CatchRules

Privacy Policy

Effective date: March 1, 2026  ·  Last updated: March 1, 2026

At a glance. CatchRules is designed to work with as little personal data as possible. We do not require an account. We do not sell your data. We do not track you across other apps or websites. Your photos are processed on your device and are not uploaded to our servers. Your precise location is used on your device to figure out which state or province you are fishing in — only that short code is sent to our servers, never your coordinates.

Contents

  1. Who We Are
  2. Plain-English Summary
  3. What We Collect
  4. What Stays on Your Device
  5. Why We Use It
  6. iOS Permissions
  7. Third-Party Services
  8. No Sale, No Tracking, No Ads
  9. Retention
  10. Security
  11. Children
  12. International Transfers
  13. California Rights (CCPA/CPRA)
  14. European Rights (GDPR/UK GDPR)
  15. Canadian Rights (PIPEDA/Law 25)
  16. Changes to This Policy
  17. Contact & Complaints

1. Who We Are

The CatchRules mobile application (“Service”) is operated by Lunana Global Inc. (“we,” “us,” or “our”). We are the “controller” of the personal data described in this Privacy Policy for purposes of the GDPR, UK GDPR, and analogous laws, and a “business” for purposes of the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

This Privacy Policy describes how we collect, use, disclose, and protect information when you use the Service. It should be read together with our Terms of Service and End-User License Agreement.

2. Plain-English Summary

  • No account, no email, no password. You can use CatchRules without giving us your name or email.
  • Your photos stay on your device. The species identification model runs locally on your iPhone. We do not upload your photos, and we never see them.
  • Your GPS stays on your device. iOS resolves your coordinates to a state or province on your device. We receive only a two- or five-character jurisdiction code (for example, US-FL), never a latitude/longitude.
  • We use a random device identifier — a SHA-256 hash of a UUID stored in your iOS Keychain — to remember whether you have a Pro subscription and to apply rate limits. It is not tied to your name, Apple ID, advertising ID, or any other identifier.
  • We do not sell, rent, or share your data for advertising. No third-party analytics SDKs, no tracking pixels, no ad networks.
  • Subscriptions are handled by Apple. We are told whether the device has an active Pro subscription; we are not given your payment details.

3. What We Collect

The complete list of data the Service sends to or stores on our servers:

| Data | How we collect it | What it is |
| --- | --- | --- |
| Device token | Generated on first launch | A SHA-256 hash of a UUID generated on your device and stored in the iOS Keychain. Used to mark your device as entitled to Pro (or not) and to rate-limit abusive traffic. Not linked to your Apple ID, name, email, or advertising ID. |
| Home jurisdiction code | You choose it, or we derive it once from a GPS fix | A short code such as US-FL or CA-BC identifying the state, province, or territory you have picked as your home jurisdiction. No coordinates. |
| Pro subscription status | Reported by Apple’s StoreKit after purchase | A Boolean (“is Pro”) and, if applicable, the plan type and expiration. Your Apple ID, payment card, name, and billing address are handled by Apple and are never shared with us. |
| Species & jurisdiction queries | Sent when you look up regulations or species rules | The scientific name of a species and a jurisdiction code, plus the device token, sent to our regulation-lookup API. Queries are logged for debugging and abuse prevention; logs are retained only as long as needed for those purposes and are routinely purged. |
| Crash & error reports (Apple) | Only if you opt in via iOS Settings → Privacy → Analytics | Apple-provided crash diagnostics, if you have enabled “Share With App Developers.” These contain no personal data from CatchRules. We access them through App Store Connect; Apple’s own Privacy Policy applies. |

We do not collect your name, email address, phone number, postal address, contacts, calendar, health data, browsing history, advertising identifier, or any form of biometric data.

