Download: docx | pdf

Privacy Threshold Assessment (PTA)

Federal Aviation Administration (FAA) Office of Information & Technology (AIT) B4UFLY 2.0

Privacy Threshold Assessment (PTA)

The Privacy Threshold Assessment (PTA) is an analytical tool used to determine the scope of privacy risk management activities that must be executed to ensure that the Department’s initiatives do not create undue privacy risks for individuals.

The Privacy Threat Assessment (PTA) is a privacy risk management tool used by the Department of Transportation (DOT) Chief Privacy Officer (CPO). The PTA determines whether a Department system¹ creates privacy risk for individuals that must be further analyzed, documented, or mitigated, and determines the need for additional privacy compliance documentation. Additional documentation can include Privacy Impact Assessments (PIAs), System of Records notices (SORNs), and Privacy Act Exemption Rules (Exemption Rules).

The majority of the Department’s privacy risk emanates from its direct collection, use, storage, and sharing of Personally Identifiable Information (PII),² and the IT systems used to support those processes. However, privacy risk can also be created in the Department’s use of paper records or other technologies. The Department may also create privacy risk for individuals through its rulemakings and information collection requirements that require other entities to collect, use, store or share PII, or deploy technologies that create privacy risk for members of the public.

To ensure that the Department appropriately identifies those activities that may create privacy risk, a PTA is required for all IT systems, technologies, proposed rulemakings, and information collections at the Department. Additionally, the PTA is used to alert other information management stakeholders of potential risks, including information security, records management and information collection management programs. It is also used by the Department’s Chief Information Officer (CIO) and Associate CIO for IT Policy and Governance (Associate CIO) to support efforts to ensure compliance with other information asset requirements including, but not limited to, the Federal Records Act (FRA), the Paperwork Reduction Act (PRA), the Federal Information Security Management Act (FISMA), the Federal Information Technology Acquisition Reform Act (FITARA) and applicable Office of Management and Budget (OMB) guidance.

Each Component establishes and follows its own processes for developing, reviewing, and verifying the PTA prior to its submission to the DOT CPO. At a minimum the PTA must be reviewed by the Component business owner, information system security manager, general counsel, records officers, and privacy officer. After the Component review is completed, the Component Privacy Office will forward the PTA to the DOT Privacy Office for final adjudication. Only PTAs watermarked “adjudicated” and electronically signed by the DOT CPO are considered final. Do NOT send the PTA directly to the DOT PO; PTAs received by the DOT CPO directly from program/business owners will not be reviewed.

If you have questions or require assistance to complete the PTA please contact your Component Privacy Officer or the DOT Privacy Office at [email protected]. Explanatory guidance for completing the PTA can be found in the PTA Development Guide found on the DOT Privacy Program website, www.dot.gov/privacy.

PROGRAM MANAGEMENT

SYSTEM name: B4UFLY 2.0

Cyber Security Assessment and Management (CSAM) ID: B4UFLY 2.0 is not a FISMA reportable system within CSAM.

SYSTEM MANAGER CONTACT Information:

Name: Erik Amend

Email: [email protected]

Phone Number: 202-267-8282

Is this a NEW system?

☐ Yes (Proceed to Section 1)

☒ No

☐ Renewal

☒ Modification

Is there a PREVIOUSLY ADJUDICATED PTA for this system?

☒ Yes:

Date: November 20, 2018

☐ No

1. SUMMARY INFORMATION

   1. System TYPE

☐ Information Technology and/or Information System

Unique Investment Identifier (UII):

Cyber Security Assessment and Management (CSAM) ID:

☐ Paper Based:

☐ Rulemaking

Rulemaking Identification Number (RIN):

Rulemaking Stage:

☐ Notice of Proposed Rulemaking (NPRM)

☐ Supplemental NPRM (SNPRM):

☐ Final Rule:

Federal Register (FR) Notice: Click here to enter text.

☐ Information Collection Request (ICR)³

☐ New Collection

☒ Approved Collection or Collection Renewal

☒ OMB Control Number: 2120-0764

☒ Control Number Expiration Date: 06/30/2019 (Currently engaged with the Paperwork Reduction Act (PRA) Officer in developing the 60-day Federal Register Notice, and determining whether to discontinue or adjust the information collection.)

☒ Other:

B4UFLY 2.0 is a mobile application (app) hosted and developed by Kittyhawk for the Federal Aviation Administration (FAA) that is available for Apple iOS and Android mobile devices from the Apple App Store and Google Play at no cost to identify safe areas to fly drones. B4UFLY 2.0 was published to the digital registry on April 11, 2019.

