Security & trust

• Sign in with email/password or Google. Passwords are hashed and managed by our authentication provider — never stored in plain text.
• Sessions use signed tokens stored in your browser and can be revoked by signing out.
• Admin features require a separate role on the server — they cannot be unlocked from the browser.

• Catches, sessions and tips you create are linked to your account. Row-level security in the database restricts who can read or modify each row.
• Public profile fields (username, avatar, stats, bio) are visible to other users. Sensitive fields such as newsletter preferences and unsubscribe tokens are only readable by you and our server.
• Data is hosted in the EU through our cloud provider. Connections to the app are encrypted with HTTPS/TLS.
• You can export or delete your account from your profile page.

• Marketing emails are only sent to users who have opted in. You can opt out at any time from your profile or by using the unsubscribe link in any newsletter.
• Transactional emails (account, security) are sent without consent because they are required to operate the service.

Found something that looks like a vulnerability? Please email security@fishmap.se with steps to reproduce. We will respond as soon as possible and ask that you avoid testing on other users' data.