How WeatherLabs collects, uses and protects personal data, under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Last updated: 12 June 2026
The data controller for the personal data described here is WeatherLabs Ltd, a limited company registered in England and Wales (company number 17265453), with its registered office at 2 Arnewood House, Everton Road, Lymington, SO41 0HF, United Kingdom. You can contact us about privacy at contact@weatherlabs.io.
We aim to collect only what we need to run the Service. Specifically:
localStorage/sessionStorage to remember your settings and (optionally) your API key on your device. We do not use advertising cookies or third-party tracking cookies. The keys we set are:
| Key | Purpose |
|---|---|
wl_api_key | Your forecast-API key, if you choose to store it (session-only by default; on this device only if you tick "remember"). |
wl_api_base | The API endpoint the Explorer/Playground points at. |
wl_account_base | The account/dashboard API endpoint. |
wl_dev_email | Identity in local development mode only. |
wl_theme preference (light/dark). These items stay in your browser; clearing your browser storage removes them.| What | Why | Lawful basis (UK GDPR) |
|---|---|---|
| Account & authentication | Create and secure your account; provide the Service | Performance of a contract (Art. 6(1)(b)) |
| Billing & subscriptions | Take payment, apply your Plan, issue records | Contract (Art. 6(1)(b)); legal obligation for tax/accounting (Art. 6(1)(c)) |
| Usage metering & quotas | Meter usage, enforce quotas, bill correctly | Contract (Art. 6(1)(b)) |
| Security, logging & abuse-prevention | Keep the Service safe and available; investigate misuse | Legitimate interests (Art. 6(1)(f)) — protecting our service and users |
| Service communications | Notify you about changes, incidents, billing | Contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) |
Where we rely on legitimate interests, we have considered your rights and freedoms and limit processing to what is necessary. You can object to processing based on legitimate interests — see your rights.
We use a small number of carefully chosen providers to deliver the Service. They process personal data on our behalf, under contract, only for the purposes we set:
| Provider | Role | Data involved |
|---|---|---|
| Clerk, Inc. | Identity / authentication | Email, user id, session data |
| Paddle (Paddle.com Market Ltd) | Payments & merchant of record | Billing details, payment data (held by Paddle), customer/subscription ids |
| Amazon Web Services (AWS) | Hosting & infrastructure — region eu-west-2 (London) | Application data, usage records, server logs |
This list may change as the Service evolves; we will keep it current and give notice of material changes. Our primary hosting region is AWS London (eu-west-2).
Our hosting is in the UK (AWS London). However, some providers — in particular Clerk and Paddle — may process personal data outside the UK (including in the United States). Where personal data is transferred outside the UK, we rely on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), and/or transfers to countries the UK government has deemed adequate.
We keep personal data only as long as we need it:
| Data | Retention |
|---|---|
| Detailed usage charts / request-level metadata | Approximately 45 days |
| Billing & monthly usage records | 6 years (to meet HMRC / UK tax record-keeping obligations) |
| Server logs (incl. IP) | 90 days or less |
| Account data | Until you delete your account (then erased, subject to records we must keep by law) |
Under UK GDPR you have the right to: access your personal data; have it rectified if inaccurate; have it erased; restrict or object to its processing; and request portability of data you provided to us. To exercise these rights, contact us (below) — we will respond within the statutory timeframe (normally one month).
Self-service account deletion. You can delete your account from your dashboard. Deleting your account revokes your API keys, cancels your subscription, and erases your personal data from our systems — except records we are required to keep by law (for example, billing records retained for tax purposes), and copies in routine backups which are overwritten on our normal cycle.
We take appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, and storing API keys as secrets rather than in plain logs. No system is perfectly secure, but if a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours where required, and will inform affected users without undue delay where the breach is likely to result in a high risk to them.
If you have a concern about how we handle your personal data, please contact us first so we can try to resolve it. You also have the right to complain to the UK supervisory authority, the Information Commissioner's Office (ICO) — ico.org.uk.
Privacy enquiries and rights requests: contact@weatherlabs.io (general: hello@weatherlabs.io). The controller's full legal details are in section 1.