CoreOP Privacy Policy
Last Updated: May 3, 2026
This Privacy Policy ("Policy") explains how Aviluxe Aviation LLC, a Texas limited liability company doing business as CoreOP ("CoreOP," "we," "our," or "us"), collects, uses, discloses, and protects information in connection with our websites at coreop.io and any subdomains (the "Websites"); our vendor management software, mobile applications, and crew tools (collectively, the "Services"); and other interactions you have with us.
This Policy applies when CoreOP acts as the controller of your information — that is, when we determine the purposes and means of processing.
When CoreOP processes information about an end customer, aircraft owner, crew member, or other individual on behalf of a vendor that subscribes to the Services (each such vendor, a "Vendor"), the Vendor is the controller and CoreOP acts as the processor under the Vendor's instructions and our agreement with the Vendor. In those cases, the Vendor's privacy policy governs, and CoreOP's obligations are defined in our subscription agreement and Data Protection Addendum. If you are an end customer, aircraft owner, or crew member dealing with a CoreOP Vendor, please contact that Vendor directly with privacy questions about your data. The "Notice to End Users of CoreOP Vendors" section below has more.
PLEASE READ THIS POLICY CAREFULLY. IF YOU DO NOT AGREE, DO NOT USE THE SERVICES.
Our Commitments Regarding Your Data
CoreOP is an operating system for your business. Your business data belongs to you. Specifically:
- You own Your Data. You retain all rights, title, and interest in the customer records, aircraft records, quotes, invoices, photos, messages, and other information you create in or upload to the Service. CoreOP does not claim ownership of Your Data.
- We do not sell Your Data. We do not sell, rent, or license Your Data to any third party for money or other consideration, and we never will.
- We do not share Your Data with third parties for their own use. The only third parties that receive Your Data are (a) service providers that operate the Service on our behalf under strict contractual restrictions (for example, our hosting and payment providers), and (b) integrations that you or your Vendor administrator explicitly connect (for example, when you connect QuickBooks Online or Google Calendar). We do not share Your Data with third parties for their own marketing, advertising, or independent commercial use.
- We do not use Your Data to train AI models. Neither CoreOP nor our AI providers use Your Data to train general-purpose or third-party AI models. AI providers we use are contractually prohibited from doing so.
- You can export or delete Your Data. During your subscription you can export Your Data at any time using in-product tools. For 30 days after termination, export tools remain available. After that, we delete Your Data except where retention is required by law or held in routine backups that are eventually overwritten.
This section is a plain-English summary. The full details of how CoreOP handles information are in the sections that follow. If this summary conflicts with the detailed sections, the detailed sections control — but we intend the two to say the same thing.
The commitments above apply to "Your Data" — the business information Vendors and their authorized users put into the Service. They do not change how our public marketing website (coreop.io) uses cookies and analytics, which is described in Section 4 and our Cookie Policy.
Quick Index
- Information We Collect
- How We Use Information
- How We Share Information
- Cookies, Analytics, and Online Advertising
- AI and Automated Processing
- Security, Retention, and International Transfers
- Your Rights and Choices
- Notice to Texas Residents
- Notice to California Residents
- Notice to Residents of Other States with Privacy Laws
- Notice to End Users of CoreOP Vendors
- Children's Privacy
- Third-Party Sites and Integrations
- Google User Data Policy
- Changes to This Policy
- Contact Us
1. Information We Collect
We collect information directly from you, automatically through your use of the Services, and from other sources.
Information You Provide Directly
When you register for, configure, or use the Services we collect information you submit, including:
- Contact and identity information such as your name, business name, email address, postal address, and phone number.
- Account credentials such as usernames, passwords, and two-factor authentication tokens.
- Business and employment information such as your role, business type, service area, fleet size, and aircraft inventory.
- Payment information processed by our third-party payment processor (Stripe). CoreOP receives limited payment metadata such as transaction IDs, last four digits of card numbers, and authorization status; we do not store full card numbers or bank account details.
- Subscription information such as your plan, seat count, billing history, and add-on usage.
