WeatherStop Control
Privacy Policy
iOS-only contractor weather-risk control, stoppage evidence, notice discipline and delay-defence system.
Read together with the WeatherStop Control Terms and Conditions and any Order Form or Data Processing Addendum.
Document. WeatherStop Control - Privacy Policy.
Application. WeatherStop Control (iOS / iPadOS; Apple Watch companion features where enabled).
Issuing controller. ML Consulting MB, legal entity code 306991112, registered in the Republic of Lithuania.
Version. 1.0.
Effective from. 2026-05-28.
Last updated. 2026-05-28.
Website. https://mlconsulting.lt.
Privacy contact. mantvydas@mlconsulting.lt.
App support. support@mlconsulting.lt.
Lead supervisory authority. Valstybinė duomenų apsaugos inspekcija (VDAI), L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania, ada@ada.lt, vdai.lrv.lt.
At a glance: We do not sell personal data. We do not use WeatherStop Control for cross-app tracking or behavioural advertising. WeatherStop Control is a B2B evidence and workflow app, so most project, site, worker, weather-event, media, notice and Defence Pack data is controlled by the business workspace owner. ML Consulting acts mainly as processor for that workspace data and as controller for account, billing, support, telemetry, security and service-operation data.
Contents
· 1. About this Privacy Policy
· 2. Controller identification
· 3. Scope of this Policy
· 4. Our two privacy roles - controller and processor
· 5. Apple App Store and iOS platform context
· 6. Key terms used in this Policy
· 7. Personal data WeatherStop Control processes
· 8. How we collect personal data
· 9. Why we process personal data and our legal bases
· 10. On-device processing, offline capture and sync
· 11. Workspace Owners, field users and worksite monitoring
· 12. Recipients and sub-processors
· 13. International data transfers
· 14. Automated decision-making and AI features
· 15. Retention periods
· 16. Security and personal-data breaches
· 17. Your privacy rights
· 18. Regional rights notices
· 19. Children
· 20. Cookies and similar technologies
· 21. Communications and direct marketing
· 22. Changes to this Policy
· 23. App Store privacy-label summary
· 24. WeatherStop-specific privacy safeguards and Workspace Owner duties
· 25. Contact us
1. About this Privacy Policy
1.1. ML Consulting MB ("ML Consulting", "we", "us" or "our") is the publisher of WeatherStop Control, an iOS / iPadOS application for contractor weather-risk evidence, stoppage records, notice discipline, delay registers and Defence Pack exports.
1.2. This Privacy Policy explains what personal data we and the App process when you download, install, sign in to, subscribe to, join a workspace, capture a weather event, attach evidence, generate a Notice Draft, create a Defence Pack, request support or otherwise use WeatherStop Control.
1.3. This Policy is written to satisfy Articles 12 to 14 of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), and the Lithuanian Law on Legal Protection of Personal Data. It is also designed to align with the App Privacy details shown on the App Store listing.
1.4. WeatherStop Control is business-to-business software. It is used by contractors, subcontractors, project managers, foremen, supervisors, commercial managers, quantity surveyors, claims consultants and invited reviewers. It is not a consumer weather app and is not intended for children.
1.5. This Policy should be read together with the WeatherStop Control Terms and Conditions, any Schedule A, any Order Form, the ML Consulting master privacy policy and any Data Processing Addendum that applies to the business workspace.
2. Controller identification
2.1. For processing where ML Consulting decides the purposes and means, the controller is ML Consulting MB, a Lithuanian small partnership, legal entity code 306991112, registered in the Republic of Lithuania.
2.2. Our website is https://mlconsulting.lt. Privacy requests should be sent to mantvydas@mlconsulting.lt. App support requests may also be sent to support@mlconsulting.lt.
2.3. ML Consulting MB has not designated a Data Protection Officer because its current processing does not meet the criteria in Article 37(1) GDPR. If our processing changes so that a DPO becomes mandatory, we will appoint one and publish their contact details.
2.4. Our lead supervisory authority for GDPR one-stop-shop purposes is the Lithuanian State Data Protection Inspectorate, Valstybinė duomenų apsaugos inspekcija (VDAI), L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania, email ada@ada.lt, website vdai.lrv.lt.
3. Scope of this Policy
This Policy applies to:
· the WeatherStop Control iOS and iPadOS application published by ML Consulting MB;
· Apple Watch companion or notification features where enabled;
· accounts, workspaces, projects, subscriptions, trials, pilots, onboarding, support channels, billing operations and authentication services we operate for WeatherStop Control;
· weather-event capture, source snapshots, site media, Notice Drafts, Weather Delay Registers, Evidence Quality Scores, Defence Packs, share links and audit metadata created or stored through the App;
· landing pages, help articles, documentation and privacy-choice pages hosted on mlconsulting.lt that describe WeatherStop Control;
· email, in-app, support, billing and onboarding communications about WeatherStop Control.
