Privacy Policy

This Privacy Policy explains how RARE POWER collects, uses, discloses, and protects personal information in connection with our website, user accounts, quote tools, deal management, KYC/KYB processes, and related services. It applies to visitors, newsletter subscribers, account holders, and other individuals who interact with rare-engines.com or our services.

This policy works together with our Terms and Conditions, Know Your Client (KYC) Policy, End User Agreement, and APCO Warranty. Please review all of our legal documents for a complete understanding of your rights and obligations.

1. Introduction / Who We Are

RARE AVIATION INC. (doing business as RARE POWER or "RARE POWER Aircraft Engines") ("we," "us," or "our") operates the website rare-engines.com. We are a U.S. company registered at 7901 4th Street N, Suite 300, St. Petersburg, FL 33702, USA.

RARE POWER specializes in aircraft engine leasing, overhaul/exchange, and pre-payment programs for piston, turboprop, and helicopter engines. We primarily serve commercial operators, with a focus on helicopter and turboprop fleets. Our leadership has extensive international experience, particularly in Africa and the Middle East.

We do not sell personal information. We do not engage in targeted advertising, cross-context behavioral advertising, or "sharing" of personal information for such purposes. We do not use personal information to train AI models.

2. Information We Collect

We collect information from the following sources. We collect only what is necessary for the purposes described in this Policy.

Public Forms (No Account Required)

• Newsletter signup (via Brevo, double opt-in/DOI): Email address, first name, last name, and company name.
• Contact form: Name, email address, and free-text message content. These are transmitted via Brevo transactional email services.

Authenticated User Accounts (Auth0 OAuth2 + Django)

• First name, last name, email address.
• User type (Individual, Company, or Government).
• Company name (where applicable).
• Newsletter subscription flag (opt-in/opt-out status).

Addresses

Full physical addresses (street address, city, state/province, country, postal/zip code) for registered, delivery, and billing purposes.

KYC (Know Your Client) – Processed via Didit

• Verification status and session identifiers.
• Identity verification data, including government-issued ID or passport images, liveness detection/selfie data, and proof of address.
• Status flows through stages: Not Started → In Progress → In Review → Approved, Declined, or other outcomes.

KYB (Know Your Business) – For Company Users (NameScan + Manual Review)

• Company verification status.
• Uploaded documents: incorporation certificate, proof of good standing (e.g., tax returns, bank statements, annual returns, or similar).
• Sanctions and Politically Exposed Persons (PEP) screening results via NameScan.

Our separate KYC Policy provides additional detail on how we handle compliance screening data.

Transactional and Operational Information

• Cost calculator and quote requests: Aircraft type, engine variant, utilisation (hours per month), fleet size, reserves, operational use (Commercial or Agricultural), and hours used.
• Full deal and transaction history, including Overhaul/Exchange records, Lease records, invoices, purchase orders, logbook entries (including usage hours), and uploaded documents such as spec sheets and maintenance records.
• Electronic signatures and related documents processed via SignWell for lease agreements, sale agreements, and similar contracts.

File Storage

Sensitive documents and images (PDFs, scans, records) stored in AWS S3 (in directories such as media/ and static/, including invoices, logbooks, incorporation certificates, spec sheets, and other operational files).

Automatically Collected Information

• Server logs and technical data: IP address, browser type and version, operating system, device information, referring URLs, timestamps, and pages viewed. This supports site security, functionality, error diagnosis, and basic operational analytics.
• Functional cookies and session data: Django session and authentication cookies (secure, HTTP-only where appropriate) necessary for login, account access, and site functionality.
• CDN and static asset data from standard providers (Bootstrap via jsdelivr.net, HTMX via unpkg.com, Google Fonts).

We do not use Google Analytics, remarketing pixels, targeted advertising technologies, behavioral tracking, or cross-site tracking cookies.

3. How We Use Your Information

We use personal information for the following purposes, tied to specific legitimate needs:

• To provide and fulfill our services (contract performance): Process accounts, quotes, deals (leases, exchanges, overhauls, pre-payments), invoices, purchase orders, logbook tracking, and e-signed agreements.
• Customer communications and support: Respond to contact form inquiries and service requests; send transactional emails (quotes, confirmations, deal updates) via Brevo.
• Newsletter and marketing communications: Deliver newsletters and updates only with your double opt-in consent (via Brevo). You may unsubscribe at any time.
• Identity verification and compliance screening (legal obligations and legitimate interests): Conduct KYC (via Didit) and KYB (via NameScan plus manual review) for sanctions/PEP screening, anti-money laundering, export controls, and to meet regulatory requirements in the aviation and financial sectors. This is mandatory for entering into or maintaining business relationships.
• Transaction processing and record-keeping: Manage quotes (including the cost calculator), contracts, payments, deliveries, and historical deal records.
• Site operation, security, and improvement: Authenticate users (Auth0), maintain session security, prevent fraud/abuse, diagnose technical issues, and ensure the secure operation of rare-engines.com.
• Legal and regulatory compliance: Respond to legal process, enforce our agreements, defend claims, and meet record-keeping obligations.

We do not use your information for unrelated marketing, profiling for advertising, or AI training.

4. Legal Bases for Processing

As a U.S. company headquartered in Florida, our primary processing is governed by U.S. federal and state law, including contract law, legitimate business interests, and legal obligations (e.g., sanctions compliance, financial record-keeping, and aviation-related regulations).

