Skip to main content
Legal

Privacy Policy

Effective May 15, 2026 · Last updated May 15, 2026

The short version

  • We collect the bare minimum needed to run and improve a fishing-report subscription: email, a hashed password (or a Google sign-in token), the waters you save, product analytics about how FishCast is used, and masked session recordings for debugging and UX improvement.
  • We never sell your personal information.
  • We don't store your payment card. Stripe does.
  • You can delete your account and your data from Account & billing at any time.
  • We're a tiny team. If you have a question, email [email protected] and a real person will reply.

1. Who we are

FishCast ("FishCast," "we," "us," "our") provides fishability scores, water-condition reports, and trip planning for anglers in the United States. FishCast is operated by FishCast LLC, a Utah limited liability company based in Utah, U.S.A. When you contract with FishCast, you are contracting with FishCast LLC doing business as FishCast.

This Privacy Policy explains what personal information we collect when you use FishCast and the choices you have about that information.

If you have questions about this policy, contact us at [email protected].

2. Information we collect

Information you give us

  • Account information. When you sign up, we collect your email address and (for password sign-up) a password. Passwords are never stored in plain text; they're hashed by our authentication provider, Supabase, before they reach our database.
  • Google sign-in. If you sign in with Google, we receive the basic profile information Google shares with apps that ask for it: typically your email address and your name. We don't receive your Google password.
  • Saved waters. The list of waters you've pinned to your dashboard.
  • Trip plans. The lat/lng coordinates and labels for trips you plan in the app.
  • Your location (optional). If you enable the "Near Me" feature, we ask your browser for your current location so we can show waters close to you. Your coordinates are sent to our server for that single request and are not stored in our database. We cache them locally on your device (in localStorage) for up to 24 hours so you don't get re-prompted on every visit. You can revoke location access at any time through your browser's site settings, and we will not prompt you again unless you ask.
  • Support correspondence. If you email us, we keep the message so we can reply and so we can spot patterns (e.g., a feature multiple people are confused by).

Information collected automatically

  • Server logs. Each request to FishCast is logged with an IP address, user-agent string, request path, and response status by our hosting provider. We use these for debugging, abuse detection, and capacity planning, and we retain them no longer than reasonably necessary for those purposes.
  • Local storage. Your browser stores your authentication session locally so you stay signed in across page loads. We also store small preferences in your browser, including which map style you've selected and whether you've dismissed the install-prompt or trial-status banner. None of this is shared with any third party.
  • Service-worker cache. FishCast is a progressive web app, so your browser caches static assets (JavaScript, stylesheets, fonts, map tiles) for faster reloads. Live water data — gauge readings, weather, regulations, chatter — is fetched fresh from the server on every visit; we do not store the substance of your water reports on your device. You can clear the cache at any time by clearing your site data.
  • Product analytics and masked session recordings. We use PostHog to understand which pages and features are working, such as signup flow steps, searches completed, reports opened, waters saved, and trip-planner usage. PostHog may also record masked interaction sessions so we can debug broken flows and improve the interface. We do not send payment-card details, raw search query text, exact trip-planner coordinates, or your email/name as analytics properties by default, and we mask page text and element attributes in recordings.

Information we do not collect

  • Payment cards. Card details go directly to Stripe. They never touch our servers. We only ever see a Stripe customer ID and subscription metadata.
  • Your real-time location on an ongoing basis. (If you opt in to "Near Me," we read your position once per visit to find nearby waters (see above), but we do not track you continuously or store your location in our database.)
  • Browsing activity outside FishCast.
  • Information from your contacts, photos, or other apps.

3. How we use information

  • To run the service: authenticate you, render your reports, save your pins, plan your trips.
  • To process payments and manage your subscription via Stripe.
  • To detect and prevent abuse, fraud, and security incidents.
  • To send transactional emails: sign-up confirmations, password resets, trial-ending notices, billing receipts. We do not send marketing emails without separate consent.
  • To debug, monitor performance, measure conversion funnels, and improve the product.
  • To comply with legal obligations.