3.1. Where Apple, Stripe, Supabase, Google, weather providers, payment-card networks, mobile-network providers or other independent third parties process personal data for their own purposes, they act as independent controllers and their own privacy policies apply.
3.2. Where a business workspace owner uploads or generates personal data about employees, contractors, subcontractors, client contacts, site visitors or other people, that workspace owner is normally the controller for that Customer Data and ML Consulting acts as processor.
4. Our two privacy roles - controller and processor
4.1 We act as controller
We determine the purposes and means of processing for the following data categories:
· account, authentication and user profile data used to operate your user account;
· device, technical, telemetry, security-event and diagnostic data generated during normal App use;
· communications and support correspondence about the App;
· billing, subscription, invoice, Stripe and Apple App Store transaction data needed to operate payments and entitlements;
· website, demo, onboarding, marketing-preference and legal-notice data;
· aggregated, de-identified or statistical product information used to improve reliability, security and product quality.
4.2 We act as processor
4.2.1. WeatherStop Control operates on a workspace model. The business customer, called the Workspace Owner, uses the App to manage information about projects, sites, weather events, workers, supervisors, client contacts, main contractors, subcontractors, consultants, notices, media evidence and Defence Packs.
4.2.2. For Customer Data in the workspace, including personal data about workers, field users, site personnel, client contacts and identifiable people shown in site media, the Workspace Owner is normally the controller and ML Consulting acts as processor under a Data Processing Addendum meeting Article 28 GDPR.
4.2.3. As processor, we process Customer Data only on the documented instructions of the Workspace Owner unless EU or Lithuanian law requires otherwise. If you are a worker, contractor, subcontractor, client contact, site visitor or other person whose data was added by a Workspace Owner, you should normally contact that organisation first for privacy requests about workspace-controlled data.
5. Apple App Store and iOS platform context
5.1 App Privacy details on the App Store
5.1.1. Apple requires App Store apps to publish structured App Privacy details explaining the categories of data an app collects, how that data is used, whether it is linked to the user and whether it is used to track the user. WeatherStop Control's App Store privacy information should be kept consistent with this Policy.
5.2 App Tracking Transparency
5.2.1. WeatherStop Control does not track users across other companies' apps and websites for advertising or advertising measurement within the meaning of Apple's App Tracking Transparency framework. We do not request the App Tracking Transparency permission and we do not use the iOS Identifier for Advertisers (IDFA).
5.3 Privacy Manifest
5.3.1. WeatherStop Control should ship an Apple-required Privacy Manifest (PrivacyInfo.xcprivacy) declaring data categories, third-party SDKs and approved reasons for any required-reason APIs used by the App. The Privacy Manifest is the machine-readable counterpart of this Policy and the App Store privacy answers.
5.4 iOS sandbox and Data Protection
5.4.1. On-device application data is stored inside the iOS application sandbox and benefits from Apple's Data Protection encryption at rest. Where the App retains session tokens or similarly sensitive small secrets, it should use Apple's Keychain rather than ordinary local storage.
5.5 Sign in with Apple and account access
5.5.1. Where WeatherStop Control offers Sign in with Apple, Apple provides us with a stable Apple Account identifier and either your real email address or an Apple-generated relay address if you choose Hide My Email. We never receive your Apple Account password.
5.5.2. Where WeatherStop Control uses email magic links, one-time passwords, Supabase authentication or another account method, we process the minimum account data needed to authenticate the user and secure the workspace.
5.6 Direct billing, Stripe and App Store purchases
5.6.1. WeatherStop Control may be sold through direct business billing, Stripe checkout or customer portal, invoices, Order Forms, Apple App Store in-app purchases, auto-renewable subscriptions, Apple Business Manager Custom Apps or pilots. We do not receive full payment-card details when a payment provider processes a transaction. We receive payment status, subscription tier, entitlement state, invoice details and transaction metadata needed to operate the subscription.
5.7 WeatherKit, weather providers and platform services
5.7.1. WeatherStop Control may use Apple WeatherKit and NOAA/NWS or other weather providers to retrieve weather context for a project or event location. Weather-source requests may require a location or project coordinate and may generate provider logs, attribution information, API usage records and source snapshots.
5.7.2. WeatherKit is an Apple service and is subject to Apple's requirements, including attribution and weather-alert source handling. WeatherStop Control may also store source labels, retrieval times and provider metadata so exported records show where weather information came from.
5.8 App Privacy Report
5.8.1. iOS includes an App Privacy Report that can show the sensors, data categories and network domains accessed by installed apps. WeatherStop Control is designed so this report should primarily reflect user-invoked camera, location, notification, weather-source, ML Consulting backend, Apple, payment and support endpoints.
