Skip to Content

PERSONAL DATA PROTECTION POLICY - KRISTAL GROUP

Version 2.1 · 05/09/2026 · English

PREAMBLE

KRISTAL places confidentiality and security of personal data at the heart of its commitments to its customers, prospects, suppliers, partners, and users.

This policy (the "Policy") describes the conditions under which the companies of the KRISTAL group collect and process personal data, in compliance with Regulation (EU) 2016/679 known as the "GDPR" and with the French Data Protection Act of January 6, 1978, as amended.

The Policy applies to all activities of the KRISTAL group: KRISTAL Parts (worldwide distribution of aircraft parts), KRISTAL AERO LLC (US subsidiary - Parts intra-USA), KRISTAL MRO (independent maintenance shop network), KRISTAL AIRCRAFT (Tecnam distribution), and KRISTAL.air (mobile application for private pilots).

TABLE OF CONTENTS

  1. Data Controller
  2. Scope of the Policy
  3. Categories of Data Processed
  4. Origin of Data
  5. Purposes and Legal Bases
  6. Recipients and Processors
  7. Transfers outside the European Union
  8. Retention Periods
  9. Data Security
  10. Rights of Data Subjects
  11. Exercise of Rights - Contact
  12. Specific Provisions for KRISTAL.air
  13. Commercial Prospecting
  14. Cookies
  15. Minors
  16. Complaint to the CNIL
  17. Modification of the Policy

ARTICLE 1 - DATA CONTROLLER

1.1 The principal data controller is:

KRISTAL AERONAUTIQUE société à responsabilité limitée with share capital of €10,000 RCS Montpellier 412 462 285 Registered office: 61 rue Frédéric Mistral, 34400 Lunel - France Phone: +33 4 67 71 52 63 Email: contact@kristal.aero

1.2 For processing relating to the Parts intra-USA business, the operational data controller is the U.S. subsidiary:

KRISTAL AERO LLC - single-member LLC registered in Florida (EIN 36-5066092), 7901 4th N, Ste 300, St. Petersburg, FL 33702. KRISTAL AERONAUTIQUE and KRISTAL AERO LLC act as joint data controllers within the meaning of Article 26 GDPR for intra-group transfers and shared processing.

1.3 Any request relating to personal data protection may be addressed to:

  • By post: KRISTAL AERONAUTIQUE - Data Protection - 61 rue Frédéric Mistral, 34400 Lunel, France
  • By email: rgpd@kristal.aero

ARTICLE 2 - SCOPE OF THE POLICY

2.1 The Policy applies to personal data collected and processed in the context of:

  • The commercial relationship (professional customers and consumers, prospects, partners);
  • Browsing on the websites of the sub-domains group.kristal.aero, parts.kristal.aero, aircraft.kristal.aero, mro.kristal.aero, kristalair.kristal.aero;
  • Use of the KRISTAL.air mobile application;
  • Participation in competitions and events organized by or with KRISTAL (KRISTAL CUP);
  • Contractual relationships with upstream suppliers, Part-145 facilities, partner distributors, and brand sponsors.

2.2 The Policy is addressed to natural persons. Where the customer is a legal entity, the Policy applies to the personal data of its representatives, contacts, and employees.

2.3 Some pages, forms, or functionalities may include additional information specific to the processing concerned, in particular for KRISTAL.air (see Article 12).

ARTICLE 3 - CATEGORIES OF DATA PROCESSED

3.1 Depending on the services used, KRISTAL processes all or part of the following categories:

  • Identification and contact data: title, last name, first name, postal address, email address, telephone number, function, company.
  • Professional data: corporate name, SIREN/SIRET/EIN number, VAT number, aviation approvals held (Part-145, Part-CAO, Part-21G, FAA Repair Station, etc.).
  • Commercial data: quotation requests, orders, invoices, delivery methods, purchase history, returns, claims.
  • Payment data: means of payment, transaction number, necessary banking data (without storing card data beyond PCI-DSS obligations, delegated to the payment service provider).
  • Technical browsing data: IP address, session identifiers, technical identifiers, devices and browsers used, connection logs, cookie choices.
  • Customer relationship data: reviews, comments, email/phone exchanges, after-sales and warranty follow-up, litigation.
  • Prospecting data: communication preferences, opt-out exercised.