- Vendor configuration data such as service catalogs, pricing, branding assets, document templates, and integration credentials.
- Customer and aircraft records that you upload or import, including aircraft tail numbers, ownership records, service history, and notes.
- Communications such as support tickets, sales inquiries, chat messages, call recordings (where permitted and disclosed), survey responses, and feedback.
- Photographs and media uploaded to the Services, including before-and-after job photos and aircraft condition documentation.
Information We Collect Automatically
When you use the Services, we and our service providers collect information automatically, including:
- Device and usage information such as IP address, browser type and language, operating system, device identifiers, referring and exit pages, pages and features viewed, time spent, click events, and error logs.
- Approximate location derived from your IP address.
- Precise geolocation, where you or your Vendor has enabled location features (for example, crew GPS check-in at a job site). Precise location is only collected when the Service is in active use and the device permits it. You can disable location at the device level at any time.
- Cookies, pixels, local storage, and similar technologies, as described in our Cookie Policy.
Information from Other Sources
We may receive information about you from:
- Our affiliates and service providers (for example, Stripe sends payment status; Supabase provides authentication metadata).
- Identity and fraud prevention partners.
- Marketing and lead-generation partners and data enrichment providers.
- Public sources such as company websites, business registries, social media profiles, and aviation registries (for example, FAA tail number lookups).
- Third-party platforms when you interact with us through them — for example, when you "like" or comment on a CoreOP post on LinkedIn, click a CoreOP ad, or sign in using Google.
We use information from these sources to verify, supplement, and improve the data we collect directly, and for the purposes described below.
2. How We Use Information
We use information for the following purposes:
- To provide, operate, maintain, and secure the Services.
- To create and manage your account, authenticate access, and enable two-factor authentication.
- To process payments, manage subscriptions, calculate platform fees, and issue refunds.
- To enable Vendors to operate their businesses on the Services, including managing their customers, scheduling crews, generating quotes and invoices, processing payments, and tracking job execution.
- To enable crew members to receive job assignments and complete work in the field.
- To enable end customers to view quotes, approve work, view invoices, and pay.
- To respond to your inquiries and provide support.
- To send transactional communications about your account, billing, security, the Services, and changes to our policies.
- To send marketing communications about CoreOP products, features, pricing, and events, where permitted by law and subject to your communication preferences.
- To analyze and improve the Services, develop new features, and conduct research.
- To operate AI features as described in Section 5. We do not use Your Data (as defined in our Terms of Service) to train general-purpose AI models, and our AI providers are contractually prohibited from using Your Data to train their general-purpose models.
- To detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service or Acceptable Use Policy.
- To comply with legal obligations, respond to lawful requests, and exercise or defend our legal rights.
- For any other purpose with your consent or at your direction.
Aggregated and De-Identified Data
We may aggregate or de-identify information so that it no longer reasonably identifies you or any individual. We may use aggregated or de-identified data for internal purposes such as capacity planning, error rate monitoring, feature usage statistics, product research and development, and internal benchmark reports. We do not disclose aggregated or de-identified data derived from Your Data to any third party for that party's independent commercial use. We do not attempt to re-identify de-identified data and we contractually prohibit recipients from doing so.
Legal Bases (for users in jurisdictions that require them)
Where required by law, we rely on the following legal bases:
- Contract — to provide the Services and fulfill our agreements with you.
- Legitimate interests — to operate, secure, and improve the Services; to market our products to business contacts; and to prevent fraud and abuse, where those interests are not overridden by your rights.
- Legal obligation — to comply with applicable law, regulation, and legal process.
- Consent — where required, for example for certain marketing communications, cookies, and processing of sensitive information.
3. How We Share Information
We do not sell Your Data, and we do not share Your Data with third parties for their own marketing, advertising, or independent commercial use. Subject to that commitment, we disclose information in the following limited circumstances:
- Within Aviluxe Aviation LLC and its current and future affiliates.
- With Vendors and their authorized users, where you are an end customer, crew member, or other person whose information was provided through a Vendor's account. The Vendor controls who in their organization can access that information.
