Privacy Policy — Sea Maps & AR

Effective date: 23 May 2026 · Last updated: 23 May 2026

This Privacy Policy describes how the iOS application Sea Maps & AR (the “App”) processes personal data within the meaning of Regulation (EU) 2016/679 (“GDPR”) and applicable U.S. state privacy laws, including the California Consumer Privacy Act as amended by the CPRA (collectively “CCPA/CPRA”). The App is published by an independent developer, has no proprietary back-end, requires no account, and never creates a server-side user profile.

1. Data controller

Pursuant to Art. 4(7) GDPR the data controller is:

Because the project is run by a single natural person acting as a sole developer, no Data Protection Officer (DPO) is appointed under Art. 37 GDPR; the controller acts as the sole point of contact for all privacy-related requests.

2. Scope of this policy

This policy applies exclusively to the Sea Maps & AR iOS app distributed through the Apple App Store, including its Apple Watch companion. It does not cover third-party services that you may reach through the App (for example tile servers, marine data providers, the Google ad network or the Apple App Store itself), each of which is governed by its own privacy policy. Where this document references such third parties, links are provided for transparency.

3. Summary at a glance

4. Categories of data the App processes

4.1 Precise location (GPS) — Core Location

The App uses Apple’s Core Location framework with two authorization modes:

Location data is processed on the device. It is never transmitted to a developer-controlled server. When the App contacts third-party data sources (tiles, weather, tides), only anonymous geographic coordinates or a bounding box are included — no identifiers, no IDFA, no cookies. Legal bases: Art. 6(1)(b) GDPR (performance of the requested navigation service) and, where applicable, Art. 6(1)(a) GDPR (your iOS authorization).

4.2 Camera and motion sensors (AR) — ARKit

The AR view uses Apple’s ARKit framework, the rear camera and the device motion/IMU sensors to overlay waypoints, distance labels and a luminous beacon on the live camera feed. The camera stream is processed entirely on the device, in real time, and is never recorded, stored or transmitted. Legal basis: Art. 6(1)(a) GDPR (your iOS authorization). You can revoke this permission at any time from iOS Settings.

4.3 Routes, waypoints, POIs, and settings — sandbox + private CloudKit

Routes you create, waypoints, saved POIs, weather preferences and unit settings are stored locally inside the app sandbox. If you have enabled iCloud, this data is also synchronized to your private CloudKit database under your own Apple ID. The developer cannot read or access that database; Apple acts as the data processor and applies its own protections, including end-to-end encryption for the private CloudKit database where supported. No copy is ever sent to a developer-controlled server. Legal basis: Art. 6(1)(b) GDPR.

4.4 Network connections (third-party data sources)

The App connects directly from your device to third-party endpoints to fetch map tiles, POI metadata, weather, tides, currents and bathymetry. Those endpoints inevitably observe your public IP address and the geographic bounding box you are viewing. No user identifier, IDFA or cookie is attached. See section 8 for the full list and their privacy policies. Legal bases: Art. 6(1)(b) GDPR (performance of the service you requested) and Art. 6(1)(f) GDPR (legitimate interest in delivering the chart you opened).

4.5 Local notifications (UserNotifications, no remote push)

The App schedules local notifications through Apple’s UserNotifications framework for anchor-drag alarms, off-route warnings, weather alerts and waypoint proximity. The App does not use Apple Push Notification service (APNs) for remote push and the developer has no notification server. No device token is collected and no message content leaves your device.

4.6 Diagnostics and crash reports (Apple system, no third-party SDKs)

If you have enabled “Share With App Developers” in iOS Settings, Apple may forward anonymized diagnostic and crash data to the developer through Apple’s system tooling. No third-party crash or analytics SDK (no Firebase Crashlytics, no Sentry, no Mixpanel, no Facebook SDK, no AppsFlyer, no Adjust) is integrated. You can opt out at any time in iOS Settings › Privacy & Security › Analytics & Improvements.

4.7 Apple Watch companion — route, distance, anchor watch, MOB

The optional Apple Watch app mirrors the active route, distance to the next waypoint, anchor watch status and Man Overboard (MOB) events on your wrist. The watch communicates with the iPhone exclusively through Apple’s WatchConnectivity framework on a paired-device basis. No data is sent from the watch to a developer-controlled server. Watch location, when used, follows the same Core Location rules described in section 4.1.

5. App Tracking Transparency (ATT)

On iOS, before any tracking identifier may be shared with third parties, the App shows the standard App Tracking Transparency prompt required by Apple. The prompt explains that allowing tracking lets the App share the IDFA with Google AdMob for personalized advertising.

You can change your decision at any time in iOS Settings › Privacy & Security › Tracking › Sea Maps & AR.

