Privacy Policy
As of: July 10, 2026
1. Overview
Fishfy is designed as a local-first app: your catches, spots, photos, and notes are primarily stored locally on your iPhone. Data leaves your device only when you use a feature that explicitly requires it (for example weather retrieval, cloud sync, or “Spot Occupied”).
We do not track you. Fishfy contains no analytics SDK, no advertising, and no cross-app tracking.
This policy describes which data is processed when and for what purpose, who receives it, and what rights you have.
2. Controller
Controller within the meaning of the GDPR:
Apzura
Hafenstraße 39
67346 Speyer
Germany
Represented by: Falco Grimminger
Email: support@fishfy.app
3. What Data We Process
Account data (when signing in):
• Email address
• Provider identifier (Apple, Google) and technical account ID
• Self-chosen username (publicly visible during content transfer)
• Language and time-zone code
• Optional: recovery email
Your content:
• Catch photos
• Catch data (location, time, fish species, size, bait, notes, weather snapshot)
• Spot data (position, notes, depth, season months, target fish)
Location data:
• Current location when you use weather, water-level, or “Spot Occupied”
• Locations of spots and catches you save
Device and diagnostic data (when push or cloud features are active):
• Anonymous device identifier (vendorID, per app installation)
• Push token (FCM)
• Device label (e.g. your iPhone name)
• Active notification settings
• Pro status
Payment data:
Processed exclusively between you and Apple (App Store / StoreKit). We only receive Apple’s confirmation of your Pro status.
4. Why We Process Your Data
Providing app features and managing your account:
Legal basis: performance of contract (Art. 6(1)(b) GDPR).
IT security, abuse prevention, stability, 3-device limit:
Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
Pro features (cloud sync, push, “Spot Occupied”, content transfer):
Legal basis: performance of contract (Art. 6(1)(b) GDPR).
Newsletter and voluntary data sharing:
Legal basis: consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time with effect for the future.
Weather and water-level data for the chosen location:
Legal basis: performance of contract.
5. Location Data and Features
You control location permission in your iOS settings. There are two levels:
• While Using the App: location is accessed only while Fishfy is active.
• Always: location can also be used in the background, exclusively for “Spot Occupied” and background weather collection. Without these features, “While Using” is sufficient.
How we use your location:
• Weather and water level: when you view current values, coordinates are sent to Open-Meteo (weather) or our cloud functions (water level). We do not store a location history.
• Catch and spot positions: stored locally. With cloud sync enabled, also stored in your personal area on Firebase.
• “Spot Occupied”: see section 7.
• Background weather collection: if you allow iOS background refresh, Fishfy retrieves weather data at your current location at larger intervals to keep forecasts up to date.
You can change or revoke the permission in iOS settings at any time.
6. Cloud Features (Pro)
The following features are available only with a Pro subscription and require an account:
Cloud sync and backup:
Your catches and spots are stored in your personal area on Firebase. Photos are kept in a private storage bucket. Only you have access (authentication via Firebase Auth).
Push notifications:
Alerts about good bite activity, similar catches, and “Spot Occupied” conflicts. Calculation runs server-side based on Open-Meteo. For this we store on Firebase: your push token, your notification settings, watched spots, and watched catches.
Content transfer:
You can transfer your own catches or spots to another Fishfy user. Recipients are identified by username. Content is temporarily placed in a transfer area; once received or expired, it is automatically deleted.
3-device limit:
A maximum of three devices can be active per account at the same time. Devices inactive for 60 days are automatically removed server-side.
7. “Spot Occupied” (Pro, optional)
“Spot Occupied” lets other Pro users know you are currently fishing. How it works:
• Activation is manual or automatic via an iOS Shortcuts automation and is limited to one device at a time.
• While active, Fishfy sends your current location to the server at intervals in coarse grid form (not an exact live coordinate visible to others).
• The server receives a session ID and a time-limited activation token.
• Other users see at their spots in the app only a counter (“Occupied by 1 person”) when someone with Spot Occupied is within 100 m. They see neither your identity nor your username.
• With location set to “While Using”, the status stays active for 15 minutes even if you minimize or close the app. It then ends automatically with a push reminder and a 5-minute grace period.
• With location set to “Always”, the feature stays active in the background. If you force-quit the app in the app switcher, the status ends.
Safeguards: VPN and simulator detection, secured cloud functions, no direct client access to the underlying data.
8. In-App Purchases
Pro subscriptions are processed exclusively via the Apple App Store (StoreKit 2). Payment data is handled solely by Apple. We only receive the information whether your Pro status is active.
