Skyline Soaring Club Data Retention Policy

Effective Date: not yet approved by the board
Last Updated: January 17, 2026

Purpose

This Data Retention Policy explains how long Skyline Soaring Club retains member and operational data stored in the Manage2Soar system. This policy ensures compliance with legal requirements, protects member privacy, and supports club operations.

Data Categories and Retention Periods

Member Information

• Active Members: Retained during active membership
• Former Members: 7 years after departure from club
• Rationale: Legal compliance, financial record-keeping, IRS requirements, alumni relations
• Includes: Name, email, address, phone number, membership status, emergency contacts

Flight Operations Data

• Flight Logs: Retained indefinitely for safety and historical purposes
• Instructor Reports & Check Flights: Retained indefinitely
• Student Training Records: Retained indefinitely
• Rationale: Safety analysis, accident investigation, FAA requirements, insurance claims, operational continuity

Financial Records

• Payment History: 7 years (IRS requirement)
• Invoices & Receipts: 7 years
• Dues Records: 7 years
• Tow Fees & Flight Charges: 7 years
• Rationale: Tax compliance, audit support, dispute resolution

Duty Roster & Reservations

• Future/Current Assignments: Until completed
• Historical Duty Records: 2 years
• Aircraft Reservations: 2 years after reservation date
• Swap History: 2 years
• Rationale: Operational planning, dispute resolution, fairness tracking

Communication Records

• Automated System Emails: 30 days in system logs
• Member-to-Member Communications: Not stored (sent via external email providers)
• Notification History: 30 days, cleared out at the end of the month
• Rationale: Troubleshooting, audit trail, system optimization

Authentication & Session Data

• Active Login Sessions: 30 days maximum (automatic expiration)
• OAuth Tokens (Google): Until revoked by user or provider
• Password Reset Tokens: 24 hours (automatic expiration)
• Rationale: Security best practices, privacy protection

User-Generated Content

• Member Biographies: Until member requests deletion
• Profile Photos: Until member updates or deletes
• CMS Pages & Documents: Until manually deleted by authorized personnel
• Rationale: Member-controlled content, club documentation

System Backups

• Daily Database Backups: 30 days (encrypted)
• Monthly Database Backups: 1 year (encrypted)
• Rationale: Disaster recovery, business continuity
• Storage: Google Cloud Storage with automatic lifecycle policies

Analytics & Usage Data

• Page Views & Feature Usage: 90 days (if implemented)
• System Performance Metrics: 90 days
• Rationale: System optimization, capacity planning

Data Deletion Procedures

Automatic Deletion

The following data is automatically deleted according to retention policies:

• Expired session tokens and authentication credentials
• Old database backups (via Google Cloud Storage lifecycle policies)
• System log files (90-day rotation)
• Notification history (30 day cleanup, run at end-of-month)

Member-Requested Deletion

Members can request account closure and data deletion by contacting the club office at webmaster@skylinesoaring.org. Upon account closure:

1. Account is immediately marked inactive
2. User-generated content (biography, photos) is deleted immediately
3. Personal contact information is retained for 7 years (financial compliance), then anonymized
4. Flight safety records are retained indefinitely but de-identified (no personal information)

Anonymization Process

After the 7-year retention period for departed members:

• Name is replaced with "Former Member #[ID]"
• Email, phone, and address are permanently deleted
• Membership dates and financial totals are retained (de-identified)
• Flight records remain for safety analysis but are no longer linked to personal identity

Member Rights

Right to Data Access

Members can request a complete copy of their personal data stored in Manage2Soar by contacting webmaster@skylinesoaring.org. Requests will be fulfilled within 30 days.

Right to Correction

Members can update most personal information directly through the member portal. For assistance or corrections that require admin access, contact the club office.

Right to Deletion

Members can request account deletion as described above. Note that certain records must be retained for legal compliance even after account closure.

Right to Data Portability

• Members can export their flight logbook, training records, and other personal data in machine-readable format upon request.
• Members can also export their flight logbook as a feature of this website, without contacting any membership officer. 

Legal Basis and Compliance

This policy complies with:

• FAA Requirements: Record-keeping for flight instruction and student progress (14 CFR Part 61)
• General Data Protection Best Practices: Proportionate retention, secure deletion, member rights
• California Privacy Laws: Right to access, deletion, and data portability (if applicable)

While Skyline Soaring Club may not be legally required to comply with all data protection regulations (such as GDPR or CCPA), this policy reflects industry best practices and demonstrates good data stewardship.

Data Security

All retained data is protected using:

• Encryption: Data encrypted in transit (TLS/HTTPS) and at rest (database encryption)
• Access Controls: Role-based permissions limit data access to authorized personnel
• Audit Trails: System logs track data access and modifications
• Backup Security: Database backups are encrypted using AES-256 encryption
• Infrastructure: Hosted on Google Cloud Platform with SOC 2 compliance

Third-Party Data Sharing

Skyline Soaring Club does not sell or share member data with third parties except:

• Service Providers: Google Cloud Platform (hosting), SMTP2Go (email), only as necessary for system operations
• Legal Requirements: When required by law, court order, or to protect club interests
• Safety Investigations: With FAA, NTSB, or insurance providers in the event of an accident

Policy Updates

This policy may be updated periodically to reflect changes in:

• Legal requirements and compliance standards
• System capabilities and data storage practices
• Club operational needs and member feedback

Material changes will be communicated to members via email and posted on the member homepage. Check the "Last Updated" date at the top of this page for the most recent version.

Contact Information

Questions, concerns, or requests regarding this policy should be directed to:

Privacy Contact: webmaster@skylinesoaring.org
Webmaster: webmaster@skylinesoaring.org

---