Privacy Policy — FishDay | FishDay

This Privacy Policy explains how FishDay ("FishDay", "we", "us", "our") collects, uses, shares and protects your personal data when you use the FishDay website at https://www.fishday.pro and related products (the "Service").

Please read it together with our Terms of Service.

Summary — what you should know

We collect only the data we need to run FishDay: account info, fishing locations and reference days, payment metadata, and basic technical/usage data.
We never sell your personal data and we do not share it for cross-context behavioural advertising. We do not use it to train third-party AI models.
Payments are processed by Stripe (PCI DSS Level 1). We do not store full card numbers.
We use a small number of trusted processors (hosting, email, weather data, analytics) that act on our written instructions.
You have rights to access, correct, delete and port your data and to object to or restrict certain processing.

1. Data Controller

[LEGAL REVIEW REQUIRED — controller entity to be confirmed by counsel.]

The controller of your personal data is [FishDay operating entity, registered address — to be confirmed]. Until the entity is finalised, you can reach our privacy team at privacy@fishday.pro or admin@fishday.pro.

2. Personal data we collect

We collect personal data (a) that you provide to us, (b) that we collect automatically when you use the Service, and (c) that we receive from third parties (e.g., Stripe, Google sign-in).

2.1. Account & profile

email address (required);
password hash (we never see your plain password);
display name and, optionally, avatar image;
preferred language and units;
email-verification, password-reset and authentication tokens.

2.2. User Content (locations, days, marketplace listings)

fishing-location coordinates, names and notes you save;
reference ("best") days you flag and any associated notes;
Marketplace listings you create, the listings you purchase, and the resulting access records.

2.3. Payment & subscription data

plan tier, billing interval, status (e.g., active, past due) and renewal dates;
Stripe customer ID, subscription ID, invoice IDs and the last four digits / brand of the card on file (provided to us by Stripe);
token-balance and ledger entries (purchases, grants, spends, refunds).

We do not see or store your full card number, CVC or full bank-account details — those are handled by Stripe.

2.4. Technical & usage data

IP address, approximate location derived from IP, user-agent, device type, OS and browser;
timestamps of sign-in / sign-out, referrer, pages and features used, performance metrics, error logs;
cookies and similar storage (see Section 8).

2.5. Communications

support tickets and emails you send to us, with attachments;
opt-in / opt-out status for marketing communications.

We do not knowingly collect special categories of personal data (such as health, biometric or political-opinion data) and ask you not to send such data via the Service. We do not knowingly collect data from children under 13 (or under 16 in the EEA/UK) — see Section 11.

3. How we use your data and our legal bases (GDPR/UK GDPR)

We use your personal data for the following purposes and on the legal bases set out below:

Purpose	Categories used	Legal basis (GDPR Art. 6)
Provide the Service: account creation, authentication, saving your locations and days, running comparisons, granting Tokens, delivering Marketplace content.	2.1, 2.2, 2.3	Performance of a contract (Art. 6(1)(b))
Process payments and manage subscriptions, invoicing, refunds, chargebacks.	2.1, 2.3	Performance of a contract; legal obligation (tax / accounting) (Art. 6(1)(b),(c))
Operate, secure, monitor and improve the Service; prevent fraud and abuse; enforce our Terms.	2.1–2.5	Legitimate interests in running and protecting the Service (Art. 6(1)(f))
Provide customer support and respond to enquiries.	2.1, 2.5	Performance of a contract; legitimate interests (Art. 6(1)(b),(f))
Send service-related notifications (e.g., subscription renewals, security alerts, FishDay Watch matches).	2.1, 2.4	Performance of a contract; legitimate interests (Art. 6(1)(b),(f))
Send marketing emails about new features, tips and offers.	2.1	Consent, where required (Art. 6(1)(a)); otherwise legitimate interests with opt-out (Art. 6(1)(f))
Cookies and similar technologies that are not strictly necessary (e.g., analytics).	2.4	Consent (Art. 6(1)(a)) where required by ePrivacy / local law
Comply with legal obligations and respond to lawful requests; defend or pursue legal claims.	As needed	Legal obligation; legitimate interests (Art. 6(1)(c),(f))

Where we rely on legitimate interests, you have the right to object — see Section 6.

4. Who we share data with (processors & recipients)

We do not sell your personal data and we do not "share" it for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA. We disclose data only to the following categories of recipients, in each case under appropriate contractual safeguards:

Recipient	Purpose	Location
Vercel (hosting, edge / CDN)	Hosting the Service, serving traffic, logs.	EU / US
Supabase / managed PostgreSQL	Primary database for accounts, content and subscription state.	EU / US (region as configured)
Stripe Payments Europe Ltd. and its affiliates	Payment processing, subscription management, invoicing, fraud prevention.	EU / US (Stripe global infrastructure)
Google (Sign-in with Google, where used)	Optional federated authentication.	Global
Email-delivery provider (e.g., Resend / Postmark)	Transactional emails (verification, receipts, alerts).	EU / US
Weather-data providers (Open-Meteo, OpenWeather, WorldWeatherOnline)	Receive coordinates / dates from us to return weather data; recipients of geographic data only, not account data.	Global
Analytics & error-tracking (e.g., Vercel Analytics, Sentry)	Aggregated usage analytics and crash reporting.	EU / US
Public authorities, regulators, courts	Where required by law or to establish, exercise or defend legal claims.	As applicable

We may also disclose data in connection with a merger, acquisition, reorganisation or sale of assets — in which case we will require the successor to honour this Privacy Policy or notify you of any material change.

