Data Sharing Agreement
Last updated: July 5, 2026
This document is not yet in effect. It takes effect on 17 August 2026 and will replace our current Data Processing Addendum. Until then, the current Data Processing Addendum applies.
This Data Sharing Agreement forms part of our Terms of Service and, for Owners, sits alongside the Virtual Airline Owner Terms. Words defined in the Terms of Service — such as User, Pilot, Owner, VA Staff, Virtual Airline (VA), Services and Team vAMSYS — have the same meaning here.
§1 What this Agreement is, and who it is between
This Data Sharing Agreement (the "Agreement") sets out how personal data is shared between vAMSYS and a Virtual Airline (VA), run by its Owner, in the limited situations where a VA holds personal data of its own. It is the document the Terms of Service §11 points to for "the data a VA receives from, or shares with, us".
This is a controller-to-controller agreement. vAMSYS and a VA are separate, independent controllers — never joint controllers. vAMSYS does not act as a VA's processor, and this Agreement is not a data-processing agreement: it does not contain processor obligations (such as processing only on a controller's documented instructions, sub-processor authorisation by the VA, or audit-of-the-processor rights). Where a VA provides personal data to us — for example, the name and email it supplies to invite someone (§4.2) — we do not process it on the VA's behalf as its processor; we use it for our own purposes, on our own lawful basis, as a controller in our own right, and the accounts we create from it are vAMSYS-controlled. Each party is responsible for its own compliance with data-protection law.
This Agreement forms part of our Terms of Service. By operating a Virtual Airline, an Owner agrees to it. Where it conflicts with another document in your agreement, the order of priority in the Terms of Service applies — this Agreement prevails on the VA data-sharing matters within its scope (see Terms of Service "Agreement to these Terms", "Order of priority").
This Agreement governs only the three data-sharing flows described in §4. It does not change who controls the personal data on the platform: vAMSYS remains the controller of that, as set out in §3 and in the Privacy Policy.
§2 Definitions
Words defined in the Terms of Service have the same meaning in this Agreement. In particular, User, Pilot, Owner, VA Staff, Virtual Airline (VA), Services, Team vAMSYS and the data protection supervisory authority are defined in the Terms of Service §1.
The following terms have the meaning given to them in UK data-protection law — the UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025 — and are used here with that meaning:
controller — the body that decides why and how personal data is processed;
processor — a body that processes personal data on a controller's behalf and on its instructions;
personal data — information relating to an identified or identifiable living person;
data subject — the person the personal data is about (here, usually a User or Pilot);
personal-data breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data;
data protection supervisory authority — an independent public authority that monitors the application of data-protection law; in the United Kingdom this is the Information Commissioner's Office (ICO).
References in this Agreement to "data-protection law" mean the UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025, and any other data-protection or privacy law that applies to a party.
§3 Our respective roles
vAMSYS is the controller of the personal data on the platform. This covers both the data that identifies a User — name, email, linked accounts, account settings, the billing data we hold for Owners, and the access and security logs we generate — and the operational data a Pilot's activity creates within a VA: bookings, flight reports, position reports, points, rank and similar. We decide why and how this data is processed, and we are the only party able to correct, export or delete it. This is set out in full in the Terms of Service §11.1 and the Privacy Policy §3.
A VA does not control that data. When a VA awards points, sets its scoring rules, leaves a comment on a flight, or removes an activity registration, it is using the Services to run its community — not deciding how personal data is processed. A VA can view a Pilot's data to operate its roster, but it cannot edit, export or own it.
A VA is an independent controller only where it holds personal data itself. That happens through the three flows in §4: the Pilot API, Pilot Invite, and the marketing-export facility. From the point at which a VA holds personal data through one of those flows, the VA is an independent controller of that data and is solely responsible for it.
We are separate controllers, not joint, and vAMSYS is not a VA's processor. vAMSYS and a VA are each independent controllers of the data they genuinely control. Neither party acts as the other's processor: each processes the data it controls for its own purposes and on its own lawful basis, and neither relies on the other's lawful basis. Even where one party hands data to the other — as a VA does with a Pilot Invite list (§4.2) — the recipient uses it as its own controller, not on the provider's behalf. If any specific activity were ever genuinely joint, we would say so and set out the arrangement; none of the flows in this Agreement is joint.
§4 The data shared, and the three flows
This Agreement governs three flows of personal data between vAMSYS and a VA. For each, this section explains what data is shared, on what basis, and the point at which the VA becomes the controller.
