1. Introduction
FishingTactix ("we", "us", "our") is a fishing companion app operated by Kristan Hurn as a sole trader based in the United Kingdom. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the FishingTactix application and website at fishingtactix.com.
We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller
The data controller responsible for your personal data is:
Name: Kristan Hurn
Trading as: FishingTactix
Email: kristan@fishingtactix.com
Privacy enquiries: kristan@fishingtactix.com
3. What Data We Collect
3.1 Account Data
- Email address
- Display name
- User role (angler, vendor, or creator)
- Account creation date
- Discipline preferences (Coarse, Sea, Fly)
- Marketing opt-in preference
3.2 Catch & Activity Data
- Catch logs (species, weight, date, time, notes, rig used)
- Match results (venue, peg, placings)
- Photos and videos of catches (EXIF metadata is automatically stripped before upload)
- Voice note transcriptions
- Weather conditions at time of catch (auto-captured)
- Venue data (name, GPS coordinates, notes, ratings)
- Trip plans and kit checklists
- Reel line tracker data
- Rod licence expiry dates
3.3 Location Data
- GPS coordinates (used for local weather, tide data, tackle shop finder, and venue mapping)
- Location data is processed in your browser and is not stored on our servers unless you explicitly save a venue
- Venue postcodes are geocoded via OpenStreetMap Nominatim
- Privacy Shield allows you to control location visibility: Secret Spot (hidden), Fuzzy (~2-mile blur, default), or Exact
3.4 Technical Data
- Device session identifiers (for 2-device limit enforcement)
- Browser type and version
- Error logs (sent to Firebase for debugging)
- GDPR consent timestamp
3.5 Payment Data
All payment processing is handled by Stripe. We do not collect, store, or have access to your full card number, CVV, or bank details. Stripe processes payments in compliance with PCI-DSS Level 1. We receive only: confirmation of payment, subscription status, and Stripe customer ID.
4. Lawful Basis for Processing
Under UK GDPR Article 6, we process your data on the following bases:
| Purpose | Lawful Basis |
|---|---|
| Account creation and authentication | Contract (Art. 6(1)(b)) |
| Catch logging, venue management, trip planning | Contract (Art. 6(1)(b)) |
| Subscription billing via Stripe | Contract (Art. 6(1)(b)) |
| Weather, tide, and bite prediction services | Legitimate Interest (Art. 6(1)(f)) |
| Error tracking and app stability | Legitimate Interest (Art. 6(1)(f)) |
| Marketing emails (features, deals, tips) | Consent (Art. 6(1)(a)) |
| Community feed and leaderboard | Consent (Art. 6(1)(a)) |
| GDPR consent record-keeping | Legal Obligation (Art. 6(1)(c)) |
5. How We Use Your Data
- Provide and improve the FishingTactix app and its features
- Authenticate your account and manage your subscription
- Sync your data across up to 2 devices via cloud storage
- Generate bite predictions, weather forecasts, and smart rig suggestions
- Display community catch feeds and leaderboards (only data you choose to share)
- Send smart alerts (pressure drops, licence expiry, line replacement reminders)
- Find nearby tackle shops and display local deals (if location is enabled)
- Send marketing emails (only with your explicit opt-in consent)
- Monitor app errors and improve stability
6. Third-Party Services & Data Sharing
We share data with the following third-party services, each acting as a data processor or independent controller as specified:
| Service | Purpose | Data Shared |
|---|---|---|
| Google Firebase | Authentication, database, file storage, cloud functions | Account data, catch logs, photos, app data |
| Stripe | Payment processing | Email, subscription details (Stripe handles all card data) |
| Open-Meteo | Weather and marine forecasts | Approximate location coordinates |
| WorldTides | Tide predictions | Location coordinates |
| OpenStreetMap / Nominatim | Maps and postcode geocoding | Postcode or place name, IP address (tile servers) |
| iNaturalist | Species identification | Photo of fish (uploaded for ID) |
| Environment Agency | River level monitoring | Station/location query |
Firebase data is stored in Google Cloud data centres in the EU/US, governed by Google Cloud Data Processing Terms. We do not sell your personal data to any third party.
7. Data Storage & Security
- Local storage: App preferences, cached data, and offline catch logs are stored in your browser's localStorage
- Cloud storage: Account data, catch logs, photos, and venue data are stored in Google Firebase (Firestore and Cloud Storage)
- Encryption: All data in transit uses HTTPS/TLS. Firebase encrypts data at rest using AES-256
- Photo privacy: EXIF metadata (including GPS coordinates) is automatically stripped from all photos before upload using client-side canvas redraw
- Password security: Passwords must meet strict requirements (8+ characters, uppercase, lowercase, number, special character). Passwords are managed by Firebase Authentication and are never stored in plaintext
- Device sessions: Active sessions are tracked and limited to 2 devices. Sessions expire after inactivity and are cleaned up automatically
- Input sanitisation: All user-generated text is sanitised to prevent XSS and injection attacks
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account and profile data | Until account deletion |
| Catch logs, photos, and venue data | Until account deletion |
| Subscription and payment records | 6 years after last transaction (UK tax law) |
| Error logs | 90 days |
| GDPR consent records | Duration of account + 1 year |
| Anonymised analytics | Indefinitely (no personal data) |
When you delete your account, all personal data is permanently removed from our systems within 30 days, except where retention is required by law (e.g., financial records).
9. Cookies & Local Storage
FishingTactix is a Progressive Web App (PWA) and uses browser localStorage rather than traditional cookies. We use localStorage for:
- Essential: GDPR consent record, authentication state, app preferences, offline data cache
- Functional: Catch logs, venue data, kit checklists, discipline settings, night mode preference
We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. No data from localStorage is shared with third parties.
10. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of all personal data we hold about you
- Right to rectification (Art. 16): Request correction of inaccurate data
- Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten"). You can delete your account in the app via Settings, or contact us directly
- Right to restrict processing (Art. 18): Request that we limit how we use your data
- Right to data portability (Art. 20): Export your data in a machine-readable format (JSON) using the "Export All My Data (GDPR)" button in Settings
- Right to object (Art. 21): Object to processing based on legitimate interest or for marketing purposes
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time via Settings or by contacting us. Withdrawal does not affect the lawfulness of prior processing
To exercise any of these rights, email kristan@fishingtactix.com. We will respond within 30 days as required by UK GDPR.
11. Children's Privacy
FishingTactix is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at kristan@fishingtactix.com and we will delete the data promptly.
Users aged 13–17 may use the app with parental or guardian consent.
12. International Data Transfers
Your data may be transferred to and stored in data centres outside the UK (including the EU and US) through our use of Google Firebase and Stripe. These transfers are protected by:
- EU-US Data Privacy Framework
- UK International Data Transfer Agreement (IDTA)
- Standard Contractual Clauses (SCCs) where applicable
- Google Cloud and Stripe's compliance with applicable data protection laws
13. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
- Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms
- Document the breach and corrective actions taken
14. Complaints
If you are unhappy with how we handle your data, please contact us first at kristan@fishingtactix.com. We will do our best to resolve your concern.
You also have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk/make-a-complaint
Helpline: 0303 123 1113
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the app or email. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of FishingTactix after changes constitutes acceptance of the updated policy.
16. Contact Us
For any questions about this Privacy Policy or your personal data, contact: