StashMap Privacy Policy

StashMap is a “local-first” fishing spot manager. By design, your fishing data does not go to our servers.

By default, your spots, photos, videos, hand-drawn layers and logs are stored only on your device. They are never uploaded to any server, including servers operated by the developer.

Core features (spot records, layer drawing, encrypted backup) run entirely on-device. We do not operate accounts, do not require sign-in, and do not build user profiles.

Permissions and their purpose: Location (show your position and set the default coordinate of new spots); Photo library (attach images/videos); Camera (capture photos/videos); Network (load map tiles and, only when you open a spot's weather/tide panel, query our weather service); Haptics (tactile feedback).

We never use these permissions unless you actively trigger the corresponding feature. Your location is used only for map display and new-spot defaults; it is not transmitted to us or any third party except as described below for the weather service.

Apple Maps (MapKit) — Provider: Apple Inc. Purpose: base-map rendering, map interaction, place search and location. When you use map features, Apple processes the necessary location and request data under Apple's own privacy policy (https://www.apple.com/legal/privacy/). This data does not pass through StashMap's servers.

StashMap Weather Service — when you open the environment / tide / ocean panel for a spot, the app sends only that spot's coordinates to our weather service to retrieve forecasts. We use QWeather (weather) and StormGlass (tide and marine) as upstream providers. We send coordinates only — never your identity, photos, logs or layer content — and retain them only for short-lived caching.

When you use “encrypted spot sharing”, the app packs a single spot (location + latest fishing notes only) into a file encrypted with AES-256-GCM using a fresh per-share key. The app itself does not transmit the file — you choose a system share channel (AirDrop, email, etc.). The key is shared separately. No intermediary can decrypt the file, and our servers never touch the encrypted file or store the key.

We do not collect or upload your spot locations, photos, videos, logs or layers; we do not build user profiles, do behavioural tracking, or serve targeted ads; we do not share any usage data with third parties; we do not require an account.

The app offers an “encrypted backup export”. You keep the backup file yourself; backups are never automatically uploaded. A backup is password-protected and a lost password cannot be recovered. Because the app's core data lives on your device, uninstalling the app deletes all of it.

StashMap is not directed to children under 13 (or the minimum age required in your jurisdiction) and does not knowingly collect any user's age or identity.

Because StashMap is local-first and does not collect your personal data on our servers, there is generally no server-side personal data to access, export, correct or delete.

If you are in the EU/EEA or UK (GDPR) or California (CCPA/CPRA), you still have the right to access, correct, delete and port your personal data, to object to or restrict processing, and to not be discriminated against for exercising these rights. We do not sell or share personal information. Data on your device is removed by uninstalling. For any request, contact us below.

If we update this policy (for example, a new feature introducing a new data flow), we will show a notice on next launch and update the effective date above. Material changes will require you to re-confirm.

Email: [email protected]. Project: https://github.com/Stash-Map. We aim to reply within 7 business days.