Privacy Policy

Last updated: April 24, 2026

CatchVault ("we," "us," or "our") operates the CatchVault mobile application and the website at catchvault.co. This Privacy Policy explains what information we collect, how we use it, who receives it, and the rights and choices you have.

By using CatchVault, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the app or website.

Your Rights and Choices

  • Access and update — you can view and edit your profile information and catches at any time within the app.
  • Delete catches — you can delete individual catches, comments, likes, and follow connections from within the app.
  • Delete your account — you can delete your entire account from the app settings. This hard-deletes your profile, catches, and associated data from our active servers. See Data Retention below for information about backups and legally-required retention.
  • Profile visibility — you can set your profile to private at any time, which hides your catches and profile from other users.
  • Revoke permissions — you can revoke camera, photo, or location permissions at any time through your device settings.
  • Marketing communications — we do not currently send marketing emails. If that changes, any marketing message will include an unsubscribe link, and you will continue to receive transactional and account messages (password resets, subscription receipts, policy updates) which are necessary to operate the service.
  • Research opt-out — you may opt your data out of future research licensing datasets. See Research, Conservation, and Fisheries Data Licensing below.
  • Regional rights — California, EU, UK, EEA, and Swiss residents have additional rights described in the California Privacy Rights and EU / UK / EEA Privacy Rights sections below.

Information We Collect

Account Information

When you create an account, we collect your name, email address, and an optional profile photo. You can sign up with email and password, Apple Sign In, or Google Sign In. If you use Apple or Google Sign In, we receive only the information those services provide (typically your name and email).

Profile Information

You may optionally provide additional profile details including a display name, profile slug (username), and the states where you fish. You can set your profile to public or private at any time.

Content that is public by default. If your profile is public, your display name, profile slug, profile photo, logged catches, and comments are visible to other CatchVault users. Your display name and aggregate statistics may also appear on leaderboards, species pages, and event standings. You can switch your profile to private at any time from the app settings, which hides your individual catches and profile details from other users. Direct messages, email address, precise GPS coordinates, and gear setups are never public regardless of profile visibility.

Catch Data

When you log a catch, we collect the information you provide: species, length, weight, fishing technique, lure or bait used, photos, and any notes. If you grant location permission, we record the GPS coordinates of your catch. Photos may also be analyzed on-device using AI for species identification and LiDAR-based length measurement on supported devices.

Weather Data

When you log a catch with location data, we automatically fetch weather conditions (temperature, wind, pressure, humidity, precipitation, cloud cover, UV index, and related atmospheric data) from Open-Meteo, a third-party weather service. Only your catch coordinates and timestamp are sent to retrieve this data.

Messages and Social Features

CatchVault includes social features such as direct messages, comments, likes, and the ability to follow other anglers. The content of messages you send, comments you post, and your social interactions are stored to provide these features.

Device and Usage Information

We may collect basic device information such as device type and operating system version to ensure app compatibility and improve performance. We use on-device caching to store images locally for faster loading.

Push Notification Tokens

If you grant push notification permission, we generate and store a device push token so we can deliver notifications (such as direct messages, follow requests, and event updates) to your device. Tokens are issued via Firebase Cloud Messaging (Google LLC) and stored alongside your account. You can revoke push notification permission at any time in your device settings.

Crash and Diagnostic Data

We use Firebase Crashlytics (Google LLC) to collect crash reports and technical stability data — including device model, operating system version, app version, installation identifier, and stack traces — so we can diagnose and fix bugs. Crash reports do not include your name, email address, catch photos, catch coordinates, message contents, or other catch data.

How We Use Your Information

  • Provide the service — display your catches, populate leaderboards, enable social features, and show your profile to other users (if public).
  • AI Fishing Assistant — if you use the Finn AI assistant, your catch history and question are sent to our AI provider (Anthropic) to generate personalized fishing advice. This data is not used to train AI models.
  • Weather context — attach real-time weather data to your catches so you can identify patterns over time.
  • Species information — species names may be sent to Wikipedia to retrieve reference information displayed in the app.
  • Tournaments and events — if you join tournaments, your relevant catch data is used to calculate standings and rankings.
  • Improve the app — we may use aggregated, non-identifiable data to understand usage patterns and improve features.
  • Security and abuse prevention — we may use account data, device information, and usage patterns to detect and respond to abuse, fraud, policy violations, and security threats.
  • Research, conservation, and sustainable fisheries — we may include your catch data in aggregated, de-identified datasets licensed to third-party organizations whose use is consistent with scientific, conservation, or sustainable fisheries management purposes. See the Research, Conservation, and Fisheries Data Licensing section below for details and opt-out options.

