1. Who we are and how to contact us
This Privacy Policy explains how METAR Reader ("we", "us", "our") collects, uses, and protects your personal data when you use our website at metarreader.com and the related services we provide (the "Service").
METAR Reader is a web application that decodes aviation weather reports (METAR and TAF) for approximately 70,000 stations worldwide. The underlying weather data is sourced from NOAA, the US National Weather Service. This is public weather data and is not personal data, and NOAA does not process the personal data of our users.
For the purposes of the EU General Data Protection Regulation (GDPR), METAR Reader is the data controller responsible for your personal data.
If you have any questions about this policy, or if you wish to exercise any of your rights, you can contact us by email at info@metarreader.com.
2. The personal data we collect and how we collect it
We collect and process the following categories of personal data.
Account data. When you create an account, we collect your email address and authentication credentials. We also store the preferences you set, such as your choice of units and your refresh interval, along with your saved or favourite stations and the contents of your personal dashboard. You provide this data directly when you register and when you use the Service.
Payment and billing data. When you subscribe to our paid Pro tier or make a one-off donation, our payment processor collects the billing details needed to complete the transaction. We do not store full payment-card numbers. We may retain limited records of your transactions, such as the fact that a payment was made, the amount, and the date, for accounting and support purposes.
Analytics and usage data. We use analytics to understand how the Service is used. This involves cookies and online identifiers and includes data such as your IP address and records of the events and pages you interact with. Where required, this data is collected only after you give your consent (see section 8).
Hosting and server log data. Like most websites, our hosting infrastructure automatically records standard technical information when you access the Service. This typically includes your IP address, your browser and device type (user agent), and the date and time of your requests. We use these logs to operate, secure, and troubleshoot the Service.
3. Purposes and legal bases for processing
We only process your personal data where we have a valid legal basis to do so under the GDPR. The following sets out what we do and why.
Providing your account and the core Service. We process your account data and preferences to create and maintain your account, authenticate you, and deliver the features you have requested, such as saved stations and your dashboard. Legal basis: performance of a contract with you (Article 6(1)(b) GDPR).
Processing payments for Pro subscriptions and donations. We process billing and transaction data to take payment, manage your subscription, and provide receipts and support. Legal basis: performance of a contract with you, and our legitimate interests in keeping accurate financial records (Article 6(1)(b) and Article 6(1)(f) GDPR).
Operating, securing, and improving the Service. We process server log data and similar technical information to keep the Service running, prevent fraud and abuse, diagnose problems, and maintain security. Legal basis: our legitimate interests in operating and protecting our Service (Article 6(1)(f) GDPR).
Analytics. We process analytics and usage data to measure traffic and understand how people use the Service so we can improve it. Legal basis: your consent (Article 6(1)(a) GDPR). You can withdraw this consent at any time, as described in section 8.
Where we rely on legitimate interests, we have considered whether those interests are overridden by your rights and freedoms, and we have concluded that our processing does not unfairly affect you. You can object to this processing as described in section 7.
4. Third parties and processors we share data with
We do not sell your personal data. We share it only with the service providers we rely on to run the Service, and only to the extent necessary. These providers process data on our behalf as processors, under contract, or as independent parties where indicated.
Supabase. We use Supabase as our managed database and authentication provider. Your account data, credentials, preferences, saved stations, and dashboard are stored and authenticated through Supabase.
Stripe. We use Stripe to process payments for Pro subscriptions and donations. Stripe acts as the payment processor and receives the billing data necessary to complete your transaction. We do not store full payment-card numbers; these are handled by Stripe. Stripe processes this data in accordance with its own privacy policy and applicable card-scheme rules.
Google Analytics. We use Google Analytics, provided by Google, to analyse usage of the Service. Google processes data such as your IP address and usage events through cookies and online identifiers. Depending on its configuration, Google may shorten or otherwise handle IP addresses to reduce their precision. Google acts as a third party in respect of this data. This processing only takes place after you give consent.
Hosting provider. Our website and servers are hosted by our cloud hosting provider, which processes the server log data described in section 2 in order to deliver the Service to you.
Each of these providers is bound by appropriate data protection terms. We may also disclose personal data where we are legally required to do so, for example to comply with a court order or a request from a competent authority.
5. International data transfers and safeguards
Some of our service providers are based outside the European Economic Area (EEA), in particular in the United States. Where your personal data is transferred outside the EEA, we take steps to ensure it continues to receive an adequate level of protection.
These safeguards include reliance on the European Commission's Standard Contractual Clauses, and, where applicable, certification of the recipient under the EU-US Data Privacy Framework. In the case of Google Analytics, transfers of data to Google in the United States are protected by these mechanisms.