6. Key terms used in this Policy
· Personal data means any information relating to an identified or identifiable natural person.
· Processing means any operation performed on personal data, including collection, recording, organisation, storage, use, disclosure and erasure.
· Controller means the person or organisation that determines the purposes and means of processing.
· Processor means a person or organisation that processes personal data on behalf of a controller.
· Workspace Owner means the business customer that controls a WeatherStop workspace.
· Customer Data means all data submitted by or generated for a Workspace Owner through the App, including weather events, project records, source snapshots, site media, Notice Drafts, Defence Packs, exports and audit logs.
· Worker Personal Data means personal data relating to employees, contractors, subcontractors, foremen, supervisors or other personnel processed through WeatherStop Control.
· Event-Based Location means location data captured only in connection with a user-initiated or system-linked weather event, site record, source lookup, evidence submission or related operational record.
· Defence Pack means an organised export of Customer Data, source context, media, notices, audit metadata and related facts.
· Sub-processor means a third-party provider that processes personal data on our behalf.
· EEA means the European Economic Area.
· VDAI means the Lithuanian State Data Protection Inspectorate.
7. Personal data WeatherStop Control processes
We collect only the data reasonably needed to operate, secure, support, bill, improve and document WeatherStop Control. Not every workspace or user will involve every category below.
· Account and authentication data: name, business email address, account identifier, workspace role, invitation status, authentication method, organisation name and permission state.
· Device, technical and telemetry data: IP address, device model, operating system version, App version, language, timezone, crash logs, performance data, diagnostics, sync status, network status, feature usage and security events.
· Communications and support data: emails, support tickets, onboarding notes, demo requests, issue descriptions, attachments you send us, support diagnostics and correspondence metadata.
· Billing and payment data: company name, billing contact, invoice address, VAT or tax ID, plan, subscription tier, payment status, Stripe customer or subscription IDs, App Store transaction metadata, refunds, renewals and entitlement status.
· Project and workspace data: project names, site addresses, zones, trades, packages, client or main contractor references, project contacts, contract threshold settings, retention settings and role assignments.
· Weather Event Records: event date and time, affected work, weather reason, stoppage status, crew and equipment impact, supervisor declarations, notes, review status and internal comments.
· Weather Source Data: WeatherKit, NOAA/NWS or other source labels, retrieval time, coordinates used for lookup, forecast or observation summaries, alert source references, provider metadata, attribution, stale-source flags and uploaded weather records.
· Location data: event-based precise or coarse location used for site context, source lookup, media metadata and evidence provenance. WeatherStop Control is not designed for continuous background GPS tracking.
· Site media and files: photos, videos, captions, uploaded documents, screenshots, PDF files, source records and any metadata attached to those files, including timestamps and possible location metadata.
· Notice and delay data: Notice Drafts, notice recipients, delivery status, Weather Delay Register entries, review comments, correspondence attachments and notice history.
· Defence Pack and export data: PDF or ZIP pack content, export IDs, timestamps, source labels, file hashes, share-link metadata, redaction status and audit manifest data.
· Audit, provenance and security data: user actions, role changes, edit history, source fetches, export events, deletion requests, share-link access, login attempts and system logs.
· AI or automation data where enabled: prompts, user-provided inputs, draft summaries, draft notice text, suggested classifications, score explanations and reviewed output.
· Website and marketing data: demo forms, newsletter preferences, landing-page analytics, cookie preferences and event-registration details where applicable.
7.1 Special categories of personal data
7.1.1. WeatherStop Control is not designed to collect special categories of personal data under Article 9 GDPR, such as health data, biometric data, racial or ethnic origin, political opinions, religion, trade-union membership or sexual orientation.
7.1.2. Because the App can store photos, videos and free-text notes, users might accidentally capture or enter sensitive information. Workspace Owners must train users to avoid unnecessary sensitive data and must establish a valid Article 9 GDPR condition if such data is truly necessary.
7.2 What WeatherStop Control does not collect by design
· No sale of personal data.
· No cross-app behavioural advertising.
· No IDFA or advertising tracking.
· No continuous background GPS tracking by design.
· No collection of your full contacts or calendar by design.
· No access to your full photo library beyond images or videos you actively capture, select or attach.
· No payment-card numbers received by ML Consulting when Apple or Stripe processes payment.
· No use of Customer Data to train third-party AI models unless a Workspace Owner has expressly opted in to a clearly described feature or separate agreement.
8. How we collect personal data
· Directly from you when you create an account, accept an invitation, complete a profile, contact support, request a demo, subscribe, pay, upload records or use App features.
· From the Workspace Owner when it invites you, assigns a role, configures a project, uploads project data or controls access to records about you.
