Privacy Policy
1. Who Is Responsible for Your Data
ShouldISail is operated by Eran Yanikov, an individual based in Israel. For all privacy enquiries or data-removal requests, contact: info@shouldisail.com.
We process personal data in accordance with the Israeli Privacy Protection Law 5741-1981 and its regulations. Where applicable (e.g. users located in the European Economic Area), we also comply with the EU General Data Protection Regulation (GDPR).
2. Data We Collect and Why
| Category | What we collect | Why / Legal basis |
|---|---|---|
| Account data | Name, email address, and profile picture URL — obtained via Google OAuth 2.0 or Apple Sign-In when you choose to sign in. | To create and identify your account, and to personalise the service. Legal basis: contract performance (Art. 6(1)(b) GDPR). |
| GPS & location data (mobile) | Device GPS coordinates collected during live navigation, track recording, and anchor watch sessions. Raw GPS tracks are processed on-device; coordinates are transmitted to our servers only when needed (e.g. to fetch weather for a tapped point, or to save a route you explicitly choose to save). | To provide live navigation, track recording, anchor drag detection, and route saving features. Legal basis: contract performance / consent (location permission). |
| Saved routes & favorites | Route names, waypoint coordinates, and favorite spot names and coordinates that you explicitly save to your account. | To allow you to access saved content across sessions and devices. Legal basis: contract performance. |
| Usage data — sailing lookups | Geographic coordinates (latitude / longitude) of points you request weather for, timestamps, and the weather assessment returned. | To enforce usage quotas, cache weather responses, and improve forecast accuracy. Legal basis: legitimate interests (Art. 6(1)(f) GDPR). |
| Guest usage data | A one-way SHA-256 hash of your IP address (the raw IP address is never stored), used to count daily free previews. | To enforce the guest click quota without identifying individuals. Legal basis: legitimate interests. |
| Billing data | Paddle customer ID, Paddle subscription ID, subscription start and end dates. We never see or store your payment card details — those remain exclusively with Paddle. | To activate, track, and expire your paid subscription. Legal basis: contract performance. |
| Technical / log data | Server-side error logs, including request paths, HTTP status codes, and timestamps. IP addresses may appear in error logs temporarily. | Security monitoring, debugging, and service reliability. Legal basis: legitimate interests. |
| Preferences | Your chosen boat type, preferred language, and UI preferences. | To personalise your experience across sessions. Legal basis: contract performance / legitimate interests. |
3. Cookies and Local Storage
ShouldISail uses a minimal set of cookies — no advertising or third-party tracking cookies:
- `shouldisail_token` — HttpOnly, SameSite=Strict authentication cookie containing your JWT. Expires after 24 hours (or on sign-out). Required for login.
- `shouldisail_session` — Server-side session cookie used for CSRF protection. Session lifetime only.
- `sis_lang` — Stores your language preference (e.g. `en` or `he`). Expires after 1 year. Non-sensitive.
Mobile app: The iOS/Android app does not use browser cookies. Authentication is managed via a short-lived JWT transmitted as a Bearer token in API request headers. The token is stored in the device's secure local storage and is never written to a cookie.
Paddle may set its own cookies when the checkout overlay is opened. These are governed by Paddle's Privacy Policy.
4. Third-Party Services (Sub-processors)
We share data with the following third parties only to the extent necessary to operate the service:
| Service | Data shared | Purpose & Privacy Policy |
|---|---|---|
| Google LLC | OAuth token exchange (name, email, profile picture URL) | Authentication. Google Privacy Policy |
| Apple Inc. | Sign-In token exchange (name, email — email may be relayed/anonymised by Apple) | Authentication (iOS). Apple Privacy Policy |
| Paddle.com | Email address, subscription ID, transaction data | Payment processing and subscription management. Paddle is the Merchant of Record and handles all tax obligations on our behalf. Paddle Privacy Policy |
| StormGlass | Geographic coordinates of map clicks | Real-time and forecast weather & ocean data. StormGlass Privacy Policy |
| Mapbox Inc. | Map tile requests (may include approximate location) | Interactive map rendering. Mapbox Privacy Policy |
| OpenSeaMap | Nautical chart tile requests (IP address, standard CDN request) | Crowd-sourced nautical overlay (depth contours, buoys, hazard markers). OpenSeaMap Imprint |
| GEBCO | Sea coordinates sent to retrieve approximate depth values | Global bathymetric (sea depth) data used in anchor watch scope calculations and depth display. Data returned is publicly available and non-personal. GEBCO |
| Google Fonts | IP address (standard web font CDN request) | Serving web fonts (Inter, Assistant). Google Fonts FAQ |
We do not use any advertising networks, analytics platforms (e.g. Google Analytics), or social media pixels. We do not sell, rent, or trade your personal data to any third party.
5. Data Retention
- Account data (name, email, preferences) — retained for as long as your account is active. Deleted within 30 days of an account deletion request.
- Sailing click history — retained for as long as your account is active, then deleted with your account. Anonymised aggregate statistics may be retained indefinitely.
- Guest IP hashes — automatically purged after 24 hours by the daily quota rollover.
- Billing identifiers (Paddle customer ID) — retained for 7 years after last transaction to meet legal accounting obligations, then deleted.
- Server logs — retained for up to 90 days, then automatically deleted.
6. Data Security
We apply reasonable technical and organisational measures to protect your data:
- Authentication tokens are stored in HttpOnly, SameSite=Strict cookies — inaccessible to JavaScript.
- All production traffic is served over HTTPS (TLS 1.2+).
- Passwords are never stored — authentication is delegated entirely to Google OAuth.
- Payment card data is handled exclusively by Paddle and never touches our servers.
- Database credentials and API keys are stored in environment variables, not in source code.
No method of transmission or storage is 100% secure. In the event of a data breach that affects your personal data, we will notify you and the relevant authorities as required by applicable law.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you.
- Right to rectification — ask us to correct inaccurate data.
- Right to erasure — request deletion of your account and associated data.
- Right to portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests.
- Right to restrict processing — ask us to pause processing in certain circumstances.
To exercise any of these rights, email info@shouldisail.com with your account email address. We will respond within 30 days. We do not charge a fee for reasonable requests.
If you are located in the EEA and believe we have not handled your data correctly, you have the right to lodge a complaint with your local data protection authority.
8. Children's Privacy
ShouldISail is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
9. International Data Transfers
ShouldISail is operated from Israel, which the European Commission has recognised as providing an adequate level of data protection for EEA residents. Our third-party service providers (Google, Paddle, StormGlass, Mapbox) may process data in the United States or other countries. Where applicable, these transfers are covered by Standard Contractual Clauses or equivalent safeguards.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to registered users by email at least 14 days before taking effect. The "Last updated" date at the top of this page will always reflect the current version. Continued use of the service after the effective date constitutes acceptance of the revised policy.
11. Contact
For privacy questions, data access or deletion requests, or any other enquiry:
ShouldISail
info@shouldisail.com