Privacy Policy — Ancora Sicura (Anchor Alarm)
Effective date: 23 May 2026 · Last updated: 26 May 2026
This Privacy Policy explains how the iOS application Ancora Sicura (marketed as “Anchor Alarm”, hereafter the “App”) and its Apple Watch companion (AncorWatch) process information when you install and use them. The App turns an iPhone into an always-on anchor sentinel: it monitors the boat’s GPS position relative to a chosen anchor point, raises an alarm if the boat drifts outside a safety radius, displays nautical charts, fetches weather data and records session history.
We have written this policy to be specific. The App contains advertising, in-app subscriptions and a position-sharing feature; we describe these here in detail rather than hide them.
1. Data controller
- Andrea Piani, independent developer, Italy.
- Privacy contact: andreapiani.dev@gmail.com.
The App is distributed through the Apple App Store. Apple Inc. and Apple Distribution International Ltd. act as independent controllers for the data they process during download, purchase and subscription management, in accordance with their own privacy policies.
2. Scope
This policy covers the iPhone App and the AncorWatch watchOS companion. It does not cover the third-party services listed in Sections 6, 7 and 8, each of which operates under its own privacy notice.
3. Summary at a glance
- The App does not require an account.
- The App requests Always location permission because anchor monitoring must run while the App is in the background. See Section 4.1.
- The App displays advertising through Google AdMob (app open, interstitial, rewarded) to free users only. See Section 7.
- The App offers optional auto-renewing subscriptions (monthly and annual) that remove all advertising. Payment is handled entirely by Apple. See Section 8.
- The App presents an App Tracking Transparency (ATT) prompt because the advertising SDK may use the IDFA if you grant permission.
- Anchor sessions, settings and the local audit log are stored on your device.
- Position and sensor data used by monitoring and drift prediction are processed locally on the device.
- The optional position-sharing feature generates a self-contained URL whose payload is encoded in the link itself; no session data is uploaded to a developer-controlled database. See Section 4.6.
- The App does not include analytics or crash-reporting SDKs.
4. Categories of data the App processes
4.1 Precise location (GPS) — including background
Anchor monitoring is the core function of the App. To compare your boat’s position to the anchor point even while your phone is locked or the App is in the background, Core Location authorization is requested in two steps:
- While Using the App. Used to centre the map, place the anchor, measure drift and feed live displays.
- Always (background). Required to keep monitoring while the App is not in the foreground. The iOS “Background Modes › Location updates” capability is declared for this purpose. Without Always permission, the alarm cannot fire reliably when the screen is off.
Location data is processed on your device through Core Location (with a Kalman filter to reduce GPS jitter) and Core Motion (used by the optional drift predictor and barometric refinement). The App does not transmit your raw location to a server controlled by the developer. When the App requests weather or chart tiles for an area, the upstream server only receives the geographic bounding box.
Legal basis (GDPR Art. 6): performance of the safety service you have requested (Art. 6(1)(b)) and your explicit consent given through the iOS permission dialog (Art. 6(1)(a)). You may revoke this consent at any time in iOS Settings › Privacy › Location Services. Revoking Always permission will disable background monitoring.
4.2 Motion sensors
The drift predictor and altimeter use Apple’s Core Motion (accelerometer, gyroscope, CMAltimeter). Readings are processed in memory and used to refine the heading and drift estimates. They are not transmitted off the device.
Legal basis: consent (Art. 6(1)(a)) given via the iOS Motion & Fitness prompt and the contractual purpose of providing the monitoring feature (Art. 6(1)(b)).
4.3 Anchor sessions and local content
The App stores the following on the device, inside its own sandbox, using Core Data and the local file system:
- Anchor sessions: start/end time, anchor coordinates, safety radius, maximum recorded drift, duration, optional notes.
- Saved presets, multi-anchor configurations and polygon-anchoring areas.
- An audit log of monitoring events (alarm trigger, threshold change, session resume) used for diagnostics and for the CSV export you may produce yourself.
- App settings, units, calibration data, premium entitlement flag.
None of this content is uploaded to a developer-controlled server. CSV export is initiated only by you, through the standard iOS share sheet.
Legal basis: performance of the service (Art. 6(1)(b)).
4.4 Network connections (third-party data sources)
To display maps and weather, the App connects to the third-party services listed in Section 6. The information transmitted is what is technically necessary to fulfil the request: typically your IP address (visible to the server because of the nature of the internet), the geographic bounding box being queried and timestamps. No personal identifiers are added by the App.
4.5 Local notifications and critical alarms
The anchor alarm is delivered through Apple’s UserNotifications framework as a local notification with the “Critical” or “Time-Sensitive” interruption level, so it can sound even with the phone in silent mode (subject to your iOS settings). The App does not use remote push notifications and does not register a push token with any server. You may disable or limit notifications from iOS Settings › Notifications › Ancora Sicura.