· From your device when the App records technical, diagnostic, security, notification, camera, location or sync events needed for the feature you use.
· From Apple, Stripe, Supabase or other service providers when they provide authentication, billing, entitlement, crash, push notification, App Store or platform services.
· From weather providers when the App retrieves weather context for a project, site or weather event.
· From generated records when the App creates audit logs, Evidence Quality Score explanations, source labels, Notice Drafts, Defence Packs or export manifests.
9. Why we process personal data and our legal bases
For each processing activity we rely on a lawful basis under Article 6(1) GDPR. Where we rely on consent, you may withdraw consent at any time without affecting prior lawful processing. Where we rely on legitimate interests, we have assessed that our interests are not overridden by your fundamental rights and freedoms.
· Provide and operate the App: account data, workspace data, project records, event records, media, notices, Defence Packs, telemetry and sync data. Legal basis: performance of a contract or pre-contractual steps, Article 6(1)(b), and for workspace Customer Data, processing on behalf of the Workspace Owner.
· Authenticate users and secure workspaces: account identifiers, login events, session data, role permissions, device and security logs. Legal basis: contract performance, Article 6(1)(b), and legitimate interests in security, Article 6(1)(f).
· Capture weather-event evidence: event facts, site media, event-based location, source context, timestamps, user declarations and audit metadata. Legal basis: contract performance for the Workspace Owner, Article 6(1)(b), user/device consent where required by iOS prompts, Article 6(1)(a), and the Workspace Owner's lawful basis for personnel and site data.
· Retrieve weather-source context: site coordinates, event location, source requests, WeatherKit, NOAA/NWS or other provider data and source metadata. Legal basis: contract performance, Article 6(1)(b), and legitimate interests in source provenance, Article 6(1)(f).
· Generate Notice Drafts, Weather Delay Registers and Defence Packs: project data, event data, source data, media, user notes, review status and export metadata. Legal basis: contract performance, Article 6(1)(b), and processor instructions from the Workspace Owner for Customer Data.
· Process direct billing and subscriptions: billing contact, invoice details, plan, Stripe metadata, payment status and tax records. Legal basis: contract performance, Article 6(1)(b), and legal obligations under Lithuanian accounting and tax law, Article 6(1)(c).
· Operate App Store entitlements where offered: Apple transaction metadata, subscription tier and entitlement state. Legal basis: contract performance, Article 6(1)(b).
· Provide support and implementation: account, workspace, diagnostics, issue descriptions, support attachments and correspondence. Legal basis: contract performance, Article 6(1)(b), and legitimate interests in support and service reliability, Article 6(1)(f).
· Improve product reliability and usability: pseudonymised telemetry, aggregated feature usage, crash logs, performance data and support themes. Legal basis: legitimate interests, Article 6(1)(f), or consent where required.
· Send notifications: push tokens, notification preferences and event reminders. Legal basis: consent through iOS prompts and in-app toggles, Article 6(1)(a).
· Send direct marketing: contact details and preferences for product updates or educational material. Legal basis: consent, Article 6(1)(a), or soft opt-in where permitted by ePrivacy rules.
· Comply with law and enforce rights: account data, billing records, logs, Customer Data where necessary, correspondence and legal records. Legal basis: legal obligation, Article 6(1)(c), and legitimate interests, Article 6(1)(f).
10. On-device processing, offline capture and sync
10.1. WeatherStop Control is designed for field use and may store in-progress weather events, photos, drafts, notification preferences, cached files, source snapshots, sync queues and diagnostics locally on the user's iPhone or iPad.
10.2. If you delete the App without exporting or syncing data, locally stored records may be deleted by the operating system. Server-side workspace records may continue to exist if they were synced or submitted to the Workspace Owner's workspace.
10.3. Offline capture reduces connectivity risk but does not remove the need to check sync status. Users and Workspace Owners are responsible for confirming that important weather events, media, notices and Defence Packs have synced or been exported before relying on them.
10.4. Where optional iCloud or CloudKit storage is enabled, iCloud is controlled at the Apple account and operating-system level and is also governed by Apple's privacy terms. ML Consulting does not receive your Apple Account password.
11. Workspace Owners, field users and worksite monitoring
11.1. The Workspace Owner may invite foremen, supervisors, project managers, commercial managers, quantity surveyors, admins, claims consultants, lawyers, client viewers or other users and assign workspace permissions.
11.2. The Workspace Owner may be able to view activity inside the workspace, including event records, photos, videos, location attached to events, source retrievals, Notice Drafts, review status, exports, share links, audit logs and user actions.
11.3. Because WeatherStop Control can process worker, contractor, subcontractor, location and site-media data, Workspace Owners are responsible for satisfying employment, labour, worksite-monitoring and privacy obligations in the countries where personnel work, including any national rules under Article 88 GDPR.
