Privacy Policy – Sailor Croatia

Effective Date: July 7, 2026

1. General

1.1 What Is Personal Data?

Personal data is any information relating to an identified or identifiable natural person. A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to that person.

1.2 Scope and Data Controller

This Privacy Policy explains how SourceFlow AI d.o.o. (hereinafter “we,” “us,” “our”) collects and processes personal data when you use our mobile application Sailor Croatia on iOS and Android (the “App”) and when you visit our website at sailor-croatia.app (the “Website”).

We process personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) and Croatian data protection law. We are the data controller for the processing described herein. No data protection officer has been appointed, as we assess that our processing does not meet the thresholds set forth in Article 37(1) of the GDPR. If you have any questions regarding data protection, please contact us at info@sourceflow.ai.

1.3 What Personal Data We Process

We strive to keep data collection to a minimum. The app does not require an account. During normal use of the app without contacting us, we do not collect your name, email address, phone number, or social media profile. However, personal contact data may be processed if you voluntarily provide it to us via the contact form, by email, or through a feedback feature.

1.3.1 Subscription Identifiers

When you launch the app for the first time, you are automatically assigned a RevenueCat user ID. This is a random, opaque identifier. We treat this identifier as pseudonymous personal data in accordance with the GDPR: it contains neither your name nor your email address; however, since it can be recognized during your use of the app, we protect it accordingly.

In addition, we store the subscription status, product ID, and expiration date for each Pro plan you purchase. The payments themselves are processed by Apple (App Store) or Google (Google Play); we do not receive or store any of your payment card or bank details.

1.3.2 Push Notification Token

To be able to send you push notifications, the app receives a Firebase Cloud Messaging token (“FCM token”), a pseudonymous device identifier generated by Google’s Firebase SDK. The token is created when the app runs; push notifications are only delivered to you if you have granted notification permission. On iOS devices, the Apple Push Notification Service (“APNs”) may also be integrated for technical delivery.

We store this token in our backend (AWS, EU-Central-1) so that we can send you push notifications via the app. Push notifications may include, in particular, feature-related notices, security- or service-related information, information about app updates, and—provided that the appropriate authorization or consent has been granted—notifications about new features. The token does not contain your name or contact information; however, it is linked to your RevenueCat user ID and your device platform (iOS or Android).

You can prevent further notifications from being sent at any time by revoking the notification permission in your device settings. On iOS: Settings → Notifications → Sailor Croatia → disable “Allow Notifications.” On Android: Settings → Apps → Sailor Croatia → Notifications → disable. Revoking permission in your device settings prevents further notifications from being delivered. The token stored by us is deleted when the token is rotated by the operating system or becomes invalid, when you request its deletion, or when the app has not been actively used for a period of 36 months and we can technically detect this inactivity.

1.3.3 Analytics Events

While you use the app, we send analytics events to our backend so that we can track usage, detect errors, plan improvements, and identify popular areas that we would like to include in future app versions.

Each event may contain the following basic data: Timestamp, RevenueCat user ID, device and app fingerprint (platform, operating system version, device model, app version, build type), indication of whether an active Pro subscription exists, and—if available—your approximate location, rounded to one decimal place for latitude and longitude (resolution of approximately 11 km). In addition to these basic fields, individual events may contain technical metadata describing what just happened, such as which feature was used, the route length, the type of error, or similar technical information.

Please note the following specifics: When you save a location, we receive its exact coordinates, the name you assigned it, and its category; we use this to identify popular locations that we can highlight in future versions. If the weather overlay cannot be displayed in the app, we record the exact coordinates and zoom level of the map area on the screen to diagnose the error. Free-text you enter—such as search queries, place names, or feedback messages—may be sent to our backend; therefore,, do not enter any information that could directly identify you or others, such as full names, contact details, private addresses, or boat registration numbers, as well as any other highly personal or health-related information. When you complete or cancel a navigation session, or if your speed exceeds the safety threshold near the coast, we collect speed and threshold violation data linked to your RevenueCat user ID.

