Privacy Policy — VisLab

Last updated: 2026-05-15 · Version: 1.0

This Privacy Policy explains how VisLab ("we", "us", "the app") collects, uses, stores, and protects your personal data when you use the VisLab mobile application. We comply with the EU General Data Protection Regulation (GDPR) and the Dutch UAVG.

1. Data Controller

Controller: LabUnie
Address: Witte de Withstraat 9, 1521 KE Wormerveer, the Netherlands
Email for privacy requests: apps@labunie.nl

You can contact us at any time using the email above to exercise the rights described in section 7.

2. What Data We Collect

We collect only the data necessary to operate VisLab's fishing-log, competition, and social features.

2.1 Account & identity

  • Email address (required for sign-up and authentication)
  • Username (chosen by you)
  • Password (stored only as a hashed credential by our auth provider — we never see the plaintext)
  • First name, middle name, last name (optional)
  • Avatar image (optional; note: stored in a publicly readable storage bucket, see section 4)
  • Preferred language
  • Profile preferences (e.g. show_real_name_to_friends, angler types)

2.2 Location data

With your permission, the app accesses your device's precise GPS location (ACCESS_FINE_LOCATION / ACCESS_COARSE_LOCATION on Android; equivalent on iOS) to:

  • Tag your catches with the location where they were made
  • Save fishing spots and swims you create
  • Display nearby map content

Location coordinates are stored in the following database fields:

  • catch.location — coordinates of a catch
  • catch_photo.exif_location — GPS metadata extracted from photos you upload
  • swim.location — coordinates of a swim you create
  • spot.location — coordinates of a spot you create

You control sharing of catch locations with the share_location_spot setting. Swims and spots can be marked private (is_private = true).

Important: photos you upload may contain GPS coordinates in their EXIF metadata. We extract and store this metadata separately from the visible photo. If you do not want a photo's location revealed, strip EXIF before uploading.

2.3 Photos

  • Photos of your catches, uploaded to a private storage bucket (catch-photos); only you and users you grant access (friends, competition members) can view them
  • Avatar images, uploaded to a publicly readable storage bucket (avatars) — anyone with the URL can view your avatar
  • EXIF metadata (capture time, GPS) extracted from uploaded photos

The app requests permission to access your camera and photo library to enable upload.

2.4 Content you create

  • Catch records (species, weight, length, notes, weather, water conditions, time captured)
  • Swims, spots, fishing sessions
  • Competition participation (membership, invitation status, responses)
  • Catch proposals submitted to other users

2.5 Social graph

  • Friend requests sent and received
  • Friendships (which users you are connected to)
  • Notifications about social activity

2.6 Technical & device data

  • Authentication tokens (stored locally in secure device storage)
  • Draft data (e.g. catch proposals in progress) stored locally on your device via AsyncStorage

We do not use third-party analytics, advertising SDKs, or crash-reporting tools. The app declares NSPrivacyTracking = false on iOS — we do not track you across other companies' apps or websites.

2.7 What we do NOT collect

  • Date of birth or age
  • Phone number
  • Postal address
  • Payment information
  • Government identifiers
  • Biometric data
  • Browsing history outside the app

3. Why We Collect Data and the Legal Basis

Purpose | Data used | Legal basis (GDPR Art. 6)
Provide your account & authenticate you | Email, password hash, username | Contract (Art. 6(1)(b))
Display your profile to friends/competitors | Name, avatar, preferences | Contract / your consent via profile settings
Save and display catches, swims, spots | Location, photos, notes, EXIF | Contract
Enable friendships and competitions | Social graph, notifications | Contract
Show map content | Approximate location sent to Google Maps for tile rendering | Legitimate interest (Art. 6(1)(f)) — app cannot function without a map
Secure the service (abuse prevention) | Account + content data | Legitimate interest (Art. 6(1)(f))

We do not use your data for advertising or for automated decision-making with legal effects.

4. Who Receives Your Data

We share data only with the processors required to run the service:

  • Supabase Inc. — our backend provider (PostgreSQL database, authentication, file storage, realtime). Project hosted in Frankfurt, Germany (EU). Supabase acts as a data processor under a Data Processing Agreement.
  • Google LLC (Google Maps SDK) — receives map-tile requests from the app, which include the approximate area you are viewing. Governed by Google's privacy policy.
  • Apple Inc. / Google LLC (push notifications) — if you enable notifications, Apple Push Notification Service or Firebase Cloud Messaging delivers messages to your device.

We do not sell your data and do not share it with advertisers or data brokers.

5. International Data Transfers

Your account, content, photos, and location data are stored on Supabase infrastructure in Frankfurt, Germany — inside the EU/EEA. No additional safeguard is required for this processing.

Some processors (notably Google LLC for Maps and push delivery) are US-based companies. Where personal data is transferred to the United States, the transfer is protected by the EU Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914, together with supplementary technical and organisational measures.

6. How Long We Keep Your Data

Category | Retention
Account & profile data | Until you delete your account
Catches, photos, swims, spots, competition history | Until you delete the item or your account
Friendships, notifications | Until you delete your account or the related item
Authentication tokens (on your device) | Until you log out
Server logs | 30 days

After account deletion, personal data is removed from the production database. Daily backups are retained for 7 days, after which the data is permanently removed from backups as well.

7. Your Rights

Under the GDPR you have the right to:

  • Access (Art. 15) — request a copy of the personal data we hold about you
  • Rectification (Art. 16) — correct inaccurate data
  • Erasure / "right to be forgotten" (Art. 17) — delete your account and associated data
  • Restriction (Art. 18) — limit how we process your data
  • Data portability (Art. 20) — receive your data in a machine-readable format
  • Objection (Art. 21) — object to processing based on legitimate interest
  • Withdraw consent at any time, without affecting the lawfulness of prior processing

To exercise any of these rights, email apps@labunie.nl. We respond within 30 days. You may also lodge a complaint with the Dutch supervisory authority:

Autoriteit Persoonsgegevens
Postbus 93374, 2509 AJ Den Haag
autoriteitpersoonsgegevens.nl

8. Security

We protect your data with:

  • Encrypted transport (HTTPS/TLS) for all network communication
  • Encryption at rest provided by Supabase
  • Row Level Security (RLS) policies in the database that enforce per-user access on every query
  • Authentication tokens stored in the device's secure storage (Keychain on iOS, EncryptedSharedPreferences on Android)
  • Private storage buckets for catch photos; only the owner and explicitly authorised users can access them

No system is 100% secure. If a personal-data breach occurs that poses a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours and inform affected users where required by Art. 34 GDPR.

9. Children

VisLab is not intended for users under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact apps@labunie.nl and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy. When we make material changes, we will update the "Last updated" date at the top and, where appropriate, notify you in the app. Continued use of VisLab after the change means you accept the updated policy.

11. Contact

Questions about this policy or about your data: apps@labunie.nl