11.4. Before granting personnel access or using the App to capture worksite evidence, Workspace Owners should provide an appropriate privacy notice, define a lawful basis, consult employee representatives or works councils where required, restrict role access, prohibit continuous surveillance and document retention and export rules.
11.5. WeatherStop Control is designed for event-based evidence capture. It is not designed as a general employee productivity tracker, continuous GPS tracker or hidden surveillance system.
12. Recipients and sub-processors
We share personal data only where necessary for the purposes described in this Policy. We do not sell personal data and we do not share personal data for cross-context behavioural advertising.
· Apple Inc. and Apple Distribution International Limited: App Store distribution, TestFlight, Apple Business Manager Custom Apps, StoreKit, Sign in with Apple, WeatherKit, push notifications, iCloud or CloudKit where used and platform diagnostics. Apple may act as an independent controller for Apple-side processing.
· Weather providers such as Apple WeatherKit and NOAA/NWS: weather data retrieval, source context, attribution and source labels for project or event locations.
· Supabase or equivalent backend providers: authentication, database, row-level security, file storage, audit logs, backups, sync and server-side workspace operations.
· Stripe or equivalent payment providers: direct subscription, invoice, payment, refund, tax and customer portal processing.
· Email delivery and support providers: service messages, passwordless sign-in emails, support replies, billing notices and onboarding communications.
· Analytics, monitoring and crash-reporting providers: privacy-respecting diagnostics, crash logs, performance monitoring and product reliability analysis, pseudonymised where feasible.
· PDF rendering, file and export infrastructure: Defence Pack generation, export storage, share links and document delivery.
· AI or language-model providers only if enabled: assistive drafting, summarisation, classification or translation features under written sub-processing terms that prohibit training on Customer Data unless separately agreed.
· Professional advisers and authorities: lawyers, accountants, auditors, insurers, courts, regulators or public authorities where necessary for legal, accounting, security, dispute or compliance purposes.
· Workspace Owner-designated recipients: clients, main contractors, consultants, lawyers, insurers or viewers whom the Workspace Owner or an authorised user invites or shares records with.
12.1. A current sub-processor list should be maintained at mlconsulting.lt/legal/sub-processors or another published ML Consulting legal page. Each sub-processor processing personal data on our behalf is required to provide appropriate data-protection commitments.
13. International data transfers
13.1. ML Consulting MB is established in Lithuania and aims to keep personal data within the EEA by default where practical. Some providers, including Apple, Stripe, Supabase, email, analytics, support, infrastructure or AI providers, may process personal data in the United States or other regions where they operate.
13.2. Where personal data is transferred outside the EEA or United Kingdom to a country without an adequacy decision, we rely on lawful transfer safeguards under Chapter V GDPR, including European Commission adequacy decisions, the EU-US Data Privacy Framework where applicable, Standard Contractual Clauses, the UK International Data Transfer Addendum or Agreement and additional technical and organisational measures.
13.3. Workspace Owners that export Defence Packs or share records with recipients outside the EEA are responsible for their own transfer assessment and lawful transfer mechanism for that onward disclosure.
14. Automated decision-making and AI features
14.1. WeatherStop Control does not subject individuals to decisions based solely on automated processing that produce legal effects or similarly significant effects within the meaning of Article 22 GDPR.
14.2. Evidence Quality Scores, notice-readiness flags, missing-data warnings, source-status labels, stale-source flags, pack-readiness labels and similar automation are operational workflow aids. They do not decide worker performance, employment status, safety compliance, legal entitlement, claim value, insurance validity or dispute outcome.
14.3. AI-assisted features, if enabled, may help draft summaries, Notice Drafts, pack summaries, source explanations, template text or translations. They are assistive only. Users must review and approve output before it becomes part of a record, notice, Defence Pack or external communication.
14.4. Where an AI helper relies on a third-party model provider, the provider acts as our sub-processor under written terms. We minimise inputs, use redaction where supported and prohibit provider training on Customer Data unless the Workspace Owner has expressly agreed otherwise.
14.5. We design AI helpers to support transparency, logging and human oversight appropriate to their risk. WeatherStop Control is not held out as a high-risk AI system for employment decisions, law enforcement, essential services, credit, education or migration decisions.
15. Retention periods
We keep personal data only for as long as needed for the purposes described in this Policy or as required by law. The actual period for a record may be the longest period that applies to its purposes.
· Account and authentication data: for the life of the account, then deleted or anonymised within 24 months of complete inactivity unless legal, billing, security or dispute records require longer retention.
· On-device data: held on the device until the user deletes the record, signs out, deletes the App, resets the device or the operating system removes it. Synced workspace records may remain on the server.
