Skip to content
Wingmint

Legal

Privacy Policy

Last updated: · Effective:

At a glance

This is the short version. The rest of the policy expands on every bullet below.

  • We sell Wingmint to US flying clubs. Your club is our customer. You (the member) are the end user. Most of the data we process belongs to your club, and your club decides what happens with it.
  • We don't sell your data.We don't run ad networks. We don't share data with data brokers. No marketing pixels, no Google Analytics, no Facebook tags, no session recorders. We do use privacy-friendly, cookieless traffic analytics (Vercel Analytics) to count page views — it doesn't identify individuals or follow you across sites.
  • We don't train AI on your data.Not our models, and not our vendors' models. Our contracts with subprocessors prohibit it.
  • Your data stays in the United States. Wingmint serves US clubs and is hosted in the US. The only exception is Keycafe(Canada), an optional SmartBox key-exchange integration your club has to turn on — clubs that don't use Keycafe never send data there.
  • TSA FTSP data (citizenship, passport) is used only for compliance. 49 CFR 1552 is the reason we collect it. We use the CPRA §7027(m) safe harbor so it doesn't get reused for anything else.
  • You can get your data out any time. Export via the dashboard or our public API. Portability is a product wedge for us, not a compliance checkbox.

1. Who we are

Wingmint is a software product operated by Fifth Nine, LLC(“Wingmint,” “we,” “us”), an Illinois limited liability company with a mailing address at 2093 Philadelphia Pike #7272, Claymont, DE 19703. Wingmint provides multi-tenant SaaS software that US flying clubs use to manage scheduling, billing, maintenance, member onboarding, and TSA Flight Training Security Program (49 CFR 1552) compliance.

This policy covers the Wingmint website at wingmint.com, club subdomains at *.wingmint.com, any custom domains clubs map to Wingmint, our mobile experiences, and the Wingmint REST and MCP APIs.

2. Who this applies to

This policy describes how we handle data for five groups:

  • Clubs. The flying club that signs up for Wingmint as a customer.
  • Club admins. Officers, treasurers, and secretaries who configure Wingmint for their club.
  • Members. Pilots and students who log in to book aircraft, record flights, and pay dues. Includes instructors (CFIs) and guests.
  • Visitors. Anyone who reads the marketing site without logging in.
  • Applicants. Prospective members who submit an onboarding application to join a club.

3. Our two roles

Wingmint operates in two distinct roles, and it matters which one applies to any given piece of data:

  • We are a processor (or “service provider” under CCPA) for data that a club enters into Wingmint about its members — reservations, flight logs, Hobbs and tach readings, citizenship and FTSP records, squawks, uploaded documents, and billing transactions. Your club is the controller of that data. We handle it on the club's instructions, according to the terms of our agreement with the club and our Data Processing Addendum. If you're a member who wants to access, correct, or delete your data, please contact your club's administrator first. We will assist them in responding to your request.
  • We are a controller for data about the club as a customer (signing contract, billing contact, business email), for information we collect directly from visitors to our marketing site, and for the account data we need to identify a user who logs in (name, email, password hash, session). This is the data where our decisions govern and your rights run directly against Wingmint.

4. Information we process for clubs

When a club uses Wingmint to run its operations, we process the following categories of information on the club's behalf. We don't use this data for our own purposes, we don't sell it, we don't use it to train anything, and we don't mine it for cross-customer insights.

Member profile and credentials

  • Name, email, phone number, mailing address
  • Emergency contact name, phone, relationship
  • Pilot certificate type and number (student, private, commercial, ATP), ratings
  • Medical certificate class, medical expiration date, biennial flight review (BFR) date
  • Role within the club (member, student, instructor, admin)

TSA Flight Training Security Program (49 CFR 1552)

  • Citizenship status (US citizen, lawful permanent resident, non-US citizen)
  • Proof-of-citizenship document type (US passport, birth certificate, naturalization certificate, permanent resident card, foreign passport with visa) and the uploaded document itself
  • FTSP status, category, determination date, and expiration
  • Timestamp and identity of the club administrator who verified the record

Operations

  • Aircraft reservations (start time, end time, aircraft, instructor if any, notes)
  • Flight logs: Hobbs and tach readings, route, landings, fuel, oil added, squawks reported
  • Maintenance records tied to each aircraft, including grounding status
  • Key pickup and return events from Keycafe SmartBox integrations, if your club uses them

