Privacy Policy

Last updated: March 15, 2026

Thalweg ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our fishing intelligence platform at thalweg.app (the "Service").

1. Our Privacy Commitment

Privacy is not an afterthought at Thalweg—it is our foundation. We built this platform because we were frustrated with fishing apps that encourage oversharing and exploit user data. Our core principles are:

  • Your Locker data is private by default. No public profiles, public catch feeds, or public heatmaps.
  • Strong access controls ensure only authorized account holders can access private Locker and Safety Check-In data.
  • We do not sell or share your personal data with third parties for advertising or marketing purposes.
  • Minimal data collection. We only collect what is necessary to provide the Service.

2. Information We Collect

2.1 Information You Provide

When you create an account and use Thalweg, you may provide:

  • Account Information: Email address and password (password is hashed and never stored in plain text)
  • Locker Data: Activities, catches, observations, notes, photos, media, and summary details you choose to save
  • Safety Check-In Data: Safety contacts, trip timer details, check-in notes, and related status history
  • Preferences: Favorite rivers, display settings, notification preferences

2.2 Information Collected Automatically

When you use the Service, we automatically collect:

  • Environmental Snapshots: When you save Locker activity, we automatically capture weather, water conditions, and tide data from our data sources (USGS, NOAA) at that moment
  • Location Data You Permit: If you grant location access for Locker activity logging, maps, or Safety Check-In, we may collect precise coordinates needed to provide those features
  • Technical Data: Browser type, operating system, device type, and general location (country/region) for Service optimization

2.3 Information We Do NOT Collect

  • Contact lists or address books
  • Social media accounts or connections
  • Biometric data
  • Financial or payment information (unless and until billing is introduced)

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Display your personalized dashboard, Locker data, and Safety Check-In status
  • Save your preferences and settings
  • Send Service-related communications (account verification, security alerts, important updates)
  • Respond to your requests and provide customer support
  • Detect, prevent, and address technical issues or abuse

4. How We Protect Your Information

4.1 Data Access Controls

Your Locker and Safety Check-In data are protected by account-level access controls. This means:

  • Requests only return data associated with your authenticated account
  • Access to operational tooling is limited to what is necessary to run and secure the service

4.2 Data Storage

  • Database: Your data is stored in Supabase (PostgreSQL) with encryption at rest and in transit
  • Media: Locker photos and other media are stored in Supabase Storage with user-specific access controls
  • Infrastructure: All infrastructure runs on secure, industry-standard cloud providers (AWS, Supabase)

4.3 Authentication

We use Supabase Auth for secure authentication. Passwords are hashed using bcrypt and never stored in plain text. We support secure session management with automatic token refresh.

5. Third-Party Services

We use the following third-party services to provide environmental data and infrastructure:

5.1 Data Sources (Public APIs)

  • USGS NWIS: Water conditions data (flow, temperature, turbidity). No personal data is sent to USGS.
  • NOAA / NWS: Weather forecasts, barometric pressure, tides, currents, and alerts. No personal data is sent to these providers.
  • Fish Passage Center, DART, and state/tribal sources: Biological and fish-passage context. No personal Locker data is sent to these providers.
  • Open-Meteo: Additional weather data. No personal data is sent to Open-Meteo.

5.2 Infrastructure Providers

  • Supabase: Database hosting, authentication, and file storage. Supabase is GDPR compliant and SOC 2 Type II certified. Supabase Privacy Policy
  • Amazon Web Services (AWS): Lambda functions for data ingestion, CloudFront for content delivery, S3 for static assets. AWS Privacy Policy
  • MapTiler: Base map tiles for visualization. Your general location (tile coordinates) is transmitted when loading maps. MapTiler Privacy Policy

6. Cookies and Local Storage

Thalweg uses cookies and local storage for essential functionality:

  • Authentication Cookies: Session tokens to keep you logged in securely
  • Local Storage: User preferences, UI state, and offline queue/caching support used by current product features

We do not use third-party tracking cookies or analytics that track you across websites. We do not display advertisements.

7. Your Rights and Choices

7.1 Access and Export

You can access all your personal data through the Thalweg app at any time. We provide the ability to export your Locker history and account data in a standard format.

7.2 Deletion

You can delete your account and all associated data at any time through your account settings. When you delete your account:

  • All your Locker activities and entries are permanently deleted
  • All your Locker media is permanently deleted
  • Your Safety Check-In contacts and trip history are permanently deleted
  • Your preferences are permanently deleted
  • Your email address is removed from our database

Deletion is permanent and cannot be undone. We may retain limited security and operational logs for troubleshooting and legal compliance.

7.3 Communications

You can opt out of non-essential communications at any time. We will still send important Service-related messages (security alerts, Terms of Service updates) as permitted by law.

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. After account deletion, we may retain limited technical and security logs for a short period for security and troubleshooting purposes.

9. Children's Privacy

Thalweg is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

10. International Data Transfers

Your data may be processed and stored in the United States, where our infrastructure providers are located. By using the Service, you consent to the transfer of your data to the United States. We ensure all transfers comply with applicable data protection laws.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us.

13. California Privacy Rights

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information we collect
  • Right to delete your personal information
  • Right to opt out of the sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising your rights

To exercise these rights, contact us.

14. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):

  • Right of access to your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing

Our legal basis for processing personal data is your consent (account creation) and legitimate interests (Service improvement, security).