3.2 In connection with KRISTAL.air, the following may also be processed:

  • Pilot profile data: pilot identifier, type and number of license, qualifications, declared by the user;
  • Flight data: aircraft type, registration, GPS tracks, geolocation data, departure and arrival points, flight duration and performance;
  • Community data: posts, comments, photos, videos, messages, shares, competition rankings;
  • Application usage data: interactions, frequency of use, settings, badges and rewards.

3.3 KRISTAL does not collect any so-called "sensitive" personal data within the meaning of Article 9 GDPR (health, opinions, biometrics, genetic data, etc.). KRISTAL.air does not collect medical fitness status nor any health data of the pilot.

ARTICLE 4 - ORIGIN OF DATA

4.1 Data is collected:

  • Directly from the data subject when creating a customer account, requesting a quotation, placing an order, subscribing to the newsletter, participating in a competition, contacting by email or phone, posting on the KRISTAL.air community;
  • Indirectly, from partners: commercial lead providers, public professional registers, aviation partners, competent authorities (DGAC, FAA, EASA for approvals);
  • Automatically, via technical tools: cookies, connection logs, sensors integrated into the mobile application (with consent).

ARTICLE 5 - PURPOSES AND LEGAL BASES

5.1 KRISTAL processes personal data for the following purposes and on the following legal bases:

Purpose Legal basis (GDPR)
Management of customer accounts, quotations, orders, deliveries, invoicing Performance of contract (Art. 6.1.b)
After-sales, claims, and warranty management Performance of contract / legal obligation (Art. 6.1.b and c)
Accounting, taxation, archiving, fraud prevention Legal obligation (Art. 6.1.c)
Export compliance, sanctions, embargoes, AML Legal obligation (Art. 6.1.c)
Commercial prospecting (existing customers - analogous products/services) Legitimate interest (Art. 6.1.f)
Commercial prospecting to consumer prospects Consent (Art. 6.1.a)
B2B prospecting (LCEN) Legitimate interest, opt-out (Art. 6.1.f)
Personalization of browsing, statistics Consent (non-essential cookies) or legitimate interest
Animation of the KRISTAL.air community, organization of competitions Performance of contract / consent
Sharing of user content on the application Consent (Art. 6.1.a) + license grant (T&Cs)
Geolocation and processing of KRISTAL.air flight data Consent (Art. 6.1.a)
IT security, prevention of incidents and abuses Legitimate interest (Art. 6.1.f)
Establishment, exercise, and defense of legal rights Legitimate interest (Art. 6.1.f)

5.2 For processing based on legitimate interest, KRISTAL ensures that its interests do not infringe the rights and freedoms of data subjects, and keeps the balancing assessment available.

5.3 For processing based on consent, the data subject may withdraw consent at any time, without affecting the lawfulness of prior processing.

ARTICLE 6 - RECIPIENTS AND PROCESSORS

6.1 Data is communicated only to authorized recipients, within the strict limits necessary for the purpose pursued.

6.2 Recipients of the data, within their respective authorization limits, include in particular:

  • Authorized internal departments of KRISTAL AERONAUTIQUE and KRISTAL AERO LLC (sales, operations, accounting, quality, legal, management);
  • Processors within the meaning of Article 28 GDPR, acting solely on KRISTAL's instructions and under a contract containing the required clauses;
  • Authorities, courts, and authorized bodies when KRISTAL is legally required;
  • Advisors and auditors subject to professional or contractual secrecy;
  • Acquirers or partners in the event of a transfer, merger, or restructuring, subject to the continuity of the commitments of this Policy.