2. System OVERVIEW:

This is an update to the B4UFLY⁴ Privacy Threshold Assessment (PTA), dated November 30, 2018, that documents the changes resulting from updating the app from B4UFLY to B4UFLY 2.0. B4UFLY 2.0 allows users, who have downloaded the app to their mobile device, to determine whether or not it is safe to fly a drone within their geographic area. The app uses the geo-location of a user’s mobile device to populate a map and a status indicator to advise the user whether their area is safe for drone operation. The app also allows users to plan their upcoming drone flights by inputting GPS coordinates and a specific date to see if an area will be safe for flight in the future. Users can also view surrounding airport locations and their coordinates.

Kittyhawk is developing B4UFLY 2.0 for the FAA to update and replace the current B4UFLY app, which was previously-developed and operated by Network Designs, Inc. (NDi). B4UFLY 2.0 is planned to be available in the 4^th quarter of FY2019 and will continue to be offered as a free download for Apple iOS and Android mobile devices from the Apple App Store and Google Play. B4UFLY 2.0 will continue not to collect, use, or maintain Personally-Identifiable Information (PII). Kittyhawk will host B4UFLY 2.0 in the Amazon Web Services (AWS) environment and the app will provide the same general functionality and features as B4UFLY.

The following changes have occurred since the date of the previously-adjudicated PTA:

1. When users launch B4UFLY 2.0, they will be provided a privacy policy informing them of the following [See Appendix A]:

• Kittyhawk manages B4UFLY 2.0, not the FAA.

• By registering with the Apple App Store or Google Play to download B4UFLY 2.0, users will need to provide their information to a non-FAA third party.

2. B4UFLY 2.0 will provide users the following updated four flight statuses regarding the operation of their drone: (1) Good to go; (2) Caution; (3) Do Not Fly; and (4) Connection Error. Additionally, B4UFLY 2.0 will provide users with explanations on why they are receiving a “Caution” status.

3. B4UFLY 2.0 was registered with the U.S. Digital Registry on April 11, 2019. [See Appendix B]

4. B4UFLY 2.0 will update its flight sources to include information from three additional publicly-available sources.

5. B4UFLY 2.0 will now provide users a ‘Contact Kittyhawk’ web link where they may submit technical questions via Typeform⁵ web-form directly to Kittyhawk.

6. Records schedules have been updated to cover the chart and mapping records in the vendor cloud.

First time B4UFLY 2.0 users navigate directly to the Apple App Store or Google Play⁶ and must provide their information to register with the stores in order to access their content. Once registered, user may download the app directly to their mobile device at no cost. Neither the Apple App Store nor Google Play provides any information to the FAA showing that an identifiable user has downloaded the app. The only data the FAA receives from the Apple App Store or Google Play is the total number of downloads. Users who have previously registered with the Apple App Store or Google Play store for B4UFLY will not have to register again for B4UFLY 2.0. Existing users who have previously given consent to automatic updates and enabled the auto updates feature on their mobile device will automatically download B4UFLY 2.0 to their mobile devices. Existing users who have not previously given consent to automatic updates will be prompted, and must give consent prior to downloading B4UFLY 2.0 to their mobile device. The user does not input any PII directly into the app (there are no fields to input PII).

Once launched, B4UFLY 2.0 provides a flight safety map that is populated using the geo-location services of the user’s mobile device and provides the following four statuses regarding the operation of their drone: (1) Good to go; (2) Caution; (3) Do Not Fly; and (4) Connection Error. Additionally, B4UFLY 2.0 will provide users with explanations on why they are receiving a “Caution” status: (e.g., “Caution! Airport Nearby,” “Caution! Special Permissions Required,” etc.). The user’s flight safety map is populated using Kittyhawk’s back-end cloud database, which receives the data call from the user’s mobile device and returns back a populated map based on their selected flight area. Geo-location data of mobile devices are not transmitted back to the FAA, and after the data call is complete, are deleted and not stored in the back-end database.

