Privacy Policy

Last updated May 21, 2026

ltapzmap is a shared map for lighter-than-air (hot air balloon) pilots, run by Wicked Balloons. This page explains what information we collect, why, and the choices you have. We collect only what we need to run the site and we do not sell your data.

Information we collect

• Account details: your email address and a password (stored only as a salted bcrypt hash — we never see or store the plain password).
• Pilot certificate info: the certificate number and name you enter at signup, used only to verify you against the public FAA Airmen registry. It is visible to admins for approval and is not shown to other pilots.
• Map data you create or upload: features, drawings, uploaded files (KML, GPX, etc.), and any names/descriptions you attach. You choose whether each upload is private, public, or shared with a festival. Flight tracks are always kept private.
• Messages: in-app messages, feature contact requests, and bug/feature feedback you send.
• Approximate location: on first load the map centers near you using a rough city-level estimate derived from your IP address. We do not store this; we don’t use precise GPS unless you click the “locate me” control.
• Technical data: standard server logs (IP, timestamp, request) and a session cookie that keeps you signed in.

How we use it

• To create and secure your account and keep you signed in.
• To verify you are a certificated balloon pilot before granting access.
• To store, display, and let you export the map data you choose to share.
• To deliver messages and respond to your bug reports and feature requests.
• To operate, debug, and improve the site.

How your data is shared

• Public features you mark public are visible on the shared map to all signed-in pilots. Private features and flight tracks are visible only to you (and site admins for moderation). Festival-shared data is visible to that festival’s attendees.
• We do not sell or rent your personal information to anyone.
• We share data with the service providers below only as needed to run the site, and we may disclose information if required by law.

Service providers

• Cloudflare — CDN, DNS, and DDoS protection.
• Amazon Web Services (EC2) — hosting and database.
• MapTiler / OpenStreetMap — base map tiles.
• FAA Airmen Inquiry — certificate verification (we look you up; we don’t send them anything beyond the query).
• Have I Been Pwned — checks your chosen password against known breaches using k-anonymity; your full password never leaves our server.
• IP geolocation (ipwho.is) — rough location to center the map.
• Email provider — verification, approval, and notification emails.

Cookies

We use a single essential cookie to keep you signed in. We don’t use advertising or third-party tracking cookies.

Data retention & your choices

• You can delete your uploads and features at any time from your account.
• You can switch any upload between private and public.
• To access, correct, or delete your account and associated data, email us and we’ll handle it.

Security

Connections are encrypted with HTTPS, passwords are bcrypt-hashed, and access to private data is restricted to you and site admins. No system is perfectly secure, but we take reasonable measures to protect your information.

Children

ltapzmap is intended for certificated pilots and is not directed to children under 13.

Changes

We may update this policy as the site evolves; we’ll revise the “last updated” date above when we do.

Contact

Questions or requests about your data? [email protected]. See also our About & data sources page.