4.6 Optional position sharing
The App can generate a sharable link that lets a trusted person (typically a co-owner, partner or family member ashore) see your anchor point and last known boat position on a static web page. The implementation is privacy-preserving by design:
- The payload (anchor latitude/longitude, safety radius, optional last boat position, timestamp, expiration, random session ID and HMAC signature) is encoded directly in the URL as a base64 query parameter.
- The static page hosted at
https://ancora-sicura-share.web.appdecodes the URL client-side and renders a map preview. No session data is stored in a developer-controlled database. - The link contains an expiration timestamp (default 24 hours) and a HMAC signature generated with a key kept in the iOS Keychain, used to detect tampering.
- The hosting domain is Firebase Hosting, which receives the HTTP request (URL, IP address of the viewer, User-Agent) according to its own logging policies. The developer does not receive these logs in identifying form.
- You decide whether to generate a link, with whom to share it, and you can stop updating the boat position at any time inside the App.
Anyone who receives the link can view its content. Treat shareable links as you would treat a one-time message.
Legal basis: performance of the sharing service you have explicitly initiated (Art. 6(1)(b) GDPR).
4.7 Apple Watch companion
The optional AncorWatch companion on Apple Watch mirrors the live monitoring state and lets you stop a session from the wrist. Communication between iPhone and Apple Watch uses Apple’s WatchConnectivity framework and remains entirely on your paired devices.
5. App Tracking Transparency (ATT)
On first launch (after onboarding) the App presents the iOS App Tracking Transparency prompt. Your choice controls whether the advertising SDK (Google Mobile Ads, see Section 7) may access the Identifier for Advertisers (IDFA) for the purposes described in the prompt:
- If you choose Ask App Not to Track, the App and its SDKs cannot read the IDFA. Ads served are limited to non-personalized advertising.
- If you choose Allow, the advertising SDK may read the IDFA and serve personalized advertising in accordance with Google’s policies.
You can change this choice at any time from iOS Settings › Privacy & Security › Tracking. The premium tiers described in Section 8 remove all advertising and, as a consequence, prevent any IDFA use by the advertising SDK, regardless of your ATT choice. The Google Mobile Ads SDK is also deferred until onboarding is complete: it is not initialized before the ATT prompt is shown.
6. Map and weather providers
- Apple MapKit — base map tiles and search. Governed by the Apple Privacy Policy.
- OpenSeaMap — nautical chart overlay tiles. Site.
- OpenWeather / Open-Meteo — weather forecasts and current conditions. Governed by the providers’ respective privacy policies (OpenWeather, Open-Meteo).
- Overpass API — optional querying of harbours and marine points of interest. Site.
Each provider may, in accordance with its own policy, log the IP address of incoming requests for security and abuse prevention. The developer does not receive these logs.
7. Advertising — Google AdMob
The App displays advertising through the Google Mobile Ads SDK (Google AdMob), publisher ID pub-1193280742171051. Free users may see:
- App open ads when the App is brought back to the foreground from background;
- Interstitial ads at natural break points (end of an anchor session, opening the History view), subject to a global frequency cap (no more than once every 60 seconds);
- Rewarded ads that you may opt into to temporarily unlock a premium feature.
Google, acting as an independent controller, may process the following categories of data for the purposes of ad delivery, frequency capping, attribution, fraud prevention and (where you have granted ATT permission) personalization: IP address, device identifiers (including IDFA when ATT permission is granted), advertising-related events, coarse location derived from IP, device and OS information.
Google’s processing is governed by the Google Privacy Policy and, where applicable, by Google’s contractual commitments under the Ads Data Processing Terms. Standard Contractual Clauses are used for transfers outside the European Economic Area. An app-ads.txt file authorizing Google as a direct seller for this publisher ID is published at privacypolicyhub.vercel.app/app-ads.txt.
Users subscribed to a premium tier (Section 8) do not see any ads and, for them, the advertising SDK is not loaded.
Legal basis: for non-personalized advertising, the legitimate interest in funding a free safety application (Art. 6(1)(f) GDPR); for personalized advertising, your consent given through the ATT prompt and any consent banner (Art. 6(1)(a) GDPR).
8. In-app purchases — Apple StoreKit
The App offers two optional in-app purchases for the premium tier, handled entirely through Apple’s in-app purchase system (StoreKit 2):
- Monthly subscription — product ID
securanchormontly, auto-renewing. - Annual subscription — product ID
securanchorannual, auto-renewing.
Both options remove every form of advertising described in Section 7 and unlock premium features.
Payment processing. Pricing, billing, refunds, invoicing, taxes and any change to your payment method are handled by Apple. The developer does not receive or store your credit card number, Apple ID, purchase email, billing address or any other payment data. The payment contractual relationship is governed by the Apple Media Services Terms and Conditions.
Data received by the App. Through StoreKit, the App receives only — on-device — the information necessary to verify your active entitlement: transaction ID, product ID, purchase date, expiration date (subscriptions only) and optional revocation date. This information is signed by Apple and validated by the StoreKit 2 framework on your device. It is not sent to any server controlled by the developer.