B4UFLY 2.0 will provide flight restriction data from the following seven publicly-available flight sources, which are populated into Kittyhawk’s back-end cloud database:

1. Controlled Airspace: (http://adds-faa.opendata.arcgis.com/datasets/class-airspace)

2. Airports: (http://adds-faa.opendata.arcgis.com/datasets/airports)

3. Critical Infrastructure: (https://udds-faa.opendata.arcgis.com/datasets/national-security-uas-flight-restrictions)

4. DC SFRA and all Section 93 sites: (http://adds-faa.opendata.arcgis.com/datasets/airspace-boundary)

5. National Parks: (https://public-nps.opendata.arcgis.com/datasets/national-park-service-park-unit-boundaries)

6. Military Training Routes: (http://adds-faa.opendata.arcgis.com/datasets/mtr-segment)

7. Special User Airspace: (http://adds-faa.opendata.arcgis.com/datasets/u.s.-special-use-airspace)

All flight restriction data populated from Kittyhawk’s back-end database is non-PII. Memoranda of Understanding (MOUs) are not required for these data exchanges.

B4UFLY 2.0 will provide two web links so that will allow users to provide feedback regarding the operation of the application to the FAA for policy related questions and Kittyhawk for technical related questions. The ‘Contact FAA’ link to the FAA.gov feedback web-form is where individuals may provide comments, questions, or issues, they may have regarding B4UFLY 2.0 policy related questions.⁷ The FAA.gov feedback web-form only requires that individuals provide an email address so that they may be contacted in response to the feedback they provided. Additionally, the ‘Contact Kittyhawk’ link to the Typeform web-form is where individuals may provide comments, questions, or issues regarding technical issues with B4UFLY 2.0. Providing an email address on the Typeform web-form is optional for users who require a response from Kittyhawk and no other PII is collected. Using Typeform allows Kittyhawk to identify critical technical issues, and provide timely fixes and responses for users when the FAA hotline is closed during weekends and weeknights. The Feedback records are routed to The FAA Hotline Information System (FHIS)⁸ and follow the FHIS records retention schedule and B4UFLY is not responsible for those records.

An unmitigated privacy risk may exist, as the ‘Contact Kittyhawk” technical questions records are not covered under DOT/FAA 845 - Administrators Correspondence Control and Hotline Information System, ACCIS, Administrator’s Hotline Information System, AHIS, and Consumer Hotline Information System, CHIS - 65 FR 19526 - April 11, 2000. Program office has been advised to work with the FAA CPO’s office.

No reports are generated by the B4UFLY 2.0 app. The Apple App Store or Google Play download service can provide the FAA with non-PII metrics only, such as number of downloads.

2. INFORMATION MANGEMENT

   1. SUBJECTS of Collection

Identify the subject population(s) for whom the system collects, maintains, or disseminates PII. (Check all that apply)

☒ Members of the public:

☒ Citizens or Legal Permanent Residents (LPR)

☒ Visitors

☐ Members of the DOT Federal workforce

☐ Members of the DOT Contract workforce

☐ System Does Not Collect PII. If the system does not collect PII, proceed directly to question 2.3.

2. What INFORMATION ABOUT INDIVIDUALS will be collected, used, retained, or generated?

Email addresses will be the only PII collected so that the FAA and Kittyhawk can respond Users’ questions.

3. Does the system RELATE to or provide information about individuals?

☐ Yes:

☒ No

4. Does the system use or collect SOCIAL SECURITY NUMBERS (SSNs)? (This includes truncated SSNs)

☐ Yes:

Authority:

Purpose:

☒ No: The system does not use or collect SSNs, including truncated SSNs. Proceed to 2.6.

5. Has an SSN REDUCTION plan been established for the system?

☐ Yes:

☒ No:

6. Does the system collect PSEUDO-SSNs?

☐ Yes:

☒ No: The system does not collect pseudo-SSNs, including truncated SSNs.

7. Will information about individuals be retrieved or accessed by a UNIQUE IDENTIFIER associated with or assigned to an individual?

☒ Yes

Is there an existing Privacy Act System of Records notice (SORN) for the records retrieved or accessed by a unique identifier?

☒ Yes:

SORN: “Contact Us” records:

DOT/FAA 845 - Administrators Correspondence Control and Hotline Information System, ACCIS, Administrator’s Hotline Information System, AHIS, and Consumer Hotline Information System, CHIS - 65 FR 19526 - April 11, 2000.

☐ No:

Explanation:

Expected Publication:

☐ Not Applicable: Proceed to question 2.9

8. Has a Privacy Act EXEMPTION RULE been published in support of any Exemptions claimed in the SORN?

☐ Yes

Exemption Rule:

☐ No

Explanation:

Expected Publication:

☒ Not Applicable: SORN does not claim Privacy Act exemptions.

9. Has a PRIVACY IMPACT ASSESSMENT (PIA) been published for this system?

☒ Yes: 2/13/19

☐ No:

☐ Not Applicable: The most recently adjudicated PTA indicated no PIA was required for this system.