4. What Stays on Your Device

Several categories of data are processed or stored only on your iPhone and never reach our servers:

  • Photos you submit for species identification. The machine-learning classifier runs on-device in Core ML. Your images are not uploaded.
  • AR / LiDAR measurements. Depth frames, camera feeds, and measurement computations occur on-device and are not transmitted.
  • Precise location coordinates. iOS passes latitude/longitude to the app only after you grant the Location permission. The app uses Apple’s on-device reverse geocoder to turn coordinates into a state or province code. Only the code leaves the device.
  • Your catch collection and notes. Stored locally in iOS UserDefaults and your app sandbox. Deleted when you uninstall the app.
  • Tide and regulation caches. Cached locally for performance; expire automatically.

5. Why We Use It

Each data element listed above is used only for the purposes below. We do not repurpose data for unrelated uses without asking you first.

  • Deliver the Service — display regulations for your jurisdiction, check Pro entitlement, rate-limit traffic.
  • Maintain and improve the Service — diagnose bugs, monitor uptime, investigate abuse, prevent fraud.
  • Legal compliance — respond to lawful requests and enforce our Terms.

Under GDPR/UK GDPR terminology, our legal bases are (a) performance of a contract for providing the Service you requested, (b) our legitimate interest in keeping the Service working and free of abuse, and (c) your consent where consent is required by law (for example, location and camera permissions, granted through iOS).

6. iOS Permissions

The Service only works with the permissions you grant through iOS. You can change any of these at any time in Settings → CatchRules. Revoking a permission disables the feature that depends on it but does not affect the rest of the app.

  • Location (When In Use). Used on-device to reverse-geocode your coordinates to a state or province. Only the code is sent to our servers.
  • Camera. Used to capture photos for species identification and to drive AR / LiDAR measurement. Images are processed on-device.
  • Photo Library. Used to let you pick existing photos for identification. Images are processed on-device.

7. Third-Party Services

We rely on a small number of third parties to operate the Service. Each one has its own privacy policy, which applies to the data they process on their own behalf.

| Provider | What they do | What they receive |
| --- | --- | --- |
| Supabase (Supabase Inc., United States) | Hosts our Postgres database and edge functions | Device token, home jurisdiction code, Pro status, species and jurisdiction queries, and standard server logs (IP address, user agent) retained only as long as needed for security and abuse prevention. |
| Apple (Apple Inc.) | App Store distribution, StoreKit subscription billing, App Store Connect analytics (opt-in) | Your payment information and Apple ID are handled by Apple directly and are not shared with us. We do not request access to your device’s advertising identifier (IDFA) and do not present an App Tracking Transparency prompt. Any crash diagnostics you have opted into are provided to us by Apple in aggregated, de-identified form. |
| NOAA CO-OPS (U.S. Dept. of Commerce) | Tide prediction data | Only the station ID and date range you look up. No device token or user data. |
| iNaturalist, Fishial.ai, and similar public data sources | Species photographs and reference data | Read-only image URLs; no user data is transmitted to them. |
| State and provincial wildlife agencies (and other regulation publishers) | Source of the regulations we crawl and display | Our automated crawler fetches publicly-available pages using a descriptive User-Agent. No user data is transmitted. |

We do not use third-party analytics SDKs (Firebase, Mixpanel, Amplitude, Segment, Google Analytics, Facebook SDK, AppsFlyer, or similar). We do not use third-party advertising networks or attribution services. We do not embed tracking pixels.

8. No Sale, No Tracking, No Ads

We do not sell your personal information. We do not share it with any third party for cross-context behavioral advertising. We do not track you across other apps or websites. We do not use your data to train advertising or marketing models.

9. Retention

  • Device token and Pro status: retained while your device is active. Deleted at your request (see Contact). We periodically review device records and remove inactive ones.
  • Home jurisdiction code: retained until you change it or delete the device record.
  • Server access logs and query logs: retained only as long as needed for security, abuse prevention, and debugging, then aggregated or deleted.
  • On-device data (photos, collection, caches): removed when you uninstall the app or clear iOS storage.
  • Regulation snapshots (archived HTML of the public government pages we crawl): retained up to seven (7) years as a record of the source content we relied on. These snapshots contain only publicly-published regulatory content, not user data.