Legal Bases for Processing (EU / UK / EEA)

If you are located in the European Union, European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases under Article 6 of the GDPR (and equivalent UK GDPR and Swiss FADP provisions) to process your personal data:

  • Performance of a contract (Art. 6(1)(b)) — to create and operate your account, deliver the core app features, process your subscription, deliver messages and notifications, and provide customer support.
  • Legitimate interests (Art. 6(1)(f)) — to secure the service against fraud and abuse, investigate technical issues using crash diagnostics, and understand how the app is used through product analytics. Where we rely on legitimate interests, we balance them against your rights and reasonable expectations, and you may object at any time.
  • Consent (Art. 6(1)(a)) — for optional processing such as collection of precise location, push notifications, and inclusion of your de-identified catch data in research datasets. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and other legal requirements and to respond to lawful requests from public authorities.

Service Providers

We engage the following service providers to process personal data on our behalf, under written contracts that limit their use of the data to providing services to us. Each entry describes what the recipient receives and what they explicitly do not receive.

  • Supabase — cloud database, authentication, and file storage for your account data, catches, photos, comments, and messages. Data is stored on Supabase-managed infrastructure in the United States.
  • Anthropic (Claude API) — powers the Finn AI fishing assistant and cloud length estimation fallback. Receives your catch history entries (species, length, weight, timestamp, approximate location) and your typed question in order to generate a response. Anthropic does not receive your name, email address, profile photo, message contents, or payment information, and does not use this data to train AI models.
  • OpenAI — powers the cloud fish-analysis fallback used when the on-device CoreML classifier is not confident. Receives your catch photo and any measurement data we have for it so it can identify the species and estimate size. OpenAI does not receive your name, email address, account credentials, message contents, or payment information, and does not use this data to train models under the terms of our API agreement.
  • Open-Meteo — weather data provider. Receives GPS coordinates and timestamps to return weather conditions. Open-Meteo does not receive your name, email address, account identifier, photos, or catch notes.
  • Wikipedia API — used to fetch species reference information. Only species names are sent; no personally identifying information is transmitted.
  • PostHog — product analytics provider. Receives event data (screen views, feature usage, session metadata) and app and device metadata (operating system, app version, device model). To enable per-user funnels and account-level debugging, we associate events with your CatchVault user ID and email address. PostHog does not receive precise location, catch photos, catch notes, message contents, comments, or payment information.
  • Firebase Cloud Messaging (Google LLC) — delivers push notifications to your device. Receives your Firebase Cloud Messaging device token, basic app/device metadata, and the notification payload text (for example "New message from @angler"). Firebase Cloud Messaging does not receive your name, email address, catch photos, catch coordinates, full message contents, or payment information.
  • Firebase Crashlytics (Google LLC) — crash and stability reporting. Receives crash stack traces, device model, operating system version, app version, and a Firebase installation identifier when the app crashes or reports a non-fatal error. Crashlytics does not receive your name, email address, catch photos, catch coordinates, message contents, comments, or payment information.
  • Google Cloud (Cloud Run) — hosts the serverless functions that power AI-assisted fish length measurement, cloud species analysis, and account deletion. Receives your catch photo and, on supported devices, depth data for transient processing. Google Cloud Run does not retain the image or depth data after returning a result, and does not receive your name, email address, message contents, comments, or payment information.
  • Apple & Google (Sign-In) — if you choose to sign in via Apple or Google, authentication is handled by their respective services under their own privacy policies. We receive from these providers only the limited profile information you authorize (typically your name, email address, and a stable user identifier).
  • Other vendors and service providers — we may from time to time engage additional vendors (for example, email-delivery or customer-support tools) to support the service. Any such vendor will be contractually bound to process personal data only for the purposes we specify and to apply appropriate security safeguards.