10. Does the system EXCHANGE (receive and/or send) DATA from another INTERNAL (DOT) or EXTERNAL (non-DOT) system or business activity?

☒ Yes:

B4UFLY 2.0 will provide flight restriction data from the following seven publicly-available flight sources, which are populated into Kittyhawk’s back-end cloud database:

1. Controlled Airspace: (http://adds-faa.opendata.arcgis.com/datasets/class-airspace)

2. Airports: (http://adds-faa.opendata.arcgis.com/datasets/airports)

3. Critical Infrastructure: (https://udds-faa.opendata.arcgis.com/datasets/national-security-uas-flight-restrictions)

4. DC SFRA and all Section 93 sites: (http://adds-faa.opendata.arcgis.com/datasets/airspace-boundary)

5. National Parks: (https://public-nps.opendata.arcgis.com/datasets/national-park-service-park-unit-boundaries)

6. Military Training Routes: (http://adds-faa.opendata.arcgis.com/datasets/mtr-segment)

7. Special User Airspace: (http://adds-faa.opendata.arcgis.com/datasets/u.s.-special-use-airspace)

All data populated in the app is non-PII and are for the purposes of determining safe areas for drone operations. Memoranda of Understanding (MOUs) are not required for these data exchanges.

☐ No

11. Does the system have a National Archives and Records Administration (NARA)-approved RECORDS DISPOSITION schedule for system records?

☒ Yes:

Schedule Identifier: National Archives and Records Administration, General Records Schedule 3.1 (approved January 2017), General Technology Management Records

Schedule Summary:

ITEM 11 - System development records. Temporary. Destroy 5 years after system is superseded by a new iteration, or is terminated, defunded, or no longer needed for agency/IT administrative purposes, but longer retention is authorized if required for business use. DAA-GRS-2013-0005-0007.        

ITEM 20 - Information technology operations and maintenance records. Temporary. Destroy 3 years after agreement, control measures, procedures, project, activity, or transaction is obsolete, completed, terminated or superseded, but longer retention is authorized if required for business use. DAA-GRS-2013-0005-0004.

Schedule Identifier: National Archives and Records Administration, 7910 Aeronautical Charts (approved February 2002)⁹

Schedule Summary:

ITEM 2 - Products: Aeronautical Charts; (a) unique charts:

1. Visual Navigation Charts: Include Sectional Aeronautical charts, Tem11nal Area

Charts, Grand Canyon Visual Flight Rules (VFR) Chart, World Aeronautical

Charts, Helicopter Route Charts, and U.S. Gulf Coast VFR Aeronautical Chart or their equivalents.

2. Instrument Navigation Charts: Include Instrument Flight Rules (IFR) Enroute

Low Altitude Charts, Instrument Flight Rules (IFR) Enroute High Altitude Charts,

Terminal Procedures Pubhcat10n (includes instrument procedure charts), and Alaskan Terminal Procedures Publication or their equivalents.

3. Supplementary Publications: Include (m electronic format)

Airport Safety Modeling Data (ASMD); D1g1tal Aeronautical Information CD

which includes the D1g1tal Aeronautical Chart Supplement (DACS), D1g1tal Obstacle File (DOF), and the Navigation Digital Data File, Digital Aeronautical; Flight Information File, and National Flight Database (NFD) [ARINC-424 GPS Navigation Database].

Permanent. Transfer one copy of any new edition to the National Archives at each charting cycle.

Schedule Identifier: General Records Schedule 5.8 (approved July 2017), Administrative Help Desk Records

Schedule Summary:

ITEM 10 - Technical and administrative help desk operational records, as follows:

1. Records of incoming requests (and responses) made by phone, email, web portal, etc.

2. Trouble tickets and tracking logs.

3. Quick guides and “Frequently Asked Questions” (FAQs).

4. Evaluations and feedback about help desk services.

5. Analysis and reports generated from customer management data.

6. Customer/client feedback and satisfaction surveys, including survey instruments, data, background materials, and reports.

Temporary. Destroy 1 year after resolved, or when no longer needed for business use, whichever is appropriate. DAA-GRS-2017-0001-0001.

☐ In Progress

☐ No:

3. SYSTEM LIFECYCLE

The systems development life cycle (SDLC) is a process for planning, creating, testing, and deploying an information system. Privacy risk can change depending on where a system is in its lifecycle.