10. Security

We take reasonable steps to protect the data we hold:

  • Transport security. All network traffic between the app and our servers is encrypted in transit using TLS 1.2 or higher.
  • Keychain storage. The device UUID is held in the iOS Keychain with kSecAttrAccessibleAfterFirstUnlock scope, separate from regular app storage.
  • Access controls. Postgres Row-Level Security policies restrict reads and writes to the minimum necessary for each feature.
  • Principle of minimum data. We do not collect what we do not need. Fields such as your name, email, and phone number are never requested.

No system is perfectly secure. If we become aware of a security incident affecting your personal data, we will notify affected users and the relevant supervisory authorities without undue delay, and within seventy-two (72) hours where required by the GDPR or analogous law.

Global Privacy Control & Do Not Track. CatchRules is an iOS application and does not operate in a web browser, so we do not receive Global Privacy Control (GPC) or Do-Not-Track signals. Because we do not sell or share personal information for cross-context behavioral advertising under any circumstances, the absence of such a signal does not change how we handle your data.

11. Children

CatchRules is not directed to children under the age of 13 and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe a child under 13 has provided us with personal information, please email us at hello@catchrules.com and we will delete the information. Users between 13 and the age of majority in their jurisdiction may only use the Service with a parent or guardian’s involvement as described in our Terms of Service.

12. International Transfers

Our servers (Supabase) and Apple’s App Store infrastructure are located in the United States. If you access the Service from outside the United States, information we collect will be transferred to, stored, and processed in the United States, which may not have the same data-protection laws as your country. Where required by law, we rely on appropriate safeguards such as the Standard Contractual Clauses for transfers from the European Economic Area, United Kingdom, or Switzerland.

13. California Rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

  • Right to know the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties we have shared it with.
  • Right to delete personal information we have collected from you, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing. We do not sell or share your personal information for cross-context behavioral advertising, so there is nothing to opt out of. You may request written confirmation of this from us at any time.
  • Right to limit use of sensitive personal information. We do not use sensitive personal information for any purpose beyond what is necessary to operate the Service.
  • Right to non-discrimination for exercising these rights.

To exercise any of these rights, email us at hello@catchrules.com from the device you used with CatchRules, or include the device token shown in-app under Settings → About. We will verify your request and respond within 45 days (with a possible 45-day extension).

14. European Rights (GDPR / UK GDPR / Swiss FADP)

If you are located in the European Economic Area or the United Kingdom, the EU General Data Protection Regulation (GDPR) or UK GDPR gives you the rights listed below. If you are located in Switzerland, the Swiss Federal Act on Data Protection (FADP) gives you substantively similar rights, and references in this section to the GDPR apply to the FADP with necessary adaptations.

You have the following rights:

  • Right of access to your personal data;
  • Right to rectification of inaccurate data;
  • Right to erasure (“right to be forgotten”);
  • Right to restrict processing;
  • Right to data portability;
  • Right to object to processing based on our legitimate interests;
  • Right to withdraw consent, where processing is based on consent;
  • Right to lodge a complaint with a supervisory authority in your country of residence or work.

To exercise any of these rights, email us at hello@catchrules.com. We will respond within 30 days (with possible extensions for complex requests).

15. Canadian Rights (PIPEDA / Quebec Law 25)

If you are a resident of Canada, PIPEDA and (for Quebec residents) Law 25 give you the right to access the personal information we hold about you, to request correction of inaccurate information, and to withdraw your consent to processing. Please contact us at hello@catchrules.com to exercise these rights. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada or, for Quebec residents, the Commission d’accès à l’information du Québec.

16. Changes to This Policy

We may update this Privacy Policy from time to time. If a change is material, we will give you reasonable advance notice through the Service or by other reasonable means before it takes effect, and we will update the “Last updated” date above. Your continued use of the Service after the effective date of an updated version constitutes acknowledgement of the updated policy. Historical versions are retained on request.

17. Contact & Complaints

Questions, privacy requests, and complaints should be sent to:

Lunana Global Inc. — Privacy
hello@catchrules.com

Please include enough information for us to verify your identity (for example, your device token shown in Settings → About) and describe the nature of your request. Requests that do not include sufficient verification information cannot be honored.

© 2026 Lunana Global Inc. All rights reserved.