Who sees what pilot documents
Syndik8 treats pilot documents differently from every other kind of document on the platform. The reason is straightforward: they’re personal, they belong to one person, and the rest of the syndicate doesn’t need to see them. The cost for admins is that the view from the admin chair is deliberately limited. This page explains the seating chart and why each seat is where it is.
The four seats
Section titled “The four seats”Imagine four people standing around a pilot’s medical certificate:
- The pilot themselves. Uploaded the certificate. Owns the data.
- A fellow member of one of the pilot’s syndicates.
- An admin of one of the pilot’s syndicates.
- An outsider: anyone else.
What does each one see?
The pilot
Section titled “The pilot”The pilot sees everything. The certificate file is theirs. The expiry, the title, the upload date: all of it is visible on My documents.
The pilot can re-upload (which replaces the old file), record a new expiry (which updates the record in place), or delete. Deleting a medical offers two outcomes: delete everything (which withdraws consent) or delete just the certificate while the expiry date, and the consent, stay.
A fellow member
Section titled “A fellow member”A fellow member sees nothing. Pilot documents do not appear in any syndicate library. There is no “members of this syndicate” route to a pilot’s medical. The certificate, the title, the expiry, the fact-of-upload: none of it is visible.
The same is true for the pilot’s licence, even though a licence is far less sensitive. Both kinds of pilot document live on My documents, which is owner-scoped, and that scoping is enforced server-side, not just by the app.
An admin
Section titled “An admin”An admin sees a redacted summary: an attention chip with four fields (has medical, medical expiry, has licence, licence upload date) and nothing more. Specifically:
- The chip is the only path. There is no admin route to the certificate file.
- The medical class is not in the chip.
- Limitations on the certificate are not in the chip.
- Clinical commentary is not in the chip.
- Date of birth is not in the chip.
The admin can read the chip on the Members tab, or on a member’s profile. That’s the only place this information lives.
An outsider
Section titled “An outsider”An outsider sees nothing. There is no public link to any pilot document. The signed URLs the pilot themselves uses to view the file are short-lived and not guessable. An outsider can’t see that any given user has a medical on file, much less what it says.
Why those lines
Section titled “Why those lines”Three principles led to this seating chart.
Health data needs a high bar. UK GDPR Article 9 sets health data apart. Storing a pilot medical is allowable, but only with conditions. Showing it around (to other members, to admins, to outsiders) multiplies the risk surface and the consent burden. The cleanest answer is to show the file to as few people as possible. The pilot is the file’s owner; everyone else gets less.
Admins still need something. A syndicate admin cares about whether the members flying their aircraft are current. They don’t need to see the certificate to do that. They need to see yes/no and the expiry date. The attention chip is exactly that: the smallest dataset that lets an admin do their job, and no more.
The case for the chip is real and defensible. Without it, an admin can’t tell at a glance who is current; with it, they can. The case for more than the chip (the medical class, the clinical detail, the file itself) is much weaker. An admin doesn’t fly the pilot’s medical; the pilot does. So Syndik8 gives admins the chip and stops there.
Members don’t need anything at all. A fellow member has no business reading another pilot’s medical. There is no operational reason for it, and several reasons against. So pilot documents are not in any syndicate library, period. The only documents that appear in a syndicate library are the ones the syndicate owns: its agreement, its rules, its mandate, and the assets’ ship’s papers.
What admins can do with the chip
Section titled “What admins can do with the chip”A common question: if I can see that a member’s medical has expired, what am I supposed to do?
The honest answer: probably nothing, beyond noticing. The pilot is responsible for their own currency. Syndik8 doesn’t block bookings on an expired medical, and admins generally shouldn’t either without a deliberate house rule. The chip is a courtesy view, not a compliance gate. See Pilot-in-command responsibility for the longer version.
If your syndicate has a house rule about currency (say, “members must hold a current medical to fly P1”), the chip is the right place to look. But enforcement happens through your house rules, not through the app.
A note on the licence
Section titled “A note on the licence”The pilot licence is less sensitive than the medical (it’s a credential, not health data), but Syndik8 treats it the same way for the same reason: it’s personal, it’s owner-scoped, it belongs in My documents, and fellow members don’t need to see it. The admin attention chip shows fact-of-upload only, not the licence content. Consistency makes the model easier to reason about.