1. Was this system IN PLACE in an ELECTRONIC FORMAT prior to 2002?

The E-Government Act of 2002 (EGov) establishes criteria for the types of systems that require additional privacy considerations. It applies to systems established in 2002 or later, or existing systems that were modified after 2002.

☐ Yes:

☐Not Applicable: System is not currently an electronic system. Proceed to Section 4.

☒ No:

2. Has the system been MODIFIED in any way since 2002?

☒Yes: The system has been modified since 2002.

☐ Maintenance.

☐ Security.

☐ Changes Creating Privacy Risk:

☒ Other: The Kittyhawk B4UFLY 2.0 app will replace the original B4UFLY app developed by NDi. B4UFLY 2.0 will offer users the same general features and functionality.

☐ No: The system has not been modified in any way since 2002.

3. Is the system a CONTRACTOR-owned or -managed system?

☒ Yes: The system is owned or managed under contract.

Contract Number: 692M15-19-T-00014

Contractor: Kittyhawk

☐ No: The system is owned and managed by Federal employees.

4. Has a system Security Risk CATEGORIZATION been completed?

The DOT Privacy Risk Management policy requires that all PII be protected using controls consistent with Federal Information Processing Standard Publication 199 (FIPS 199) moderate confidentiality standards. The OA Privacy Officer should be engaged in the risk determination process and take data types into account.

☐ Yes: A risk categorization has been completed.

Based on the risk level definitions and classifications provided above, indicate the information categorization determinations for each of the following:

Confidentiality: ☐ Low ☐ Moderate ☐ High ☐ Undefined

Integrity: ☐ Low ☐ Moderate ☐ High ☐ Undefined

Availability: ☐ Low ☐ Moderate ☐ High ☐ Undefined

Based on the risk level definitions and classifications provided above, indicate the information system categorization determinations for each of the following:

Confidentiality: ☐ Low ☐ Moderate ☐ High ☐ Undefined

Integrity: ☐ Low ☐ Moderate ☐ High ☐ Undefined

Availability: ☐ Low ☐ Moderate ☐ High ☐ Undefined

☒ No: A risk categorization has not been completed. Provide date of anticipated completion.

5. Has the system been issued an AUTHORITY TO OPERATE?

☐ Yes:

Date of Initial Authority to Operate (ATO):

Anticipated Date of Updated ATO:

☐ No:

☒ Not Applicable: System is not covered by the Federal Information Security Act (FISMA).

4. COMPONENT PRIVACY OFFICER ANALYSIS

The Component Privacy Officer (PO) is responsible for ensuring that the PTA is as complete and accurate as possible before submitting to the DOT Privacy Office for review and adjudication.

COMPONENT PRIVACY OFFICER CONTACT Information

Name:

Email:

Phone Number:

COMPONENT PRIVACY OFFICER Analysis

5. COMPONENT REVIEW

Prior to submitting the PTA for adjudication, it is critical that the oversight offices within the Component have reviewed the PTA for completeness, comprehension and accuracy.

Component Reviewer	Name	Review Date
Business Owner	Erik Amend	5/23/2019
General Counsel	<<General Counsel Name>>	<<Review Date>>
Information System Security Manager (ISSM)	None	None
Privacy Officer	<<Privacy Officer Name>>	<<Review Date>>
Records Officer	Lisa Edwards	5/22/2019

Table 1 - Individuals who have reviewed the PTA and attest to its completeness, comprehension and accuracy.

Appendix A –B4UFLY 2.0 Privacy Policy and Terms of Service

B4UFLY Privacy Policy and Terms of Service - April 26, 2019

Context:

Upon Opening B4UFLY, there is a DISCLAIMER page with Warnings, Notes, and Terms of Service for the user to scroll through and agree. I want to keep the Warnings and Notes the same, and I’ve included the updated Terms of Service language below that. The FAA refers to Terms of Service as the “B4UFLY License Agreement”. I’ve also included a Privacy Policy below that.

---------

WARNING: The operator’s reliance on B4UFLY for location determination DOES NOT constitute FAA authorization to operate and DOES NOT constitute evidence of compliance with applicable aviation regulations in or during enforcement proceedings before the National Transportation Safety Board or any other forum.

WARNING: Basemap (land and water data) information presented ONLY APPLIES TO THE LOCATION ENTERED BY THE B4UFLY User. Basemap data is intended only to supplement other approved navigation data sources and should be considered as an educational aid to determine location with respect to airports or other restricted airspace areas.