6.3 KRISTAL uses a limited number of carefully selected processors. By way of illustration and non-exhaustive list, the principal processors are:

Category Identified processor Location
Hosting / ERP / CRM / websites Odoo SA Belgium (EU)
Domain name and DNS Gandi SAS France (EU)
Internal collaboration tools Slack (Salesforce Inc.) United States (transfer outside EU)
Internal project management tools Jira / Atlassian United States / Australia (transfer outside EU)
Insurance company Allianz Global Corporate & Specialty SE Germany / France (EU)
Insurance broker JADIS S.A. France (EU)
Chartered accountant and tax declarations Mandated chartered accountancy firm France (EU)
Bank(s) and payment service providers Partner banking institutions (notably Société Générale) and SEPA / card service providers (Visa, Mastercard networks) France / EU
Carriers TNT/FedEx, DHL, UPS, Chronopost, France Express, Geodis and any carrier engaged on a one-off basis Worldwide
Mobile application hosts Apple Inc. (App Store) and Google LLC (Google Play) United States (transfer outside EU)
Partner Part-145 facilities Network of authorized third-party facilities - for repair operations subcontracted France / EU / worldwide as applicable
OEMs and upstream suppliers For order fulfillment, in particular drop-ship mode (Michelin, McFarlane, and other suppliers) Worldwide
External advisors Lawyers, chartered accountants, statutory auditors, auditors France / EU

6.4 The up-to-date list of processors is made available to data subjects upon written request to rgpd@kristal.aero and may be supplemented by any one-off processor engaged for a specific need.

6.5 KRISTAL does not sell, rent, or transfer personal data to third parties for commercial purposes without the prior and express consent of the data subject.

ARTICLE 7 - TRANSFERS OUTSIDE THE EUROPEAN UNION

7.1 Given the activities of the group (worldwide sale of parts, US subsidiary, international partners), some data may be subject to transfers outside the European Union and the European Economic Area, in particular to:

  • The United States, in connection with the operations of KRISTAL AERO LLC, US partner manufacturers and distributors, international carriers;
  • The United Kingdom (post-Brexit), covered by an adequacy decision of the European Commission;
  • Mauritius, in the framework of the management by the insurance company Allianz GCS of certain claims delegated to AWP Indian Ocean;
  • Any other jurisdiction where a final customer, commercial partner, or processor necessary for order fulfillment is located.

7.2 Any transfer outside the EU is governed by one of the following mechanisms within the meaning of Articles 44 to 49 GDPR:

  • Adequacy decision of the European Commission (United Kingdom, United States under Data Privacy Framework if applicable, Mauritius, etc.);
  • Standard Contractual Clauses (SCC) approved by the European Commission;
  • Binding Corporate Rules (BCR);
  • Specific derogations provided in Article 49 GDPR where strictly necessary (in particular performance of a contract at the data subject's request).

7.3 The detail of the mechanisms applied for a given transfer may be obtained upon written request to rgpd@kristal.aero.

ARTICLE 8 - RETENTION PERIODS

8.1 KRISTAL retains data only for the period strictly necessary for the pursued purpose or to comply with a legal obligation. Indicative durations are as follows:

Category of data Retention period
Active customer account data Duration of the contractual relationship + 3 years
Prospect data 3 years from the last active contact
Accounting documents and invoices 10 years from the close of the financial year (Art. L123-22 French Commercial Code)
Payment data (other than banking traceability) Duration of the transaction then intermediate archiving
Aviation traceability data (Form 1, 8130-3, COC, RMA, warranty) Duration required by the applicable aviation regulation and OEM warranty, by default 10 years
Litigation data Until exhaustion of remedies
Export compliance and sanctions data 10 years (compliance archiving period)
KRISTAL.air - pilot profile data Duration of the account + 1 year
KRISTAL.air - flight and performance data Duration of the account + 1 year, save anonymized aggregation for statistical purposes
KRISTAL.air - user content (UGC) Duration of publication, deletion upon account closure save moderation request
Connection and technical log data 12 months (Art. L34-1 French Posts and Electronic Communications Code)
Cookies and trackers 13 months maximum from their deployment (CNIL recommendation)
Prospecting data - opt-out 3 years after objection

8.2 At the end of these periods, data is deleted or anonymized, save for mandatory legal obligation requiring longer retention or necessity of defense of rights.

