Privacy Policy

Last updated: 27 June 2026

Maranox is a marine seabed, chart, weather, and fishing-information app for Irish and UK waters, built and operated by MARANOX TECHNOLOGIES LIMITED ("Maranox", "we", "us", "our"). This policy explains what personal data the app and our website collect, why, the lawful basis for each use, how long we keep it, who we share it with, where it goes, and the rights you have under the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.

1. Who we are (data controller)

The data controller for the personal data described here is:

We have not appointed a Data Protection Officer, as we are not required to. You can raise any data-protection question with us at contact@maranox.ie.

2. What we collect, why, and our lawful basis

For each category of personal data, the lawful basis under Article 6 GDPR is the legal ground that permits us to process your data.

• GPS location (on device) — your live position, recorded GPS tracks and trip logs (latitude, longitude, altitude, speed, heading, timestamp). Collected only while the app is open in the foreground — never in the background. Used to show your position on the chart and record the tracks and trips you ask the app to record. Lawful basis: performance of a contract — Art. 6(1)(b).
• GPS location (cloud sync of your own data) — your tracks, marks, and the live position of your own devices, sent to your private Maranox account if you sign in and enable cloud sync, to sync them across your own devices. Lawful basis: performance of a contract — Art. 6(1)(b).
• GPS location (sharing to other users) — your live boat position and/or locally-received AIS observations, published to the shared Maranox feed so other users can see them. Off by default; only sent when you switch the relevant sharing toggle on. Lawful basis: consent — Art. 6(1)(a). Turning the toggle off withdraws consent, stops new uploads, and removes your own-boat broadcast from the shared feed.
• Account email address — the email you sign in with (email one-time-code) or the email returned by Google sign-in. Used to create and operate your Maranox cloud account, sign you in, and let you recover access. Lawful basis: performance of a contract — Art. 6(1)(b).
• Account & device identifiers — a server-generated account ID, a device identifier stored on your device, and a separate, anonymous per-install analytics identifier. Used to link your synced data to your account, keep per-device settings separate, and count app usage anonymously. Lawful basis: account/device IDs — contract, Art. 6(1)(b); analytics ID — see Usage analytics below.
• Fishing marks — location bookmarks you create (name, latitude, longitude, notes, category, gear and soak-time details, timestamps), saved and synced. Lawful basis: performance of a contract — Art. 6(1)(b).
• GPS tracks & trip logs (synced) — the recorded path of a trip and its summary (start/end time, distance, name), saved and synced. Lawful basis: performance of a contract — Art. 6(1)(b).
• Device settings backup — your app preferences (map layers, units, display options, marker styles) backed up per device. Lawful basis: performance of a contract — Art. 6(1)(b).
• Optional profile — display name and boat name, if you choose to set them, shown as a friendly label across your own devices. Lawful basis: performance of a contract — Art. 6(1)(b).
• Usage analytics — anonymous feature-usage events (e.g. which map layers are toggled, when a route or track starts) tied only to a random per-install identifier. No name, email, account ID, location, IP, advertising ID, or cross-app tracking. Stored on your device first and uploaded to PostHog (EU) when you are online. Lawful basis: legitimate interests — Art. 6(1)(f) — in improving the app, balanced against the fact the data is anonymous, first-party, EU-hosted, and not used for tracking or advertising. You can opt out (section 8).
• Crash reports — anonymous diagnostic data when the app crashes (exception type, stack trace, app version). No user ID, email, or location is attached. Sent via Firebase Crashlytics (Google). Lawful basis: legitimate interests — Art. 6(1)(f) — in keeping the app stable and safe. You can opt out (section 8).
• In-app feedback — the message you send through the in-app feedback form, plus app version, build, and platform. Name and email are optional. Your IP address and User-Agent are recorded by our hosting provider (Cloudflare) when the message is submitted. Lawful basis: legitimate interests — Art. 6(1)(f) — in supporting users and basic abuse-prevention.
• Beta-signup data (website) — name, email, boat name, port, platform, marketing-attribution fields (UTM source/campaign/medium, referrer), plus IP and User-Agent, submitted through the beta-signup form on maranox.ie. Lawful basis: consent — Art. 6(1)(a) — for adding you as a tester; legitimate interests — Art. 6(1)(f) — for the IP/User-Agent security capture.
• Subscription status — when paid billing is live: whether your subscription is active, the plan, and renewal status, linked to your account ID. We never collect or store your payment-card details — billing is handled entirely by the app store / payment provider. Lawful basis: performance of a contract — Art. 6(1)(b).
• AIS observations you publish (Maranox Wheelhouse only) — if you use the desktop Wheelhouse product and enable network sharing, AIS positions your receiver hears (vessel identifier, position, speed, course, heading, timestamp). Off by default. Lawful basis: consent — Art. 6(1)(a).

3. What we do NOT collect

• We do not collect your name, email, or phone number unless you provide it or sign in to a cloud account.
• We do not show advertising; the app contains no ads.
• We do not do cross-app or cross-site tracking, and we build no advertising or behavioural profiles.
• We do not use advertising IDs or device fingerprinting.
• We do not collect or store your payment-card details.
• We do not sell your personal data to anyone, ever.

4. Who we share data with (processors and recipients)

We use the following service providers ("processors") to run Maranox. Each processes personal data only on our instructions, under a written data-processing agreement as required by Article 28 GDPR.