WARNING: Information provided by B4UFLY is not guaranteed to be accurate due to time delays inherent in gathering and processing data for data link transmission. Verify all information by maintaining software updates before use of B4UFLY for reference.

WARNING: B4UFLY provides information related to the location entered by the operator and does not provide real-time information about the location of your drone/UAS. Your drone/UAS may be capable of out-flying the distances demarcated by B4UFLY. You, and only you, are responsible for operating safely and in permitted areas.

WARNING: You are solely responsible for ensuring that B4UFLY is using the latest software updates and that reports set forth by B4UFLY are the latest reports issued by the reporting entity.

WARNING: B4UFLY information should not be used for maneuvering UAS, in, near, or around areas where UAS flight may be prohibited or restricted. Information contained within data link products may not accurately depict current conditions. Information provided by B4UFLY DOES NOT provide real-time information about the location of the UAS.

NOTE: All visual depictions contained within this document, including screen images of B4UFLY, the screen and displays, are subject to change and may not reflect the most current B4UFLY software and/or aviation databases.

NOTE: Temporary Flight Restriction (TFR) and other data are updated periodically. Confirm data currency through alternate sources and contact your local Flight Service Station for interpretation of TFR data.

Terms of Service

PLEASE READ THESE B4UFLY TERMS OF SERVICE, INCLUDING OUR PRIVACY POLICY AND ANY DOCUMENTS INCORPORATED BY REFERENCE, (THE “TERMS”) CAREFULLY BEFORE USING THE B4UFLY APPLICATION TO ENSURE THAT YOU UNDERSTAND EACH PROVISION. BY USING THE B4UFLY APPLICATION YOU AGREE TO BE BOUND BY THESE TERMS AND OUR PRIVACY POLICY WHICH IS INCORPORATED BY REFERENCE. WE MAY REVISE AND UPDATE THESE TERMS FROM TIME TO TIME IN OUR SOLE DISCRETION IN ACCORDANCE WITH SECTION 13 . If you are not willing to be bound by these Terms, then you must not access or otherwise use the B4UFLY application.

1. Updates. Kittyhawk may issue updated versions of the B4UFLY application from time to time and may automatically update the version of the B4UFLY application that you are using. You agree, upon request by us at any time, to use the most up-to-date version of the B4UFLY application. You agree that these Terms will apply to any such updates. Standard carrier data charges may apply to your use of the B4UFLY application.

2. Third Party Services and Links. As a part of the B4UFLY application, we may offer links to web sites and/or integrate the B4UFLY application with those operated by various third parties and are not responsible or liable for any acts or omissions created or performed by these third parties or the integration with them. We provide such links and integration for your convenience and reference only. We do not operate or control in any way any information, software, products or services available on such web sites, applications or services. Our inclusion of a link to or integration with a third party does not imply any endorsement of the services or the site, its contents, or its sponsoring organization.

3. Information Errors. Information contained in the B4UFLY application may contain errors

sometimes. Kittyhawk may also make changes and improvements to the information provided in the B4UFLY application at any time. We are not responsible for any errors or delays caused by such errors or other technical problems beyond our reasonable control.

4. Privacy Policy. You agree that all User Information and information you provide to us or submit

through the B4UFLY application is subject to our Privacy Policy, and you consent to all actions we take with respect to your information consistent with and in compliance with our Privacy Policy.

5. Indemnification

You agree to indemnify, defend and hold harmless the Federal Aviation Administration (FAA), Kittyhawk, and its officers, directors, employees, agents, and contractors from and against any and all claims, costs, demands, damages, liabilities, or expenses, including, without limitation, reasonable attorneys’; fees, arising from or related to: (a) your use of the B4UFLY application, (b) your breach of these Terms, or (c) any actual, prospective, completed or terminated service between you and a third party.

6. Disclaimer of Warranties. YOUR USE OF THE B4UFLY APPLICATION IS AT YOUR OWN RISK.

DOCUMENTATION AND THE INFORMATION ASSOCIATED WITH IT ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. WE DISCLAIM ANY WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED, AS TO ANY MATTER WHATSOEVER RELATING TO THE B4UFLY APPLICATION, DOCUMENTATION AND ANY INFORMATION PROVIDED HEREUNDER, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NONINFRINGEMENT. WE ARE NOT LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES OR OTHER INJURY ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF THE B4UFLY APPLICATION OR WITH THE DELAY OR INABILITY TO USE THE B4UFLY APPLICATION, OR FOR ANY INFORMATION AND SERVICES OBTAINED THROUGH US, OR OTHERWISE ARISING OUT OF THE USE OF THE B4UFLY APPLICATION, WHETHER RESULTING IN WHOLE OR IN PART, FROM BREACH OF CONTRACT, TORTIOUS BEHAVIOR,

NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF WE HAD BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.

