Privacy Policy
Last updated: January 10, 2026
Thalweg ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our fishing intelligence platform at thalweg.app (the "Service").
1. Our Privacy Commitment
Privacy is not an afterthought at Thalweg—it is our foundation. We built this platform because we were frustrated with fishing apps that encourage oversharing and exploit user data. Our core principles are:
- Your catch data is private by default. No public profiles, no leaderboards, no sharing features.
- Row Level Security (RLS) at the database level ensures only you can access your personal fishing data.
- We do not sell or share your personal data with third parties for advertising or marketing purposes.
- Minimal data collection. We only collect what is necessary to provide the Service.
2. Information We Collect
2.1 Information You Provide
When you create an account and use Thalweg, you may provide:
- Account Information: Email address and password (password is hashed and never stored in plain text)
- Catch Logs: Species, location, date, time, gear/lure used, notes, and photos you choose to log
- Preferences: Favorite rivers, display settings, notification preferences
- Waypoints: Custom map markers and notes you create
2.2 Information Collected Automatically
When you use the Service, we automatically collect:
- Environmental Snapshots: When you log a catch, we automatically capture weather, water conditions, and tide data from our data sources (USGS, NOAA) at that moment
- Technical Data: Browser type, operating system, device type, and general location (country/region) for Service optimization
2.3 Information We Do NOT Collect
- Precise GPS location tracking while you use the app
- Contact lists or address books
- Social media accounts or connections
- Biometric data
- Financial or payment information (the Service is free)
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Display your personalized dashboard and catch logs
- Save your preferences and settings
- Send Service-related communications (account verification, security alerts, important updates)
- Respond to your requests and provide customer support
- Detect, prevent, and address technical issues or abuse
4. How We Protect Your Information
4.1 Row Level Security (RLS)
Your catch logs, waypoints, and personal fishing data are protected by PostgreSQL Row Level Security at the database level. This means:
- Database queries are automatically filtered to only return data belonging to your authenticated user account
- Even if someone gains access to our database, they cannot query other users' data without their authentication credentials
- Our team cannot access your personal catch data without your explicit permission
4.2 Data Storage
- Database: Your data is stored in Supabase (PostgreSQL) with encryption at rest and in transit
- Photos: Catch photos are stored in Supabase Storage with user-specific access controls
- Infrastructure: All infrastructure runs on secure, industry-standard cloud providers (AWS, Supabase)
4.3 Authentication
We use Supabase Auth for secure authentication. Passwords are hashed using bcrypt and never stored in plain text. We support secure session management with automatic token refresh.
5. Third-Party Services
We use the following third-party services to provide environmental data and infrastructure:
5.1 Data Sources (Public APIs)
- USGS NWIS: Water conditions data (flow, temperature, turbidity). No personal data is sent to USGS.
- NOAA National Weather Service: Weather forecasts and barometric pressure. No personal data is sent to NOAA.
- NOAA CO-OPS: Tide predictions. No personal data is sent to NOAA.
- Open-Meteo: Additional weather data. No personal data is sent to Open-Meteo.
5.2 Infrastructure Providers
- Supabase: Database hosting, authentication, and file storage. Supabase is GDPR compliant and SOC 2 Type II certified. See the Supabase Privacy Policy.
- Amazon Web Services (AWS): Lambda functions for data ingestion, CloudFront for content delivery, S3 for static assets. See the AWS Privacy Policy.
- MapTiler: Base map tiles for visualization. Your general location (tile coordinates) is transmitted when loading maps. See the MapTiler Privacy Policy.
6. Cookies and Local Storage
Thalweg uses cookies and local storage for essential functionality:
- Authentication Cookies: Session tokens to keep you logged in securely
- Local Storage: User preferences, UI state, and offline data caching
We do not use third-party tracking cookies or analytics that track you across websites. We do not display advertisements.
7. Your Rights and Choices
7.1 Access and Export
You can access all your personal data through the Thalweg app at any time. We provide the ability to export your complete catch history and account data in a standard format.
7.2 Deletion
You can delete your account and all associated data at any time through your account settings. When you delete your account:
- All your catch logs are permanently deleted
- All your photos are permanently deleted
- All your waypoints and preferences are permanently deleted
- Your email address is removed from our database
Deletion is permanent and cannot be undone. Some anonymized, aggregated data may be retained for Service analytics.
7.3 Communications
You can opt out of non-essential communications at any time. We will still send important Service-related messages (security alerts, Terms of Service updates) as permitted by law.
8. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. After account deletion, we may retain anonymized, aggregated data for analytics purposes. We retain technical logs for a limited period (typically 30 days) for security and troubleshooting purposes.
9. Children's Privacy
Thalweg is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.
10. International Data Transfers
Your data may be processed and stored in the United States, where our infrastructure providers are located. By using the Service, you consent to the transfer of your data to the United States. We ensure all transfers comply with applicable data protection laws.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us.
13. California Privacy Rights
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information we collect
- Right to delete your personal information
- Right to opt out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising your rights
To exercise these rights, contact us.
14. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):
- Right of access to your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
Our legal basis for processing personal data is your consent (account creation) and legitimate interests (Service improvement, security).