Privacy Policy
This Privacy Policy describes how Cyclic ("Cyclic", "we", "us") collects, uses, and shares information when you use the platform at cyclicmro.com. Cyclic is a B2B service for Part 145 helicopter MRO shops; we do not knowingly collect information from individuals acting in a personal (non-business) capacity.
1. Information we collect
Account information. When you sign up: your name, email address, shop name, password (stored as a bcrypt hash, never in plaintext), and the OEMs you elect as your primary platforms.
Operator Content. Whatever you put into the platform — customer records, aircraft and engine registry entries, quotes you draft, RFQ templates you save, AMM PDFs you upload, internal notes — is stored in your tenant-isolated workspace.
Usage data. Server logs (IP address, request URL, user agent, timestamp, response status), audit-log entries for actions taken in your tenant (record creates / edits / deletes), and feedback you submit through the in-app feedback widget.
Billing information. If you subscribe to a paid tier, our payment processor (Stripe) collects your payment method and billing address. Cyclic does not store your full credit card number; we store the Stripe customer and subscription IDs that map to your account.
Optional OEM portal credentials. If you choose to connect an OEM portal (e.g., Bell mybell.com) where the OEM's terms permit automated access by an authorized account holder, you may store the credentials in your tenant via the OEM Portal Connections panel. These credentials are encrypted at rest using a per-installation key and decrypted only at the moment of an authorized scrape run.
2. How we use information
- To provide the service: render your dashboard, generate quote drafts, store and retrieve your data.
- To secure the service: detect abuse, rate-limit credential-stuffing attempts, investigate incidents.
- To support you: respond to your feedback or support requests.
- To bill you: process subscription payments via Stripe.
- To improve the service: review aggregated usage patterns (no Operator names or content) to decide what to build next.
- To meet legal obligations: respond to lawful requests from regulatory or law-enforcement authorities.
We do not sell your information. We do not use Operator Content to train third-party machine-learning models. We do not share Operator Content across tenants.
3. Service providers we share with
We use a small number of third-party processors that help us deliver the service. Each is bound by its own data-protection commitments and processes data only as instructed by Cyclic.
- Railway — hosting and database (US data centers).
- Stripe — payment processing for paid subscriptions.
- Sentry — application error tracking. We scrub cookies, authentication headers, and password fields before sending error events.
- Resend (when enabled) — transactional email delivery (e.g., customer-loop email send, password reset).
- Anthropic — large-language-model API used to generate quote drafts. Operator Content sent to Anthropic is processed solely to return the requested completion and is not retained for model training under our agreement with Anthropic.
We do not enable third-party advertising networks or analytics that profile individual users. We use only essential session cookies; see Section 7.
4. Data security
Cyclic implements commercially reasonable security measures, including: TLS 1.2+ for all data in transit; bcrypt password hashing; per-tenant row-level data isolation enforced in code; encrypted storage of OEM portal credentials at rest using Fernet symmetric encryption with keys derived from a per-installation secret; HTTP security headers (HSTS, CSP, Referrer-Policy, X-Frame-Options, X-Content-Type-Options) on every response; rate limiting on authentication endpoints; HttpOnly + Secure + SameSite session cookies. We do not represent that the service is invulnerable. You are responsible for keeping your account credentials secure.
5. Data retention
We retain Operator Content while your account is active. On account closure we provide a thirty (30) day window for export, then delete Operator Content from active systems within sixty (60) days. We retain anonymized aggregate statistics (with no Operator identifiers, customer names, serial numbers, dollar amounts, or part numbers) indefinitely as part of the priors-calibration dataset that powers the platform for all tenants. We retain billing records for at least seven (7) years to comply with U.S. tax law. We retain server logs for ninety (90) days for security investigation purposes.
6. Your rights
You may, at any time, by emailing hello@cyclicmro.com from the address on file:
- Request a copy of the personal data we hold about you.
- Correct or update your account information (most fields are editable in Settings).
- Request deletion of your account and associated Operator Content, subject to the retention exceptions in Section 5.
- Request a portable export of your Operator Content.
7. Cookies
Cyclic uses only essential session cookies necessary for authenticated session state and CSRF protection. We do not use tracking, advertising, or analytics cookies. You may disable cookies in your browser, but the service will not function without session cookies.
8. California privacy rights (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect, the right to delete that information (subject to retention exceptions), the right to correct inaccurate information, the right to opt out of the sale or sharing of personal information (we do not sell or share for advertising), and the right to non-discrimination for exercising your rights. Contact hello@cyclicmro.com to exercise any right. We may need to verify your identity before responding.
9. International users
Cyclic is operated from the United States. If you access the service from outside the U.S., your information will be transferred to and processed in the U.S. By using the service you consent to that transfer. We do not currently target European Union or United Kingdom users; we will offer GDPR-equivalent rights to any such user who requests them via hello@cyclicmro.com.
10. Children
Cyclic is a business service. We do not knowingly collect information from individuals under sixteen (16) years of age. If you believe a minor has provided us information, please contact us and we will delete it.
11. Changes to this Policy
We may update this Privacy Policy from time to time. We will post the updated policy at this URL and update the "Effective" date. Material changes will be communicated by email to the address on file.
12. Contact
Privacy questions or rights requests: hello@cyclicmro.com · (650) 383-8190 · Cyclic, 10000 Washington Blvd, Culver City, CA 90232.