7. Limitation of Liability. IN NO EVENT SHALL THE FEDERAL AVIATION ADMINISTRATION (FAA), KITTYHAWK, OR OUR SUPPLIERS, PARTNERS AND AFFILIATES, BE LIABLE FOR LOST PROFITS OR ANY SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES (HOWEVER ARISING, INCLUDING NEGLIGENCE) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT. OUR LIABILITY, AND THE LIABILITY OF OUR SUPPLIERS, PARTNERS AND AFFILIATES, TO YOU OR ANY THIRD PARTIES IN ANY CIRCUMSTANCE, SHALL NOT EXCEED $1.00.

Terms.

8. Governing Law and Dispute Resolution

A. Governing Law. These Terms shall be governed by the laws of the state of California, without

respect to its conflict of laws principles.

B. Binding Arbitration. THESE TERMS PROVIDE THAT ALL DISPUTES BETWEEN YOU AND US WILL BE RESOLVED BY BINDING ARBITRATION. YOUR RIGHTS WILL BE DETERMINED BY A NEUTRAL ARBITRATOR AND NOT A JUDGE OR JURY. Any claim or controversy arising out of or relating to the use of the B4UFLY application (“Dispute”), will be finally, and exclusively, settled by arbitration in San Francisco, California, from which arbitration there will be no appeal. The arbitration will be held before one arbitrator. The arbitrator will be selected pursuant to the American Arbitration Association rules. The arbitrator will apply the substantive law of the state of California, except that the interpretation and enforcement of this arbitration provision will be governed by the U.S. Federal Arbitration Act. To begin the arbitration process, a party must make a written demand to the other party. Each party shall bear its own costs and attorneys’ fees. Any judgment upon the award rendered by the arbitrators may be entered in any court of competent jurisdiction. The arbitrator shall not have the power to award damages in connection with any Dispute in excess of actual compensatory damages and shall not multiply actual damages or award consequential, punitive or exemplary damages, and each party irrevocably waives any claim thereto. The agreement to arbitrate will not be construed as an agreement to the joinder or consolidation of arbitration under these Terms with arbitration of disputes or claims of any non-party, regardless of the nature of the issues or disputes involved.

C. Class Action and Jury Trial Waiver. WITH RESPECT TO ALL PERSONS AND ENTITIES, REGARDLESS OF WHETHER THEY HAVE OBTAINED OR USED THE KITTYHAWK SERVICE FOR PERSONAL, COMMERCIAL OR OTHER PURPOSES, ALL CLAIMS MUST BE BROUGHT IN THE PARTIES’ INDIVIDUAL CAPACITY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS ACTION, COLLECTIVE ACTION, PRIVATE ATTORNEY GENERAL ACTION OR OTHER REPRESENTATIVE PROCEEDING. THIS WAIVER APPLIES TO CLASS ARBITRATION, AND, UNLESS WE AGREE OTHERWISE, THE ARBITRATOR MAY NOT CONSOLIDATE MORE THAN ONE PERSON’S CLAIMS. YOU AGREE THAT, BY ENTERING INTO THIS AGREEMENT, YOU AND WE ARE EACH WAIVING THE RIGHT TO A TRIAL BY JURY OR TO PARTICIPATE IN A CLASS ACTION, COLLECTIVE ACTION, PRIVATE ATTORNEY GENERAL ACTION, OR OTHER REPRESENTATIVE PROCEEDING OF ANY KIND. ACCORDINGLY, YOU GIVE UP YOUR RIGHT TO GO TO COURT TO ASSERT OR DEFEND YOUR RIGHTS, AND YOU ALSO GIVE UP YOUR

RIGHT TO PARTICIPATE IN OR BRING CLASS ACTIONS.

C. Limitation on Time to File Claims. YOU AND WE AGREE THAT ANY CAUSE OF ACTION ARISING OUT OF OR RELATED TO THE B4UFLY APPLICATION MUST COMMENCE WITHIN ONE (1) YEAR AFTER THE CAUSE OF ACTION ACCRUES. OTHERWISE, SUCH CAUSE OF ACTION IS PERMANENTLY BARRED.

D. Notwithstanding the above, we reserve the right to commence and prosecute any legal and

equitable action or proceeding before any competent jurisdiction to obtain injunctive or other

equitable relief against you in the event that, in the sole opinion of Kittyhawk, such action is

necessary.

