Privacy Policy

Version 1.0 — Effective as of May 15, 2026

This Privacy Policy describes how Individual entrepreneur Hugo Frederic Mourlan (“FishMan”, “we”) collects, uses, shares, and protects your personal data when you use the FishMan mobile application (the “Application”) and the fishman-app.com website.

We are committed to complying with the General Data Protection Regulation (GDPR — EU Regulation 2016/679), the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), the Brazilian Lei Geral de Proteção de Dados (LGPD), as well as local privacy laws applicable in all countries where the Application is available.

1. Data Controller

The data controller is an Individual Entrepreneur under Georgian law (individual entrepreneur registered as a natural person), benefiting from Small Business Status.

Name: Individual entrepreneur Hugo Frederic Mourlan
Legal status: Individual Entrepreneur — Georgian Civil Code — Small Business Status
Registered business address: Nino and Ilia Nakashidze Street N1, Apartment 3, Building 3, Krtsanisi, Tbilisi, Georgia, 0105
Personal identification / registration number: 304808992
Publication director: Hugo Mourlan
Dedicated data protection email: contact@fishman-app.com

2. Data Protection Officer (DPO)

Although appointing a DPO is not formally required for FishMan, a dedicated point of contact is available:

Email: contact@fishman-app.com

3. Data Collected

We collect the following categories of data:

3.1 Account data

Email address,
Pseudonym,
Password (hashed and salted via Firebase Authentication, never accessible in plain text),
Profile picture (optional),
Account creation date,
Country / preferred language.

3.2 Fishing data

Catches (species, size, weight, photo, date, location, associated weather),
Spots created or favorited,
Reported equipment inventory (rods, reels, lures, etc.),
Comments, reactions, follows.

3.3 Photographs and metadata

Catch photos and profile pictures uploaded by the User,
EXIF metadata associated with photos (date, embedded geolocation, device model) — used to pre-fill catch information when the User wishes, and removed from public copies when spot privacy requires it.

3.4 Geolocation

The User’s GPS position when consulting the map or recording a catch,
The position of a created spot.

Geolocation is never enabled without the User’s explicit consent, collected via operating system permissions (iOS / Android). It can be revoked at any time in the device settings.

3.5 Purchase and subscription data

Anonymized purchase identifier (transmitted by RevenueCat / Apple / Google),
Pro subscription status (active, suspended, cancelled),
History of Pro transactions associated with the Account.

No banking data (card number, CVV, IBAN) is collected or stored by FishMan: payments are entirely managed by Apple or Google depending on the Store concerned.

3.6 Technical data

Device model, operating system and version, Application version,
Advertising identifier (IDFA on iOS, AAID on Android), subject to consent,
IP address (collected temporarily for security, fraud prevention, and language personalization purposes),
Technical and performance logs,
Anonymized crash reports (Crashlytics).

3.7 Usage data

Features used, frequency of use, navigation paths within the Application (page views, session duration),
Gamification data (XP, level, unlocked trophies).

3.8 Categories of data we DO NOT collect

Health data,
Sexual orientation, political, religious, or philosophical opinions,
Racial or ethnic origin,
Biometric data,
Bank card numbers or detailed financial data.

4. Purposes and Legal Bases of Processing

In accordance with Article 6 of the GDPR, each processing operation is based on an identified legal basis:

Purpose	Legal basis (GDPR)
Account creation and management	Contract performance (Art. 6.1.b)
Provision of Pro services	Contract performance (Art. 6.1.b)
Map and spot display	Consent (geolocation) — Art. 6.1.a
Species identification (AI Scan)	Contract performance
AI Coach	Contract performance
Personalized weather per spot	Consent (geolocation)
Push notifications	Consent — Art. 6.1.a
Targeted advertising (free version)	Consent — Art. 6.1.a
Audience measurement and usage statistics	Consent or legitimate interest (anonymization) — Art. 6.1.f
Security, fraud prevention	Legitimate interest — Art. 6.1.f
Content moderation	Legitimate interest — Art. 6.1.f
Compliance with legal obligations (accounting, judicial)	Legal obligation — Art. 6.1.c
Improvement of AI models proprietary to the Application	Legitimate interest, after pseudonymization
Response to GDPR rights requests	Legal obligation — Art. 6.1.c

5. Recipients and Data Processors

We never sell your personal data. We share certain data with processors strictly necessary for the operation of the Application, under Data Processing Agreements (DPA) compliant with Article 28 of the GDPR.