Billing and payments

  • Member invoices, dues, flight charges, credits
  • Stripe customer and subscription identifiers (the card and bank account numbers themselves live with Stripe, not Wingmint)
  • Transaction history and monthly statements, retained for audit and tax purposes

Uploaded documents

Members and admins may upload pilot certificates, medical certificates, citizenship proof, insurance certificates, and FTSP determination letters. These files are stored in encrypted object storage (Vercel Blob). Only the member who uploaded the document, the club's admins, and Wingmint staff acting on the club's instructions can access them.

5. Information we collect directly

This is the data where Wingmint is the controller. Your rights under state privacy laws run directly against us for this information.

Account data

When you create a Wingmint login we store your name, email address, a salted hash of your password (we never store the password itself), and an email-verification status. If you sign in via a third-party identity provider, we store the identifier that provider gives us instead of a password.

Session and device data

When you log in, we record the session (expiration time, the organization you're currently working in), your IP address, and a user-agent string. We use this for security (detecting account takeover, forcing re-authentication) and to keep you logged in across requests. IP addresses are not used to build an advertising profile.

Customer relationship data

When a club signs up as a paying customer we collect the business name, billing email, mailing address for tax purposes, the name and email of the admin who signed the agreement, and records of our correspondence.

Visitor data

When you visit wingmint.com without logging in, our web host (Vercel) receives the request and records standard server logs: URL requested, timestamp, IP address, user-agent, referrer. These logs are used for operational purposes (capacity planning, abuse detection) and are retained by Vercel per its logging defaults.

We also use Vercel Analyticsfor privacy-friendly traffic measurement — aggregate page-view counts, country, device class, and referrer. It is cookieless, uses no third-party identifiers, and does not fingerprint individual users or follow them across sites. We do not run any other analytics, advertising, or session-recording tools on the marketing site or in the product.

Support conversations

If you email us at support@wingmint.com or hello@wingmint.com, we keep the email thread so we can help you and so the next person on our team can pick up where the last one left off.

6. How we use information

Under state privacy laws we're required to tell you the specific purposes for which we use personal information. Here they are:

  • Providing the service. Authenticating you, displaying the schedule, accepting a reservation, billing a member, sending a statement.
  • Legal compliance. TSA 49 CFR 1552 (FTSP) verification and recordkeeping. FAA Part 61 pilot record retention. Tax and accounting recordkeeping. Responding to lawful subpoenas and court orders.
  • Security, fraud prevention, and abuse detection. Rate-limiting login attempts, flagging unusual behavior, logging administrative actions.
  • Product improvement.Aggregated, de-identified usage patterns (“how many clubs use the mobile app on weekends”) help us decide what to build next. We do not profile individual members for this.
  • Customer and member support. Answering emails, investigating bug reports, helping a treasurer reconcile a month-end statement.
  • Communications.Sending the transactional emails you'd expect (verify your email, reset your password, here's your monthly statement). We also send occasional product announcements to club admins; these are not required and you can unsubscribe.

We do not use personal information for targeted advertising, cross-context behavioral advertising, profiling that produces legal or similarly significant effects, or any purpose not listed above.

7. Sensitive personal information

Under California's CPRA (and similar categories in Virginia, Colorado, Connecticut, and other states), some of the data Wingmint handles counts as sensitive personal information:

  • Citizenship and immigration status (required for TSA FTSP)
  • Government identifiersin uploaded citizenship-proof documents, which may include passport numbers, driver's license numbers, and permanent resident card numbers
  • Financial account information(Stripe customer identifiers tied to a bank account or card — the actual card and account numbers are stored by Stripe, not by Wingmint)
  • Account credentials (the salted password hash used to authenticate you)
  • Precise geolocation, indirectly, in the form of the mailing address a member provides during onboarding

We only use sensitive personal information for the reasons we collected it — providing the Wingmint service you've asked us to provide, keeping your account secure, and complying with legal obligations like 49 CFR 1552. We do not use it to infer characteristics about you, we do not use it to advertise, and we do not disclose it for any purpose beyond those listed in Section 8.