· Telemetry and service-operation data: retained in identifiable form for up to 13 months where feasible, then aggregated, anonymised or deleted unless needed for security, fraud or dispute reasons.
· Support communications: retained for up to 24 months from closure of the support matter, longer if the matter relates to a complaint, dispute, security issue or legal obligation.
· Billing, accounting and tax records: retained for up to 10 years from the end of the relevant accounting period where required by Lithuanian accounting and tax law.
· Apple App Store and Stripe transaction metadata: retained for the life of the entitlement and the period needed for renewals, refunds, disputes, accounting and tax obligations.
· Customer Data in business workspaces: governed by the Data Processing Addendum or Order Form. The default product position should provide a 30-day export window after termination where feasible, followed by deletion or anonymisation from active systems and later deletion from backups on their normal rotation.
· Weather Source Data and event records: retained according to the workspace retention settings, project requirements, legal hold settings and the Workspace Owner's instructions.
· Defence Packs and share links: retained according to workspace settings, export limits and share-link expiry settings. Downloaded copies are controlled by the recipient or Workspace Owner, not ML Consulting.
· Website cookies and marketing preferences: retained according to the cookie settings, consent records and unsubscribe status needed to honour user choices.
16. Security and personal-data breaches
16.1. We use technical and organisational measures appropriate to the risk, including role-based access control, authentication controls, encryption in transit, encryption at rest where supported, database access controls, audit logs, backup procedures, limited support access, monitoring and supplier due diligence.
16.2. No system is perfectly secure. Workspace Owners and users must also protect accounts, devices, passcodes, biometrics, email access, MDM settings, exported Defence Packs and share links.
16.3. If we become aware of a personal-data breach affecting data for which we are controller, we will assess it under Articles 33 and 34 GDPR and notify the supervisory authority and affected individuals where required. If the breach affects Customer Data for which we are processor, we will notify the Workspace Owner without undue delay according to the Data Processing Addendum.
16.4. Suspected security incidents, lost devices, unauthorised workspace access, mistaken exports or exposed share links should be reported promptly to support@mlconsulting.lt and, for privacy matters, mantvydas@mlconsulting.lt.
17. Your privacy rights
Subject to the conditions and limits in the GDPR, you have the following rights:
· Right of access under Article 15: confirm whether we process personal data about you and obtain a copy.
· Right to rectification under Article 16: correct inaccurate personal data and complete incomplete data.
· Right to erasure under Article 17: request deletion where the conditions apply, including where data is no longer necessary or consent is withdrawn and no other legal basis applies.
· Right to restriction under Article 18: restrict processing while we verify accuracy, handle an objection or address other Article 18 circumstances.
· Right to data portability under Article 20: receive data you provided in a structured, commonly used and machine-readable format where processing is based on consent or contract and carried out by automated means.
· Right to object under Article 21: object to processing based on legitimate interests on grounds relating to your situation and object at any time to direct marketing.
· Rights related to automated decision-making under Article 22: not be subject to solely automated decisions with legal or similarly significant effects where the right applies.
· Right to withdraw consent under Article 7(3): withdraw consent at any time without affecting processing carried out before withdrawal.
· Right to lodge a complaint under Article 77: complain to the VDAI or to the supervisory authority where you live, work or where the alleged infringement took place.
17.1 How to exercise your rights
17.1.1. Send privacy requests to mantvydas@mlconsulting.lt with the subject line "Privacy request - WeatherStop Control". We may need to verify your identity, usually by asking you to authenticate to the relevant account or provide proportionate proof of identity.
17.1.2. We respond to verifiable requests without undue delay and in any event within one month under Article 12(3) GDPR. We may extend that period by up to two further months for complex or numerous requests and will explain the extension within the first month.
17.1.3. We handle privacy requests free of charge unless a request is manifestly unfounded or excessive, in which case Article 12(5) GDPR permits a reasonable fee or refusal.
17.2 Workspace-controlled data
17.2.1. For Customer Data that we process as processor for a Workspace Owner, direct your request to the Workspace Owner first. If you cannot identify the Workspace Owner, contact us and we will redirect or assist according to the Data Processing Addendum and applicable law.
18. Regional rights notices
18.1 United Kingdom
18.1.1. If you are in the United Kingdom, the UK GDPR and the Data Protection Act 2018 apply where the processing falls within their territorial scope. The rights in section 17 apply equivalently. The UK supervisory authority is the Information Commissioner's Office (ICO).
18.2 Switzerland
18.2.1. If you are in Switzerland, the Swiss Federal Act on Data Protection may apply. The Swiss supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC). Where required, we use the Swiss addendum to the Standard Contractual Clauses.
