Data privacy and security

This article summarizes the practical reality of how Checkride handles your data. The formal language lives in our Privacy Policy; this is the plain-English version.

What we collect

From all users:

• Account info: name, email, optional profile photo
• Authentication data: hashed password (if set), sessions, login timestamps and IPs
• App activity: pages visited, actions taken (we use this to debug and improve the product)

From student pilots:

• Date of birth (required to gate parental consent for minors)
• Logbook entries and training progress
• Lesson and appointment history
• Endorsements issued to you
• Payment method (tokenized via Stripe — we don't store card numbers)

From CFIs:

• CFI certificate number, ratings, medical class and expiry
• Teaching history (lessons completed, students taught)
• Payout account verification status from Stripe

From schools:

• Legal entity info collected by Stripe for Connect (we don't see SSN/EIN directly)
• Aircraft and fleet records you upload
• Member roster

What we don't collect

• Card numbers, bank account numbers, full SSNs — Stripe holds those.
• Behavioral data from outside our app. We don't track you around the web.
• Conversations you have with other CFIs, students, or schools outside the platform.

Where the data lives

• Primary database: PostgreSQL, hosted in a US-East region with daily snapshots and point-in-time recovery.
• File storage (logbook PDFs, endorsement PDFs, aircraft documents): Active Storage with private buckets and signed URLs that expire quickly.
• Backups are encrypted at rest. Restores are only ever done into the same region.

Who can see your data

Inside your school's workspace:

• School owner, chief instructor, administrator — see everything across the school
• Instructors — see their own students' data, plus shared schedule
• Students — see their own data plus the read-only school roster (CFI names, aircraft you can pick from)
• Dispatchers, mechanics — see only what their role needs

Across schools (e.g., if you're a student at two): we keep your data partitioned. CFIs at School A can't see your logbook entries from School B.

Internally at Checkride: only on-call engineers with a documented need (incident response, customer support ticket on your account). Every internal access is logged.

What we share with third parties

• Stripe — for payments and Connect payouts
• AWS — our hosting provider; they don't access your data, just operate the infrastructure
• Email service provider — to send transactional and marketing emails (the latter requires your opt-in)
• LLM provider (default: Groq) — when you trigger the AI training recommendations or the school priorities chat. The prompt includes your training data; we don't send personally identifiable information beyond first name and your training context.

We don't sell or rent your data, ever, to anyone.

Security practices

• All traffic to and from our servers uses TLS 1.2+.
• Passwords are hashed with bcrypt at a high work factor.
• Sessions are HTTP-only and signed.
• We rotate signing keys on a schedule and immediately upon any suspected exposure.
• We run external security testing periodically. Reports go to security@trycheckride.com.

How to ask us a question we haven't answered here

Email privacy@trycheckride.com. We answer every privacy or data-access request. For GDPR-style requests (right to access, right to deletion), see Cancelling a subscription and exporting your data.