Last updated: 2 June 2026
This Privacy Policy explains how Myrslok ("we", "us", the "Service") collects, uses, and protects personal data when you use our aviation-training tools at myrslok.com. We are committed to compliance with the EU General Data Protection Regulation (GDPR) and the ePrivacy Directive.
The data controller for your personal data is:
Myrslok is a private, login-only training platform. We deliberately collect as little personal data as possible. We process:
| Category | Examples | Source |
|---|---|---|
| Account data | Username, display name, hashed password (PBKDF2-SHA256 — we never store your password in plain text), assigned role and project access | You / your administrator |
| Training & progress data | XP, levels, quiz/SRS review history, streaks, in-app "banana" economy balance, boosts, duel history, leaderboard entries | Generated by your use of the Service |
| Session data | A single signed authentication cookie (myrslok_session), valid 24 hours | Created at login |
| Technical/log data | IP address and request metadata processed by our hosting provider for security and delivery | Automatically, via Cloudflare |
We do not collect your email address at sign-up, we do not use advertising or analytics trackers, and we do not sell or share your data for marketing.
We use only a strictly-necessary authentication cookie and functional browser storage (e.g. cached game state). These are exempt from prior consent under the ePrivacy Directive because they are essential to a service you actively requested. See our Cookie & Storage Notice for details.
We use a small number of trusted service providers who act as data processors on our behalf:
| Provider | Purpose | Note |
|---|---|---|
| Cloudflare, Inc. | Hosting, storage (KV / D1 / R2), CDN, security | Processes IP/log data; offers GDPR DPA & Standard Contractual Clauses |
| Pusher (MessageBird/Bird) | Real-time events (duel challenges, presence) | May receive user/session identifiers |
| Mapbox, Inc. | Map tiles in map-based tools | Receives your IP when map tiles load |
Some of these providers are based outside the EU/EEA (e.g. the United States). Where personal data is transferred internationally, it is protected by appropriate safeguards such as Standard Contractual Clauses and/or the EU–US Data Privacy Framework.
Account and progress data is retained for as long as your account is active. Session cookies expire after 24 hours. Server logs are retained for a limited period by our hosting provider for security purposes. When your account is deleted, your personal data is removed from our active stores.
Under the GDPR you have the right to: access your data; rectify inaccurate data; erase your data ("right to be forgotten"); restrict or object to processing; and data portability. To exercise any of these rights, email ivar@myrslok.com. You also have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet, datatilsynet.dk), or with the supervisory authority in your own EU/EEA country of residence.
We protect your data with industry-standard measures: passwords are salted and hashed (PBKDF2-SHA256), sessions are HMAC-signed and delivered over HTTPS with HttpOnly, Secure and SameSite=Strict cookies, and access to projects is permission-gated.
The Service is intended for adult aviation professionals and trainees and is not directed at children under 16.
We may update this policy from time to time. Material changes will be reflected by an updated "Last updated" date above.