Privacy Policy – Parakiter

Last updated: 29 April 2026

This Privacy Policy explains how Wing Locker Ltd (“we”, “us”, “our”) handles your personal data when you use the Parakiter mobile app or visit parakiter.com.

We’re a UK business and the controller of your personal data under the UK General Data Protection Regulation (UK GDPR) and the EU GDPR (when you use the app from inside the EU). Our ICO registration number is C1921027.

If you only want the short version: we collect the minimum we need to make the app work, we don’t sell your data, and you can delete your account at any time directly inside the app.

Who this applies to

Anyone with a Parakiter account
Anyone who visits parakiter.com
Anyone whose device sends us crash or analytics events while using the app

What data we collect, and why

When you sign up

Data	Why we need it	Lawful basis
Email address	Account login, password reset, billing receipts	Performance of contract
Username	Identifying you to other pilots in chat	Performance of contract
Password	Authenticating you (we never see the plaintext — Firebase Authentication holds the hash)	Performance of contract
Country and region	Showing you the right sites and forecasts	Performance of contract
Marketing email opt-in (optional)	Sending product updates, parakite tips, and feature announcements	Consent — you can withdraw at any time from the app’s profile screen

When you set up your pilot profile

Data	Why
Wing manufacturer, model, size	Computing the wind speed range you can fly in
All-up weight (AUW)	Same — wind window depends on your weight
Gust allowance preference	Tuning condition ratings to your risk tolerance
Speed unit (mph/kph)	Display preference
Profile photo (optional)	Shown on your profile and beside your chat messages

When you use the app

Data	Why
Approximate location (optional)	Centring the forecast map on nearby sites. Only requested when you tap to use it. You can deny the OS permission and the app still works.
Photos and videos you upload to chats	Sharing them in the chat thread you posted to. Stored on Cloudflare R2.
Chat messages	Delivering them to other members of the thread
Sites you submit	Adding them to the public site database after admin moderation
Site favourites	Showing them on your profile and dashboard
Forecast alerts you create	Notifying you when conditions become flyable
Device push token (FCM)	Sending you the push notifications you’ve enabled
App open count, session duration, last opened time	Operating the app responsibly — knowing roughly how engaged users are so we can prioritise improvements. Aggregated; never sold.

Subscription and payment

We don’t see your card. Apple App Store and Google Play handle billing entirely on their side. From them we receive only:

Whether your subscription is active, in trial, in grace, or expired
The date your current paid period ends
An anonymous transaction identifier so we can match renewals to your account

Crash and error data

When the app crashes we collect, via Firebase Crashlytics:

Anonymised device model, OS version, app version, locale
The stack trace of the crash
Your account user ID (so we can correlate crashes per user)

This is sent only when collection is enabled (it is in production builds, off in development builds). It does not include the contents of your messages, photos, or location.

Cookies and similar technologies

The Parakiter app itself does not use cookies. Parakiter.com uses only essential cookies for session management. We do not use third-party advertising or behavioural tracking cookies.

Lawful bases under UK GDPR

We rely on the following bases:

Performance of contract — for everything that’s needed to deliver the service you signed up for: account creation, forecast delivery, chat, alerts, subscription enforcement.
Consent — for marketing emails and for optional features that ask permission (location, camera, photos, push notifications). You can withdraw consent any time without affecting the rest of the service.
Legitimate interests — for fraud and abuse prevention, analytics on aggregate app usage, and crash reporting. We’ve assessed these as proportionate to the very limited data collected.
Legal obligation — for retaining records we’re required to keep (e.g. tax records, subpoenaed records).

Who we share your data with

We use the following third-party processors. Each has its own privacy policy and contractual obligations to keep your data safe.