• Supabase (EU) — cloud accounts, authentication, sync, and sharing backend: account email, account/device IDs, marks, tracks, device settings, live device positions, profile, AIS network observations, and subscription entitlements.
• PostHog (EU) — product analytics: anonymous per-install analytics events only.
• Cloudflare (EU) — website backend (feedback + beta-signup storage) and chart-pack file hosting: feedback and beta-signup form data, including IP address and User-Agent; chart files contain no personal data.
• Google (Firebase Crashlytics) — crash diagnostics: anonymous crash reports (no user ID, email, or location). May process data in the United States (see section 6).
• Apple App Store / Google Play — billing, payments, and app distribution. They act as merchant of record; we never see your card details.
• RevenueCat (not yet active) — subscription management once paid billing goes live: subscription/purchase records linked to your account ID; no card details.

We may also disclose personal data if we are legally required to (for example to comply with a court order or lawful request from a public authority), or to protect the rights, safety, or property of Maranox, our users, or others. We do not sell your data and do not share it for advertising.

5. How long we keep it (retention)

• Marks, tracks, device settings, profile (cloud) — kept until you delete them in the app or delete your account, then permanently erased (section 8).
• Account record (email, account ID) — kept while your account is open; erased when you delete your account.
• Live device positions (cloud) — removed when you sign out or delete your account; updated in place while sharing is on.
• On-device data (local marks, tracks, settings, downloaded charts) — stored on your device; deleted when you uninstall the app or clear its data.
• Usage analytics — held briefly on your device (capped, newest kept), then uploaded to PostHog and deleted from the device. PostHog retention: kept for our analytics retention period and then deleted.
• Crash reports — Firebase Crashlytics retains crash data for 90 days (Google's default), after which it is deleted.
• In-app feedback — held in Cloudflare storage until we have actioned it, then deleted.
• Beta-signup data — deleted once you are onboarded as a tester, or on request.
• Shared AIS observations — short-lived: pruned automatically (live feed rows expire within minutes; pilot observations expire on a short TTL).

We may keep certain data for longer where we are required to by law (for example tax or accounting records relating to subscriptions), and only for as long as that obligation requires.

6. Sending data outside the EU/EEA (international transfers)

Most of your data stays in the EU: Supabase, PostHog, and Cloudflare process Maranox data on EU-hosted infrastructure. Some data is processed outside the EEA:

• Crash reports are processed by Google LLC (Firebase Crashlytics), which may process data in the United States. This transfer is protected by the EU–US Data Protection Framework (under which Google LLC is certified) and/or Google's Standard Contractual Clauses approved by the European Commission.
• RevenueCat (once paid billing is live) may process subscription data in the United States under Standard Contractual Clauses and/or the EU–US Data Protection Framework.

You can ask us for more information about these transfers and a copy of the relevant safeguards by emailing contact@maranox.ie.

7. Cloud sync and security

Cloud sync is optional. When you enable it, your data is sent over encrypted HTTPS and stored in our Supabase project, protected by account login and database Row-Level Security so other users cannot read it.

This is not end-to-end encryption: authorised Maranox operators may technically access cloud-stored data where necessary for support, security, or to meet a legal obligation. We do not inspect your fishing grounds or personal data as a normal part of running the service, and we never sell it or use it for advertising.

8. Your rights

Under the GDPR you have the right to be informed, to access, to rectify, to erase ("right to be forgotten"), to restrict processing, to object (including to direct marketing), to data portability, and to withdraw consent where we rely on consent. In the app you can already export your marks and tracks as GPX, KML, or CSV, and switch off any sharing/consent toggle (this does not affect processing done before you withdrew consent). We will respond to any request within one month, in line with Article 12(3) GDPR. There is normally no charge.

Opting out of analytics and crash reporting. You can opt out of usage analytics and crash reporting at any time using the in-app privacy controls in Settings.

Deleting your account and data. You can permanently delete your Maranox account and all the data we hold for it:

• In the app: open the Cloud screen and choose "Delete account & data", then confirm. This permanently erases your account record and all data linked to it — marks, tracks and track points, device positions, device settings, profile, AIS network observations, and any subscription entitlement records — from our servers. This is a true erasure, not a recoverable "hide".
• On the web: you can also start deletion, without signing into the app, at maranox.ie/delete-account.
• By email (fallback): email contact@maranox.ie and we will delete the account data, feedback, or beta-signup details we hold, subject to any legal retention obligation.

Deleting your account stops billing only if you also cancel your subscription in your app-store account (subscriptions are managed by the store) — see our Terms of Use.

9. Complaints — the Irish Data Protection Commission

If you are unhappy with how we have handled your personal data, you can complain to the Irish supervisory authority:

If you live in another EU/EEA country or the UK, you may also complain to your local supervisory authority (in the UK, the Information Commissioner's Office, ico.org.uk). We would, however, appreciate the chance to address your concern first — please contact us at contact@maranox.ie.

10. Children

Maranox is a general marine awareness tool for boaters of all kinds. It is not directed at children. Where creating a cloud account relies on your consent, you should be at least 16 (the digital age of consent in Ireland under the Data Protection Act 2018) or have the consent of a parent or guardian. The app is rated for general audiences in the app stores.

11. Data from public sources

The app displays reference data from public sources, including INFOMAR (Geological Survey Ireland & Marine Institute), EMODnet, Marine Institute ERDDAP, OpenStreetMap, and OpenSeaMap. This data is publicly available under open licences (such as CC-BY 4.0, CC-BY-SA, and ODbL) and is credited in the app. It is not personal data about you.

12. Changes to this policy

If we change this policy we will update the date at the top and, where the change is significant, tell you in the app or by email. Continued use of the app after a change means you accept the updated policy.