4.1 The Pilot API ("Login with vAMSYS")
Where a VA wants to build a companion service that needs a Pilot's identity or contact details, the supported route is the Pilot API: a pilot-authenticated OAuth 2.0 Authorization Code flow with PKCE (Proof Key for Code Exchange), branded "Login with vAMSYS". The Pilot signs in, sees the scopes requested and the VA's own privacy policy, and consents. Basic identity is always required as the minimum scope, and the Pilot sees what they are sharing. The operating terms — the flow, token lifetimes and revocation — are in the Virtual Airline Owner Terms §6.2.
What data: the categories of personal data within the scopes the Pilot consents to (which may include the Pilot's identity and contact details).
On what basis: the Pilot consents at the consent screen; vAMSYS discloses the data to the VA's own application following that consent.
When the VA becomes the controller: once the Pilot consents and the VA receives the data into its own application, the VA is an independent controller of that data and is solely responsible for it (see Terms of Service §11.5–§11.6). What the VA's application then does with the data is outside the Services.
The Operations API (Virtual Airline Owner Terms §6.1) is not within this flow: it returns VA-level operational and pilot-administration data and a Pilot's chosen public display name, it never returns emails or other contact details, and the personal data it exposes remains vAMSYS-controlled under the Terms of Service §11.1–§11.2. It does not make the VA a controller.
4.2 Pilot Invite
A VA can invite people to join it by giving us their name and email address.
What data: the names and email addresses the VA provides.
On what basis: the VA is the controller and source of that data and warrants that it has the right to provide it to us (see §6.1). vAMSYS uses the data to create the User (and Pilot) account and to send the invitation.
When the VA is the controller: the VA is the controller of the invitation data it holds and provides. Once we have used it to create the account and send the invitation, vAMSYS controls that account as set out in §3 and the Privacy Policy §3. Our processing of that data (creating the account, sending the invitation) is on our own legitimate-interests basis as controller of the invitation feature, not as the VA's processor (see Privacy Policy §5, "When a VA invites you").
4.3 Marketing-export
A Pilot can choose to receive marketing from a specific VA, but only through our consent-based marketing-export facility:
the consent screen names the specific VA the Pilot is consenting to hear from;
consent is recorded per VA — it is granular, not a blanket opt-in across all the VAs a Pilot flies for; and
consent is freely given and freely withdrawable at any time.
What data: the contact data needed to send the marketing the Pilot has consented to receive from that VA.
On what basis: the Pilot's consent, recorded per VA and withdrawable.
When the VA is the controller: the VA is the controller of the marketing it sends and carries the unsubscribe and marketing-law compliance duty (see §6.2 and Terms of Service §11.4). vAMSYS provides the consent and opt-out mechanics and keeps a record of consent and withdrawal (see Privacy Policy §6 and §9).
§5 Each party's obligations as a controller
Each party, as a controller of the personal data it controls, will:
process personal data lawfully, fairly and transparently, and only for the purposes for which it holds the data;
have its own lawful basis for its processing, and be able to demonstrate it;
provide its data subjects with a clear privacy notice covering its own processing (for a VA, see §6.2);
apply data minimisation — collect and keep only the personal data it needs for its purpose;
keep the personal data it controls accurate and, where necessary, up to date;
keep the personal data it controls secure, with appropriate technical and organisational measures (see §10);
honour data-subject rights for the data it controls (see §8); and
keep personal data for no longer than necessary for the purpose it holds it for, or for as long as the law requires.
Each party is responsible for its own compliance as a controller. Neither party acts as the other's processor, and neither relies on the other's lawful basis.
§6 The VA's warranties and responsibilities
The warranties and responsibilities below are in addition to, and do not cut down, a VA's existing obligations under the Terms of Service §11.2, §11.6 and §11.7, the Virtual Airline Owner Terms §2.8, and the Acceptable Use Policy. A VA:
6.1 Right to provide Pilot Invite data
warrants that it has the right to provide to us the names and email addresses it supplies through Pilot Invite (§4.2), and that providing them to us does not breach data-protection law or anyone else's rights.
6.2 A compliant privacy policy and lawful basis
must have its own privacy policy and its own lawful basis for the personal data it controls.
Where the VA uses the Pilot API, it must provide a link to its own privacy policy, which is shown to the Pilot on the consent screen; that URL must be present and must resolve before consent can proceed.
