller. my review hereshopscontinue reading

  1. Personal data we collect about you

When we use the term “personal data” in this Policy, we mean any information relating to you and through which you can be identified, directly or indirectly, or in combination with other information that we may hold.

We only collect your personal data where it is necessary for the purposes described in this Policy and in accordance with data protection laws. The types of personal data that we collect will depend on our relationship with you, the circumstances of collection and the type of service you are requesting from us. The personal data we collect and process may include: 

  1. Information needed to create a Plan3 account

To be able to use Plan3, you must supply us with information that is needed to create an account for you and manage your ability log in and out of Plan3:

Please keep in mind that if you an employee of any of our customers which is utilizing the Plan3 platform and has contacted us in relation to use the services, we may process the personal data necessary for such communications.

  1. Information processed when you visit our websites or the Plan3 product

When you are using our websites or the Plan3 product, we will be receiving certain information, such as:

  1. Marketing information

You may have signed up for our marketing communications for our services, competitions, surveys, newsletters, promotions or events. In signing up for such communications, we may be collecting personal data in relation to you, such as your e-mail address, name and other information you choose to provide us with, such as your job title or phone number.

  1. Other information when you interact with us in other ways

In addition to all the above, you may voluntarily provide us with information when you interact with us in other ways. We may collect any communications or feedback you exchange with us, such as your emails, letters, calls, or your messages or posts on social media directed to us. 

  1. How do we collect personal data

We will mainly collect your personal data directly from you, e.g. the information you provide us with when creating a Plan3 account, when you communicate with us or when you sign up for our marketing communications. We also collect your personal data whenever you use our services. This includes, for example:

However, in some cases we might collect information about you from third parties. If you are an employee of one our customers, he may have contacted us with your personal information as necessary for you to create an account for the customer or for our communications with you.

  1. Special categories of personal data

We don’t really collect personal data that is considered “special categories of personal data” that is subject to additional protection under the GDPR (for example, information revealing your racial or ethnic origin, physical or mental health, religious beliefs or trade union membership). However, it may happen that you send us such information without us asking in your communications with us. In such instances, we do recognize our legal obligations under article 9 of GDPR.

  1. Why we use your data

We use your data to operate our product and services, communicate with you or to further develop our products. As such, we may process your information to provide our services and to operate our business. This includes, by way of an example, us processing information to:

We may also process your information for information security purposes in order to be able to ensure that our product functions properly and to minimize the possibility of any information security related incidents that might affect us, our customer or you as a user. This includes, by way of an example, us processing information to:

In addition, we process your information in order to communicate with you in various ways. This includes, by way of an example, us processing information to:

  1. Our lawful basis to process data

We will only process your personal data where we have a legal basis to do so. The legal basis will depend on the reason we collected and our need to process your information. Our legal basis for the processing of your personal data are:  

As further explained below, where the basis of our processing is consent, you can withdraw your consent to such processing at any time. 

  1. How long we keep your personal data for

We keep your personal information contained in the Plan3 account for as long as you hold the account. You can change the personal data in your account directly in the account.

If you are a customer of ours, we will simply delete your personal data when you terminate our contract, as per our Terms.

Otherwise, if you decide to delete the Plan3 account, we will delete your personal data within 3 months. However, we may need to retain non-personal data related to the account, e.g. in relation to account usage, as necessary for our legitimate business purposes – for example for us to proof to our customers that certain activity by a Plan3 account resulted in fees for them.  

When our use of your personal data is based on your consent, you have the option to withdraw your consent of our processing and delete your personal data at any time. You can do this by submitting your request to us.

  1. Protecting personal data

We are committed to protecting the personal data we hold and we have implemented appropriate technical and organisational measures against unauthorised, accidental or unlawful access, loss, destruction or damage of such data.

In addition, we only allow access to your data to our employees, agents, contractors or other parties who have a business need to know. When we trust third parties to process your data on our behalf, we require that they will protect your data the same way we do and that they comply with appropriate security standards.

We have procedures and policies in place in the event of a security breach related to personal data. Where relevant, we will notify you or our supervisory authority of a security breach when we are under the duty to do so under the GDPR.

  1. Sharing personal data

We do not share your information with third parties for their own direct marketing purposes. We do not sell your information as defined under applicable law. However, we use and share the categories of information we collect from and about you consistent with the various business purposes we discuss throughout this Privacy Policy. Such parties can be categorized as follows:

  1. Your data protection rights

You have specific rights under the GDPR that allow you to understand and, to certain extent, control the way we process your personal data:

  1. The right to access your data: you have the right to receive a copy of the personal data we hold about you and to receive information about how we process such data.
  2. The right to correct your data: you have the right correct your data. If you suspect that we hold inaccurate or incomplete information about you, please let us know so that we can update and complete our records.
  3. The right to delete: in certain instances, you have the right to request that we delete your data. Please note that we will automatically delete or anonymise your data after its retention period has passed and as such, you do not need to submit a specific request for this.
  4. The right to restrict processing: in limited circumstances, you may request that we do not process your data, but only store it, e.g. while you are seeking us to correct your data.
  5. The right to withdraw consent: in limited circumstances, you may have the right to withdraw your consent for our processing of your personal data, where we are utilizing your consent as a basis for our processing. In such instances, we will respect your choice and stop processing your data further.
  6. The right to object: you may consider that you have reasons to object to the use of your personal data when such use is only based on our legitimate interests as described in this Policy. Before using your data for legitimate interests, we have balanced these interests against your rights and freedoms. However, if you consider that you have grounds to object to the use of your data, you can explain to us your particular situation and we will individually review your request.
  7. Rights in relation to automated decision making: we do not take decisions about individuals process based solely on automated processing. As such, this right is not applicable.
  8. The right to data portability: where the processing of your data is based on consent or on a contract and the processing is carried out by automated means, you have the right to receive such data in a structured, commonly used, machine-readable format.

You can exercise your above rights by contacting our Data Protection Officer. For more information, see section 13 below.

  1. Updates to this Policy

We will modify this Privacy Policy when there is a change to the way we process your data and when we need to ensure that the information we provide to you is up to date and in accordance with the relevant data protection laws. Any new version of this Policy will be published on this website.

  1. Contact information

Questions or comments in relation to this Policy, and/or requests concerning your rights under GDPR, should all be directed to our Data Protection Officer in writing to the following email: dpo@avilabs.is, or to our address: AviLabs ehf., Nóatúni 17, 105 Reykjavík, Iceland.