Local entitlement caching. To remember the premium status across launches — and avoid a brief “flash” of advertising before online verification — the App stores a single flag and a subscription expiration date in UserDefaults, inside its own sandbox. No payment or personal data is included.
Renewal, cancellation and refunds. Subscriptions auto-renew at the end of each period unless cancelled at least 24 hours before. You can cancel at any time in iOS Settings › Apple ID › Subscriptions. Refunds are subject to Apple’s refund policy.
Legal basis: performance of the purchase contract requested by the user (Art. 6(1)(b) GDPR).
9. Analytics and crash reporting
The App does not embed third-party analytics or crash-reporting SDKs (no Firebase Analytics, no Crashlytics, no third-party telemetry). Apple may make aggregated, anonymized crash and usage information available to the developer through App Store Connect only if you have separately opted into “Share with App Developers” in iOS Settings › Privacy & Security › Analytics & Improvements; this is handled entirely by Apple under its own privacy policy.
10. What the App does NOT do
- No collection of contacts, photos, microphone, health data, calendar, or files outside the App’s own sandbox.
- No background tracking of your location for advertising or analytics. Background location is used only for anchor monitoring.
- No mandatory accounts, sign-in, or social login.
- No direct handling of payment data: purchases are fully intermediated by Apple.
- No upload of anchor sessions, tracks or the audit log to a developer-controlled server.
- No sale of personal data within the meaning of CCPA/CPRA. Sharing for the limited advertising purposes described in Section 7 may qualify as “sharing” under CPRA; California residents can opt out via the ATT prompt, or purchase a premium tier to remove advertising entirely.
11. Where data is processed and international transfers
Data created by you is processed on your iOS device, located wherever you are. Map and weather requests are routed to providers operating servers in the European Union and in third countries (notably the United States for some Apple, Google and Overpass mirrors). Purchase processing by Apple, and advertising processing by Google, take place in their respective global infrastructures, including the United States, with the safeguards described in Sections 7 and 8.
12. Data retention
- The developer does not store your personal data on developer-controlled servers.
- Anchor sessions and the audit log are retained on the device until you delete them inside the App or uninstall the App.
- StoreKit transaction information is kept on the device while the entitlement is active; the local entitlement flag is held in
UserDefaultsand cleared on expiration or App uninstall. Apple retains transaction records under its own policies. - Shareable links expire automatically after the configured duration (default 24 hours); after expiration the static page rejects the payload.
- Advertising data is retained according to Google’s policies.
13. Security
The App uses HTTPS for all network requests where supported by the upstream provider. The HMAC signing key used for shareable links is generated locally and stored in the iOS Keychain. StoreKit transactions are signed by Apple and verified on-device by the StoreKit 2 framework. Local content benefits from iOS data protection when your device is passcode-locked. Because the developer does not operate a backend, there is no developer-managed credential store that could be breached.
14. Your rights
If you are located in the European Economic Area, the United Kingdom, or a jurisdiction with similar laws, you have the rights of access, rectification, erasure, restriction, portability and objection regarding personal data:
- Erase local data: delete sessions inside the App or uninstall the App.
- Withdraw permissions for location, motion and notifications: iOS Settings › Privacy & Security.
- Withdraw ATT consent: iOS Settings › Privacy & Security › Tracking.
- Reset the advertising identifier: iOS Settings › Privacy & Security › Tracking › Allow Apps to Request to Track → toggle.
- Manage or cancel the premium subscription: iOS Settings › Apple ID › Subscriptions, or directly from the App’s Settings screen.
- Disable notifications: iOS Settings › Notifications.
- Exercise rights against Apple for purchase and subscription handling: through the Apple Privacy Policy.
- Exercise rights against Google for advertising processing: through the Google Privacy & Terms centre.
You may also contact the developer at andreapiani.dev@gmail.com. You have the right to lodge a complaint with a supervisory authority. In Italy this is the Garante per la protezione dei dati personali.
15. Children
The App is not directed at children under the age of 13 (or under 16 where required by local law) and does not knowingly collect personal data from children. Advertising delivered through the App is configured to comply with Google’s policies regarding ad serving to children where the App audience requires it. In-app purchases may be restricted via iOS Screen Time or Family controls.
16. Automated decision-making
The App does not perform automated decision-making or profiling that produces legal or similarly significant effects. The drift prediction algorithm is a navigational aid; it does not make decisions about you.
17. Safety disclaimer
Ancora Sicura is a navigation aid, not a substitute for proper seamanship, an anchor watch by the crew, or compliance with the rules of the road. Always keep a manual lookout and verify your anchor holding. The developer assumes no liability for damages arising from reliance on the App.
18. Changes to this policy
This policy may be updated to reflect new features, new third-party providers, or changes in applicable law. The “Last updated” date at the top tracks the latest revision. Material changes will be announced inside the App on first launch after the update.
19. Contact
For any question regarding this policy, please contact the developer at andreapiani.dev@gmail.com. We aim to respond within 30 days, in accordance with Article 12(3) GDPR.