Because our use of sensitive personal information falls within the purposes enumerated in California Code of Regulations §7027(m), the CPRA “Right to Limit Use and Disclosure of Sensitive Personal Information” does not apply to Wingmint's processing. If we ever expand our use of sensitive PI beyond these purposes, we'll update this policy, notify you, and publish a “Limit the Use of My Sensitive Personal Information” link.

8. Who we share with

We do not sell personal information.We do not share personal information for cross-context behavioral advertising. We don't use data brokers. Full stop.

We share personal information in four narrow circumstances:

  • With the club you belong to.Your reservations, flight logs, member profile, and billing history are visible to your club's admins, treasurers, and instructors in the roles your club configures. This is how a flying club works.
  • With our subprocessors.Vendors that run parts of the Wingmint service on our behalf — our web host, database, payment processor, email sender, key-box integration, address autocomplete. We publish a named list of these vendors at wingmint.com/subprocessors so your club can see exactly who we use and what they do. Every subprocessor is under a written contract that binds them to handle data only for the purpose of providing the service to Wingmint, with no training or secondary use.
  • With law enforcement or regulators.If we're served with a lawful subpoena, court order, or TSA / FAA request that compels disclosure, we'll comply. We review every request and push back on overbroad ones. Where legally permitted, we'll notify the affected club before disclosing.
  • In a business transfer.If Wingmint is acquired, merged, or sells its assets, personal information goes with the business. The acquirer will be bound by a policy at least as protective as this one, or we'll notify you and give you a chance to delete first.

9. AI and automated decisions

We do not use club or member data to train generative AI or machine-learning models. Not our own models, and not our vendors' models. The contracts with every subprocessor that could conceivably touch an AI pipeline (including our email, hosting, and any future AI-feature vendors) prohibit training on Wingmint customer data and require deletion of any prompt or response data on a short horizon.

Wingmint does not currently use AI features that affect your account. We do not use automated processing to make legal or similarly significant decisions about you (such as approving or denying your club membership, or pricing insurance). If we add an AI feature later — for example, suggesting maintenance intervals or flagging scheduling conflicts — we'll update this policy to disclose what data the feature uses, what it produces, and how you can opt out.

10. How long we keep it

We retain personal information only for as long as we need it to provide the service or meet a legal obligation:

CategoryRetention
Account data (name, email)Life of account + 90 days after deletion
Session recordsExpire per session lifetime; purged within 30 days
Flight logs and pilot recordsRetained per your club's recordkeeping policy and FAA Part 61 guidance (typically 7+ years)
TSA FTSP recordsRetained for the period required by 49 CFR 1552 (minimum 5 years from date of training)
Billing and tax records7 years, per IRS and state tax requirements
Uploaded documents (passport, medical)Life of membership + 5 years, then purged unless still needed for FTSP
Support email threads2 years
Server access logs30 days
Marketing contact data (newsletter, demo requests)Until you unsubscribe + 30 days

When your club cancels its Wingmint subscription, we keep its data in read-only mode for 90 days so the club can export it, then permanently delete it — except for records we're required to retain under TSA, FAA, or tax law, which we keep in cold storage for the required period.

11. Your rights

Depending on where you live, you may have the following rights over personal information that Wingmint controls:

  • Access. Ask for a copy of the personal information we hold about you.
  • Correction.Ask us to fix information that's wrong.
  • Deletion. Ask us to delete personal information, subject to legal retention requirements.
  • Portability. Ask us to deliver your data in a portable format. (You can also self-serve this from the dashboard and API.)
  • Opt out of sale, sharing, or targeted advertising. Wingmint doesn't engage in any of these, but you have the right anyway and we honor the Global Privacy Control signal as a valid opt-out.
  • Appeal a denial.If we decline a rights request, you can appeal. We'll respond to appeals within 45 days.
  • Non-discrimination. Exercising a privacy right will not change your price, service level, or access.

How to exercise rights.For data your club controls (your member profile, reservations, flight logs, FTSP records, billing), contact your club's admin first — they have direct tools to help you. If they can't resolve your request, or for data Wingmint controls directly (your account login, our marketing emails), email privacy@wingmint.com. We'll respond within 45 days. If we need more time, we'll tell you why and extend once by another 45 days at most.

