01 Introduction
TDY.ai, LLC d/b/a TODAY (“Company,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use the Flightplan workforce capacity planning platform (“Service”).
This policy applies to all users of the Service, including organization administrators, team members, and any individual who interacts with the platform. By using Flightplan, you consent to the practices described in this Privacy Policy.
If you do not agree with this Privacy Policy, please do not access or use the Service. For questions or concerns about our privacy practices, contact us at privacy@tdy.ai.
02 Information We Collect
We collect information necessary to provide and improve the Service. The categories of data we collect include:
2.1 Account Information
- Full name, email address, and organization affiliation
- Account credentials (passwords are stored as bcrypt hashes — we never store plaintext passwords)
- Role and permission assignments (Owner, Admin, Member)
- Profile settings and preferences
2.2 Workforce Planning Data (Customer Data)
Data you input into Flightplan for planning purposes:
| Category | Examples |
|---|---|
| Resource Profiles | Names, job titles, skills, team assignments, availability hours |
| Project Data | Project names, phases, milestones, work items, descriptions |
| Allocations | Resource-to-project assignments, hours per day, date ranges |
| Timesheets | Time entries, hours logged, approval status |
| Capacity Analytics | Utilization rates, capacity forecasts, conflict reports |
| Skills Data | Skill names, proficiency levels, certifications |
2.3 Usage and Technical Data
- IP addresses, browser type and version, operating system
- Pages visited, features used, session duration, and timestamps
- API usage patterns and request logs
- Device identifiers and referral URLs
2.4 Communication Data
- Emails, support tickets, and messages you send to us
- Notification preferences and delivery logs
- Feedback, survey responses, and feature requests
03 How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery — To provide, maintain, and operate the Flightplan platform, including resource management, project planning, capacity analytics, and reporting features
- Authentication & Security — To verify your identity, manage access control (RBAC), detect and prevent unauthorized access, and protect against security threats
- Service Improvement — To analyze usage patterns, identify performance issues, and improve the platform’s functionality and user experience
- Customer Support — To respond to your inquiries, troubleshoot issues, and provide technical assistance
- Communications — To send service-related notifications, maintenance alerts, security advisories, and billing communications
- Compliance — To comply with legal obligations, enforce our Terms of Service, and respond to lawful requests from authorities
- Billing & Invoicing — To process payments, manage subscriptions, and generate invoices
We do NOT:
- Sell your personal information or Customer Data to third parties
- Use your data for advertising or marketing purposes unrelated to the Service
- Train AI models on your Customer Data without explicit opt-in consent
- Share your data with data brokers or analytics companies
04 Data Sharing & Disclosure
We share your information only in the following limited circumstances:
4.1 Within Your Organization
Flightplan is a multi-tenant platform with organization-level data isolation. Data within your organization is accessible to members based on their assigned roles (Owner, Admin, Member). We do not share data between organizations.
4.2 Service Providers
We engage trusted third-party service providers who process data on our behalf, subject to strict contractual obligations:
- Microsoft Azure — Cloud infrastructure hosting (US datacenters)
- Azure Key Vault — Secrets management and encryption key storage
- Microsoft Sentinel — Security information and event management (SIEM)
- Email delivery services — For transactional and notification emails (Office 365)
4.3 Legal Requirements
We may disclose your information if required by law, court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to: (a) comply with applicable law; (b) protect the rights, property, or safety of TDY.ai, LLC d/b/a TODAY, our users, or the public; or (c) detect, prevent, or address fraud, security, or technical issues.
4.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change and any choices you may have regarding your information.
05 Data Security
We implement comprehensive technical and organizational measures to protect your data. For full details, see our Security Policy. Key measures include:
- Encryption at Rest — All data is encrypted using AES-256 encryption in Azure-managed storage
- Encryption in Transit — All communications use TLS 1.2 or higher
- Authentication — JWT tokens with bcrypt password hashing; role-based access control (RBAC)
- Infrastructure Security — Private network isolation between application tiers, firewall rules, Fail2ban intrusion prevention
- Monitoring — Microsoft Sentinel SIEM with real-time security analytics and alerting
- Access Controls — Principle of least privilege for all internal access; SSH key-based authentication for server access
- Secrets Management — All credentials and API keys stored in Azure Key Vault, never in source code
While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.
06 Data Retention
We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy:
- Active Account Data — Retained for the duration of your subscription and active account
- Customer Data — Retained for thirty (30) days after account termination to allow data export, then permanently deleted
- Usage Logs — Retained for up to twelve (12) months for security monitoring and analytics purposes
- Billing Records — Retained for seven (7) years as required by applicable tax and accounting regulations
- Security Logs — Retained for up to twenty-four (24) months for incident investigation and compliance purposes
- Support Communications — Retained for up to three (3) years to maintain support history and quality
You may request earlier deletion of your data at any time by contacting privacy@tdy.ai, subject to our legal and regulatory obligations.
07 Your Privacy Rights
Depending on your jurisdiction, you may have certain rights regarding your personal information:
7.1 General Rights (All Users)
- Access — Request a copy of the personal information we hold about you
- Correction — Request correction of inaccurate or incomplete personal information
- Deletion — Request deletion of your personal information, subject to legal retention requirements
- Data Portability — Request your data in a structured, machine-readable format (JSON or CSV)
- Objection — Object to processing of your personal information for certain purposes
- Withdrawal of Consent — Withdraw consent for data processing where consent is the legal basis
7.2 California Residents (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information is collected, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising privacy rights.
7.3 European Users (GDPR)
If you are in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with a supervisory authority and the right to restrict processing of your personal data.
7.4 Exercising Your Rights
To exercise any of these rights, contact us at privacy@tdy.ai. We will respond to verified requests within thirty (30) days. We may request additional information to verify your identity before processing your request.
08 Cookies & Tracking
Flightplan uses a minimal set of cookies and similar technologies:
- Authentication Cookies — JWT access tokens and refresh tokens stored as secure, HTTP-only cookies. These are essential for the Service to function and cannot be disabled.
- Preference Cookies — Your theme preference (light/dark mode) and UI settings are stored in local storage.
- Session Data — Temporary session information for maintaining your login state.
We do not use third-party advertising cookies, tracking pixels, social media widgets, or analytics services that track you across other websites. We do not participate in cross-site tracking or retargeting.
09 International Data Transfers
Flightplan is hosted on Microsoft Azure infrastructure in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.
For users in the EEA, UK, or other jurisdictions with data transfer restrictions, we rely on Standard Contractual Clauses (SCCs) and other approved transfer mechanisms to ensure your data receives adequate protection during international transfers.
By using the Service, you consent to the transfer of your information to the United States and acknowledge that data protection laws in the United States may differ from those in your jurisdiction.
10 Children’s Privacy
Flightplan is a business-to-business workforce planning tool and is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will promptly delete that information. If you believe a child has provided us with personal information, please contact us at privacy@tdy.ai.
11 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
- Update the “Effective Date” at the top of this page
- Send email notification to the account email of organization Owners and Admins
- Display a prominent notice within the Flightplan application
- Provide at least thirty (30) days advance notice before material changes take effect
Continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
12 Contact Us
If you have questions, concerns, or requests related to this Privacy Policy or our data practices, contact us:
- Privacy Team: privacy@tdy.ai
- Security Team: security@tdy.ai
- General Support: support@tdy.ai
- Legal: legal@tdy.ai
We aim to respond to all privacy-related inquiries within five (5) business days.
TDY.ai, LLC d/b/a TODAY
United States