Privacy Policy
Last updated: 29 May 2026
1. Who we are
[OPERATOR ENTITY — TBD] ("we", "us", "our") operates FisherGuy and the website fisherguy.app. We are registered under [reg. no. TBD] in [JURISDICTION — TBD].
For privacy questions: privacy@fisherguy.app · For general contact: ab@agonist.se
We are the data controller under the General Data Protection Regulation (GDPR — EU Regulation 2016/679).
2. What data we collect, and why
FisherGuy is designed to collect as little data as possible. The categories below correspond exactly to the declarations in our App Store privacy label and our iOS PrivacyInfo.xcprivacy manifest.
| Data category | Purpose | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Email address | Account registration, sign-in, password recovery | Contract (Art. 6.1.b) | Until account deletion |
| Precise location | Show nearby fishing spots within a radius of your position | Consent (Art. 6.1.a) — only when you grant iOS permission | Not stored server-side; only used in real time |
| Photos & videos | Attach catch photos to your logbook | Consent (Art. 6.1.a) | Until you delete the catch or the account |
| User ID (internal) | Identify your account across devices, sync catches, anonymize analytics | Contract (Art. 6.1.b) | Until account deletion |
| Product interaction (anonymous) | Understand which features are used, fix bugs, improve UX | Legitimate interest (Art. 6.1.f) — pseudonymized | Up to 24 months in aggregated form |
| Crash data (anonymous) | Diagnose app crashes and ship fixes | Legitimate interest (Art. 6.1.f) | 90 days |
FisherGuy does not collect: contacts, calendars, microphone audio, advertising identifiers (IDFA), browsing history, contacts from other apps, or financial data. There is no cross-app or cross-site tracking.
3. Sub-processors
We rely on the following infrastructure providers. Each is bound by a Data Processing Agreement (DPA) under GDPR Art. 28.
| Provider | Data processed | Location |
|---|---|---|
| Cloudflare (Pages, DNS, R2 object storage) | Website hosting, catch-photo storage, edge caching | EU (Frankfurt) + global edge |
| Self-hosted backend (Senko VPS, EU) | Account data, catches, feed activity, AI proxy | EU (Helsinki) |
| Apple App Store + Sign in with Apple | App distribution, subscription billing, authentication | EU + US (Standard Contractual Clauses) |
| PostHog (self-hosted on our infrastructure) | Anonymized product analytics | EU (Helsinki) |
| Anthropic Claude (AI) | Natural-language fishing-spot queries (anonymous) | US (Standard Contractual Clauses) |
| Adapty (subscription management — only if you subscribe) | Subscription receipts | EU + US (SCC) |
4. Your rights (GDPR Art. 15–22)
Under GDPR you have the right to:
- Access the personal data we hold about you (Art. 15)
- Correct inaccurate or incomplete data (Art. 16)
- Delete your data — the "right to be forgotten" (Art. 17)
- Restrict processing (Art. 18)
- Export your data in a portable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time, without affecting prior lawful processing
To exercise any right, use Profile → Delete Account in the app, or email privacy@fisherguy.app. We respond within 30 days as required by Art. 12.
5. Right to lodge a complaint
You may lodge a complaint with a supervisory authority if you believe we have violated your data protection rights. You may also contact the authority in your EU country of residence.
6. Children
FisherGuy is rated 4+ on the App Store and contains no objectionable content. We do not knowingly collect data from children under 13. If you believe a child has provided us with data, contact privacy@fisherguy.app and we will delete it.
7. Automated decision-making
The AI recommends fishing spots based on your queries. These are informational suggestions, not decisions with legal effect (GDPR Art. 22 does not apply). You retain full control over which spots to visit.
8. International transfers
Some sub-processors (Anthropic, Apple) are based outside the EEA. Transfers are protected by the EU Commission's Standard Contractual Clauses (SCC) and supplementary safeguards.
9. Security
We use TLS 1.3 for all network connections. Passwords are stored with bcrypt (work factor 12). JWT access tokens are short-lived (15 minutes). Refresh tokens rotate with replay detection. Backups are encrypted at rest.
10. Changes to this policy
We will update this policy when material changes occur. The "last updated" date at the top reflects the latest revision. For significant changes affecting your rights, we will notify you by email and inside the app.
11. Contact
[OPERATOR ENTITY — TBD] · [HQ — TBD] · privacy@fisherguy.app