Processor	Service provided	Location	Safeguards
Google Ireland Ltd. (Firebase)	Authentication, database (Firestore), Cloud Functions, notifications (FCM), Gemini AI, Crashlytics, Analytics, Storage	Ireland / EU + United States	Google DPA + EU Standard Contractual Clauses (SCCs)
RevenueCat, Inc.	Pro subscription management	United States	RevenueCat DPA + SCCs
Google Ireland Ltd. (AdMob)	Advertising delivery (free version)	Ireland / United States	Google DPA + SCCs + user consent
MapTiler AG	Cartographic tiles	Switzerland	Switzerland adequacy decision
OpenStreetMap Foundation	Cartographic data (ODbL license)	United Kingdom	UK adequacy decision
Apple Distribution International Ltd.	iOS distribution, payment collection	Ireland	Apple App Store terms + DPA
Google LLC (Google Play)	Android distribution, payment collection	United States	Google Play terms + SCCs
Google Firebase Hosting	fishman-app.com website hosting	Google Ireland (EU) + United States	Google DPA + SCCs

All our processors are bound contractually and undertake a level of protection compliant with the GDPR.

6. Transfers Outside the European Union

Some data may be transferred outside the EU, in particular to the United States (Google, RevenueCat). These transfers are framed by:

The Standard Contractual Clauses adopted by the European Commission (Decision 2021/914),
The EU-U.S. Data Privacy Framework for certified processors,
Additional technical measures (in-transit and at-rest encryption, pseudonymization),
Transfer Impact Assessments conducted on a case-by-case basis.

7. Retention Periods

Data category	Retention period
Active account	For the entire duration of use
Account inactive for 3 years	Deletion or anonymization
Account deleted by the User	Deletion within 30 days, except for legal retention obligations
Billing and transaction data	10 years (accounting obligations)
Technical and security logs	12 months maximum
Advertising data (identifiers, targeting)	13 months maximum
Public photos and Content	As long as the User does not delete them (then 30 days)
Customer support data	3 years after last contact

8. Security

We implement technical and organizational measures appropriate to the risks:

TLS 1.3 encryption for all client/server exchanges,
Passwords hashed and salted (Firebase Authentication, bcrypt algorithm),
AES-256 encryption for sensitive stored data,
Restricted and logged access to data,
Regular and redundant backups,
Periodic security testing,
Incident response plan and procedure for notifying breaches to the competent supervisory authority within 72 hours and to data subjects when necessary (Art. 33 and 34 GDPR).

8.1 Internal Governance and Compliance

The Publisher maintains the following governance documentation, in accordance with Articles 24, 30, 32, and 35 of the GDPR:

A Record of Processing Activities (RoPA) listing all processing operations, their purposes, legal bases, categories of data subjects, retention periods, and recipients,
A Data Protection Impact Assessment (DPIA) for processing presenting a high risk, in particular AI Scan, geolocation, and profiling features,
A breach management policy specifying the internal procedure for detection, qualification, and notification within 72 hours to the competent supervisory authority,
A retention policy reviewed annually,
An annual review of processors verifying the maintenance of an adequate level of protection (DPA, certifications, international transfers),
A documented procedure for handling rights requests.

These internal documents are available upon reasoned request from competent supervisory authorities.

9. Your Rights

In accordance with the GDPR, the CCPA, the LGPD, and equivalent laws, you have the following rights over your personal data:

Right of access (Art. 15 GDPR): obtain confirmation that data concerning you is being processed and obtain a copy,
Right to rectification (Art. 16): correct inaccurate or incomplete data,
Right to erasure or “right to be forgotten” (Art. 17),
Right to restriction of processing (Art. 18),
Right to object (Art. 21): object to processing based on legitimate interest or used for direct marketing,
Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format,
Right to withdraw consent at any time, without affecting the lawfulness of prior processing,
Right to define post-mortem directives on the fate of your data after death (French Law No. 2016-1321),
Right not to be subject to a solely automated decision with legal effect (Art. 22).

