Summary: WXOPS collects only the data necessary to provide our aviation weather monitoring service. We do not sell your data, we do not use it for advertising, and we do not share it with third parties except as required to deliver the service (payment processing, hosting). You have full rights over your data under GDPR.
1. Data Controller
The data controller responsible for your personal data is:
WXOPS
Service operated by an individual data controller.
Contact: privacy@wxops.io
For all data protection enquiries, data subject access requests, or complaints, please contact us at the email address above. We aim to respond within 72 hours and will fulfil GDPR requests within 30 days.
2. What Data We Collect
We collect the minimum data necessary to provide the WXOPS service. We collect:
Account registration data:
- Full name
- Work email address
- Organisation name
- Password (stored as a bcrypt hash — we never store your plain-text password)
- Selected subscription plan
- Date and time of GDPR consent
Usage data (collected automatically):
- Airport ICAO/IATA codes you add to your workspace
- Alert rules and thresholds you configure
- Fleet type and tail number configurations
- Session tokens (for authentication)
- Server access logs (IP address, timestamp, HTTP method, path) — retained for 30 days
Payment data:
- We do not store payment card details. All payment processing is handled by Stripe, Inc. Payment data is subject to Stripe's Privacy Policy.
- We retain Stripe customer IDs and subscription IDs to manage your billing relationship.
Data we do NOT collect:
- We do not collect location data
- We do not collect device fingerprints or tracking identifiers
- We do not use advertising networks or analytics platforms (no Google Analytics, no Facebook Pixel)
- We do not collect data about your employees or passengers
3. How We Use Your Data
We use your data for the following purposes only:
- Service delivery: To operate your WXOPS workspace, display weather data, send push notifications for alerts you have configured, and generate PDF briefings
- Account management: To authenticate your account, manage your subscription, and process billing
- Service communications: To send account activation notifications, password reset emails, and critical service announcements. We do not send marketing emails without explicit consent.
- Security and fraud prevention: To detect and prevent unauthorised access, abuse, or fraudulent activity
- Legal compliance: To comply with applicable laws, regulations, and lawful requests from authorities
We do not use your data for: advertising, profiling, automated decision-making that produces legal effects, or sale to third parties.
4. Legal Basis for Processing (GDPR Article 6)
- Contract performance (Art. 6(1)(b)): Processing your account data, configuration data, and usage data is necessary to deliver the service you have contracted for.
- Consent (Art. 6(1)(a)): You explicitly consent to data processing at registration. You may withdraw consent at any time by deleting your account.
- Legitimate interests (Art. 6(1)(f)): Server access logs for security monitoring. Our legitimate interest in preventing abuse and maintaining service integrity does not override your rights.
- Legal obligation (Art. 6(1)(c)): Retaining billing records for tax and accounting purposes as required by law.
5. Data Retention
- Account data: Retained for the duration of your subscription plus 90 days after cancellation. You may request immediate deletion.
- Weather cache data: METAR/TAF/NOTAM cache is retained for up to 48 hours. Historical METAR data is retained for up to 30 days.
- Session tokens: Expire after 30 days of inactivity.
- Server logs: Retained for 30 days then automatically deleted.
- Billing records: Retained for 7 years as required by Hungarian and EU tax law.
- Deleted accounts: All personal data is purged within 30 days of an account deletion request, except where retention is required by law.
6. Data Sharing and Third Parties
We share data with the following third parties only to the extent necessary to deliver the service:
- Stripe, Inc. — Payment processing. Stripe processes payment card data under its own Privacy Policy (stripe.com/privacy) and is PCI-DSS Level 1 certified.
- aviationweather.gov — We retrieve publicly available weather data from NOAA's Aviation Weather Center API. No personal data is transmitted to this service.
- FAA NOTAM API — We retrieve publicly available NOTAM data. No personal data is transmitted.
- Google Fonts — We load fonts from Google Fonts CDN. Your IP address may be logged by Google when fonts are loaded. No other data is shared.
We do not sell, rent, or trade your personal data to any third party. We do not use data brokers. We do not integrate with social media platforms for tracking purposes.
In the event of a business transfer (merger, acquisition, or asset sale), your data may be transferred to the new controller, and you will be notified in advance with the option to delete your account.
7. International Data Transfers
WXOPS stores data on servers located within the European Union. Where data is processed by third-party processors outside the EU (specifically Stripe, which operates globally), those transfers are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission, ensuring an adequate level of data protection.
8. Your Rights Under GDPR
As a data subject under the EU General Data Protection Regulation (GDPR), you have the following rights:
- Right of access (Art. 15): You may request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): You may correct inaccurate or incomplete data via your account settings or by contacting us.
- Right to erasure (Art. 17): You may request deletion of your personal data. We will comply within 30 days, except where retention is required by law.
- Right to restriction of processing (Art. 18): You may request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20): You may request your data in a structured, machine-readable format (JSON).
- Right to object (Art. 21): You may object to processing based on legitimate interests.
- Right to withdraw consent: You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. In Hungary, this is the Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH), www.naih.hu.
To exercise any of these rights, contact us at privacy@wxops.io. We do not charge for handling data subject requests.
9. Security Measures
We implement appropriate technical and organisational measures to protect your personal data, including:
- Passwords stored using bcrypt hashing (cost factor 12) — plaintext passwords are never stored or logged
- Session tokens are cryptographically random (256-bit entropy)
- HTTPS/TLS encryption for all data in transit
- HttpOnly and SameSite cookie flags to prevent session hijacking
- Multi-tenant data isolation — each organisation's data is logically separated
- Regular backups with access controls
- Access to production data restricted to authorised personnel only
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
10. Cookies
WXOPS uses a single, strictly necessary cookie:
- wxops_token — A session authentication cookie. This cookie is essential for the service to function and does not require consent under the ePrivacy Directive. It is HttpOnly, SameSite=Strict, and expires after 30 days.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is displayed because we only use strictly necessary cookies.
11. Children's Privacy
WXOPS is a professional B2B service intended exclusively for aviation industry organisations and their adult employees. We do not knowingly collect data from individuals under the age of 18. If you believe a minor has registered, please contact us immediately at privacy@wxops.io and we will delete the account.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (to the address registered with your account) at least 30 days before the changes take effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.
The version history of this document is available upon request.
For all privacy-related enquiries, data subject access requests, or complaints:
Email: privacy@wxops.io
Response time: We acknowledge requests within 72 hours and fulfil them within 30 days.
Language: Requests may be submitted in English or Hungarian.