When you plan a route, the exact coordinates of each waypoint you specify are included in the route analysis event. If you acknowledge the in-app safety notice or the depth notice before planning a route, we record a safety_disclaimer_acknowledged or route_depth_notice_acknowledged event, respectively; these events are subject to tiered retention for the purposes of asserting, exercising, or defending legal claims (see Section 1.7).

1.3.4 Location Data Used in the App

The app uses your device’s GPS to calculate your position, distance from the coast, speed, and course. Continuous, high-frequency, and precise location tracking is generally processed locally on your device and is not continuously transmitted to our servers as live tracking.

Accurate or rounded location data is transmitted to our backend only in the cases described in this Privacy Policy, in particular during analysis events as described in Section 1.3.3, when saving a location, during route planning, in the event of weather overlay errors, for shared routes or locations as described in Section 1.3.5, for route feedback as described in Section 1.3.11, when generating a trip story (to retrieve coastline for the approximate trip area), and—provided you consent—for feedback as described in Section 1.3.8.

If you enable background tracking or record a trip, the app runs a foreground service (Android) or a background location task (iOS) so that tracking or trip recording can continue even when the screen is off. This ongoing processing takes place locally on your device, unless one of the explicitly described transmission cases applies.

1.3.5 Shared Routes and Locations

If you want to share a route or a saved location, the app uploads the route or location data to our backend and returns a short sharing code. The data may include location names, exact coordinates, route geometry, waypoints, and any notes you’ve added. Anyone who has the sharing code can access the data—so treat sharing codes as public. As sharing codes are public, ensure your notes do not contain personal information. Shared data is automatically deleted 365 days after it is created. After this period or if the app is uninstalled, retrieval of this content may not be possible.

1.3.6 Locally Stored Settings

Settings such as map style, units, travel speed, default fuel cost values, downloaded area packages, saved routes and locations, and the share code cache are stored exclusively on your device (Android Jetpack DataStore or iOS UserDefaults / file storage). They are not transmitted to our servers unless you explicitly share them or they are related to the analytics events described in Section 1.3.3.

1.3.7 Diagnostic and Crash Data

The app may send aggregated diagnostic information (e.g., crashes, ANRs, performance metrics) to platform services provided by Apple or Google. These reports are subject to the privacy policies of the respective platform providers. We do not receive your name, email address, or exact physical location in these reports.

1.3.8 Feedback You Submit

If you use the in-app feedback feature, the message you compose, any attached images, and—only if you consent—your accurate location will be sent to our backend so that we can investigate and respond to the issue. The content of the feedback is stored as described in Section 1.7.

1.3.9 Use of the Website

When you visit the website, your browser automatically sends standard request data (specifically, IP address, user agent, requested URL, date and time of the request, and, if applicable, the referring page) to our content delivery network. The website does not set its own cookies for advertising, retargeting, or social media tracking, nor does it load scripts for these purposes. The technically necessary or analytical services described in Section 5 remain unaffected by this.

1.3.10 Location Reviews and Photos

If you write a review for a location (e.g., a bay, marina, or beach) in the app or upload photos while doing so, the review text and the uploaded photos are stored in our backend (AWS, EU-Central-1). Reviews and photos are linked to your RevenueCat user ID, but not to your name or email address.

Please upload only photos for which you hold the necessary rights, and avoid depicting other people without their consent. If people are recognizable in a photo you have uploaded, we will delete the photo upon a legitimate request for deletion from the affected person, unless overriding legitimate interests or legal grounds prevent this in individual cases.

Reviews and photos are stored indefinitely, as they serve to permanently display user reviews within the app and to develop future app features. The legal basis is Article 6(1)(b) of the GDPR (performance of a contract—provision of the review feature) and Article 6(1)(f) of the GDPR (legitimate interest in the ongoing improvement of map data and app quality).

1.3.11 Route Feedback

The app allows you to submit specific feedback on a route. Route feedback is handled similarly to the general in-app feedback described in Section 1.3.8, but also includes route-specific information—in particular, the exact coordinates of the waypoints you have specified.

