Privacy policy

Last updated: 2026-04-28

FishMap respects your privacy. This policy explains what personal data we collect, why we need it, what legal basis we rely on, and the rights you have under the EU General Data Protection Regulation (GDPR).

1. Data controller

The data controller is FishMap (operated by Filip Nyman). Contact us at hej@fishmap.se with questions about your data or this policy.

2. Data we collect

  • Account data: email address, hashed password and your chosen username.
  • Content you upload: catches (species, weight, length, method, GPS, water, photos), tips, fishing sessions and comments.
  • Profile info: home region (optional), avatar (optional), XP, achievements and catch stats.
  • Technical data: browser type, device, anonymised IP and timestamps in server logs.
  • Cookies & local storage: login session cookie, theme preference and your cookie consent.

3. Why we process your data (purposes and legal basis)

  • Provide the service (account, map, catches) — legal basis: contract (Art. 6(1)(b) GDPR).
  • Display catches, leaderboards and tips publiclycontract; this is the core of the service you signed up for.
  • Send transactional email (verification, password reset) — contract.
  • Security, operations and debugginglegitimate interest (Art. 6(1)(f)).
  • Improve the service via analytics — only with your consent (Art. 6(1)(a)) via the cookie banner.

4. What is public

Username, catches (including GPS coordinates and photos), tips and achievements are public on the map, leaderboards and your profile. Email, password and private session notes are never public.

5. Recipients and processors

We use the following processors to deliver the service:

  • Lovable Cloud / Supabase — database, authentication and file storage, hosted in the EU.
  • Lovable / Cloudflare — web hosting and CDN.

We never sell your data and don't share it with third parties for marketing.

6. Retention

  • Account and content data: as long as your account exists.
  • When you delete your account, all personal data, catches, tips and photos are removed immediately.
  • Server logs: 30 days max.

7. Your rights

Under GDPR you have the right to:

  • request a copy of your data (access and portability),
  • have inaccurate data corrected,
  • delete your account and data (the "right to be forgotten"),
  • object to or restrict certain processing,
  • withdraw your consent at any time,
  • file a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.

You can export or delete your data directly from your profile.

8. Cookies

We use as few cookies as possible, grouped in three categories:

  • Necessary (always on): login session, CSRF protection, your cookie consent and theme preference.
  • Analytics (requires consent): aggregated usage stats. We currently use no third-party analytics.
  • Marketing (requires consent): not used today.

9. Security

Passwords are stored hashed. All traffic is encrypted with HTTPS. Database access is protected by Row Level Security so each user can only modify their own data.

10. Children

FishMap is not intended for children under 13.

11. International transfers

Data is primarily processed inside the EU/EEA. Any transfer to third countries by sub-processors uses the EU Commission's Standard Contractual Clauses (SCC) as a safeguard.

12. Changes

We may update this policy. Material changes are announced in-app.

13. Contact

Questions about your data? Email hej@fishmap.se.