- With service providers and subprocessors that perform services on our behalf — including hosting, infrastructure, payments, communications, analytics, customer support, security, and AI processing. These providers are bound by contract to protect your information and use it only for the services they provide to us. A current list is available on request by emailing support@coreop.io.
- With integration partners and third-party services that you or your Vendor connects to the Services (for example, Google Calendar, QuickBooks Online, FlightAware, weather APIs, marketing platforms, and social media platforms). When you authorize an integration, we share the information necessary for the integration to work. You control which integrations are enabled.
- With our payment processor, Stripe, to process payments, manage Stripe Connect accounts, and comply with payment regulations. Stripe's handling of your information is governed by Stripe's privacy policy.
- In connection with a corporate transaction such as a financing, merger, acquisition, sale of assets, reorganization, or insolvency proceeding, including for due diligence. In any such transaction we will require the recipient to honor the commitments in this Policy with respect to Your Data.
- For legal and safety reasons, when we believe in good faith that disclosure is necessary or appropriate to comply with law, lawful requests, or legal process; to enforce our agreements; to protect the rights, property, safety, or security of CoreOP, our users, or others; or to detect, investigate, or prevent fraud or abuse.
- With your consent or at your direction, including when you choose to make information public or share it with third parties.
A note on our public marketing website. On our public marketing website (coreop.io) and our mobile marketing landing pages, we and our advertising partners may use cookies, pixels, and similar technologies for advertising and analytics. Under some state privacy laws (including California, Colorado, Connecticut, Texas, and Virginia), certain of these cookie-based data flows may qualify as "sharing" or "sale" of personal information. This activity is limited to our public marketing surfaces, does not involve Your Data inside the authenticated Service, and can be opted out of using the mechanisms described in Sections 8, 9, 10, and our Cookie Policy.
4. Cookies, Analytics, and Online Advertising
We and our service providers use cookies, pixels, software development kits, and similar technologies to operate the Services, remember your preferences, analyze usage, and (on our Websites) to deliver relevant marketing. For details about the specific cookies we use, the categories they fall into, and how to control them, see our Cookie Policy at coreop.io/legal/cookies.
We honor Global Privacy Control (GPC) and similar legally recognized browser-based opt-out signals for users in jurisdictions where the law requires recognition of those signals.
5. AI and Automated Processing
The Services include features that use artificial intelligence, machine learning, and large language models, including third-party models accessed through providers such as Anthropic and xAI (collectively, "AI Features"). AI Features may be used to generate quote suggestions, draft messages, summarize calls and notes, recommend pricing, draft marketing content, and assist customer support.
When you or a Vendor uses AI Features, the inputs (including any personal information in those inputs) and outputs are processed by us and by the relevant AI provider as our subprocessor. AI providers are contractually prohibited from using your inputs or outputs to train their general-purpose models.
We do not use Your Data to train general-purpose AI models. AI Features process Your Data only to generate the specific output you have requested (for example, a suggested quote draft, a note summary, or a message draft).
AI outputs may contain errors, omissions, or inaccuracies, and you are responsible for reviewing AI-generated content before relying on it or sharing it with third parties. We make no representation that AI Features will produce any particular result.
We do not use AI Features to make decisions that produce legal or similarly significant effects about you without human involvement.
6. Security, Retention, and International Transfers
Security
We implement administrative, technical, and physical safeguards designed to protect information against unauthorized access, disclosure, alteration, and destruction. These include encryption in transit and at rest, role-based access controls, multi-factor authentication for administrative access, tenant isolation through row-level security, logging and monitoring, and regular security reviews. For more, see our Security page at coreop.io/security.
No system is perfectly secure, and we cannot guarantee the security of any information you transmit to us. You are responsible for maintaining the confidentiality of your account credentials and for all activities under your account.
Retention
We retain personal information for as long as needed to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. When information is no longer needed, we delete or de-identify it, except where retention is required by law or where the information is held in routine backups that are eventually overwritten.
If your subscription is terminated, see the Terms of Service for our data export and deletion timelines.