This data is stored in our backend (AWS, EU-Central-1) so that we can analyze the feedback and improve route quality and app functionality. Route feedback is stored for up to 24 months after submission and is subsequently deleted or anonymized, unless longer retention is necessary to assert, exercise, or defend legal claims. The legal basis is Art. 6(1), sentence 1, lit. f of the GDPR (legitimate interest in improving route quality and app features).

1.3.12 Trip recordings and trip stories

When you record a trip or create a trip story, the GPS track of the trip, any photos and videos you add, your boat image and name, and the rendered trip-story videos are stored only on your device; they are not uploaded to our servers. To draw the coastline shown in a trip story, the app requests coastline and map data from our backend (AWS, EU-Central-1) for the approximate area of your trip; this retrieves map data for that area and does not upload your photos, videos, or the full recorded track. The analytics events we receive about trips and trip stories contain only aggregate statistics (such as trip distance, duration, and counts) together with the coarse, ~11 km-rounded location attached to all analytics events (see Section 1.3.3) — never your precise track, photos, or videos.

1.3.13 Trip-story feedback

When you submit feedback on a trip story — a rating and, optionally, a comment — the rating and any comment you write are sent to our backend through the same feedback channel as our in-app feedback feature (Section 1.3.8), together with the trip and story identifiers, so that we can review the feedback and improve the trip-story feature; the trip story itself, including the underlying recording, photos, and videos, is not uploaded. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in improving the feature). This data is stored and retained in the same way as in-app feedback (see Section 1.7).

1.4 Legal Bases for Processing

We process your personal data exclusively on the basis of the applicable legal grounds in accordance with Article 6 of the GDPR.

The legal basis for providing the app’s core functions, managing Pro subscriptions, and operating the “Share via Link” feature for routes and locations is Article 6(1), first sentence, letter b of the GDPR (performance of the contract with you).

The legal basis for functional, security-, or service-related push notifications; the processing of analytics events to improve and troubleshoot the app; the assertion, exercise, or defense of legal claims; and the response to support requests is Article 6(1), first sentence, (f) of the GDPR (legitimate interests). To the extent that push notifications go beyond purely functional, security, or service-related information and consent is required under applicable law, processing is based on Article 6(1), first sentence, letter a of the GDPR.

The legal basis for fulfilling tax and accounting obligations, as well as for processing legitimate requests from public authorities, is Article 6(1), first sentence, letter c of the GDPR (legal obligation).

You may object to processing based on legitimate interests at any time by sending an email to info@sourceflow.ai. If you object, we will cease the processing in question unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.

1.5 Disclosure of Data

We do not sell your personal data. We do not share your personal data for advertising purposes.

We use service providers who process personal data on our behalf, in some cases as data processors pursuant to Article 28 of the GDPR. To the extent that providers pursue their own purposes or make independent technical or legal decisions regarding certain processing operations, they act as independent data controllers. The specific involvement of these providers is described in more detail in Section 5.

The app also relies on third-party data sources, to which, as a general rule, no personal data about you is transmitted; these include, in particular, OpenStreetMap data as well as osmdata.openstreetmap.de (coastline and land data, preprocessed and aggregated in the backend) and the Državni hidrometeorološki zavod — DHMZ (Croatian Meteorological and Hydrological Service; weather data is retrieved exclusively via our backend). This is distinct from the use of the website’s route-sharing page, where your browser may retrieve map tiles directly from OpenStreetMap (see Section 5.7).

We may also disclose data if required by law, pursuant to a court or regulatory order, or as necessary to protect our legal rights.

1.6 International Data Transfers

Some of the providers mentioned in Section 5 are based outside the European Economic Area (EEA), specifically in the United States. Our primary backend infrastructure (AWS) is located in EU-Central-1 (Frankfurt, Germany), so the backend data under our direct control is generally processed within the EEA. However, depending on the provider, support case, technical implementation, or platform service, transfers or access outside the EEA cannot be completely ruled out.