For California residents (CCPA / CPRA): you also have the right to know what categories of data are collected, sold, or shared (we do not sell any data), the right to deletion, the right to limit the use of sensitive data, and the right not to be discriminated against for exercising your rights.

9.1 How to exercise your rights

From the Application: Settings > Privacy > My data,
By email: contact@fishman-app.com — response within one (1) month, extendable by two months for complex requests,
By postal mail: Nino and Ilia Nakashidze Street N1, Apartment 3, Building 3, Krtsanisi, Tbilisi, Georgia, 0105.

A proof of identity may be required if there is reasonable doubt about the identity of the requester, in accordance with Article 12.6 of the GDPR.

9.2 Complaint to a supervisory authority

If you believe your rights are not respected, you may lodge a complaint with the competent supervisory authority:

France: Commission Nationale de l’Informatique et des Libertés (CNIL) — https://www.cnil.fr/en/plaintes
Other EU countries: national data protection authority — EDPB directory: https://edpb.europa.eu/about-edpb/about-edpb/members_en
United Kingdom: Information Commissioner’s Office (ICO) — https://ico.org.uk
United States (California): California Privacy Protection Agency — https://cppa.ca.gov

10. Minors

The Application is not intended for children under 16 years of age in the EEA, under 13 years of age in the United States (COPPA), or under the equivalent minimum age applicable in each country.

We do not knowingly collect data from children below this age. If you are a parent or legal representative and find that your child has provided data without authorization, contact us at contact@fishman-app.com to delete it.

11. Automated Decisions and Profiling

The Application uses automated models for:

Species identification (AI Scan) — purely indicative result, with no legal effect,
Automated moderation of reported Content — human review is guaranteed before any final sanction (suspension, account deletion).

None of these decisions produce legal effects or significantly affect you within the meaning of Article 22 of the GDPR.

12. Cookies and Trackers

The Application and the fishman-app.com website use trackers under the conditions described in our Cookie Policy: https://fishman-app.com/legal/cookies.

13. Modifications to the Policy

We may modify this Privacy Policy to reflect regulatory, technical, or commercial developments. Any substantial modification will be notified by email to the address associated with the Account and/or by in-app notification at least 30 days before taking effect.

The date of last update appears at the top of the document.

14. Contact

Dedicated data protection email: contact@fishman-app.com
Postal address: Nino and Ilia Nakashidze Street N1, Apartment 3, Building 3, Krtsanisi, Tbilisi, Georgia, 0105

Legal Notices

Publisher

The Application and the fishman-app.com website are published by an Individual Entrepreneur under Georgian law (individual entrepreneur registered as a natural person), benefiting from Small Business Status.

Publisher’s name: Individual entrepreneur Hugo Frederic Mourlan
Legal status: Individual Entrepreneur — Georgian Civil Code — Small Business Status
Registered business address: Nino and Ilia Nakashidze Street N1, Apartment 3, Building 3, Krtsanisi, Tbilisi, Georgia, 0105
Personal identification / registration number: 304808992
Publication director: Hugo Mourlan
Email: contact@fishman-app.com
Website: https://fishman-app.com

Hosting

Application (backend): Google Firebase / Google Cloud Platform — Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland.
Website: Google Firebase Hosting / Google Cloud Platform — Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland.

Intellectual Property

All elements of the Application and the fishman-app.com website (texts, images, logos, graphics, icons, sounds, videos, source code) are the exclusive property of Individual entrepreneur Hugo Frederic Mourlan or its partners. Any reproduction, representation, modification, publication, transmission, or full or partial exploitation without prior written authorization is prohibited and constitutes infringement subject to penalties under intellectual property law.

The FishMan trademark and logo are [registered / unregistered] trademarks belonging to Individual entrepreneur Hugo Frederic Mourlan.

Credits

AI: Google Gemini.
Typeface: Urbanist (Google Fonts, OFL license).