1. What data we collect
We collect the minimum data necessary to run the service:
- Email address — when you create an account or subscribe to discharge alerts. We use this only to send the alerts you signed up for and to manage your account.
- Phone number — optionally, if you enable SMS alerts. Your number is passed to our SMS provider, solely to deliver those messages.
- Site preferences — which CSO sites you have subscribed to, stored against your account.
- Member number — a sequential identifier assigned when you join, used only to display your membership order on your account page.
- Anonymous usage analytics — page-view data collected via Cloudflare Web Analytics and Vercel Analytics. These services do not use cookies or fingerprint your device; no personal identifiers are stored.
- Ad interaction data — if advertising is enabled, Google AdSense may collect information about your device, browser, and interactions with ads in order to serve relevant advertisements. This data is collected and processed by Google under their own privacy policy; WaterWatch does not receive or store it directly.
We do not collect location data, browsing history, or any information beyond what is listed above.
2. How we use your data
- Delivering alerts — your email or phone number is used solely to send you the discharge start/stop notifications you requested.
- Managing your account — storing your subscription preferences so you can review or cancel them at any time.
- Improving the service — aggregated, anonymous analytics help us understand which pages are most useful.
We will never sell, rent, or share your personal data with third parties for marketing purposes.
3. Legal basis for processing (UK GDPR)
- Consent — you provide your email or phone number voluntarily when subscribing to alerts. You may withdraw consent at any time by unsubscribing via the link in any alert email or by contacting us directly.
- Legitimate interests — anonymous analytics to maintain and improve the service, where these interests do not override your rights.
4. Data storage and security
Subscriber data is stored in Supabase (EU West region) and processed by the WaterWatch Cloudflare Worker (EU West). SMS delivery uses Vonage. All data is encrypted in transit (TLS 1.2+) and at rest.
We apply the principle of least privilege: only the parts of the system that need your data to function can access it. No personal data is stored in any third-party logging or error-monitoring service.
5. Data retention
- Your email and subscription preferences are retained for as long as you remain subscribed.
- On unsubscribing, your contact details are deleted within 30 days.
- Anonymous analytics data is retained by Cloudflare and Vercel according to their own retention policies (typically 30–90 days).
6. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — request deletion of your data (“right to be forgotten”).
- Restriction — ask us to restrict processing while a dispute is resolved.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent — unsubscribe at any time via the link in any alert email or by emailing us.
To exercise any of these rights, email hello@water-watch.co.uk. We will respond within 30 days.
7. Cookies and tracking
When you sign in, WaterWatch sets strictly necessary HttpOnly session cookies (access token, ID token, and refresh token) issued by Amazon Cognito, our authentication provider. These cookies are required to keep you signed in and are never used for advertising or tracking. Because they are strictly necessary for the service to function, no cookie consent banner is required for them under UK/EU GDPR guidance.
WaterWatch may display advertisements served by Google AdSense. Google AdSense uses cookies and similar technologies to serve ads based on your prior visits to this site and other sites on the internet. You can opt out of personalised advertising by visiting Google’s Ads Settings or www.aboutads.info. Google’s use of advertising cookies is governed by Google’s Privacy Policy.
The service also uses browser sessionStorage to hold temporary OAuth state (PKCE verifier and state nonce) during sign-in, and localStorage to store your favourites list and your daily CSV download count (reset at midnight UTC, used to manage the free-download allowance). Neither is shared with any third party.
Cloudflare Web Analytics and Vercel Analytics use a cookieless approach that does not identify individual users.
8. Third-party services
WaterWatch relies on a small number of third-party infrastructure providers to operate. We do not share your personal data with any third party for marketing purposes. The categories of provider we use include:
- Open data sources — discharge and river-level data is sourced from publicly available Environment Agency APIs and water company open data feeds. No personal data is sent.
- Database & backend infrastructure — subscriber and account data is stored in a cloud database hosted in the EU/EEA.
- Authentication provider — user sign-in and session management is handled by a third-party identity service. Only your email address is shared for this purpose.
- CDN & edge network — the service is delivered via a global content delivery network for performance and security.
- Hosting — the web application is hosted on a cloud platform.
- Email delivery — alert emails are sent via a third-party transactional email provider. Only your email address is passed to them, solely for delivery.
- SMS delivery — SMS alerts are sent via a third-party messaging provider. Only your phone number is passed to them, solely for delivery.
- Maps — interactive maps use a third-party tile and geocoding service. No personal data is sent.
- Advertising — ads are served by Google AdSense (Google LLC). Google may use cookies and device identifiers to personalise ads and measure ad performance. Google’s data practices are governed by the Google Privacy Policy.
You may contact us at hello@water-watch.co.uk for the specific names of any providers if required for the exercise of your data rights.
9. Children
WaterWatch is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Changes to this policy
We may update this policy from time to time. Any material changes will be noted at the top of this page with an updated date. Continued use of the service after a change constitutes acceptance of the revised policy.
11. Contact and complaints
For any privacy queries, email hello@water-watch.co.uk.
If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner’s Office (ICO).