That privacy policy must, at a minimum, tell Pilots the matters required by the Terms of Service §11.6 — that is:
the controller's identity and contact details;
what data is collected or received (including via the Pilot API);
why, and the lawful basis;
who the data is shared with;
how long it is kept;
the Pilot's rights and how to exercise them;
how international transfers are handled; and
how to complain (including to a data protection supervisory authority).
vAMSYS does not review, verify or endorse the contents of a VA's privacy policy; the Owner warrants that it is compliant (including with the laws of the Pilots' own countries).
6.3 Compliance with marketing law
is responsible for complying with marketing law for any marketing it sends through the marketing-export facility (§4.3), including an unsubscribe option in every message and honouring withdrawals of consent (see Terms of Service §11.4).
6.4 No harvesting and no bulk extraction
must not extract, copy, scrape, harvest or compile Pilots' emails or identity data, by hand or by automated means, beyond what these flows permit, and must not use Pilot data for any purpose beyond operating the VA except through the marketing-export facility. There is no bulk export of a VA's roster or its Pilots' personal data. See the Acceptable Use Policy §7 and the Terms of Service §11.2.
6.5 Its pilots' home-country law
is responsible for complying with the law that applies to its own processing, including the data-protection law of its Pilots' home countries, for the personal data it controls.
6.6 Third-party tools it connects
is fully responsible for any third party it gives access to the data, including any third-party tool it connects to either API, as if for its own acts — including how that third party handles, stores and uses the data. That third party is engaged by the VA, not by vAMSYS, and the VA must ensure it is bound by appropriate terms and processes personal data lawfully (see Terms of Service §11.7).
§7 vAMSYS's commitments
vAMSYS, as the controller of the personal data on the platform:
processes that personal data lawfully, on the lawful bases set out in the Privacy Policy §5, and only for the purposes described there;
applies appropriate technical and organisational security measures to protect it (see §10 and the Privacy Policy §10);
uses sub-processors to provide the Services, maintains a list of them and notifies VAs of material changes with a reasonable opportunity to object — the list and the change-notification process are in the Privacy Policy (§7), and are not duplicated here; and
processes personal data in the UK and the EEA, as described in the Privacy Policy (§8). Where any personal data is processed outside the UK/EEA — for example, by our payment processor — we rely on UK adequacy or appropriate safeguards (the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses), as described in the Privacy Policy §8 and the Terms of Service §11.8.
Where a VA, as a controller, transfers personal data it has received through these flows to another party, or outside the UK/EEA, that transfer is the VA's own responsibility, on the VA's own lawful basis and with its own appropriate safeguards.
§8 Data-subject requests
Each party handles data-subject requests (such as access, rectification, erasure, restriction, portability and objection) for the personal data it controls.
vAMSYS is the controller of the personal data on the platform and will action a data subject's request for that data directly. Where a request concerns data a VA holds in its own systems, vAMSYS will direct the person to the VA and assist as far as it reasonably can (see Terms of Service §11.9 and Privacy Policy §12).
A VA is the controller of personal data it received through these flows (Pilot API, Pilot Invite data it holds, and the marketing it sends) and must handle data-subject requests for that data itself, on its own responsibility.
Each party will cooperate with the other to the extent reasonably necessary to allow the other to respond to a data-subject request relating to the shared flows — for example, by passing on a request that was sent to the wrong party, or by providing reasonable information needed to identify the data in question.
§9 Personal-data breaches
Each party is responsible for assessing and notifying a personal-data breach as required by data-protection law for the personal data it controls — including, where the law requires, notifying the relevant data protection supervisory authority and the affected data subjects.
Where a personal-data breach on vAMSYS's side affects data a VA has received from us through these flows (which the VA holds as its own controller), vAMSYS will notify that VA without undue delay — our target is within 72 hours of becoming aware — so the VA can meet its own obligations (see Terms of Service §11.3 and Privacy Policy §15).
Where a personal-data breach on a VA's side affects the integrity of the shared flows (for example, a compromise of the VA's API credentials, or of personal data it received through them), the VA must notify vAMSYS without undue delay so we can take any steps needed to protect the Services and other users.
Each party will provide the other with reasonable information about a relevant breach to help the other meet its own obligations.