How We Share Your Information

Beyond the service providers listed above who process data on our behalf, we share personal information only in the following limited circumstances:

  • With other users — when you make content public (catches, comments, profile), that content is visible to other CatchVault users and may appear on leaderboards and event standings.
  • Research, conservation, and fisheries partners — we may share de-identified, aggregated data with vetted partners under binding Data Use Agreements. See the Research, Conservation, and Fisheries Data Licensing section below.
  • Legal process — we may access, preserve, and disclose personal information if we believe in good faith it is required or appropriate to (a) comply with applicable law, legal process, or enforceable governmental requests (such as a subpoena, court order, or search warrant); (b) enforce our Terms of Service, including investigating potential violations; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of CatchVault, our users, or others.
  • Business transfers (merger, sale, or other transaction) — if CatchVault is involved in a merger, acquisition, sale of assets, financing, reorganization, bankruptcy, or change of control, your personal information may be transferred to the successor or acquiring entity. We will require the recipient to honor this Privacy Policy or provide you notice and choice before materially changing how your data is used.
  • With your consent — we may share personal information with additional third parties where you have given us your express consent to do so.

We do not sell your personal information. We do not sell, rent, or trade your personal information — including your name, email address, account credentials, precise location, or individual catch records — to advertisers, data brokers, or any other third party. We do not sell personal information as defined under the California Consumer Privacy Act (CCPA) or other applicable privacy laws.

Separately, CatchVault may license aggregated, de-identified catch and environmental data (with personal identifiers removed and location aggregated to the county level) to the research, conservation, fisheries, and industry partners described below. Because this data has been de-identified and aggregated in accordance with applicable law, it is not personal information and its licensing is not a "sale" of personal information under the CCPA or similar statutes.

Research, Conservation, and Fisheries Data Licensing

CatchVault may license catch data, species observation data, and related environmental metadata (weather conditions, location at the county level, fishing conditions) to third-party organizations whose use is consistent with scientific, conservation, or sustainable fisheries management purposes. Eligible recipients may include:

  • Academic and scientific research institutions and universities
  • Government wildlife, fisheries, and natural-resource agencies at the federal, state, tribal, and local level
  • Non-profit conservation and angling-advocacy organizations (for example, conservation trusts, fisheries-focused non-profits, and recreational-angler advocacy groups)
  • Sustainable seafood certifiers, habitat-offset programs, and fisheries consultancies
  • Private-industry research and development partners — including fishing tackle and equipment manufacturers — that fund or conduct species, habitat, or angler-behavior research

Before data is shared:

  • All data is aggregated or de-identified to remove personal identifiers. Location data is aggregated to the county level; GPS coordinates are never shared.
  • Recipients must sign a binding Data Use Agreement limiting use to scientific, conservation, or sustainable fisheries management purposes.
  • Recipients are contractually prohibited from attempting to re-identify individual users and from re-selling or re-licensing the data to unapproved third parties.

You may opt out of having your catch data included in future research datasets by contacting support@catchvault.co. Opting out will exclude your data from future research datasets. Data already included in previously delivered datasets cannot be recalled, but will not be refreshed or updated in subsequent deliveries.

Affiliate and Brand Partnerships

CatchVault may participate in affiliate programs or brand partnerships with fishing tackle manufacturers, retailers, and other outdoor industry companies. This means we may earn a commission if you purchase a product or service through a link or recommendation within the app or on our website.

Affiliate and partner content will always be clearly identified. These partnerships do not affect how we collect, store, or use your personal data. We do not share your personal information with affiliate or brand partners unless you explicitly opt in to a specific offer or promotion that requires it.

Device Permissions

  • Camera & Photo Library — used to take or select photos of your catches. Photos are uploaded to our servers when you log a catch.
  • Location — used to tag catches with GPS coordinates and to fetch weather data. Location access is optional and can be revoked at any time in your device settings. We request approximate location accuracy (within about 1 kilometer).
  • LiDAR Sensor — on supported devices, used for on-device fish length measurement. LiDAR data is processed locally and is not uploaded.

Data Retention

We retain personal information for as long as necessary to provide the service, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods we apply include:

  • Account and profile data — retained while your account is active.
  • Catch data, photos, comments, and messages — retained while your account is active. De-identified, aggregated copies of catch and environmental data may persist in research datasets previously licensed under our Research Data Licensing program.
  • Crash diagnostics — retained for up to 90 days by Firebase Crashlytics (Google LLC's default retention).
  • Analytics events — retained in PostHog for up to 24 months.
  • Subscription and payment records — retained for up to 7 years to comply with US tax and accounting requirements.
  • Backups — our encrypted database backups are retained on a rolling basis for up to 30 days. When you delete content, it is removed from the active database immediately and ages out of backups within 30 days.
  • Trust-and-safety records — reports, blocks, and moderation records may be retained for up to 2 years after account deletion in order to enforce our Terms of Service and prevent re-registration by abusive users.