We do not use your personal information to train AI models. The only AI calls FishCast makes are to an OpenAI model that summarizes public fishing-report snippets and extracts the fly or lure patterns named in them. Those calls operate exclusively on third-party material we've already retrieved from Google search results — never on your account data, your saved waters, or anything you've written. The fishability score itself is produced by a deterministic algorithm, not by AI.

FishCast does not perform automated decisions or profiling that have legal or similarly significant effects on you.

4. Service providers we share information with

We use a small set of vendors to operate FishCast. We share only the minimum data each one needs to do its job, and each one is bound by a contract requiring them to handle your data responsibly.

Stripe · payments & subscription billing

We use Stripe for payments, analytics, and other business services. Stripe may collect personal data including via cookies and similar technologies. The personal data Stripe collects may include transactional data and identifying information about devices that connect to its services. Stripe uses this information to operate and improve the services it provides to us, including for fraud detection, loss prevention, authentication, and analytics related to the performance of its services. You can learn more about Stripe and read its privacy policy at stripe.com/privacy.

Supabase · authentication & database

Supabase hosts our user database and processes sign-in requests. They see your email, hashed password, and the records associated with your account. Their privacy practices: supabase.com/privacy.

Resend · transactional email delivery

We use Resend to send transactional emails — saved-water alerts, account notifications, and other operational messages. Resend receives your email address and the body of the message we send (alert content, links, the unsubscribe token for that email). It does not receive your password, your saved-waters list, or your payment information. resend.com/legal/privacy-policy.

Railway · application hosting

Railway runs the FishCast servers and stores server logs (IP addresses, request metadata) on our behalf. railway.com/legal/privacy.

Mapbox · map tiles

The maps in FishCast load tiles from Mapbox. When your browser loads a tile, Mapbox receives your IP address and the geographic area being viewed. mapbox.com/legal/privacy.

Cloudflare Stream · video hosting and delivery

If you upload a clip to the FishCast feed, the video file goes directly from your browser to Cloudflare Stream's upload endpoint. Cloudflare stores the original file, transcodes it for HLS playback, and serves it to other anglers when they view your post. Cloudflare receives the video itself and standard delivery telemetry (IP address, user-agent, viewer location at the network level). It does not receive your account credentials or the rest of your profile data. cloudflare.com/privacypolicy.

PostHog · product analytics

We use PostHog to measure how people move through FishCast and which features help users get value. PostHog receives product events such as page views, button clicks, signup and checkout steps, searches completed, reports opened, waters saved, and trip-planner results loaded. We also use PostHog session replay with masking enabled to debug broken flows and improve the product experience. We avoid sending raw search query text, exact trip-planner coordinates, payment-card details, or email/name analytics properties by default, and we mask page text and element attributes in recordings. PostHog's privacy practices: posthog.com/privacy.

Google · OAuth sign-in & web fonts

If you sign in with Google, Google authenticates you and shares your email and profile information with us. We also load fonts from Google Fonts; Google receives your IP address when fonts load. policies.google.com/privacy.

OpenAI & Serper · server-side, no user data

We send public fishing-report snippets (already published on the open web) to OpenAI for two purposes: to summarize each snippet into a short, faithful description, and to extract the fly or lure patterns named in it. We send water names to Serper for web search. Neither receives your account information, your IP address, or anything you've written. Their privacy practices: openai.com/policies/privacy-policy, serper.dev/privacy.

Open-Meteo & USGS · anonymous public data

Weather and stream-flow data come from public APIs. We send only a lat/lng of the water being viewed. If you use "Near Me," the server uses your coordinates to find waters within a radius. Those coordinates are not forwarded to any third-party API. No personal data is shared with Open-Meteo or USGS.

We do not sell or share your personal information with advertisers. We do not engage in cross-context behavioral advertising.