For transfers to recipients outside the EEA, we rely, where necessary, on appropriate transfer mechanisms pursuant to Art. 44 et seq. of the GDPR, in particular adequacy decisions, certifications under the EU-U.S. Data Privacy Framework, and/or standard contractual clauses in accordance with Commission Decision (EU) 2021/914.

In particular, the following transfer mechanisms apply:

1.7 Retention

Push notification tokens are retained until the token is invalidated or rotated by the operating system, until you request deletion, or until the app has not been actively used for a period of 36 months and we can technically detect this inactivity.

Analytics events are retained for up to 24 months from the date of collection and are subsequently deleted or aggregated into non-personally identifiable data for long-term statistical purposes. This also applies to analytics events that contain precise coordinates, unless a more specific retention rule is provided for these events in this Privacy Policy.

Confirmation events for safety and depth notices (safety_disclaimer_acknowledged, route_depth_notice_acknowledged, and navigation_safety_agreed) and the terms-acceptance event (terms_update_acknowledged) are subject to a tiered retention policy for the purpose of asserting, exercising, or defending legal claims: The complete event data record is retained for 24 months; after that, location data and the Pro subscription status are deleted. The remaining data record (timestamp, RevenueCat user ID, event name, app version, platform, operating system version, device model, and build type) is then retained for a total of 5 years from the date of collection. This period is based on long statutory limitation periods for potential claims for compensation for personal injury, particularly in Croatia, to the extent that such claims may arise in individual cases. The record of your acceptance of an updated version of our Terms of Use or Privacy Policy (your RevenueCat user ID, the version accepted, and the acceptance timestamp) is likewise retained for up to 5 years for the same purpose. Requests to delete this category of data may be denied to the extent that continued storage is necessary for the establishment, exercise, or defense of legal claims (Art. 17(3)(e) GDPR).

Shared route and location data are automatically deleted 365 days after they are created.

User-specific subscription and authorization data (RevenueCat user ID, product ID, and expiration date) are retained for as long as the subscription is active and subsequently for up to three years after the subscription expires, to the extent necessary for restoring purchases, processing support cases, or asserting, exercising, or defending legal claims. After this period expires, the data is deleted or anonymized.

To the extent that SourceFlow AI is legally required to retain accounting records relevant under commercial or tax law—in particular, payout reports from Apple and Google, commission invoices, and bank statements—these records are retained for the period required by law, typically for up to 11 years after the end of the calendar year in which the respective transaction was completed. These documents do not contain any individual user data, as Apple and Google provide SourceFlow AI exclusively with aggregated payout reports.

Support correspondence, including email inquiries, contact form messages, in-app feedback, and trip-story feedback, is retained for up to 36 months after the matter is resolved and is subsequently deleted or anonymized, unless longer retention is necessary to assert, exercise, or defend legal claims or to comply with legal obligations.

Contact form submissions processed via Formspree are deleted by Formspree no later than 12 months after receipt, unless they have already been deleted earlier. Our own copy of support correspondence is subject to the retention period specified above for support correspondence.

Device data (settings, saved routes, downloaded areas) is stored on your device until you delete the app, clear the app data, or remove the data within the app, provided the app offers a corresponding feature.

Location reviews and associated photos are retained indefinitely, as they serve to permanently display user reviews and to develop future app features. If individuals are recognizable in a photo, we will delete the photo upon a legitimate request for deletion from the data subject, unless overriding legitimate interests or legal grounds prevent this in individual cases.

Route feedback is stored for up to 24 months after submission and is subsequently deleted or anonymized, unless longer retention is necessary to assert, exercise, or defend legal claims.

Standard request data generated when visiting the website and the route-sharing page—to the extent that it is stored in server or CDN logs—is retained for up to 12 months and subsequently deleted or anonymized, unless longer retention is necessary for security reasons, to combat abuse, or to assert, exercise, or defend legal claims.

1.8 Children

The app is not intended for children under the age of 16. We do not knowingly collect personal data from children under the age of 16. If you believe that a child has provided us with personal data, please contact us at info@sourceflow.ai, and we will delete it.