International Transfers
CoreOP is based in the United States and processes information in the United States. We may also process information in other countries where our service providers operate. If you access or use the Services from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States and other jurisdictions, which may have data protection laws that differ from those of your country. Where required, we implement appropriate safeguards (such as standard contractual clauses) for international transfers.
Account Access by CoreOP Personnel
Authorized CoreOP staff may access your account data for the following purposes:
- Providing customer support and resolving technical issues
- Investigating security incidents or suspected abuse
- Resolving billing disputes and processing refunds
- Ensuring platform reliability and performance
- Complying with legal obligations
CoreOP staff access falls into two categories:
Read-only access: Administrative views of your account data (subscription state, billing history, settings, activity logs) used for diagnostics and support. These views are logged in our internal audit system but do not generate a notification to you.
Impersonation: A view of the platform as if you were signed in as a member of your team. When a staff member impersonates a user within your account, you will receive an in-app notification disclosing:
- The staff member's name
- The time access began
- The reason for access
- The session expiration time (30 minutes maximum)
During impersonation, staff cannot perform write actions on your behalf. They can only view the platform from your user's perspective. All actions during impersonation, and the start and end of every impersonation session, are logged in our internal audit system with the staff member's identity, the affected user, and the reason for access.
You may review the impersonation history for your account at any time by contacting support@coreop.io. We will provide a complete log of any impersonation sessions affecting your account within 14 days of your request.
All staff access is:
- Restricted by role-based permissions
- Logged in our internal audit system
- Subject to our internal security policies and data handling standards
- Compliant with applicable data protection laws
If you have questions about a specific access event, please contact us at support@coreop.io.
7. Your Rights and Choices
Marketing Communications
You can opt out of marketing emails by clicking the unsubscribe link in any marketing email or by emailing support@coreop.io. See the SMS Text Messaging section below for full details on our text messaging program, message types, and how to opt out. We may continue to send you transactional and account communications regardless of your marketing preferences.
Account Information
You can update most account information by signing in to the Services. If you need help, contact your Vendor account administrator (if applicable) or support@coreop.io.
Privacy Rights Under State Laws
Depending on where you live, you may have rights to:
- Confirm whether we process your personal information.
- Access a copy of the personal information we hold about you.
- Correct inaccurate personal information.
- Delete personal information we hold about you.
- Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising.
- Opt out of profiling that produces legal or similarly significant effects.
- Limit the use of sensitive personal information (where applicable).
- Appeal a denial of a privacy request (where applicable).
To exercise these rights, email support@coreop.io with the subject line "Privacy Request" or visit coreop.io/legal/privacy-request. We will verify your identity before responding, typically by confirming details associated with your account. If we cannot verify your identity, we may be unable to fulfill your request.
You may use an authorized agent to submit a request on your behalf. We will require proof of the agent's authority and may verify the request directly with you.
We will not discriminate against you for exercising your privacy rights.
SMS Text Messaging
If you provide your phone number and opt in to text messaging, you may receive SMS messages from CoreOP. Consent to receive text messages is not a condition of purchase or of submitting any form, and the consent choice is separate from providing your phone number.
We offer two separate categories of SMS messages, and you may opt into one, both, or neither:
- Transactional (non-marketing) messages, such as appointment reminders, booking confirmations, and account notifications.
- Marketing messages, such as special offers, discounts, and service updates.
Message frequency may vary. Message and data rates may apply. You can cancel the SMS service at any time by replying STOP. For help, reply HELP or contact us at support@coreop.io or (561) 728-0059.
No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. Information sharing to subcontractors in support services, such as customer service, is permitted. All other use case categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
8. Notice to Texas Residents
The Texas Data Privacy and Security Act (TDPSA) gives Texas residents the rights described in Section 7. To exercise those rights, email support@coreop.io. If we deny your request, you may appeal by replying to our denial with the subject line "Privacy Request Appeal." If we deny your appeal, you may contact the Texas Attorney General at https://www.texasattorneygeneral.gov/.
We do not knowingly process the sensitive personal data of Texas residents without consent, and we do not sell sensitive personal data.