5. Your rights

If you live in the European Economic Area, United Kingdom, or Switzerland (GDPR)

You have the right to:

  • Access the personal information we hold about you.
  • Correct information that is inaccurate.
  • Delete your information ("right to erasure").
  • Restrict or object to certain processing.
  • Receive your information in a portable format.
  • Withdraw consent (where processing is based on consent).
  • Lodge a complaint with your national data protection authority.

Our legal bases for processing: contract (running the service you've signed up for), legitimate interests (security, abuse detection, product improvement), consent (where you've affirmatively opted in), and legal obligation (tax records, regulatory requests).

If you live in California, Colorado, Connecticut, Virginia, Utah, or another US state with a comprehensive privacy law

You have the right to:

  • Know. Request a list of the categories and specific pieces of personal information we have about you, and how we use them.
  • Correct. Ask us to fix inaccurate information.
  • Delete. Ask us to delete your information.
  • Opt out of sale or sharing. We don't sell or share your personal information for cross-context behavioral advertising, so there's nothing to opt out of, but the right exists if our practices ever change.
  • Limit use of sensitive personal information. We don't use sensitive personal information for purposes beyond providing the service.
  • Non-discrimination. We won't deny service, charge different prices, or provide a different level of service for exercising any of these rights.

California residents can also request the categories of personal information disclosed to third parties under California Civil Code § 1798.83 ("Shine the Light").

We respond to Global Privacy Control (GPC) signals as opt-out-of-sale requests, even though we don't sell. If you send a GPC signal, your browser will receive a confirmation that the request was honored.

How to exercise your rights

Email [email protected] from the address associated with your account. We'll verify it's you and respond within 45 days (CCPA / state laws) or 30 days (GDPR), with one possible 45- or 60-day extension if your request is complex. There is no fee.

You can also delete your account directly from Account & billing. That erases your row, your saved waters, and your trip plans, and cancels your subscription. Server log entries fall off naturally after their retention window.

6. Children

FishCast is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, contact us and we will delete it.

7. International transfers

FishCast is operated from the United States. If you use FishCast from outside the United States, your information will be transferred to and processed in the U.S. Our vendors that handle data internationally (including Stripe and Supabase) maintain their own data-protection frameworks (such as Stripe's Data Privacy Framework certification and Standard Contractual Clauses) covering transfers from the EEA, the UK, and Switzerland to the United States.

8. Data retention

We keep your information only as long as we need it for the purposes described in this policy, and only as long as the law requires.

  • Account information & saved waters: kept while your account is active. When you delete your account, we delete your row from our user table and your saved-waters and trip-plan records.
  • Subscription & billing records: the source of truth lives in Stripe; their retention policy applies to the underlying payment data. We mirror the bare minimum needed to gate access (Stripe customer ID, subscription status, plan, period dates) and remove that mirror when the account is deleted, except where we are legally required to keep records for tax or audit purposes.
  • Server logs: retained for as long as our hosting provider's defaults require, and only for as long as we need them to operate the service.
  • Support correspondence: kept while it's useful for follow-up, then deleted.

9. Security

FishCast relies on industry-standard practices provided by our infrastructure: TLS in transit, encrypted-at-rest databases via Supabase, password hashing handled by Supabase Auth, and short-lived authentication tokens. No system is perfectly secure; if you suspect your account has been compromised, change your password and email us immediately.

10. Cookies and similar technologies

FishCast uses your browser's local storage to keep you signed in and to store app preferences. PostHog may use cookies or local storage to remember an anonymous device ID and measure product usage across visits. We do not use third-party advertising cookies. Stripe and Mapbox set their own functional cookies on the pages where their services load (checkout, billing portal, map views); you can review their cookie policies via the links in Section 4.

11. Changes to this policy

If we make material changes, we'll update the "Last updated" date above and notify you by email or via an in-app banner. Continued use of FishCast after the new policy takes effect means you accept it.

12. Contact us

Questions, requests, or complaints: [email protected]