Where applicable, we rely on the following bases:

• Contract: Processing necessary to enter into or perform contracts for accounts, quotes, leases, exchanges, and related services.
• Legal obligation: KYC/KYB compliance screening, sanctions/PEP checks, and retention of records required by U.S. law.
• Legitimate interests: Site security, fraud prevention, customer support, internal record-keeping, and improving our B2B services (balanced against your rights and expectations).
• Consent: Newsletter subscriptions (double opt-in via Brevo). You may withdraw consent at any time without affecting prior lawful processing.

Because our website is accessible worldwide (including to individuals in the European Economic Area, United Kingdom, and Switzerland), we also consider the requirements of the EU General Data Protection Regulation (GDPR) and equivalent laws where they apply. In such cases, the bases above align with GDPR Articles 6 and 9. We provide transparency and honor applicable rights as described in Section 7.

5. Third-Party Service Providers & Disclosures

We use the following service providers to process personal information on our behalf. These processors are contractually obligated to protect your information and use it only for the services we request:

• Brevo: Email delivery, transactional notifications, CRM, and newsletter list management (double opt-in).
• Auth0: Authentication and identity management (OAuth2).
• Didit: KYC identity verification, liveness detection, and related session processing.
• NameScan: KYB company verification, sanctions screening, and PEP checks.
• AWS (Amazon Web Services): Cloud storage (S3) and content delivery (CloudFront) for files, documents, and static assets.
• SignWell: Electronic signature platform for lease agreements, sale agreements, and similar documents.

We may also disclose personal information in the following limited circumstances:

• To comply with applicable laws, regulations, court orders, or government requests (including sanctions enforcement).
• To protect our rights, property, or safety, or that of our users or the public.
• In connection with a business transaction (e.g., merger or asset sale), subject to appropriate confidentiality protections.
• With your consent or at your direction.

We do not sell personal information and do not share it for cross-context behavioral advertising.

6. Data Retention

We retain personal information only for as long as necessary for the purposes described in this Policy, or as required or permitted by law:

• KYC/KYB and compliance screening records (including verification data, documents, and screening results): Retained for the duration of the business relationship plus a minimum of five (5) years after termination, or longer as required by applicable U.S. laws (including sanctions compliance, anti-money laundering record-keeping, financial regulations, or to defend against legal claims).
• Transactional, deal, and operational records (quotes, leases, exchanges, invoices, purchase orders, logbooks, e-signed agreements, uploaded files): Retained for the duration of the relationship plus a period aligned with contract, tax, and regulatory requirements (typically seven years or longer where required).
• Account and profile data: Retained while the account is active and for a reasonable period afterward to support ongoing or historical services, or as needed for legal obligations.
• Newsletter and marketing data: Retained until you unsubscribe or request deletion (subject to legal record-keeping needs).
• Automatically collected technical logs: Retained for a limited period necessary for security, debugging, and operational purposes (typically short-term, subject to legal holds).

We securely delete or anonymize information when it is no longer needed, except where retention is required by law or for legitimate legal defense purposes.

7. Your Rights

Depending on your location and the nature of the data, you may have certain rights regarding your personal information.

California Residents (CCPA/CPRA)

You have the right to know what personal information we collect, use, and disclose; to request access to or deletion of your personal information; to opt out of any "sale" or "sharing" (we do not engage in these activities); and to non-discrimination for exercising your rights. Certain exceptions and limitations apply, particularly for data processed for legal compliance obligations (e.g., KYC/sanctions records that we are required to maintain).

General Rights (All Users)

Subject to applicable law and verification of your identity, you may request:

• Access to the personal information we hold about you.
• Correction of inaccurate information.
• Deletion of your information (subject to important limitations — we cannot delete information we are legally required to retain, such as KYC compliance records, or information necessary to perform active contracts or defend legal claims).
• Restriction of processing or objection in certain circumstances.
• Data portability (where technically feasible and applicable).

Newsletter Unsubscribe: Use the unsubscribe link in any newsletter email or contact us.

Limitations: Requests may be denied or limited where the information is necessary for compliance screening, sanctions obligations, contractual performance, or legal requirements. B2B commercial aviation services and associated compliance data are subject to these constraints.

To exercise your rights, please contact us using the details in Section 12. We will respond within the timeframes required by applicable law (e.g., 45 days under CCPA, with possible extension). We may require identity verification before fulfilling requests.

8. Security

We implement reasonable administrative, technical, and physical safeguards appropriate to the sensitivity of the information we process, particularly KYC/KYB data and transaction records. These include:

• Encryption in transit (HTTPS/TLS) across the site and for data transmissions to processors.
• Secure session management and authentication via Auth0 and Django.
• Access controls and least-privilege principles for internal systems and AWS S3 storage.
• Use of established, reputable processors with their own security certifications and contractual commitments.

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you and relevant authorities as required by applicable law.

9. International Data Transfers

We are based in the United States. Personal information may be transferred to, stored in, or processed by our service providers in the United States and other countries, including France (Brevo), and locations where AWS, Auth0, Didit, NameScan, and SignWell operate.

When we transfer personal information from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission (or equivalent mechanisms), supplemented by additional measures where necessary. By using our services or providing information to us, you consent to such transfers to the extent permitted by law.

10. Children's Privacy

Our services and website are directed exclusively to businesses and commercial operators in the aviation industry. We do not knowingly collect personal information from children under 13 (or the applicable age of consent in your jurisdiction). If you believe we have inadvertently collected such information, please contact us immediately so we can take appropriate action.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. We will post the updated Policy on this page with a new "Last Updated" date. For material changes, we may provide additional notice via email (to registered users) or a prominent notice on the website. Your continued use of the site after any update constitutes acceptance of the revised Policy.