9. Waiver and Severability

No waiver by Kittyhawk of any term or condition set forth in these Terms will be deemed a further

or continuing waiver of such term or condition or a waiver of any other term or condition. Any

failure of Kittyhawk to assert a right or provision under these Terms does not constitute a waiver of such right or provision. If any provision of these Terms is determined by a court or other tribunal of competent jurisdiction to be invalid, illegal or unenforceable for any reach, such provision will be eliminated or limited to the minimum extent such that the remaining provisions of the Terms will continue in full force and effect.

10. Assignment

We may assign these Terms, in whole or in part, at any time with or without notice to you. You may

not assign, delegate or otherwise transfer these Terms, or assign, transfer or sublicense any rights in the B4UFLY application; any attempted transfer or assignment in violation of this provision will be null and void.

11. Export Control; Legal Compliance

You agree to comply with all relevant export laws and regulations of the United States. You agree to comply with all the applicable laws and regulations that apply to your use of the B4UFLY application (such as your transmission and storing of electronic data), including the U.S. Export Administration Regulations and Office of Foreign Assets Control Regulations, as well as end-user, end-use and destination restrictions issued by U.S. and other governments.

12. Complete Agreement

These Terms, together with the Privacy Policy and any other legal notices published by us on the

B4UFLY application, constitutes the entire agreement between you and us concerning the B4UFLY application and supersedes any prior written or oral representations. A printed version of these Terms and of any notice given in electronic form will be admissible in administrative proceedings relating to the Terms to the same extent and subject to the same conditions as other business documents and records originally generated and maintained in printed form.

13. Changes

We reserve the right, at our sole discretion, to modify or replace these Terms at any time. You are

responsible for reviewing these Terms on a regular basis. If a revision is material (as determined at

our sole discretion), we will provide at least thirty (30) days notice prior to any new terms taking

effect. Any changes that are made to these Terms will not apply retroactively and will not apply to

disputes or events occurring before the change is published.

By continuing to use the B4UFLY application after any revisions become effective, you agree to be

bound by the revised terms. If you do not agree to the new terms, you are no longer authorized to

use the B4UFLY application.

14. Notices and Contact Information

All notices, requests, feedback or other communications should be sent directly to us via email at [email protected] or through the Contact Us page. Our contact information is Kittyhawk.io, Inc., 49 Powell Street, San Francisco, CA 94102, and [email protected].

Privacy Policy

By using the B4UFLY application, the user agrees to accept the terms of this Privacy Policy.

The B4UFLY application does not collect, use, maintain, or disseminate any Users’ personally identifiable information (PII). However, in order to register to download the B4UFLY application and other mobile applications from the Apple App Store or Google Play Store, you may be required to provide your PII. Any PII associated with the collected, used, maintained and disseminated to the Apple Store or Google Play Store is maintained by those companies, and is outside the control of the FAA or Kittyhawk.

The user navigates directly to the Apple App Store or Google Play Store and downloads the application directly to their mobile device for free. Neither the Apple App Store nor Google Play Store provides any information to the FAA or Kittyhawk showing that an identifiable user has downloaded the application.

The geo-location services that populate the map occurs in the following manner: there is a backend database that is maintained on the vendor’s cloud via Amazon Web Services, which receives the data call from the user’s mobile device and returns back a populated map. Geo-location data of mobile devices are not transmitted back to the FAA or Kittyhawk, and after the data call is complete, are deleted and not stored in the backend database.

We use various technologies (e.g. cookies) to help us improve the application such as unique device identifiers, IP addresses, hardware models, operating system and version, etc. We monitor aggregated, anonymous, and non-identifiable data to monitor the performance and functionality of the application.

Current landing page upon opening app (after reading and agreeing to the Warnings and Terms of Service). We may want to keep all of the following:

B4UFLY

4.0.1

Safety is everyone’s responsibility. Unmanned aircraft must never interfere with manned aircraft operations. B4ULFY provides situational awareness of your current or planned operational area, as well as additional reference resources.

B4UFLY Privacy Notice

There is a balance between your rights as a drone user and other people’s right to privacy. Even though this balance can be difficult to precisely define, we encourage you to voluntarily follow the UAS Privacy Best Practices. (link to UAS Privacy Best Practices)

APPENDIX B- B4UFLY 2.0 Digital Registry

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author	Barrett, Claire (OST)
File Modified	0000-00-00
File Created	2021-01-15