5. International data transfers

The Service is operated globally and your personal data may be processed in countries other than your own, including the United States and the European Economic Area. Where we transfer personal data out of the EEA, the United Kingdom or Switzerland to a country that has not been deemed adequate, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, supplemented where necessary by additional technical and organisational measures.

[LEGAL REVIEW REQUIRED — confirm SCC/IDTA execution with each sub-processor and add a TIA summary if requested by counsel.]

6. Your rights

Depending on where you live, you have some or all of the following rights:

Access — request a copy of the personal data we hold about you;
Rectification — ask us to correct inaccurate or incomplete data;
Erasure ("right to be forgotten") — ask us to delete your data, subject to legal exceptions;
Restriction — ask us to limit how we use your data;
Portability — receive your data in a structured, commonly used, machine-readable format;
Objection — object to processing based on our legitimate interests, including profiling, and to direct marketing at any time;
Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of processing before withdrawal;
No automated decisions — we do not make decisions producing legal or similarly significant effects about you based solely on automated processing.

California residents (CCPA/CPRA) additionally have the right to know, delete and correct their personal information, the right to opt out of any "sale" or "sharing" of personal information (we do not sell or share — see Section 4), the right to limit the use of sensitive personal information (we do not collect such information), and the right to non-discrimination for exercising these rights.

To exercise any right, email privacy@fishday.pro from the address on your account, or contact us at admin@fishday.pro. We will respond within the timeframes required by applicable law (within 30 days under the GDPR, extendable by two further months for complex requests, with a status update). We may need to verify your identity before acting on a request. You may use an authorised agent where allowed by law.

If you are in the EEA, the UK, or Switzerland, you also have the right to lodge a complaint with your local supervisory authority. We would, however, appreciate the chance to address your concern first.

7. Data retention

Account & User Content — while your account is active and for up to 90 days after deletion, after which we delete or anonymise it (longer retention may apply for backup rotations, typically up to 30 days).
Marketplace transaction records — retained for as long as required to support buyer/seller disputes and applicable warranty periods.
Payment, invoice and tax records — retained for the period required by applicable accounting and tax laws (typically 5–10 years).
Technical and security logs — retained for up to 12 months.
Backups — older snapshots are rotated out on a rolling basis, generally within 35 days.
Marketing preferences — we keep records of your opt-out / suppression list indefinitely so we can honour your choice.

We may retain data for longer where necessary to comply with a legal obligation, resolve disputes, prevent fraud or abuse, or enforce our agreements.

8. Cookies & similar technologies

We use a small number of cookies and similar storage technologies:

Strictly necessary — for authentication (NextAuth session cookies), CSRF protection, the locale you choose, and load-balancing. These cannot be disabled.
Functional — remembering your unit preferences, recently viewed locations, and similar settings.
Analytics & performance — aggregated usage and error data to improve the Service. Where required by law (e.g., in the EEA/UK) we ask for your consent before setting non-essential cookies.

You can manage cookies in your browser settings and, where shown, via our cookie banner. Disabling strictly necessary cookies will break parts of the Service.

We honour Global Privacy Control (GPC) signals where required by applicable law.

9. Security

We implement reasonable and appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These include:

encryption in transit (TLS) for all traffic to and from the Service;
encryption at rest for the database and backups (provided by our managed-database vendor);
password hashing using modern algorithms; we never store plaintext passwords;
least-privilege access control, audit logging and Row-Level Security on sensitive tables;
multi-factor authentication on administrative consoles;
regular dependency updates, monitoring and incident-response procedures.

No method of transmission or storage is 100% secure. If we become aware of a breach affecting your personal data, we will notify you and the relevant authorities as required by applicable law.

10. Marketplace & user-shared data

When you publish a listing on the Marketplace, the location coordinates, date(s), description and any related notes become available to buyers who unlock the listing with Tokens, and may be visible in aggregated form on Marketplace browse pages. Do not include personal information you do not want others to see in a Marketplace listing. You can delete a listing at any time, but we cannot recall copies that buyers have already accessed.

11. Children

The Service is not directed to children under 13 (or under 16 in the EEA/UK) and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact privacy@fishday.pro and we will take appropriate action, including deleting the data.

12. Automated decision-making & profiling

We do not engage in automated decision-making that produces legal or similarly significant effects about you. Some Service features (e.g., FishDay Watch matching) compare data automatically and produce informational outputs only.

13. Third-party links

The Service may contain links to third-party sites (e.g., weather providers, Stripe billing portal). Their privacy practices are governed by their own policies, which we encourage you to review.

14. Changes to this Policy

We may update this Privacy Policy from time to time. The latest version will always be available at this URL with the "Effective date" updated. If we make material changes, we will notify you in-product or by email at least 14 days before they take effect, except where a shorter period is required by law or for security reasons.

15. Contact & complaints

Questions, requests under Section 6, or complaints can be sent to:

FishDay — Privacy

Email: privacy@fishday.pro (or admin@fishday.pro)

Web: https://www.fishday.pro

[LEGAL REVIEW REQUIRED — if/when EU exposure makes it required, appoint an Article 27 GDPR representative and add their details here. Likewise, name the lead supervisory authority once the EU establishment is finalised.]