What happens when you delete your account. When you delete your account from the app, we hard-delete your profile, catches, photos, comments, messages, and associated data from our active servers. Backups containing deleted data age out within 30 days. We may retain the minimum information required to (a) comply with legal obligations such as tax and accounting, (b) resolve disputes, or (c) enforce our Terms of Service against abuse — in each case only for as long as necessary for that specific purpose.

Data Storage and Security

Your data is stored on Supabase-managed infrastructure with industry-standard encryption in transit and at rest. Photos are stored in secure cloud storage (S3-compatible). We use row-level security policies to ensure users can only access their own private data.

While we take reasonable measures to protect your information, no system is completely secure. We cannot guarantee absolute security of your data.

International Data Transfers

CatchVault is operated from the United States, and our primary service providers (Supabase, Google LLC / Firebase, Anthropic, OpenAI, and Google Cloud) process data in the United States. If you are located in the European Union, European Economic Area, United Kingdom, Switzerland, or another jurisdiction with data protection laws differing from those of the United States, your personal data will be transferred to, processed, and stored in the United States.

Where we transfer personal data from the EU/EEA, UK, or Switzerland to the United States or other countries that have not received an adequacy decision, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), and, where available, our service providers' certification under the EU–US Data Privacy Framework and its UK Extension. You may request a copy of the applicable safeguards by contacting support@catchvault.co.

California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information:

  • Right to know — you have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom it is shared.
  • Right to delete — you have the right to request deletion of your personal information. You can delete your account and all associated data directly from the app, or contact us to submit a deletion request.
  • Right to correct — you have the right to request that we correct inaccurate personal information we maintain about you.
  • Right to opt out of sale or sharing — we do not sell personal information as defined under the CCPA, nor do we share personal information for cross-context behavioral advertising. When data is shared with research, conservation, fisheries, or industry partners, it is de-identified and aggregated and therefore not personal information under applicable law. You may nevertheless request that your data be excluded from research datasets by contacting support@catchvault.co.
  • Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights. You will not receive a different level of service or pricing for making a privacy request.

To exercise any of these rights, please contact us at support@catchvault.co. We will respond to verifiable requests within 45 days.

EU / UK / EEA Privacy Rights

If you are located in the European Union, European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR (and UK GDPR and Swiss FADP where applicable):

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request that we correct inaccurate or incomplete personal data.
  • Erasure — request that we delete your personal data where we do not have an overriding legal obligation to retain it.
  • Restriction — request that we restrict processing of your personal data in certain circumstances.
  • Objection — object to our processing of your personal data where we rely on legitimate interests or for direct marketing.
  • Portability — receive a copy of the personal data you have provided to us in a structured, commonly-used, machine-readable format.
  • Withdraw consent — where we process data based on your consent, withdraw that consent at any time (withdrawal does not affect the lawfulness of processing before the withdrawal).
  • Lodge a complaint — file a complaint with your local supervisory authority. In the UK, that authority is the Information Commissioner's Office (ico.org.uk). EU/EEA residents can find their supervisory authority at edpb.europa.eu.

To exercise these rights, please contact us at support@catchvault.co. We will respond to verifiable requests within 30 days where required by GDPR.

Children's Privacy

CatchVault is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will delete it promptly.

Linked Sites

CatchVault or users of CatchVault may include links to websites, products, or services that we do not own or operate (for example, affiliate product pages, tackle retailers, or social media platforms). This Privacy Policy does not apply to your activities on those sites or the information you disclose to them. We encourage you to review the privacy practices of any third-party site before providing information to them.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will take reasonable steps to notify you — for example, by in-app notice or email — before the change takes effect. We encourage you to review this policy periodically. Continued use of CatchVault after changes constitutes acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy, our data practices, or your rights, please contact us at support@catchvault.co.

Written correspondence may also be sent to our registered agent:

CatchVault
c/o Registered Agent
502 W 7th St, Ste 100
Erie, PA 16502
United States