Privacy Policy

Effective Date: 10 May 2026

Controller: SourceFlow AI d.o.o. za računalne i srodne djelatnosti, Zagreb, Croatia — OIB 71094352026, MBS 081318743, registered with the Commercial Court in Zagreb (Trgovački sud u Zagrebu)

Contact: info@sourceflow.ai

1. Introduction

This Privacy Policy explains how SourceFlow AI d.o.o. ("we", "us", "our") collects and processes personal data when you use our mobile application Sailor Croatia on iOS and Android (the "App") and when you visit our website at sailor-croatia.app (the "Website").

We process personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and Croatian data-protection law. We are the data controller for the processing described here.

No Data Protection Officer (DPO) is appointed, as our processing does not meet the thresholds in GDPR Art. 37(1). For any privacy question you can reach us at info@sourceflow.ai.

2. What Personal Data We Process

We aim to keep data collection minimal. The App does not require an account; we do not collect your name, email address, phone number, or social profile.

A. Subscription identifiers

A RevenueCat user ID — a random opaque identifier assigned automatically when the App first runs. We treat it as pseudonymous personal data under GDPR: it does not contain your name or email, but because it is stable across your activity on the App we still consider it personal data and protect it accordingly.
Subscription status, product ID, and expiry date for any Pro plan you have purchased.

Payments themselves are processed by Apple (App Store) or Google (Google Play). We do not receive or store your payment card or bank details.

B. Analytics events

While you use the App we send analytics events to our backend so we can understand usage, detect bugs, plan improvements, and identify popular places to consider featuring in future App versions.

Each event carries: a timestamp, your RevenueCat user ID, device and app fingerprint (platform, operating-system version, device model, app version, build type), whether you have an active Pro subscription, and your approximate location rounded to one decimal place of latitude and longitude (about 11 km of resolution) when available. Beyond those base fields, individual events include technical metadata describing what just happened — which feature you used, route distance, error type, and so on.

A few things worth knowing:

When you save a place, we receive its precise coordinates, the name you gave it, and its category. We use this to identify popular locations to feature in future versions. If you do not want this, avoid saving sensitive locations like your home address.
When the in-App weather overlay fails to render, we record the precise coordinates and zoom of the on-screen map area to diagnose the bug. This is what was on screen, not your physical position.
Free-form text you type — search queries, place names, feedback messages — reaches our backend. Avoid typing sensitive content into these fields.
When you complete or abandon a navigation, or your speed exceeds the safety threshold close to shore, we record speed and threshold-exceedance metrics tied to your user ID, used to improve the safety feature.

C. Location data used inside the App

The App uses your device's GPS to compute your position, distance to coast, speed, and heading. Continuous, high-frequency precise location is processed on your device only and is never streamed to our servers in real time. The exceptions are the rounded base location described in §B and the events highlighted there.

If you enable background tracking, the App runs a foreground service (Android) or background-location task (iOS) so it can continue to update the on-screen tracking display while the screen is off. This is local processing.

D. Shared routes and places

If you choose to share a route or saved place, the App uploads the route or place data to our backend and returns a short share code. The payload may include place names, precise coordinates, route geometry, waypoints, and any notes you added. Anyone holding the share code can retrieve the payload — treat share codes as effectively public. Shared payloads are deleted automatically 365 days after creation.

E. Locally stored preferences

Settings such as map style, units, cruise speed, fuel-cost defaults, downloaded area packs, saved routes and places, and the share-code cache are stored on your device only (Android Jetpack DataStore or iOS UserDefaults / file storage). They are not transmitted to our servers, except where you explicitly share them or where the analytics events described in §B reference them.

F. Diagnostics and crash data

The App may send aggregate diagnostic information (e.g. crashes, ANRs, performance signals) to platform services provided by Apple or Google. These reports are subject to the platform providers' own privacy policies. We do not receive your name, email, or your precise physical location in these reports.

G. Feedback you submit

If you use the in-App feedback feature, the message you write, any images you attach, and (only if you opt in) your approximate location are sent to our backend so we can investigate the issue and respond. Feedback content is retained as described in §6.