1.9 Source of Data

All personal data we process is collected directly from you through your use of the app or website, or through your voluntary contact with us. We do not purchase, rent, or obtain personal data about you from third parties.

1.10 Changes to This Privacy Policy

We may update this Privacy Policy from time to time. In such cases, we will update the effective date at the top of this page.

In the event of material changes—i.e., changes to the purposes of processing, the categories of data collected, or the legal bases—we will notify you via a prominent notice within the app or by other appropriate means before the change takes effect. If consent is required for the modified processing, we will actively seek your consent and will not rely solely on your continued use of the app as consent.

In the case of non-material changes—e.g., clarifications, updated contact information, or new subprocessors with an equivalent level of protection—updating this page with a corresponding in-app notification is sufficient.

2. Your Rights

2.1 Right of Access

You may request information from us regarding whether we process your personal data. If this is the case, you have the right to access this personal data and to receive the additional information specified in Article 15 of the GDPR.

2.2 Right to Rectification

You have the right to have inaccurate personal data concerning you rectified and may request the completion of incomplete personal data in accordance with Article 16 of the GDPR.

2.3 Right to Erasure

You have the right to request that we erase your personal data without undue delay if one of the grounds listed in Article 17 of the GDPR applies. This is particularly the case if your personal data is no longer necessary for the purposes for which it was collected or otherwise processed, if you withdraw your consent and there is no other legal basis for the processing, or if your data has been processed unlawfully.

The right to erasure does not apply if your personal data is necessary to comply with a legal obligation or to assert, exercise, or defend legal claims. Requests for erasure related to confirmation events for security and depth notifications may be denied for the duration of the retention period described in Section 1.7 to the extent that continued storage is necessary to assert, exercise, or defend legal claims.

2.4 Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data if: you contest the accuracy of the data and we are therefore verifying its accuracy; the processing is unlawful and you oppose erasure but instead request restriction of use; we no longer need the data, but you need it to assert, exercise, or defend legal claims; or you have objected to the processing of your data and it has not yet been determined whether our legitimate grounds override your interests.

2.5 Right to Data Portability

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, provided that the processing is based on consent or a contract and is carried out by automated means.

2.6 Right to Withdraw Consent and Right to Object

To the extent that the processing of your personal data is based on consent (Art. 6(1)(a) GDPR), you have the right to withdraw this consent at any time. This does not affect the lawfulness of the processing carried out on the basis of consent prior to its withdrawal.

To the extent that the processing of your personal data is based on Article 6(1)(e) of the GDPR or Article 6(1)(f) of the GDPR, you have the right, pursuant to Article 21 of the GDPR, to object at any time to the processing of personal data concerning you on grounds relating to your particular situation. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.

2.7 General Information and Right to File a Complaint

Exercising your rights as described above is generally free of charge. You have the right to file a complaint directly with the competent data protection supervisory authority: Croatian Personal Data Protection Agency (Cro. Agencija za zaštitu osobnih podataka (AZOP), azop.hr). If you are a resident of another EU member state, you may also contact the competent supervisory authority in that country.

To exercise any of these rights, please send us an email at info@sourceflow.ai. Since we store very little identifying information, we may need some additional details to locate your data. Alternatively, you can send a message via the in-app feedback feature; feedback messages reach our backend with your RevenueCat user ID attached, which is sufficient for us to locate your data. Since the feedback form does not have a reply channel, please include an email address for the reply in the feedback message itself if you would like a written response. We strive to respond within one month in accordance with Article 12(3) of the GDPR.

2.8 Automated Decision-Making, Including Profiling

We do not engage in automated decision-making as defined in Article 22 of the GDPR—that is, decisions based solely on automated processing (including profiling) that produce legal effects or similarly significantly affect you.

3. Data Security

We implement appropriate technical and organizational measures to protect personal data, including TLS/HTTPS for data in transit, restricted backend access, and data processing agreements with our service providers. No system is completely secure.