You can ask us for more information about the safeguards in place by contacting us at info@metarreader.com.
6. How long we keep data
We keep your personal data only for as long as we need it for the purposes set out in this policy, after which we delete or anonymise it.
Account data. We retain your account data for as long as your account remains active. If you delete your account, or ask us to delete it, we will remove your account data within 30 days, except where we are required to keep certain information for longer.
Payment and transaction records. We retain transaction records for as long as required to meet our legal and accounting obligations. Under Dutch law this is generally seven years.
Analytics data. We retain analytics data for up to 14 months, in line with the retention settings configured in our analytics tools.
Server logs. We retain server log data only for a limited period for security and troubleshooting purposes, after which it is deleted or overwritten.
Refund-abuse prevention. When you receive a refund, we keep a salted, irreversible hash of your email address together with the corresponding Stripe transaction identifiers in a separate refund_history record. This record is not removed when you delete your account. It lets us recognise a previously-refunded email and decline a repeat refund within twelve months, regardless of any new account that may sign up afterwards. The lawful basis is our legitimate interest in preventing refund abuse (Article 6(1)(f) GDPR). The record contains no readable email or personal data on its own; we retain it for twenty-four months from the refund date, after which it is deleted. You can request removal earlier by contacting us at info@metarreader.com, and we will balance your request against our fraud-prevention interest in line with Article 17(1)(c) GDPR.
7. Your rights under the GDPR
If you are in the EEA, you have the following rights in relation to your personal data:
- The right of access. You can ask us for a copy of the personal data we hold about you.
- The right to rectification. You can ask us to correct personal data that is inaccurate or incomplete.
- The right to erasure. You can ask us to delete your personal data in certain circumstances, for example where it is no longer needed for the purposes for which it was collected.
- The right to restriction. You can ask us to limit how we use your personal data in certain circumstances.
- The right to data portability. You can ask us to provide certain personal data to you, or to another controller, in a structured, commonly used, and machine-readable format.
- The right to object. You can object to our processing of your personal data where we rely on legitimate interests, including any processing for direct marketing purposes.
- The right to withdraw consent. Where we rely on your consent, for example for analytics cookies, you can withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before you withdrew it.
To exercise any of these rights, please contact us at info@metarreader.com. We will respond to your request within one month, although we may extend this period where the request is complex. We may need to verify your identity before acting on a request. There is normally no charge for exercising your rights, but we may charge a reasonable fee or refuse to act where a request is manifestly unfounded or excessive.
8. Cookies and similar technologies
We use cookies and similar technologies on the Service. These fall into two categories.
Essential cookies. These are necessary for the Service to function, for example to keep you logged in and to maintain your session. Because they are strictly necessary to provide a service you have requested, they do not require your consent. The Service will not work properly without them.
Analytics cookies. We use non-essential analytics cookies, in particular through Google Analytics (GA4), to understand how the Service is used. We operate under Google Consent Mode v2, which means that the Google Analytics script may load on the first page view but all consent signals are set to denied by default. No analytics cookies are written and no events tied to your visit are sent until you accept.
On your first visit you will see a cookie banner with two clear options: Accept and Decline. If you accept, analytics consent is granted and cookies may be set; if you decline, no analytics cookies are written. Your choice is stored on your device (in browser local storage) so we do not ask again on every page.
You can change or withdraw your decision at any time from the Cookies & analyticssection on your account page, or from your browser's cookie settings. Blocking essential cookies may affect how the Service works.
9. Children
The Service is not directed at children. It is intended for users aged 16 and over, and we do not knowingly collect personal data from children under the age of 16. If you believe that a child under 16 has provided us with personal data, please contact us at info@metarreader.com and we will take steps to delete it.
10. How we keep data secure
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, misuse, or alteration. These measures include encryption of data in transit, restricted access to systems on a need-to-know basis, secure authentication, and reliance on reputable service providers that maintain their own security standards.
No method of transmission over the internet or method of storage is completely secure, so while we strive to protect your personal data, we cannot guarantee its absolute security.
11. Changes to this policy
We may update this Privacy Policy from time to time, for example to reflect changes in the way we process data or changes in the law. When we make material changes, we will update the "last updated" date at the top of this policy and, where appropriate, notify you through the Service. We encourage you to review this policy periodically.
12. How to lodge a complaint
If you have a concern about how we handle your personal data, we would ask you to contact us first at info@metarreader.com so that we can try to resolve it.
You also have the right to lodge a complaint with a data protection supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority), which you can contact through its website at autoriteitpersoonsgegevens.nl. If you are based in another EU country, you may lodge a complaint with the supervisory authority in your country of residence or place of work.