ARTICLE 9 - DATA SECURITY

9.1 KRISTAL implements appropriate technical and organizational measures within the meaning of Article 32 GDPR to ensure the confidentiality, integrity, availability, and resilience of systems processing personal data. These measures include in particular:

  • Encryption in transit (HTTPS/TLS) and at rest for sensitive data;
  • Access management policy based on need-to-know and least privilege;
  • Strong authentication on critical tools;
  • Regular backup and periodic testing of recovery plans;
  • Awareness and training of employees;
  • Periodic review of processors and transfers;
  • Pseudonymization and anonymization where technically possible.

9.2 In the event of a data breach likely to result in a risk to the rights and freedoms of data subjects, KRISTAL shall notify the CNIL within 72 hours and, if the risk is high, the data subjects as soon as possible, in the conditions of Articles 33 and 34 GDPR.

ARTICLE 10 - RIGHTS OF DATA SUBJECTS

10.1 In accordance with Articles 15 to 22 GDPR, the data subject has the following rights:

  • Right of access (Art. 15): obtain confirmation that data is processed and obtain a copy;
  • Right of rectification (Art. 16): obtain correction of inaccurate or incomplete data;
  • Right of erasure (Art. 17 - "right to be forgotten"): obtain deletion of data in the cases provided by the GDPR;
  • Right to restriction of processing (Art. 18): obtain suspension of processing in the cases provided;
  • Right to data portability (Art. 20): retrieve data in a structured, machine-readable format for processing based on consent or contract;
  • Right to object (Art. 21): object to processing on legitimate grounds or object without grounds to commercial prospecting;
  • Right to withdraw consent at any time, where processing is based on consent;
  • Right to provide directives concerning the fate of data after death (Art. 85 French Data Protection Act).

10.2 These rights are exercised within the limits provided by law. In particular, the right to erasure cannot be exercised where retention is required by a legal obligation or is necessary for the establishment, exercise, or defense of legal rights.

ARTICLE 11 - EXERCISE OF RIGHTS - CONTACT

11.1 To exercise its rights, the data subject may submit its request:

  • By email to: rgpd@kristal.aero
  • By post to: KRISTAL AERONAUTIQUE - Data Protection - 61 rue Frédéric Mistral, 34400 Lunel - France

11.2 To enable processing of the request, KRISTAL may request a proof of identity as well as any useful information for identifying the data subject and formulating the request.

11.3 KRISTAL responds to requests within a period of one (1) month from receipt, extendable by two months in case of complexity or large volume of requests, in accordance with Article 12 GDPR.

11.4 Where the request is manifestly unfounded or excessive, KRISTAL may charge a reasonable fee or refuse to act, while justifying its decision.

ARTICLE 12 - SPECIFIC PROVISIONS FOR KRISTAL.AIR

12.1 The KRISTAL.air application is a free application for private pilots, providing access to community functions, organization of aviation competitions (KRISTAL CUP), flight sharing, and content authored by users.

12.2 Creation of an account on KRISTAL.air is conditional on acceptance of the General Terms and Conditions of Use and of this Policy.

12.3 Geolocation and flight data: the use of geolocation, flight recording, and track sharing functions requires the user's explicit consent, requested upon first use and revocable at any time from the application settings.

12.4 Medical data: no collection. KRISTAL.air does not collect or store any data relating to the pilot's medical fitness status, nor any health data. Proof of fitness to fly is solely the responsibility of the pilot vis-à-vis the relevant aviation authorities.

12.5 User content (UGC): the user remains owner of the content it publishes. By publishing, the user grants KRISTAL a non-exclusive license to host, distribute, and adapt (technically) on the application and its extensions, in the conditions of the KRISTAL.air T&Cs. KRISTAL acts as host within the meaning of Article 6-I-2 of the French Digital Economy Trust Act (LCEN) and has no general obligation to monitor content.

