Privacy Policy
Effective: [EFFECTIVE DATE] · Last updated: [LAST UPDATED DATE]
Privacy by Design. PaddleReady is built to collect the minimum data necessary to operate. We don't require account registration for core features, we don't sell or rent your data, we don't display third-party advertisements, and we don't store your GPS coordinates on our servers.
1. Who we are
PaddleReady is operated by Brainstorm Innovative Technologies, LLC, a Florida limited liability company. For all privacy matters, contact privacy@paddleready.app.
For purposes of GDPR, CCPA, and equivalent privacy laws, Brainstorm Innovative Technologies, LLC is the data controller.
2. What we collect — and why
Location data (GPS)
Your GPS coordinates are used in real time only to fetch weather, tides, advisories, sun times, water quality, and nearby launch points. We do not log, store, cache, or retain GPS coordinates on our servers. The coordinates travel directly from your device to the third-party data APIs (Open-Meteo, NOAA, USGS, OpenStreetMap, Overpass) over encrypted connections.
Anonymous device identifier
To enforce spam-prevention rate limits on community submissions, the app generates a random UUID-style identifier stored locally in AsyncStorage on your device. It contains no PII, cannot be reversed to identify you, and is not linked to your Apple ID, Google account, name, or email.
User-submitted content
When you submit a comment, review, launch point, or amenity vote, the text, an optional display name (default: "Anonymous Paddler"), an optional 1–5 star rating, any amenity tags, the anonymous device ID, and a timestamp are stored on our servers. Do not include personally identifying information in your submissions.
User-submitted photographs
All uploaded photos are re-processed using PHP's GD image library before storage. This process creates a brand-new image file from the pixel data only — all EXIF metadata (GPS coordinates, device model, timestamps) is permanently discarded. Images larger than 1,600 px on the longest edge are downscaled. MIME type is validated against the actual binary content via finfo, not the file extension.
Registered account data (optional)
If you create an account, we store your username, email address, and a bcrypt-hashed password. We never store plaintext passwords. Account data is used for authentication and Pro subscription status only.
Hazard reports
Submitted by signed-in users only: hazard type, title, description, severity, GPS coordinates of the hazard, the submitter's account ID, and the timestamp. Hazards are publicly visible on the map. Reports are clearly labeled as user-submitted and unverified.
Trip Check-In (Pro)
If you use Trip Check-In, we store: planned launch and return times, location, vessel notes, paddler count, trip notes, and your trip contact's name, phone, and email. This data is stored for 90 days after your return, then permanently deleted. The trip contact must opt in via a confirmation email before we will send them any alert (CAN-SPAM compliance).
What we do NOT collect
- No GPS history or location logs
- No advertising identifiers (IDFA / GAID)
- No tracking cookies, pixels, or web beacons
- No camera roll, contacts, microphone, or biometric data
- No browsing history outside the app
- No payment card numbers (Pro billing is handled by a PCI-compliant processor)
3. How we share data
We do not sell, rent, trade, or commercially exploit your information. Limited sharing only:
- Third-party data APIs. Your GPS coordinates travel directly from your device to: Open-Meteo, NOAA, USGS, Sunrise-Sunset.org, OpenStreetMap Nominatim, Overpass API, and Apple Maps / Google Maps for tile rendering.
- Legal process. Court orders, subpoenas, warrants with proper jurisdiction. We will challenge overly broad requests.
- CSAM. Any image we reasonably believe constitutes child sexual abuse material is immediately removed, reported to the NCMEC CyberTipline as required by 18 U.S.C. § 2258A, and preserved for law enforcement.
- Corporate transactions. In a merger or acquisition, user data may transfer. The successor entity must honor this Policy.
4. Security
All data in transit between the app and our servers is encrypted with TLS 1.2 or higher. Backend infrastructure is hosted on DreamHost. Inputs are validated and SQL uses parameterized queries. Rate limiting is enforced on submission endpoints. File uploads pass MIME validation and are re-processed through the GD library, which destroys embedded payloads.
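The upload handling described here and under "User-submitted photographs" (finfo content sniffing, GD re-encoding, the 1,600 px cap) can be sketched as follows. This is an added example, not PaddleReady's code: the function name `sanitize_upload`, the `MAX_PIXELS` decode cap, the JPEG/PNG allow-list, the JPEG-only output at quality 85, and the orientation step are all assumptions.

```php
<?php
declare(strict_types=1);

const MAX_EDGE   = 1600;        // longest edge in px, from the policy text
const MAX_PIXELS = 40_000_000;  // assumed decode cap against decompression bombs

function sanitize_upload(string $src, string $dst): void
{
    // Type comes from the file's bytes; the client's name and Content-Type are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($src);
    if (!in_array($mime, ['image/jpeg', 'image/png'], true)) {
        throw new RuntimeException('rejected type');
    }
    // Read dimensions from the header before decoding the full bitmap.
    $info = @getimagesize($src);
    if ($info === false || $info[0] * $info[1] > MAX_PIXELS) {
        throw new RuntimeException('bad or oversized image');
    }
    $img = $mime === 'image/jpeg' ? @imagecreatefromjpeg($src) : @imagecreatefrompng($src);
    if ($img === false) {
        throw new RuntimeException('undecodable image');
    }
    // EXIF is about to be lost, so bake the orientation into the pixels first.
    if ($mime === 'image/jpeg' && function_exists('exif_read_data')) {
        $exif  = @exif_read_data($src);
        $angle = [3 => 180, 6 => -90, 8 => 90][(int) ($exif['Orientation'] ?? 0)] ?? 0;
        $img   = $angle ? (imagerotate($img, $angle, 0) ?: $img) : $img;
    }
    [$w, $h] = [imagesx($img), imagesy($img)];
    $scale = min(1.0, MAX_EDGE / max($w, $h));
    $nw = max(1, (int) round($w * $scale));
    $nh = max(1, (int) round($h * $scale));
    // Draw onto a fresh white canvas: only pixel data reaches the output file.
    $out = imagecreatetruecolor($nw, $nh);
    imagefill($out, 0, 0, imagecolorallocate($out, 255, 255, 255));
    imagecopyresampled($out, $img, 0, 0, 0, 0, $nw, $nh, $w, $h);
    if (!imagejpeg($out, $dst, 85)) {
        throw new RuntimeException('encode failed');
    }
}

// Constructed sample: a 3200x800 JPEG with marker bytes appended after the image data.
$in    = tempnam(sys_get_temp_dir(), 'in');
$clean = tempnam(sys_get_temp_dir(), 'out');
imagejpeg(imagecreatetruecolor(3200, 800), $in);
file_put_contents($in, 'CONSTRUCTED-TRAILER', FILE_APPEND);
sanitize_upload($in, $clean);
[$w, $h] = getimagesize($clean);
var_dump($w, $h, str_contains(file_get_contents($clean), 'CONSTRUCTED-TRAILER'));
```

The final `var_dump` reports the re-encoded dimensions and whether the appended marker survived, which is a quick regression check to keep alongside the upload endpoint.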
NO METHOD OF ELECTRONIC TRANSMISSION OR STORAGE IS 100% SECURE. WE CANNOT GUARANTEE ABSOLUTE SECURITY. YOU TRANSMIT DATA TO US AT YOUR OWN RISK.
Security vulnerability reports: security@paddleready.app.
5. Your rights
Regardless of where you live:
- Request a copy of data tied to your anonymous device ID
- Request deletion of your submitted content
- Stop submitting at any time — no opt-out form needed
California residents (CCPA / CPRA): the right to know, delete, correct, opt out of sale (we don't sell), and non-discrimination for exercising these rights. Email privacy@paddleready.app with subject "CCPA Request."
EEA / UK / Swiss residents (GDPR): rights of access, rectification, erasure, restriction, data portability, and to object. Lawful bases: legitimate interest (spam prevention, community safety, app functionality), implied consent (voluntary submission), and explicit consent (location permission). Subject: "GDPR Request."
6. Account deletion
Delete your account at any time:
- In the app: Account → Settings → Delete my account.
- Without the app: use the form at paddleready.app/delete-account.
We process deletion within 30 days. Anonymous device-ID submissions can also be deleted on request to privacy@paddleready.app.
7. Children
PaddleReady is intended for users 13+. We do not knowingly collect personal information from children under 13. If you believe your child under 13 has submitted data, email privacy@paddleready.app and we will investigate and delete promptly. In jurisdictions with a higher digital-consent age (e.g., 16 in some EU member states), the higher threshold applies.
8. Changes
We may update this Policy. Material changes will be communicated in-app and via a notice on the website. Continued use after a revised Policy constitutes acceptance.
9. Contact
Privacy: privacy@paddleready.app
Security: security@paddleready.app
Legal / DMCA: legal@paddleready.app
Support: support@paddleready.app
Abuse / CSAM: violations@paddleready.app
Brainstorm Innovative Technologies, LLC
27160 Hickory Hill Road, Brooksville, FL 34602
brainstorminnovative.com