Management and cancellation: in your Apple ID settings under “Subscriptions”.
9. Protection Against Time Manipulation
To ensure forecasts, catch attribution, and “Spot Occupied” work correctly, Fishfy checks at startup and during operation whether the device clock deviates significantly. For this:
• individual UDP packets are sent to “time.apple.com” (NTP),
• alternatively an HTTPS HEAD request is made to “apple.com” to read the HTTP Date header.
No personal data is transmitted, only the standard requests of the respective protocols.
Additionally, Fishfy stores a local time anchor after a successful online check to also detect manipulation when offline.
10. Voluntary Data Sharing
In settings you can opt in to voluntary sharing of your catch data to help improve the app. This feature is disabled by default.
If enabled and Pro: after each catch, the catch data (including weather snapshot and photo) is transmitted to our analysis endpoint at Vercel Inc. (USA).
Also if enabled and Pro: if you used “Spot occupied” (location “Always”) and logged no catch during that time, we ask you on the next app start whether you had any luck. For “Nothing caught” we transmit anonymized conditions (incl. weather, time range, coordinates) and an automatically generated satellite image of the location (no catch photo).
Use:
• Internal analysis only, to improve forecasts.
• No sharing of results with independent third parties for their own purposes.
Image use:
• Images without recognizable persons may be used for app marketing.
• Faces and sensitive location details are obscured/pixelated before use.
Withdrawal at any time in settings, with effect for the future.
11. Newsletter and Service Emails
When creating your account, you can opt in to the newsletter (“News & Updates”). This option is disabled by default.
Service emails (password reset, email verification, security-related notices) are sent regardless, as they are necessary for account management.
Email delivery uses Resend, Inc. (USA). See section 13 on third-country transfers.
Newsletter withdrawal at any time in app settings.
12. Recipients and Third-Party Providers
We use the following providers:
Google Ireland Limited (Firebase: Auth, Firestore, Storage, Messaging, Cloud Functions):
Location: Ireland. Server region: europe-west1 (Belgium).
Function: account, cloud sync, push, “Spot Occupied”, content transfer, device management.
Basis: performance of contract; Data Processing Agreement (DPA).
Apple Distribution International Ltd.:
Location: Ireland.
Function: Sign in with Apple, Apple Push (APNs), App Store / In-App Purchases, time reference.
Basis: performance of contract.
Google Ireland Limited (Google Sign-In):
Location: Ireland.
Function: sign in with Google.
Basis: performance of contract.
Open-Meteo GmbH:
Location: Switzerland.
Function: weather and historical weather data.
Basis: performance of contract. Switzerland: EU Commission adequacy decision.
Resend, Inc.:
Location: USA.
Function: delivery of service and newsletter emails.
Basis: data processing agreement; Standard Contractual Clauses (see section 13).
Vercel, Inc.:
Location: USA.
Function: receiving data from “Voluntary Data Sharing” (only with active opt-in).
Basis: consent; Standard Contractual Clauses.
Water-level data sources (PEGELONLINE, Hubeau, Rijkswaterstaat WaterWebservices, eHYD, FOEN/BAFU, WATERINFO/HIC, Hydrométrie Wallonie KiWIS, BRUWATER Open Data, Héichwaasser):
Location: EU or CH.
Function: current water levels. Only spot coordinates and country code are transmitted via our cloud functions.
Basis: performance of contract.
13. International Data Transfers
Resend (USA) and Vercel (USA) process data in the United States. For these transfers, EU Standard Contractual Clauses (SCC) and Data Processing Agreements (DPA) are in place. Both providers are, to our knowledge, certified under the EU-U.S. Data Privacy Framework. Despite these safeguards, there is a residual risk of access by U.S. authorities.
By using the corresponding features, in particular newsletter (optional) and voluntary data sharing (optional), you explicitly consent to this transfer.
14. Storage Period
Local data (catches, spots, photos, settings):
Until deletion in the app or app uninstall.
Account data:
Until account deletion in the app.
Cloud-synced content:
Until deletion via the app, account deletion, or Pro subscription end with subsequent cleanup.
“Spot Occupied” sessions:
A few minutes up to a maximum of 20 minutes per session in “While Using” mode, up to a maximum of 12 hours in “Always” mode.
Content transfer data:
Until received or expired, at most a few days.
Device documents (push token, settings):
Automatically removed after 60 days of inactivity.
Newsletter subscription:
Until withdrawal.