18.3 California and other US states
18.3.1. If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act may give rights to know, access, delete, correct, limit certain sensitive personal information uses and opt out of sale or sharing. We do not sell personal information and do not share personal information for cross-context behavioural advertising.
18.3.2. Residents of Colorado, Connecticut, Virginia, Utah, Texas and other US states with comprehensive privacy laws may have similar rights. To exercise a state-law right, contact mantvydas@mlconsulting.lt.
18.4 Global Privacy Control
18.4.1. On WeatherStop Control landing pages, we honour the Global Privacy Control signal where technically feasible, treating it as an objection to non-essential cookies and a request to opt out of any sale or sharing of personal information, although we do not sell or share personal information for behavioural advertising.
19. Children
19.1. WeatherStop Control is intended for business users only and is not directed at children. We do not knowingly collect personal data from children below the age of digital consent applicable in their jurisdiction.
19.2. If a Workspace Owner lawfully permits supervised use by younger trainees or apprentices, the Workspace Owner is responsible for ensuring that all required employment, training, parental, school, privacy or labour-law conditions are met.
19.3. If you believe a child has provided personal data to us without appropriate authorisation, contact us and we will take appropriate steps to delete or restrict it.
20. Cookies and similar technologies
20.1. The WeatherStop Control iOS app does not use advertising cookies. It uses on-device storage, Keychain, SwiftData, UserDefaults, cache files, notification tokens and sync queues to deliver App functionality. These are App storage technologies, not website cookies.
20.2. WeatherStop landing pages on mlconsulting.lt use strictly necessary cookies and may use privacy-respecting analytics or marketing cookies only where disclosed and, where required, consented to. Cookie choices can be managed through the website banner or privacy choices page where available.
20.3. If the App opens a web view for support, billing, documentation, Apple, Stripe or another provider, that provider's privacy and cookie practices may also apply.
21. Communications and direct marketing
21.1 Service messages
21.1.1. We send transactional service messages such as security alerts, sign-in emails, passwordless links, billing notices, renewal notices, support replies, export notices, material change notices and operational incident updates. Service messages are necessary for the App and cannot be opted out of without ceasing to use the relevant service.
21.2 Direct marketing
21.2.1. Where we send marketing emails about WeatherStop Control or related ML Consulting products, we rely on your consent or on a soft opt-in where permitted by ePrivacy rules. Every marketing email includes an unsubscribe option.
21.2.2. You can opt out of marketing by using the unsubscribe link, updating preferences where available or emailing mantvydas@mlconsulting.lt. Opting out of marketing does not stop service messages.
22. Changes to this Policy
22.1. We may update this Policy to reflect new features, billing channels, sub-processors, Apple requirements, legal developments, security practices, data categories or operational changes.
22.2. We will give reasonable advance notice of material changes that adversely affect your rights or expectations, typically by in-app notice and email where we have an email address, unless a shorter period is required by law or for urgent security reasons.
22.3. Routine updates, clarifications, contact-detail changes, sub-processor-list updates and typographical corrections take effect when posted.
22.4. Each version is dated and archived. The version in force at the time of processing governs that processing unless mandatory law requires otherwise.
23. App Store privacy-label summary
This section is a practical implementation guide for keeping the App Store privacy label consistent with this Policy. The final App Store Connect answers must reflect the actual build, enabled SDKs and production configuration at submission time.
Data likely collected and linked to the user or workspace
· Contact Info: name, email address, business contact details and support contact details.
· Location: precise or coarse event-based location where the user grants location permission and uses location-supported features.
· User Content: photos, videos, uploaded files, notes, Notice Drafts, support content, project records and Defence Pack content.
· Identifiers: user ID, workspace ID, account ID, device/session identifiers where used for security and functionality.
· Purchases: App Store or direct subscription status and purchase history metadata.
· Usage Data: product interaction, feature usage, sync state and operational logs.
· Diagnostics: crash data, performance data and other diagnostic data.
· Other Data: weather event records, weather source metadata, source labels, export metadata and audit logs where not covered by another Apple category.
Data-use purposes likely declared
· App Functionality: authentication, workspaces, weather lookup, evidence capture, notices, Defence Packs, billing, support and security.
· Analytics: product reliability, performance, crash diagnostics and aggregate feature usage where enabled.
· Product Personalization: workspace role permissions, project context, saved preferences and relevant event reminders.
· Developer's Advertising or Marketing: only if the user signs up for marketing emails or demo/onboarding communications.
· No Third-Party Advertising and no tracking.
Important label controls
· Declare all data collected by ML Consulting or integrated third-party partners, even when used only for App functionality.
· Do not mark data as unlinked unless it is genuinely de-identified before collection and is not re-linked later.
· If precise location is immediately coarsened before storage, disclose the retained form accurately.