12.6 Competitions and challenges (KRISTAL CUP, TDP - Tour de Piste, ANR - Air Navigation Race, and other formats): participation in a Competition entails processing of data necessary for registration, ranking, and communication of results. The pilot remains solely responsible for the conduct of the flight, KRISTAL being neither a flight operator nor an organizer within the meaning of the French Aviation Code.

12.7 Sponsoring: advertising content related to brand sponsors is broadcast without transfer of personal data to advertisers, except for aggregated and anonymized audience data.

12.8 Data Protection Impact Assessment (DPIA): in light of the large-scale collection of geolocation data, KRISTAL conducts, where required, a data protection impact assessment in accordance with Article 35 GDPR.

ARTICLE 13 - COMMERCIAL PROSPECTING

13.1 Prospecting to existing customers: KRISTAL may send its customers commercial communications relating to products or services analogous to those already ordered, on the basis of its legitimate interest. The customer may object at any time, free of charge, without justification, via the unsubscribe links present in each communication or by writing to rgpd@kristal.aero.

13.2 B2B prospecting: commercial communications addressed to professional contacts relate to goods and services connected with their professional activity, in line with CNIL guidance and the LCEN regime. A right to object applies in the same conditions.

13.3 B2C prospecting: commercial communications by electronic means addressed to consumers are subject to the prior consent of the data subject, in the conditions of Article L34-5 of the French Postal and Electronic Communications Code. Consent is revocable at any time.

ARTICLE 14 - COOKIES AND TRACKERS

14.1 KRISTAL websites use cookies and trackers to ensure service operation, measure audience, and improve user experience.

14.2 Non-essential cookies are deployed only after consent has been obtained, in accordance with CNIL recommendations. The user may at any time configure consent via the dedicated banner.

14.3 The detailed cookies policy is accessible on the website www.kristal.aero, in the "Cookies" section.

ARTICLE 15 - MINORS

15.1 The services KRISTAL Parts, MRO, and AIRCRAFT are addressed to a professional clientele or to adults.

15.2 KRISTAL.air may be used by pilots in training under 18 years of age in certain cases (BIA, PPL students, ULM). In the event of use by a minor, the prior authorization of a holder of parental authority is required. KRISTAL implements the protections provided by GDPR for minors and limits processed data to what is strictly necessary.

15.3 If KRISTAL learns that an account has been created in violation of these provisions, it suspends the account and deletes the associated data without delay.

ARTICLE 16 - COMPLAINT TO THE CNIL

16.1 The data subject may, in case of persistent disagreement with KRISTAL on the management of its personal data, lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL):

  • 3 place de Fontenoy - TSA 80715 - 75334 Paris Cedex 07
  • Phone: +33 1 53 73 22 22
  • Website: www.cnil.fr

16.2 The data subject may also bring a matter before the data protection authority of its place of residence or work within the European Union.

ARTICLE 17 - MODIFICATION OF THE POLICY

17.1 KRISTAL may amend this Policy to comply with any legal, regulatory, jurisprudential, technical, or organizational evolution.

17.2 The version in force is the one published on the website www.kristal.aero. Substantial changes are notified to data subjects by any appropriate means.

17.3 Personal data already collected continues to be processed in accordance with the Policy in force at the time of collection, save for mandatory legal provision to the contrary.

CONTACT

Any question, comment, or request relating to this Policy may be addressed to:

KRISTAL AERONAUTIQUE - Data Protection 61 rue Frédéric Mistral, 34400 Lunel, France rgpd@kristal.aero

KRISTAL AERONAUTIQUE - société à responsabilité limitée with share capital of €10,000 - RCS Montpellier 412 462 285 - VAT FR62 412 462 285

This is an English translation. The French version of this document remains the binding version.

Document last updated on 05/11/2026 05:12:24 AM. For any question: rgpd@kristal.aero