Log files of cloud functions:
Typically 30 to 90 days for security and stability purposes.
15. Your Rights
You have the following rights under the GDPR:
• Access to the data we hold about you (Art. 15)
• Rectification (Art. 16)
• Erasure (Art. 17)
• Restriction of processing (Art. 18)
• Data portability (Art. 20)
• Objection to processing (Art. 21)
• Withdrawal of granted consent with effect for the future
• Complaint to the competent supervisory authority
Directly in the app (More → Data):
• “Export catches (PDF)”: exports your catches as a PDF. This feature is part of Fishfy Pro.
• “Delete all data”: you choose between (a) “Delete in app only” (deletes local data on this device only; cloud data remains) or (b) “Delete app & Firebase” (deletes local and all cloud data in Firebase, plus your Firebase account). For (b), re-authentication may be required for security reasons.
Data portability (Art. 20) without Pro: email us at support@fishfy.app. We will provide your personal data in a common, machine-readable format.
For anything else: support@fishfy.app
16. Data Security
• Connections to our cloud functions, Firebase, and third-party providers always use TLS.
• Access to your cloud content is secured via Firebase Auth; without a valid auth token, no read or write access is possible.
• “Spot Occupied” sessions are protected by short-lived activation tokens.
• Water-level and weather requests are routed through our cloud functions; raw location data does not reach the source authorities.
• Your cloud content is protected by Firestore and Storage rules so that only you, as the authenticated owner, can access it.
17. Tracking, Analytics, Advertising
Fishfy contains:
• no tracking SDK,
• no analytics tools (no Google Analytics, no Firebase Analytics, no Crashlytics),
• no advertising.
There is no App Tracking Transparency dialog, because we do not perform cross-device tracking.
18. Children
Fishfy is designed for people who go fishing on their own. If you are a minor, please obtain the consent of your legal guardian before creating an account or subscribing to Pro. We do not knowingly process data of children who cannot legally consent to such processing themselves.
19. Changes to This Policy
We will inform you in the app about material changes. The current “as of” date is shown at the end of this policy.
20. Contact
For privacy questions or to exercise your rights:
support@fishfy.app
Data sources and licenses
Fishfy uses open and official data sources. We thank the following providers and reproduce their data unmodified and without warranty.
Weather and historical weather data:
• Open-Meteo (Open-Meteo GmbH), licensed under CC BY 4.0.
Water levels and water temperature:
• Germany: PEGELONLINE, German Federal Waterways and Shipping Administration (WSV).
• Switzerland: Federal Office for the Environment (FOEN), provided via existenz.ch.
• Netherlands: Rijkswaterstaat.
• France: Hub'Eau (eaufrance, OFB and BRGM).
• Austria: eHYD, Land- und forstwirtschaftliches Rechenzentrum.
• Belgium: waterinfo.be (Vlaamse Milieumaatschappij), Service public de Wallonie and Brussels Open Data.
• Luxembourg: heichwaasser.lu (Administration de la gestion de l'eau).
All rights to the respective data and trademarks remain with the named bodies. Water temperatures without a nearby station are estimated from regional climate values and historical weather data.
21. Website fishfy.app (cookies, local storage and contact form)
This privacy policy also applies to our website fishfy.app.
The website sets no tracking or marketing cookies, uses no analytics tools (no Google Analytics, no Tag Manager) and includes no advertising. Fonts are served locally from our server; no external services or CDNs are embedded.
Technically necessary storage: we only store your chosen language locally in your browser (localStorage, key “fishfy_lang”) so the page appears in your language. This information stays in your browser and is not transmitted to us.
Server log files: when you access the website, our hosting provider Vercel Inc. (USA) processes technically necessary access data such as IP address, date and time of the request and the page requested. The legal basis is our legitimate interest in secure and stable operation (Art. 6(1)(f) GDPR). For the transfer to the USA, Vercel relies on Standard Contractual Clauses.
Contact form: if you use our contact form, we process the data you provide (name, email address, selected topic and message) in order to handle your request. The legal basis is our legitimate interest in responding to your request (Art. 6(1)(f) GDPR). Delivery is handled by the email service provider Resend (Resend, Inc., USA) as a processor, sent to our mailbox support@fishfy.app. We use your data only to handle your request, not for advertising. For the transfer to the USA, Standard Contractual Clauses are used.
Since no consent-requiring cookie and no tracking are used, the website shows no cookie banner. If we use analytics or marketing services in the future, we will obtain your consent beforehand and update this policy.