Should we become aware of a personal data breach, we will notify the Croatian Data Protection Authority (AZOP) within 72 hours, provided that this is required under Article 33 of the GDPR. If the breach is likely to pose a high risk to your rights and freedoms (Article 34 of the GDPR), we will inform affected users via a prominent in-app banner the next time they launch the app, as well as through a notice on sailor-croatia.app. Since we do not have an email address or other direct contact information for most users, this may constitute a permissible public notice under Article 34(3)(c) of the GDPR, provided that individual notification would require a disproportionate effort.

4. Contact Form

If you send us inquiries via the contact form on the support page, your information—including the contact details you provide (name, email address, and message)—will be stored to process your inquiry and for any follow-up questions.

The data is transmitted via the Formspree service (Formspree, Inc., 21750 Hardy Oak Blvd Ste 104 #26968, San Antonio, TX 78258, USA), which stores the submissions on its servers and forwards them to us. We delete contact form submissions stored with Formspree no later than 12 months after receipt, unless they have already been deleted earlier. We retain our own support copy for up to 36 months after the matter is resolved, unless a longer retention period is necessary to assert, exercise, or defend legal claims or to comply with legal obligations.

The legal basis is Art. 6(1)(b) of the GDPR (pre-contractual measures or performance of a contract), or alternatively Art. 6(1)(f) of the GDPR (legitimate interest in processing your inquiry).

5. Third-Party Services

5.1 Hosting and Content Delivery

The website is operated using the services of Amazon Web Services, Inc. (410 Terry Ave North, Seattle, WA 98109, USA). Amazon CloudFront is used as a content delivery network, which receives standard request data (in particular, IP address, user agent, requested URL, date and time of the request, and, if applicable, the referring page) for routing, delivery, security, and DDoS protection.

A data processing agreement pursuant to Article 28 of the GDPR has been concluded with Amazon Web Services to the extent that AWS processes personal data on our behalf. The legal bases are Article 6(1)(b) of the GDPR and Article 6(1)(f) of the GDPR (legitimate interest in the secure, fast, and efficient provision of the online service).

5.2 Web Analytics

We use Cloudflare Web Analytics (Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA) for privacy-friendly web analytics on the website. The service collects aggregated statistics (page views, country, referrer, basic device class, Core Web Vitals). It does not set cookies, does not use cross-site identifiers, and does not create user profiles. The beacon script is loaded from static.cloudflareinsights.com.

We have a data processing agreement with Cloudflare in accordance with Article 28 of the GDPR, to the extent that Cloudflare processes personal data on our behalf. Data transfers to the United States are based on the EU-U.S. Data Privacy Framework; standard contractual clauses are available as an additional or secondary safeguard, as necessary. The legal basis is Article 6(1)(f) of the GDPR (legitimate interest in analyzing website usage to improve our services).

5.3 App Backend Infrastructure

The app backend (API, database services, storage) is hosted on Amazon Web Services, Inc. (EU-Central-1, Frankfurt, Germany). AWS receives, in particular, analytics events, push notification tokens, feedback, ratings, and photos, as well as shared route and location data.

A data processing agreement has been concluded with Amazon Web Services in accordance with Article 28 of the GDPR. The legal bases are Article 6(1)(b) of the GDPR (performance of a contract) and Article 6(1)(f) of the GDPR (legitimate interests in the operation, security, and improvement of the app).

5.4 Subscription Management

We use RevenueCat, Inc. (1032 E Brandon Blvd #3003, Brandon, FL 33511, USA) to manage in-app subscriptions and verify purchase eligibility. RevenueCat receives the anonymous or pseudonymous RevenueCat user ID as well as subscription information (product ID, status, expiration date).

We have a data processing agreement with RevenueCat in accordance with Art. 28 of the GDPR, to the extent that RevenueCat processes personal data on our behalf. The transfer to the U.S. is based on standard contractual clauses in accordance with Commission Decision (EU) 2021/914. The legal basis is Art. 6(1)(b) of the GDPR (performance of a contract).