· If a feature is on-device only and no data leaves the device or is retained by ML Consulting or partners, that data may not count as "collected" for App Store label purposes, but the final answer must match the build.
· If the production build adds a new SDK, AI provider, analytics tool, payment path, map/geocoder, crash reporter or weather source, update this Policy and the App Store answers before release.
24. WeatherStop-specific privacy safeguards and Workspace Owner duties
24.1. WeatherStop Control is designed around event-based evidence capture, not continuous surveillance. The App should request camera, location, notification and file permissions only when the relevant feature needs them, and users can manage those permissions through iOS Settings.
24.2. Workspace Owners remain responsible for implementing privacy-by-design controls in their own organisation. The App can provide role permissions, review states, share-link controls, audit metadata and export tools, but those tools must be configured and used correctly by the Workspace Owner.
24.1 Field capture safeguards
· Use location capture only for weather-event evidence, source lookup, site context and audit provenance, not for continuous worker tracking.
· Train field users to avoid photographing unrelated people, children, private homes, medical information, security systems, licence plates, unrelated documents and confidential client material unless necessary and lawful.
· Use photo captions and notes to describe site conditions factually. Avoid speculative statements about fault, blame, worker performance, legal entitlement or insurance coverage.
· Check sync status before relying on field records. Unsynced local data may be lost if a device is damaged, wiped, replaced or the App is deleted.
· Use device passcodes, Face ID or Touch ID, MDM where available and prompt revocation of access when a device is lost or a worker leaves the project.
24.2 Workspace Owner privacy duties
· Provide workers, contractors, subcontractors and site personnel with a clear privacy notice before using WeatherStop Control for evidence capture involving them.
· Identify and document the lawful basis for processing worker, contractor, location, media and site evidence data.
· Consult works councils, employee representatives or trade unions where national law or workplace rules require consultation before introducing event-based monitoring tools.
· Limit user permissions to the minimum role access needed for each person.
· Review retention settings against contract, insurance, audit, employment, legal-hold and project-closeout obligations.
· Define who may create, approve, export, share or revoke Defence Packs and Notice Drafts.
· Review exported records before sharing them externally, including redaction of personal data, confidential information, privileged material and security-sensitive site details.
· Keep an official project file outside the App where contracts, formal notices, correspondence, legal advice, official weather reports and submitted claim documents must be retained.
24.3 External sharing and Defence Packs
24.3.1. When a Workspace Owner or authorised user shares a Defence Pack, source appendix, Notice Draft, media bundle, share link or export with a client, main contractor, insurer, lawyer, consultant, adjudicator, arbitrator, court or regulator, that onward sharing is controlled by the Workspace Owner.
24.3.2. Before external sharing, the Workspace Owner should check whether the export contains personal data, worker data, location data, commercial confidential information, privileged legal content, security-sensitive site information, third-party copyright material, client data or information outside the intended purpose.
24.3.3. ML Consulting cannot control copies after they have been downloaded, forwarded, printed, uploaded to a third-party claim portal or otherwise shared outside controlled App share-link functionality.
24.4 Support access and diagnostics
24.4.1. Support access is intended to be limited to what is necessary to diagnose and resolve the support request. Where possible, users should provide event IDs, screenshots with personal data redacted, log IDs or reproduction steps rather than unnecessary full project files.
24.4.2. If a support request requires access to Customer Data, the Workspace Owner or authorised admin should approve that access. Support records may include diagnostic data and correspondence and are retained according to section 15.
24.5 App Store submission readiness
· Before App Store submission, compare this Policy against the production build, Privacy Manifest, SDK list, App Store privacy answers, WeatherKit usage, Stripe/Supabase configuration and any AI provider settings.
· If the production build adds background location, microphone, contacts, calendars, advertising SDKs, third-party analytics, map/geocoding services, AI processors or new payment providers, update this Policy and the App Store privacy answers before release.
· If a feature is disabled for the initial launch but described in this Policy as optional or future-capable, ensure the App Store label reflects only what the submitted build actually collects.
· If WeatherStop Control is distributed as a Custom App or through Apple Business Manager, ensure customer-specific deployment materials and onboarding notices do not contradict this Policy.
25. Contact us
25.1. For any question, request or complaint about this Policy or our processing of personal data, contact ML Consulting MB at mantvydas@mlconsulting.lt. App support requests may be sent to support@mlconsulting.lt.
25.2. When contacting us about a privacy request, please include the subject line "Privacy request - WeatherStop Control" and enough information to identify the relevant account, workspace or processing activity.
25.3. You may also lodge a complaint with the VDAI or another competent data-protection supervisory authority. We would appreciate the opportunity to address your concern directly first.
Document end - Version 1.0 - Effective 2026-05-28 - WeatherStop Control Privacy Policy - Copyright 2026 ML Consulting MB