6. Advertising — Google AdMob

The App integrates the Google Mobile Ads SDK (Google AdMob) to display advertising. The following formats are used:

Consent and ad personalization:

Categories of data that Google AdMob may receive (as declared by Google for the Mobile Ads SDK): IDFA (only if ATT is granted), Advertising Data, Coarse Location derived from the IP address, Product Interaction events, Crash Data and diagnostic information needed to render and measure the ad.

In the European Union, the European Economic Area, the United Kingdom and Switzerland the App also displays the Google User Messaging Platform (UMP) consent form to collect your choices under the IAB Transparency & Consent Framework v2 (TCF v2). Vendors covered include Google’s ad network and Google’s IAB TCF partners; the full, current list of purposes and vendors is presented inside the UMP form itself, which you can reopen at any time from the in-app Settings sheet (“Manage ad preferences”).

For more information on how Google processes ad-related data, see the Google Privacy Policy and the Google Advertising pages.

7. In-app purchases — Apple StoreKit

The App offers an optional Pro subscription with three tiers: monthly, yearly and a lifetime one-time purchase. Pricing, billing, taxation, refunds and family sharing are managed by Apple under your Apple ID. The transaction flow uses Apple’s StoreKit 2 framework.

Legal basis: Art. 6(1)(b) GDPR (performance of the purchase you requested).

8. Third-party data sources

The App fetches charts, environmental data and points of interest directly from public, anonymous HTTP endpoints. No user identifier, IDFA or cookie is attached. Each provider has its own privacy policy:

These services may log your public IP address and the requested area as part of their normal HTTP operation. The developer has no agreement to receive that data back.

9. Apple platform services

Distribution and operation of the App rely on Apple platform services, each governed by Apple’s privacy policy:

Apple acts as an independent controller for the platform-level processing it performs and as a processor where it stores your private CloudKit data on your behalf. See the Apple Privacy Policy.

10. Where data is processed and international transfers

Personal data handled on-device stays on your device or in your private iCloud. Where third-party services are contacted (section 8) or where advertising data is shared with Google AdMob (section 6), processing may occur outside the European Economic Area, including in the United States. Such transfers are covered by the Standard Contractual Clauses adopted by the European Commission and, for Google, by the EU–U.S. Data Privacy Framework, in accordance with Chapter V GDPR. Apple platform transfers are governed by Apple’s own transfer mechanisms and supplementary measures.

11. Data retention

12. Security

The App enforces HTTPS / App Transport Security for all network requests. Local persistence relies on the iOS app sandbox and on Apple file-protection classes. iCloud synchronization relies on CloudKit’s private database, encrypted in transit and at rest by Apple. Because no developer-controlled server exists, there is no developer-side credentials database that could be attacked. You are responsible for protecting your device with a passcode and Face ID/Touch ID.

13. Your rights

Under Articles 12 and 15–22 GDPR you have the rights of access, rectification, erasure, restriction, portability and objection, as well as the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. In practice, because the App holds no server-side data about you, these rights are exercised as follows:

You also have the right to lodge a complaint with a supervisory authority (in Italy, the Garante per la protezione dei dati personali).

California residents (CCPA/CPRA). The developer does not sell personal information for money. The sharing of the IDFA with Google AdMob for personalized advertising, when you have granted ATT, may qualify as “sharing” or “cross-context behavioral advertising” under the CPRA. You can exercise your right to opt out of sharing at any time by denying or revoking ATT in iOS Settings, which immediately switches AdMob to non-personalized mode. You also have the rights to know, to delete, to correct and to non-discrimination, exercisable by writing to andreapiani.dev@gmail.com.

14. Children

The App is not directed to children under 13 and carries an App Store age rating of 4+. The developer does not knowingly collect personal data from children. If you believe a child has provided personal data through the App, please contact the developer so that any local data on the device can be removed and, where applicable, consent flows can be reviewed.

15. Automated decision-making

The App does not perform automated decision-making producing legal or similarly significant effects on you within the meaning of Art. 22 GDPR. Ad selection performed by Google AdMob is governed by Google’s own policies and is not used by the developer to make any decision about you. Route guidance is a real-time geometric computation and is not used to evaluate you as a person.

16. Changes to this policy

This document may be updated to reflect new features, new third-party services or regulatory changes. The effective date at the top of the document indicates the current version. Continued use of the App after an update means you have read the revised policy; significant changes affecting consent will be re-prompted through the ATT and/or UMP flows.

17. Contact

For privacy questions or to exercise the rights described above, write to andreapiani.dev@gmail.com. Replies are provided within 30 days in accordance with Art. 12(3) GDPR. For complaints in Italy, you may also address the Garante per la protezione dei dati personali.