5.5 Push Notifications

We use Firebase Cloud Messaging, a service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), to send push notifications to app users. Google receives the FCM token and the notification usage data when a notification is sent. On iOS devices, Apple Inc. / Apple Push Notification Service (One Apple Park Way, Cupertino, CA 95014, USA) may also be integrated for technical delivery.

Firebase is certified under the EU-U.S. Data Privacy Framework. We have a data processing agreement with Google in accordance with Article 28 of the GDPR, to the extent that Google processes personal data on our behalf. The legal basis is Article 6(1)(f) of the GDPR (legitimate interest in transmitting relevant app information to users), unless consent is required in individual cases.

5.6 Map Services in the App

On Android devices, map tiles and the Maps SDK are provided by Mapbox, Inc. (1133 15th Street NW, Suite 825, Washington, DC 20005, USA). Mapbox receives requests for map tiles for the area you are viewing, as well as SDK-level telemetry events (map loads, performance signals, and general device information) in accordance with Mapbox’s own privacy policy. You can disable Mapbox telemetry by tapping the “i” button displayed on the map and then turning off telemetry data collection.

Mapbox is certified under the EU-U.S. Data Privacy Framework; standard contractual clauses are available as an additional or secondary safeguard, as necessary. A data processing agreement has been entered into with Mapbox in accordance with Article 28 of the GDPR, to the extent that Mapbox processes personal data on our behalf. To the extent that Mapbox makes its own decisions regarding certain processing activities, Mapbox may be the independent controller in those instances. The legal basis is Article 6(1)(b) of the GDPR (performance of a contract).

On iOS devices, map tiles, search functions, and geocoding are provided by Apple Inc. / MapKit (One Apple Park Way, Cupertino, CA 95014, USA). Apple receives the map area you view as well as all location searches you perform within the app, in accordance with Apple’s Privacy Policy. Apple may be the independent controller in this regard. The legal basis is Article 6(1)(b) of the GDPR (performance of a contract).

5.7 Map Tiles and Script Libraries on the Website

On the route-sharing page, your browser retrieves map tiles directly from tile.openstreetmap.org. The service is operated by the OpenStreetMap Foundation (St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom), which receives standard request data, including your IP address. Data is transferred to the United Kingdom based on the European Commission’s adequacy decision for the United Kingdom (Implementing Decision (EU) 2021/1772). The legal basis is Article 6(1)(b) of the GDPR (performance of a contract — display of shared routes).

On the same page, the Leaflet map library from unpkg.com is loaded; this is a CDN operated by Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA). Cloudflare receives standard request data, including your IP address; no other personal data is transferred. The transfer to the United States is based on the EU-U.S. Data Privacy Framework. The legal basis is Article 6(1), first sentence, (b) of the GDPR (performance of a contract — display of shared routes).

5.8 Weather Data

The weather forecast displayed in the app (wind, precipitation, temperature) comes from the Croatian State Meteorological and Hydrological Service (Cro. Državni hidrometeorološki zavod (DHMZ)),. Weather data is retrieved via our backend (AWS, EU-Central-1); your device does not contact DHMZ directly, and we do not transfer any personal data to DHMZ.

5.9 Payment Processing and Platform Services

In-app purchases are processed exclusively through the respective app platform: Apple Inc. (App Store, One Apple Park Way, Cupertino, CA 95014, USA) for iOS users and Google LLC (Google Play, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) for Android users.

We do not receive or store any payment card or bank details. Payment processing and the platform services provided by Apple and Google (e.g., push notification infrastructure, crash diagnostics, platform reports) are subject to the respective privacy policies of these providers. Apple and Google may be independently responsible in this regard. The legal basis for the use of platform services in connection with in-app purchases is Article 6(1)(b) of the GDPR (performance of a contract).

6. Data Controller

SourceFlow AI d.o.o. for computer and related activities
Prisavlje 12
10000 Zagreb
Croatia
OIB: 71094352026

Email: info@sourceflow.ai
Website: sailor-croatia.app