If we engage in "targeted advertising" or "sale" of personal data as those terms are defined under the TDPSA — which today applies only to cookie-based data flows on our public marketing website (coreop.io), not to Your Data inside the authenticated Service — we provide a means to opt out at coreop.io/legal/privacy-request, through the "Your Privacy Choices" link in our website footer, and by honoring the Global Privacy Control browser signal.
9. Notice to California Residents
This section applies to California residents and is provided pursuant to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA").
Categories of Personal Information We Collect, Disclose, and "Share" or "Sell"
For purposes of the CCPA, we treat our public marketing website (coreop.io) and our authenticated Service (the CoreOP platform used by Vendors, End Customers, and Crew) as separate contexts because they involve different data flows and different partners. In the past 12 months we have collected the following categories of personal information, as defined by the CCPA:
Public Marketing Website (coreop.io)
| Category | Collected | Disclosed for a Business Purpose | "Sold" or "Shared" |
|---|---|---|---|
| Identifiers (name, email, phone, IP address, device identifiers) | Yes | Service providers; legal recipients | Advertising and analytics partners (cookies) |
| Commercial information (leads, demo requests, marketing interactions) | Yes | Service providers; legal recipients | No |
| Internet activity (browsing on coreop.io, marketing interactions) | Yes | Service providers; analytics partners | Advertising and analytics partners (cookies) |
| Geolocation (approximate from IP) | Yes | Service providers | No |
| Professional or employment information (job title, company) | Yes | Service providers | Advertising partners (cookies) |
| Inferences (marketing segments, preferences) | Yes | Service providers | Advertising partners (cookies) |
Authenticated Service (Vendor accounts, End Customer portals, Crew mobile)
| Category | Collected | Disclosed for a Business Purpose | "Sold" or "Shared" |
|---|---|---|---|
| Identifiers (name, email, phone, account identifiers) | Yes | Service providers; affiliates; Vendors; legal recipients | No |
| Commercial information (subscription, transaction, and purchase records) | Yes | Service providers; affiliates; legal recipients | No |
| Internet activity (interactions within the authenticated Service) | Yes | Service providers | No |
| Geolocation (approximate from IP; precise from device when Vendor enables) | Yes | Service providers; Vendors | No |
| Audio, electronic, and visual information (call recordings where permitted; uploaded photos) | Yes | Service providers; Vendors; legal recipients | No |
| Professional or employment information | Yes | Service providers; affiliates; Vendors | No |
| Inferences (usage patterns, feature preferences) | Yes | Service providers; affiliates | No |
| Sensitive personal information (account credentials; precise geolocation when enabled) | Yes | Service providers; Vendors | No |
We do not "sell" or "share" personal information collected inside the authenticated Service. Cookie-based "sharing" and "sale," where indicated, occur only on our public marketing website and can be opted out of as described below.
Sources, Purposes, and Retention
The sources of personal information are described in Section 1, the purposes for which we use personal information are described in Section 2, and the categories of recipients are described in Section 3. We retain personal information as described in Section 6.
Sensitive Personal Information
We do not use or disclose sensitive personal information for purposes other than those allowed by the CCPA without offering a right to limit. Specifically, we use sensitive personal information only to provide the Services, secure them, prevent fraud and abuse, and comply with law.
Your CCPA Rights
You have the right to:
- Know what personal information we collect, use, disclose, "sell," and "share."
- Access a copy of your personal information.
- Correct inaccurate personal information.
- Delete personal information.
- Opt out of "sale" and "sharing" for cross-context behavioral advertising.
- Limit the use of sensitive personal information (we already limit such use as described above; no further action is required).
- Not receive discriminatory treatment for exercising your rights.
To exercise these rights, email support@coreop.io with the subject line "California Privacy Request" or visit coreop.io/legal/privacy-request. To opt out of "sale" or "sharing" for cross-context behavioral advertising on our public marketing website specifically, click "Your Privacy Choices" in the Website footer or set the Global Privacy Control signal in your browser.
You may designate an authorized agent to submit requests on your behalf as described in Section 7.
Shine the Light
We do not disclose personal information to third parties for their own direct marketing purposes within the meaning of California Civil Code § 1798.83.