We verify requests by matching identifying details to the information we already hold — typically your login email plus one additional signal. We will not ask for information we don't already have just to verify you. You may use an authorized agent; we'll require written authorization and may still verify you directly.

12. Security

No system is perfectly secure, and we will not tell you ours is. Here are the specific controls we rely on:

  • All traffic to Wingmint is encrypted in transit using TLS 1.3.
  • Data at rest in our database and in object storage is encrypted with AES-256.
  • Passwords are hashed with a modern, slow hash (Argon2id-family), not stored in plaintext or with legacy hashes like SHA-1 or MD5.
  • Postgres row-level security plus a multi-tenant data model isolate every club's data. A query from one club cannot return rows belonging to another.
  • Administrative access to production is limited to a small number of Wingmint staff using single-sign-on and hardware-backed multi-factor authentication. Every production action is logged.
  • Uploaded documents (passport, medical) are stored in encrypted object storage with short-lived signed URLs; the club and the member who uploaded the document are the only users authorized to read them.
  • Payment card and bank account numbers are handled by Stripe, a Level 1 PCI-DSS service provider. Wingmint itself is not PCI in scope for card numbers.
  • We run automated vulnerability scans against dependencies on every deploy, patch promptly, and test backups.

If we have a breach.If we learn of a security incident that affects your personal information, we'll notify your club administrator without undue delay (typically within 72 hours of becoming aware) and, if the law requires direct notice to individuals, we'll send that too. Breach notifications will describe what happened, what information was involved, and what you can do to protect yourself.

13. US-only processing

Wingmint is built for US flying clubs. We host our service in the United States, and every core subprocessor listed on our subprocessors page processes member data in the United States. We do not intentionally target, market to, or onboard customers outside the US.

The one exception is Keycafe, a Canadian vendor that operates SmartBox key exchange hardware. Keycafe is an optional integration — a club only sends data to Keycafe if the club explicitly enables the integration and installs Keycafe hardware at their hangar. Clubs without SmartBoxes never transfer data to Keycafe. When the integration is active, the data is limited to what's required to hand off a key: member name, member contact, and one-time access codes.

We do not transfer personal information to the European Economic Area, the United Kingdom, or other jurisdictions with separate data-export regimes. If you are located outside the US, please do not use Wingmint — our service is not designed to meet GDPR, UK GDPR, or other non-US legal frameworks.

14. Children

Wingmint is designed for adult members of flying clubs. Clubs are responsible for obtaining any required parental consent before creating accounts for members under 18.

Wingmint is not directed to children under 13, we do not knowingly collect personal information from children under 13, and we do not knowingly sell or share personal information of any user under 16. If you are a parent or guardian and believe a child has provided us with personal information without consent, contact privacy@wingmint.com and we'll delete it.

15. State-specific notices

California

California residents have the rights described in Section 11, plus the right to know what categories of personal information we've collected, disclosed, sold, or shared in the past 12 months. We've collected the categories listed in Sections 4 and 5. We haven't sold or shared any category. We disclosed categories for business purposes to the subprocessors listed at wingmint.com/subprocessors. As described in Section 7, we rely on the §7027(m) safe harbor for our use of sensitive personal information.

California “Shine the Light” (Cal. Civ. Code §1798.83): we do not share personal information with third parties for their own direct-marketing purposes.

Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Nebraska, Rhode Island

Residents of these states have substantially the same rights described in Section 11 under their respective state privacy laws. You can exercise these rights as described in Section 11. If we deny a request you may appeal; appeals are decided within 45 days. If your appeal is denied and you live in one of these states, you may file a complaint with your state Attorney General.

Nevada

Nevada residents have the right to opt out of the sale of covered information under NRS 603A.340. Wingmint does not sell covered information, and has no opt-out to offer because the conduct doesn't occur.

16. Changes to this policy

We'll update this policy when our practices change or when the law makes us. For material changes — new categories of data, new sharing practices, changes to your rights — we'll notify club admins by email at least 30 days before the change takes effect and post a summary of what's new at the top of the updated policy for at least 60 days after. We'll keep an archive of prior versions available on request.

Changelog

  • April 16, 2026— Initial version.

17. Contact

Questions, rights requests, or concerns about this policy?

For a list of our named subprocessors, see wingmint.com/subprocessors. For terms of service, see wingmint.com/terms.