§10 Security
Each party will put in place appropriate technical and organisational measures to protect the personal data it controls against unauthorised or unlawful processing and against accidental loss, destruction or damage, taking account of the state of the art, the costs of implementation, and the nature, scope and risk of the processing.
Each party is responsible for the security of its own systems. vAMSYS's measures for the platform are described in the Privacy Policy §10. A VA is responsible for the security of any data it receives into its own systems and for keeping its API credentials secure (see Terms of Service §11.7 and Virtual Airline Owner Terms §6.3).
§11 Restrictions and acceptable use
The data shared under this Agreement is subject to purpose limitation: a VA may use it only for the purpose on which it was shared (operating the VA, the consented Pilot-API purpose, or the consented marketing), and not for any other purpose.
A VA must not:
carry out any bulk export of a VA's roster or its Pilots' personal data; or
scrape, harvest, copy or compile Pilots' emails, names or identity data, by hand or by automated means, beyond what these flows permit.
These restrictions reflect the Acceptable Use Policy §7 and the Terms of Service §11.2. A breach of them is a breach of the Terms of Service, and vAMSYS may take enforcement action under the Terms of Service §8 — including restricting access and suspending or terminating the VA, and suspending or revoking API access — and, for a paying VA, under the Virtual Airline Owner Terms §3.13.
§12 Information and cooperation
Each party will, on the other's reasonable request, provide reasonable information the other genuinely needs to demonstrate its own compliance as a controller, or to investigate suspected misuse of the shared flows. vAMSYS will provide reasonable information to help a VA demonstrate its own compliance, and a VA will provide reasonable information where vAMSYS needs it to investigate suspected misuse.
This is an obligation to provide information, not audits. This Agreement does not grant a VA any right to carry out, or to appoint a third party to carry out, an on-site or other audit or inspection of vAMSYS — that would be disproportionate, and vAMSYS is not the VA's processor. The parties will resolve any reasonable, proportionate information requests cooperatively.
§13 Liability
Each party is responsible for its own compliance as a controller and for the personal data it controls.
Liability between the parties arising out of or in connection with this Agreement is governed by the limitation of liability in the Terms of Service §10 and by the Virtual Airline Owner Terms. This Agreement does not create any new or uncapped indemnity. A VA's existing warranties and responsibilities — including those in the Terms of Service §11.2, §11.6 and §11.7, and the Virtual Airline Owner Terms §2.8 — continue to apply.
Nothing in this Agreement excludes or limits either party's liability under data-protection law to a data subject or to a supervisory authority, or any liability that cannot lawfully be excluded or limited (see Terms of Service §10.2).
§14 Term and termination
This Agreement is co-terminous with the VA's use of the Services and, for a paying VA, with its subscription. It takes effect when the VA begins using the Services and continues for as long as the VA uses them.
On termination — however it comes about — the VA must stop using the personal data it received through these flows for any purpose connected to its ended relationship with vAMSYS, and must then delete that data. There are two exceptions: (a) for Pilot API data, the VA need not delete it where it has its own independent lawful basis to keep it — for example, a Pilot's live, continuing consent to the VA's own standalone service — in which case the VA holds it as an independent controller, under its own privacy policy and on its own responsibility; and (b) where data-protection law or another law requires the VA to keep data, in which case it must keep it only for as long as, and only for the purpose for which, the law requires. Pilot Invite data and marketing contact data must be deleted on termination (subject only to exception (b)).
The provisions that by their nature are intended to continue — including §5 (each party's obligations as a controller, in respect of data still held), §6 (the VA's warranties and responsibilities), §8 (data-subject requests), §9 (personal-data breaches), §11 (restrictions and acceptable use), §13 (liability) and this §14 — survive termination in respect of any personal data a party continues to hold.
§15 Changes to this Agreement
We may update this Agreement from time to time. Because it forms part of the Terms of Service, changes follow the same process: where a change materially and adversely affects you, we follow the change process in the Terms of Service §13.1, "Changes to these Terms" (at least 30 days' notice and a chance to leave before it takes effect); other changes take effect when we update the 'Last updated' date at the top of this Agreement.
§16 How to contact us, and your right to complain
For anything to do with this Agreement, the data shared under it, or your rights, contact us at:
vAMSYS LTD 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom Email: help@vamsys.co.uk (Company number 09982167.)
You also have the right to complain to a data protection supervisory authority about how your personal data has been handled. In the United Kingdom that authority is the Information Commissioner's Office (ICO), at ico.org.uk.