Notice of Financial Incentives
We do not currently offer financial incentives in exchange for personal information.
10. Notice to Residents of Other States with Privacy Laws
If you reside in Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Utah, Virginia, or another U.S. state with a comprehensive consumer privacy law, you may have rights similar to those described in Sections 7 and 9. To exercise those rights, email support@coreop.io or visit coreop.io/legal/privacy-request.
We honor the Global Privacy Control browser signal in jurisdictions that legally require recognition of universal opt-out mechanisms.
If we deny your request, you may appeal by replying to our denial with the subject line "Privacy Request Appeal." If your appeal is denied, you may contact your state attorney general.
11. Notice to End Users of CoreOP Vendors
If you are a customer, aircraft owner, crew member, or other individual whose information is processed by CoreOP because a Vendor uses CoreOP to manage their business, the Vendor — not CoreOP — is the controller of your information. The Vendor decides what information to collect, how to use it, who in their organization can access it, and how long to retain it.
To exercise privacy rights with respect to information held by a Vendor in the Services, please contact that Vendor directly. We will assist Vendors in responding to your requests as required by law.
If you are unable to identify or reach the relevant Vendor, you may contact us at support@coreop.io and we will use reasonable efforts to route your request appropriately.
12. Children's Privacy
The Services are not directed to children under 16 and we do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact us at support@coreop.io and we will take appropriate steps to delete it.
13. Third-Party Sites and Integrations
The Services may link to or integrate with third-party websites, products, and services. We are not responsible for the privacy practices of any third party. When you authorize an integration, you authorize the exchange of information between CoreOP and that third party for the purposes described in the integration. Review the privacy policies of any third parties you connect to the Services.
14. Google User Data Policy
CoreOP's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Calendar integration
When you connect your Google Calendar to CoreOP (a Vendor-initiated, optional integration available at /dashboard/vendor/integrations), CoreOP requests the following Google OAuth scopes:
https://www.googleapis.com/auth/calendar.events— to create, update, and delete Calendar events that represent CoreOP bookings.https://www.googleapis.com/auth/calendar.readonly— to read your existing Calendar events so CoreOP can detect scheduling conflicts before booking new work.
What we do with Google data
- Create CoreOP-managed events on your Calendar corresponding to bookings scheduled in CoreOP, so your shop's schedule and your personal Calendar stay aligned.
- Read your existing Calendar events strictly to detect availability conflicts when a new booking is being scheduled.
What we do NOT do with Google data
- We do not use Google user data to serve advertisements.
- We do not transfer Google user data to third parties except as necessary to provide and improve the user-facing features described above, to comply with applicable law, or as part of a merger, acquisition, or asset sale (with appropriate notice to you).
- We do not allow humans to read Google user data unless we have obtained your explicit affirmative agreement, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for internal operations and only when the data has been aggregated and de-identified.
- We do not sell Google user data.
- We do not use Google user data to train or develop generalized AI/ML models.
Revoking access
You can revoke CoreOP's access to your Google account at any time:
- Inside CoreOP: visit /dashboard/vendor/integrations and click Disconnect on the Google Calendar card.
- Inside Google: visit myaccount.google.com/permissions and remove CoreOP.
When access is revoked from either side, CoreOP stops creating and reading Calendar events for your account on the next request. CoreOP-created events already on your Calendar are not retroactively deleted; you may delete them manually.
Retention of Google data
CoreOP stores Google OAuth tokens (encrypted at rest) and minimal connection metadata (granted scope set, connected Google account email, token expiry). We do NOT store the contents of your Calendar events on CoreOP servers — events are read on demand and Calendar event creation is a write-and-forget operation. When you disconnect, the OAuth row is marked revoked and tokens become unreadable.
15. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we update the Policy we will revise the "Last Updated" date at the top, and if changes are material we will provide additional notice (for example, by email or in-product notification). Your continued use of the Services after the effective date of any update constitutes acceptance of the updated Policy.
16. Contact Us
If you have questions about this Policy or our privacy practices, contact us at:
Email: support@coreop.io Phone: (561) 728 0059 Web: coreop.io