Processor	What they do	Where data is held	Their privacy policy
Firebase / Google Cloud (Google LLC)	Authentication, push notifications, crash reporting, analytics	EU and US	https://firebase.google.com/support/privacy
Render (Render Services Inc.)	Hosting our API server and PostgreSQL database	US (Oregon)	https://render.com/privacy
Cloudflare R2 (Cloudflare Inc.)	Storing photos and videos you upload	EU	https://www.cloudflare.com/privacypolicy/
Apple App Store (Apple Inc.)	Billing iOS subscriptions	Per Apple’s regions	https://www.apple.com/legal/privacy/
Google Play (Google LLC)	Billing Android subscriptions	Per Google’s regions	https://policies.google.com/privacy
Open-Meteo	Weather forecasts (we send only site coordinates, no user data)	EU	https://open-meteo.com/en/terms
RASP weather API	Soaring forecasts (we send only site coordinates)	EU	Via the data provider
UKHO (UK Hydrographic Office)	UK tide forecasts (we send only the tide station ID)	UK	https://www.admiralty.co.uk/terms
WorldTides	Non-UK tide forecasts (we send only site coordinates)	EU	https://www.worldtides.info/terms
Esri	Map satellite imagery (we send only the map tile coordinates being displayed)	US	https://www.esri.com/en-us/privacy
Anthropic (Claude API)	Used by admins only, to suggest enrichment data for new sites. Your personal data is never sent.	US	https://www.anthropic.com/legal/privacy
Sentry (Functional Software Inc.)	Backend error monitoring (only when configured)	EU/US	https://sentry.io/privacy

We do not sell your personal data and we do not share it with advertisers.

International data transfers

Some of our processors are based in the United States. Where data leaves the UK or EU we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or the EU-US Data Privacy Framework, depending on the processor.

How long we keep your data

Data	How long
Account profile, wings, favourites, alerts	Until you delete your account
Chat messages	Indefinitely while the thread exists, unless you delete the message
Chat photos and videos	Auto-archived after 30 days unless they’re liked enough to be preserved as part of a site’s media gallery (see app moderation settings)
Device push tokens	Until you sign out, the token rotates, or you uninstall the app
App session and open counts	Up to 24 months for trend analysis, then aggregated
Account deletion audit log	Indefinitely (anonymised) — required for fraud prevention and to be able to honour future “did you delete my account?” queries
Subscription and billing records	At least 6 years from the end of the relevant tax year — UK statutory requirement
Crash reports	90 days, then anonymised aggregates only

When you delete your account (see below) we anonymise your account row immediately, remove all your wings, favourites, alerts, sessions, push tokens, and chat memberships, and detach your name from any sites you submitted. Chat messages and photos you posted are kept and shown as coming from a “deleted account” so other people’s conversations don’t lose context. If you want those removed too, email info@winglocker.co.uk before deleting and we’ll handle it.

Your rights

You have the following rights under UK GDPR. We respond to all valid requests within one calendar month.

Access — request a copy of the data we hold about you.
Portability — get your data in a machine-readable format. We’ve built this directly into the app: the API endpoint GET /api/users/me/export returns your full profile and authored content as JSON. Email us if you want help retrieving it.
Rectification — correct inaccurate data. Most fields are editable directly in the profile screen.
Erasure — delete your account. Available in the app: Profile → Delete Account at the bottom. You can also email us.
Restriction — ask us to stop using your data while we resolve a complaint.
Objection — object to processing based on legitimate interests.
Withdraw consent — for anything we process based on consent. The marketing email toggle is in the app’s profile screen.
Complain to the ICO — if you’re not satisfied with how we’ve handled your data, you can complain to the UK Information Commissioner’s Office at https://ico.org.uk/make-a-complaint/.

To exercise any of these rights, email info@winglocker.co.uk. We may need to verify your identity before acting on a request, especially deletion or access requests.

Children

Parakiter is intended for adult parakite pilots. We do not knowingly collect data from anyone under 16. If you’re a parent or guardian and you believe a child under 16 has signed up, email us at info@winglocker.co.uk and we’ll delete the account.

Security

We use industry-standard security:

All traffic between the app and our servers is encrypted with TLS 1.2+.
Passwords are stored only as Firebase-managed hashes; we never see the plaintext.
Database credentials and API keys are stored in environment variables on Render and not committed to source control.
Self-service account deletion goes through password re-authentication.
Photos stored on Cloudflare R2 are accessed only via signed URLs.

Despite this, no system is perfectly secure. If we ever discover a breach affecting your data we’ll notify you and the ICO within 72 hours as required by UK GDPR.

Changes to this policy

When we update this policy materially we’ll bump the “Last updated” date and notify users via in-app announcement and (if you’re opted in) email.

Contact us

For privacy questions or to exercise your rights:

Email: info@winglocker.co.uk
Post: 8 The Fairway, Newton Ferrers, Plymouth, Devon, PL8 1DP

Wing Locker Ltd is registered with the UK Information Commissioner’s Office under registration number C1921027.