← BackFishTale

Privacy Policy

EGO HERO LTD ("we", "us", "our") operates FishTale from Whangarei, New Zealand. This policy explains how we handle your personal information under the New Zealand Privacy Act 2020, and — for users in the European Economic Area, the United Kingdom, and Switzerland — under the General Data Protection Regulation (GDPR) and UK GDPR.

1. Who we are (data controller)

The controller of your personal information is EGO HERO LTD, Whangarei, New Zealand. You can contact us at support@fishtale.app. We are not currently required to appoint a Data Protection Officer under GDPR Article 37, but the same address handles all privacy enquiries within the same timelines a DPO would be expected to meet.

2. What we collect

  • Account information— email address, username, avatar, optional bio, self-declared age (we don't verify age beyond the signup declaration).
  • Authentication data — sign-in events, magic link or one-time code use, Google OAuth identifier if you sign in with Google.
  • Catches you log — photos, short videos, species, weight, length, the date you caught the fish, gear used, and any location you choose to attach.
  • Social activity — follows, reactions, reports you submit, catches you delete.
  • Moderation outcomes — whether your post was auto-flagged, hidden, restored, or removed; your aggregate flag count; any account-level suspension we apply.
  • Subscription information— if you subscribe to Pro, Stripe processes your payment. We don't see or store full card numbers; we keep the subscription state and a Stripe customer ID.
  • Device and usage— basic technical info like browser type, OS, and a session cookie used by Supabase Auth. We don't use third-party advertising cookies. See our Cookie Policy.

3. Why we collect it (purpose and lawful basis)

Under IPP 1 of the Privacy Act we collect personal information only for purposes connected with running FishTale. For EU/UK users, the same collection is justified under one of the lawful bases in GDPR Article 6:

  • Account, auth, and content storage— necessary to perform the contract between you and us (GDPR Art 6(1)(b)).
  • Content moderation, abuse detection, anti-bot— legitimate interests in keeping FishTale safe, lawful, and on-mission (GDPR Art 6(1)(f)).
  • Service emails (magic links, billing receipts)— necessary to perform the contract (GDPR Art 6(1)(b)).
  • Aggregated, non-identifying analytics— legitimate interests in product improvement (GDPR Art 6(1)(f)).
  • Legal and tax compliance— legal obligation (GDPR Art 6(1)(c)), including 7-year retention of payment records under New Zealand Inland Revenue and Companies Office rules.

4. Who else handles your data

We use a small set of trusted processors to run FishTale. None of them sell your data. We work to put a data processing agreement (DPA) or the provider's equivalent terms in place with each. If you'd like the current list of executed DPAs, email us:

  • Supabase — database, authentication, file storage (hosted in the United States).
  • Mux — short video hosting and transcoding (United States).
  • Cloudflare — Turnstile anti-bot challenge on signup (global edge network).
  • Stripe — payment processing for Pro subscriptions (United States and Ireland for EU customers).
  • Google Cloud (Vision AI) — automated moderation of uploaded images and a few sampled video frames (United States).
  • Brevo — transactional email delivery (European Union).

5. Sending your information overseas

Most of the processors above sit outside New Zealand, so your personal information is transferred to and stored in jurisdictions including the United States and the European Union. As required by IPP 12 of the Privacy Act 2020, we use providers who either operate from a jurisdiction with comparable privacy protections, or agree to comparable protections by contract. For EU/UK transfers under GDPR Chapter V, we rely on the European Commission's Standard Contractual Clauses (or equivalent UK clauses) where the destination country does not have an adequacy decision.

6. How long we keep it

Retention varies by data category. Once the retention period expires, data is removed from live systems within that window. Encrypted backups cycle on a longer schedule (typically up to 90 days), after which the data is overwritten in the backup as well.

  • Account and profile data — for as long as your account exists. Removed from live systems within 30 days of account deletion.
  • Catch media (photos, videos) — immediately removed from public view when you delete a catch; removed from live storage within 30 days; purged from backups within 90 days.
  • Moderation records — kept for up to 12 months after your account is deleted, so we can investigate appeals and detect repeat offenders.
  • Payment records — 7 years from the end of the tax year of the transaction, to satisfy Inland Revenue and Companies Office obligations.
  • Server / authentication logs — typically 30–90 days.

7. Automated decision-making

We use Google Cloud Vision AI to scan every catch photo and a sample of video frames at upload time. If the system rates a piece of content as likely off-topic or unsafe, the catch is automatically hidden from the feed and queued for human review. After three flagged posts your account is auto-suspended pending human review.

You have the right to request human review of any automated moderation decision that significantly affects you. Email support@fishtale.appand we will re-examine the decision. For EU/UK users this is also your right under GDPR Article 22 (right not to be subject to a decision based solely on automated processing).

8. Your rights

Wherever you live, you can ask us to:

  • show you the personal information we hold about you,
  • correct it if it's wrong,
  • delete your account and the content tied to it,
  • export a copy of your content (a contractual right we extend to all users — for EU/UK users it is also a statutory right under GDPR Art 20).

Email support@fishtale.app for any of the above.

For New Zealand users:the Privacy Act 2020 gives you the rights of access (IPP 6) and correction (IPP 7). We will respond within 20 working days, although s 46 of the Act lets us extend that period by a further 20 working days where a request is large or complex — we will tell you in writing if we need to do that.

For EU/UK/Swiss users:in addition to access and correction, the GDPR (Art 15–22) gives you the rights to erasure ("right to be forgotten"), restriction of processing, objection (including objection to processing based on legitimate interests), data portability, and not to be subject to solely automated decision-making. We respond to GDPR rights requests within one calendar month, extendable by two further months for complex requests.

If you are not satisfied with how we handle a privacy concern, you can complain to:

  • New Zealand — the Office of the Privacy Commissioner at privacy.org.nz.
  • European Economic Area — the supervisory authority in your country of residence. A list is at edpb.europa.eu.
  • United Kingdom— the Information Commissioner's Office at ico.org.uk.

9. Children

FishTale is intended for users aged 13 and over. We rely on a self-declaration during signup — we do not run age verification beyond the declaration. If you are under 16, your parent or guardian must agree to the Terms on your behalf. If we discover that an account belongs to a user under 13, we will delete it. If you believe such an account exists, email us and we'll act on it.

10. Security and breach notification

We use TLS in transit, encryption at rest, scoped database access via row-level security, and strict access controls for the small team that runs FishTale. No service is perfectly secure. If a breach affects your personal information in a way that may cause you serious harm:

  • We will notify the New Zealand Privacy Commissioner as soon as reasonably practicable, as required by Privacy Act s 114.
  • For breaches affecting EU/UK personal data, we will notify the relevant supervisory authority within 72 hoursas required by GDPR Article 33.
  • We will notify affected users as soon as reasonably practicable after notifying the regulator.

11. Changes to this policy

When we update this policy materially we'll surface the change in-app and update the date below.

12. Contact

EGO HERO LTD, Whangarei, New Zealand.
Privacy enquiries: support@fishtale.app

Last updated: May 2026