Flux Fishing Forecast ("Flux Fishing Forecast," "we," "our") is a subscription fishing-forecast service owned and operated by FLUX LLC, a Florida limited liability company. This policy explains what personal information we collect about you when you use fishing.fluxboating.com, how we use it, and your rights over it.
1. What we collect
We collect only the data necessary to provide the service. Specifically:
- Account information: your email address, name if you provide it, profile picture if you upload one, display name and bio if you set them, and your authentication method (Google OAuth or email magic link). Email is required; everything else is optional.
- Payment information: we do NOT store credit card numbers. Stripe processes all payments and gives us only the transaction outcome plus an opaque customer ID linking back to your subscription.
- Usage data: which dashboard regions you view, which catches you log, which waypoints you create, which AI reports you download. We use this to operate the service and improve the product.
- Catch logs: if you submit catch reports, we store the species, optional photos, optional GPS location, your privacy choice (private/fuzzed/public), and timestamps.
- Custom GPS waypoints: any pins you drop on the interactive map, the names you give them, and any notes you attach.
- Comments + forum posts + DMs: any text you submit to the community features. Every piece is passed through automated content moderation before being made visible.
- Device data: your browser's User-Agent string and IP address are logged for security (anti-abuse, fraud detection, authentication session validation). IPs are retained for up to 30 days.
- Feedback submissions: when you click "Feedback" in the header, we store your description, optional screenshot, the page URL you were on, and your User-Agent so we can reproduce and fix what you reported.
2. How we use it
- To operate the service — render your dashboard, generate AI forecasts, charge your subscription, send transactional emails.
- To run automated content moderation. Every comment, forum post, and DM is sent to a third-party AI moderation service (Anthropic Claude Haiku) and labeled as approved, flagged, or rejected before becoming visible. Rejected content is stored for audit but never rendered.
- To improve the product — aggregate usage patterns inform what data sources we prioritize and what features we build. We do not personally identify users in aggregate analytics.
- To detect and prevent fraud, abuse, or violations of our terms of service.
- To send you notifications you have opted in to (push notifications, retention emails you can unsubscribe from at any time).
3. Who we share data with
We share the minimum data necessary with each of the following service providers, each bound by their own privacy and security commitments:
- Google (OAuth sign-in): your email and basic profile if you sign in with Google. Governed by Google's Privacy Policy.
- Stripe (payments): your name, email, billing address, and payment details when you subscribe or buy a one-off report. Governed by Stripe's Privacy Policy.
- Anthropic (Claude API): the satellite data, fused snapshot payload, recent catch logs (anonymized), and free-text comments/posts/DMs you submit. Used to generate forecasts and moderate content. Anthropic's commercial terms prohibit them from training on this data.
- Amazon Web Services (hosting + storage): all data is stored in AWS RDS (PostgreSQL) and AWS S3 in the us-east-2 region. AWS does not access your data except to provide the underlying infrastructure.
- Amazon SES (transactional email): your email address when we send sign-in links, receipt emails, push-alert digests, and similar.
- NOAA, NASA, NDBC, NWS, OPC (data ingest): we query their public oceanographic + meteorological APIs. We do NOT send them any personal information.
We do NOT sell your personal information. We do NOT share it with advertisers or data brokers. We do NOT use third-party advertising trackers (no Google Analytics, no Meta Pixel, no Hotjar).
4. Cookies & local storage
We use only essential cookies and local storage:
- An authentication session cookie set by NextAuth.js when you sign in, expiring after 30 days of inactivity.
- A CSRF token cookie for form submissions.
- Local storage for non-personal UI preferences (e.g., remembered map layer toggles).
We do not use tracking cookies. We do not require a cookie banner because we do not set cookies for the EU ePrivacy Directive's definition of "tracking".
5. How long we keep your data
- Account data: while your account is active, plus 90 days after deletion for fraud-prevention purposes.
- Catch logs + waypoints + comments: while your account is active, deleted when you delete your account.
- Payment records: 7 years as required by US tax law.
- Server logs (IP, User-Agent): 30 days.
- Moderation audit log: indefinitely (anonymized after account deletion).
- Database backups: 7 days rolling.
6. Your rights
- Access: email privacy@fluxboating.com for a copy of all data we have on you. We respond within 30 days.
- Correction: update your name, display name, bio, and profile picture directly on the /profile page.
- Deletion: email privacy@fluxboating.com to request account deletion. We delete your account within 7 days; backup retention adds up to 7 more days before complete erasure.
- Export: we can deliver a JSON export of all your data on request.
- Opt-out of email: every retention email has an unsubscribe link. Transactional emails (receipts, sign-in links) you cannot opt out of while the account is active.
7. California (CCPA) and EU (GDPR) residents
You have additional rights under the California Consumer Privacy Act and the EU General Data Protection Regulation. These include: the right to know what data is collected, the right to delete, the right to non-discrimination for exercising your rights, and (for EU residents) the right to lodge a complaint with your local supervisory authority.
We process data on the legal basis of (a) contract performance (operating your subscription), (b) legitimate interest (operating and improving the service, preventing fraud), and (c) consent (push notifications, marketing emails).
8. Children
Flux Fishing Forecast is not intended for users under 13. We do not knowingly collect information from children under 13. If you believe a child has provided information to us, email privacy@fluxboating.com and we will delete it.
9. Security
All traffic is encrypted in transit (HTTPS / TLS 1.2+). All data at rest is encrypted with AWS-managed keys. Passwords are not stored at all — we use Google OAuth or email magic links. We do not have access to your passwords.
10. Changes to this policy
We may update this policy as the product evolves. The "Last updated" date at the top of the page reflects the latest revision. Material changes (e.g., a new third-party data processor) will be announced via email to all active accounts.
11. Contact
Questions, requests, or concerns: privacy@fluxboating.com. Postal mail: FLUX LLC, c/o Flux Fishing Forecast Privacy, [physical address to be added].