Privacy Policy

Last updated: 14 May 2026

Who That Plane?! (whothatplane.com) is a free aerospace vehicle reference gallery. This policy explains what personal data is collected when you visit the site, how it is used, who it is shared with, and what rights you have over it.

Who is responsible for your data

The website is operated by an individual (the “operator”). The operator is the data controller for the purposes of the UK GDPR, the EU GDPR, and equivalent worldwide data-protection laws.

To contact the operator about anything in this policy, including to exercise any of the rights described below, please use the contact form. We aim to respond within 30 days.

Categories of data we collect

We do not ask for, store, or sell your name, email address, postal address, account password, or any other directly identifying information. The data described below is collected automatically by third-party services that run in your browser when you visit the site:

Usage data — pages viewed, time on page, click and scroll behaviour, referring page, internal search terms.
Technical data — browser type and version, operating system, screen size, IP address (used by the third-party services for geolocation and abuse detection), approximate location at the country / region level.
Advertising identifiers — cookies and similar tokens set by Google AdSense to personalise ads (where personalisation is permitted under applicable law).

In addition to the above, we store a small amount of data on your own device via the browser’s localStorage and sessionStorage APIs. This data is never transmitted to us or to any third party:

vg_theme: Your light / dark colour preference.
vg_audience: Whether you have selected Adult or Kids reading mode.
vg_pinned: The vehicle records you have pinned in the gallery.
vg_favorites: The vehicle records you have favourited (if enabled).
vg_scroll_<path>: The last scroll position on a stub page (sessionStorage only; cleared when the browser tab closes).

You can clear all of this device-local data at any time using your browser’s site-data controls.

Legal basis for processing (UK / EU users)

We rely on the following legal bases under Article 6 of the UK GDPR / EU GDPR:

Your consent (Art 6(1)(a)) for non-essential cookies and similar trackers used by Google Analytics, Microsoft Clarity, and personalised Google AdSense. Where consent is required, we do not place these cookies until you grant it; you can withdraw consent at any time using the cookie-preferences control we provide (rollout in progress — see Children’s privacy and Cookie preferences below).
Legitimate interest (Art 6(1)(f)) for operating the site, preventing abuse, and storing your local preferences (e.g. theme, pinned vehicles) on your own device. You may object to processing based on legitimate interest using the rights section below.

Third parties that receive your data

Service	Purpose	Data shared	Where to learn more
Google Analytics 4	Aggregate traffic analytics	Usage + technical data, anonymised; IP truncated	Google Privacy Policy · Opt-out
Microsoft Clarity	Anonymised session replay + heatmaps	Usage + technical data, masked input fields	Microsoft Privacy Statement
Google AdSense (`ca-pub-8924392125724687`)	Advertising	Usage + technical data + advertising identifiers	Google Ads Policies · Ad Settings
Wikimedia Foundation (Wikipedia / Wikimedia Commons)	Hot-linked images and article extracts	Standard request headers + IP, sent directly to Wikimedia when your browser loads an image	Wikimedia Privacy Policy
Cloudflare-fronted CDNs (e.g. unpkg)	Map tiles and JavaScript libraries (loaded only when you open the ADS-B / Radar features)	Standard request headers + IP	Cloudflare Privacy Policy

We do not sell your personal data and we do not share it for cross-context behavioural advertising except through Google AdSense, where you can opt out at any time (see California residents below).

International data transfers

Google and Microsoft are headquartered in the United States and process your data there. Both organisations are certified under the EU-US Data Privacy Framework and its UK and Swiss extensions, providing the safeguard required under Chapter V of the UK GDPR / EU GDPR for the transfer.

Retention

Google Analytics 4 — event data is retained for 14 months by default, then automatically deleted.
Microsoft Clarity — session recordings are retained for 30 days, then automatically deleted.
Google AdSense — retention varies by purpose; see Google’s policy linked above.
Browser localStorage / sessionStorage — persists on your device until you clear it; sessionStorage is cleared automatically when you close the browser tab.

Your rights

If you are in the UK, EU, or another jurisdiction with comparable laws, you have the following rights:

Right of access — ask whether we hold data about you and request a copy.
Right to rectification — ask us to correct inaccurate data.
Right to erasure (“right to be forgotten”) — ask us to delete data we hold about you, where applicable.
Right to restriction of processing — ask us to pause processing while you contest its accuracy or our legal basis.
Right to data portability — receive your data in a structured, machine-readable format.
Right to object — object to processing based on legitimate interest, including profiling.
Right to withdraw consent — at any time, where processing is based on consent.
Right not to be subject to automated decision-making with legal or similarly significant effects (we do not carry out such decision-making).
Right to lodge a complaint with your local data-protection supervisory authority. Examples: the UK Information Commissioner’s Office, the Irish Data Protection Commission, France’s CNIL, Germany’s BfDI. A directory of EU authorities is available from the European Data Protection Board.

To exercise any of these rights, contact us via the contact form. Because we do not hold a user account or directly identifying information about you, we may need to ask you to identify the specific session or device you are asking about.

California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act gives you the following rights:

Right to know the categories and specific pieces of personal information we have collected about you, and the categories of sources, business or commercial purpose, and recipients.
Right to delete personal information we have collected from you.
Right to correct inaccurate personal information.
Right to limit use and disclosure of sensitive personal information (we do not collect sensitive PI as defined under the CPRA).
Right to opt out of sale or sharing of personal information. We do not sell personal information. We do share usage data with Google AdSense for cross-context behavioural advertising; you can opt out at any time using the contact form or by configuring Google Ad Settings.
Right to non-discrimination — we will not deny services, charge a different price, or provide a different quality of service because you exercised any of these rights.

We honour the Global Privacy Control (Sec-GPC: 1) signal as a valid opt-out of sale and sharing.

Children’s privacy

This site is intended for a general audience and is not directed at children under the age of 13. The site does include a “Kids mode” that presents simpler reading-level summaries of the same public-domain or Wikipedia-sourced material; this is a presentation preference, not a separate service for children, and we do not knowingly collect personal information from anyone under 13.

If you believe a child has provided personal information to a third-party service via this site, please contact us and we will work with you to address it.

Cookie preferences

You can manage cookies and similar trackers in two ways:

Through your browser settings (clearing cookies, blocking third-party cookies, or using Do Not Track / Global Privacy Control signals).
Through the cookie-preferences control on this site (rollout in progress). When available, this control will let you withdraw or grant consent for analytics and personalised advertising at any time, with denial as the default for users in the UK, EU, and Switzerland.

Security

The site is served over HTTPS. We do not operate a user account database or process payment information, so the attack surface for personal data is limited to the third-party services listed above; each operates its own security programme described in the policies linked from the table.

Changes to this policy

We may update this policy from time to time to reflect changes to the site, the third-party services we use, or applicable law. The “Last updated” date at the top of this page reflects the most recent revision. Material changes will be highlighted at the top of the page for at least 30 days after they take effect.

Contact

Questions, requests to exercise your rights, or complaints about this policy can be sent to the operator via the contact form.