POLICY
Privacy Policy
This notice explains how Weather Terminal processes personal data when you use weather-terminal.com, create an account, request forecasts, generate share links or contact support. The service uses only essential cookies and local storage. No advertising cookies. No third-party behavioral tracking inside the app.
1. Controller and scope
This policy covers the Weather Terminal website, related account flows, and the short-lived share-link feature. Separate third-party services you visit through links from this site apply their own privacy notices.
2. Data we collect
- account data such as username, display name, email address, password hash and optional avatar;
- consent and security records such as policy-version acceptance, IP address, user agent, login events, token metadata and audit logs;
- while a password-reset or email-change security notice is pending, its recipient address and generic or masked notice content;
- location and forecast request data such as searched cities, reverse-geocoded coordinates, weather-source selections and cached forecast payloads;
- share-link metadata such as selected card type, selected day, location snapshot and a short-lived weather snapshot attached to the link;
- support or legal correspondence you send to us by email.
3. Purposes and legal bases
- to provide forecasts, search, reverse geocoding and card rendering: performance of the service requested by you;
- to create and manage accounts, session restoration and password resets: performance of a contract and pre-contractual steps;
- to send password-reset and email-change security notices: legitimate interests in protecting accounts and warning users of credential changes;
- to protect the platform against abuse, fraud, spam and unauthorized access: legitimate interests in service security;
- to keep records of terms acceptance and privacy-notice version: legal obligation / legitimate interest in accountability;
- to respond to support or legal requests: legitimate interests and, where applicable, legal obligation.
4. Cookies and local storage
- __Secure-balass-refresh-weather-v2 is the host-only, HttpOnly, Secure cookie scoped to weather-terminal.com/identity/. Account requests use that same-origin boundary and are processed by the BalassLabs Identity service without exposing the refresh token to JavaScript or sending it to Weather pages, assets or shared links. Until 25 July 2026, already-open legacy Weather web clients may receive the temporary host-only __Host-balass-refresh-weather-v1 cookie on identity.balasslabs.com (Secure, HttpOnly, SameSite=None, Path=/); its expiry is capped at that deadline. Native clients and older isolated sessions may use the legacy refreshToken cookie;
- weatherapp_auth_hint, weatherapp_session_revision_v1, weatherapp_session_event_v1 are non-secret local-storage entries used to decide whether silent restoration should run and to order sign-in, refresh and sign-out changes across tabs. They never contain the access or refresh token;
- weather_terminal_language, weather_terminal_ui and saved-location keys remember your language, card layout, provider choice and last location;
- hasSeenSettingsOnboarding stores whether the onboarding tooltip has already been dismissed.
These storage items are essential or preference-based. The authentication cookie is used only to restore and protect your account session; Weather Terminal does not use it for profiling, advertising or third-party analytics.
5. Location and weather requests
If you search a city, enter coordinates, or allow browser or mobile-device geolocation, the selected location is sent to our weather/search services so the app can resolve the place and load forecasts. Device geolocation is optional. If granted, it is used to choose a starting location and is not required for ongoing use of the service.
Weather requests may include city name, country, region, latitude, longitude and the chosen weather provider. We keep a limited cache of recent responses to improve speed and reduce upstream weather-provider load.
6. Accounts, share links and security
Accounts unlock saved preferences and share links. Share links are public by design: anyone with the link can view the shared weather snapshot until the link expires. Share links are short-lived and currently expire after 12 hours.
We keep login, token and audit-security data to detect abuse, enforce rate limits, investigate incidents and invalidate compromised sessions. Security logs are not used for advertising or profiling.
After a successful password reset or email change, a non-actionable security notice is queued durably. Email-change notices go to the previous address and show only a masked new address.
7. Recipients and processors
We may share data only with service providers needed to operate Weather Terminal, such as:
- weather-data providers used to produce forecasts and current conditions: Open-Meteo (open-meteo.com) and, as a secondary source for registered users, OpenWeatherMap (openweathermap.org);
- reverse-geocoding provided by Nominatim / OpenStreetMap (nominatim.openstreetmap.org) — used only when you allow browser/mobile geolocation or provide coordinates, to resolve them to a place name;
- email infrastructure used for verification, reset and account-notice emails;
- hosting, logging, storage and network-security providers used to run the service.
Each of these processors sees only the minimum data needed for its function — weather providers receive coordinates, the geocoder receives coordinates, email infrastructure receives the address we are sending to. We do not sell personal data. We do not disclose personal data to third parties for their own advertising purposes.
8. Retention
- account data is kept while your account remains active, then deleted or anonymized as operationally and legally appropriate;
- share links and their attached weather snapshots are short-lived and removed after expiry according to platform cleanup schedules;
- security, consent and audit records are retained for fraud prevention, accountability and legal defense for a limited period consistent with those purposes;
- pending credential-security notice content is scheduled to be scrubbed at seven days; an active delivery lease or service outage can delay the scheduled job. Recipient, subject and body are erased after delivery or terminal failure, and the content-free idempotency record is retained for up to 90 days;
- the mobile app keeps privacy-bounded diagnostic files on the device for up to seven days. Entries contain only a bounded action, failure type and optional HTTP status — never search text, location names, coordinates, tokens, file paths, URIs, storage keys or exception messages. These files leave the device only when you explicitly choose Share Logs;
- support correspondence is retained only as long as needed to resolve the issue and keep a basic record of the request.
9. International transfers
Some processors or infrastructure providers may process data outside your country. When transfers are required, we aim to rely on appropriate safeguards such as contractual protections, adequacy decisions, or equivalent lawful transfer mechanisms.
10. Your rights
Depending on applicable law, you may have the right to access, rectify, erase, restrict or object to processing, and to receive a portable copy of data you provided. Signed-in users can already use the in-app account flow to export account data, sign out and request deletion.
You may also lodge a complaint with your local supervisory authority. In Romania, that authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP).
Processing is carried out in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) and, for users in Romania, Romanian Law no. 190/2018 implementing the GDPR. Depending on applicable law, you may exercise rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20) and objection (Art. 21).
11. Children
Account creation is intended for users aged 16 or older. If you believe a child has provided personal data unlawfully, contact us so we can investigate and remove it where appropriate.
12. Changes and contact
We may update this notice when the product, security posture or legal requirements change. The date and version at the top identify the current revision.
For privacy, data-protection or legal requests, contact [email protected].
For acceptable-use rules and service disclaimers, read the Terms of Use.