H. Website usage

When you visit the Website, your browser automatically sends standard request data (IP address, user-agent, referring page) to our content-delivery network. We additionally use these processors on the Website:

Amazon CloudFront (Amazon Web Services) — content delivery and TLS termination. Receives request metadata for routing and DDoS protection.
Cloudflare Web Analytics — privacy-friendly aggregate analytics (page views, country, referrer, basic device class, Core Web Vitals). It does not set cookies, does not use cross-site identifiers, and does not build user profiles. The beacon script is loaded from static.cloudflareinsights.com.
Formspree (United States) — when you submit the contact form on the support page, your name, email address, and message are transmitted to Formspree, which stores the submission on its servers and forwards it to us. Submissions are retained on Formspree under their own retention policy (see Formspree's Privacy Policy); we additionally retain support correspondence as described in §6.
OpenStreetMap Foundation — on the route-share page, your browser fetches map tiles directly from tile.openstreetmap.org (United Kingdom). The OpenStreetMap Foundation receives standard request data including your IP address. See the OSMF Tile Usage Policy.
unpkg.com — on the route-share page, the Leaflet map library is loaded from this CDN. unpkg receives standard request data including your IP address.

The Website does not set any cookies of its own and does not load advertising, retargeting, or social-media tracking scripts. Cloudflare Web Analytics is cookie-free by design.

3. Why We Process Your Data and Our Legal Basis

For each purpose, the legal basis under GDPR Art. 6 is shown below.

Purpose	Categories of data	Legal basis (GDPR Art. 6)
Provide core App functionality (navigation, distance to coast, tracking)	On-device GPS, on-device preferences	Art. 6(1)(b) — performance of contract with you
Manage Pro subscriptions and verify entitlement	RevenueCat user ID, subscription status	Art. 6(1)(b) — performance of contract with you
Operate the share-by-link feature for routes and places	Shared payload (route or place data)	Art. 6(1)(b) — performance of contract with you
Understand how the App is used; detect bugs and performance regressions; plan improvements	Analytics events (see §2.B)	Art. 6(1)(f) — legitimate interests in maintaining and improving the App. We have assessed that our minimised, anonymised analytics do not override your rights or freedoms.
Respond to support requests, refund-support claims, and exercise of your rights	Information you provide in the request, plus any minimum data needed to identify your subscription	Art. 6(1)(f) — legitimate interests; or Art. 6(1)(c) where required by law
Comply with legal obligations (tax, accounting, lawful requests by authorities)	Subscription records held by Apple, Google, or RevenueCat as applicable	Art. 6(1)(c) — legal obligation

You may object to processing based on legitimate interests at any time by emailing info@sourceflow.ai. If you object, we will stop the relevant processing unless we have compelling legitimate grounds that override your interests.

4. Who We Share Your Data With

We do not sell your personal data. We do not share your personal data for advertising. We share data only with the service providers below, who act as our data processors under written agreements (GDPR Art. 28):

RevenueCat, Inc. (United States) — manages subscription state. Receives the anonymous user ID and subscription information.
Amazon Web Services, Inc. (EU-Central-1, Frankfurt) — hosts our backend (AWS Lambda, DynamoDB, S3). Receives analytics events and shared route/place payloads.
Mapbox, Inc. (United States, Android only) — supplies map tiles and the Maps SDK on Android. Mapbox receives map tile requests for the area you view and SDK-level telemetry events (map loads, performance signals, coarse device information) under Mapbox's own privacy policy. You can opt out of Mapbox telemetry by tapping the "i" attribution button shown on the map and choosing to disable telemetry collection.
Apple Inc. / MapKit (United States, iOS only) — supplies map tiles, search, and geocoding on iOS. Apple receives the map area you view and any place searches you perform inside the App, under Apple's privacy policy.
Apple Inc. / Google LLC — process payments for In-App Purchases and provide platform services (push notifications, crash diagnostics). Their processing is governed by their respective privacy policies.

The App also relies on third-party data sources that do not receive personal data from you:

OpenStreetMap (© OpenStreetMap contributors, ODbL) — supplies the basemap rendered through Mapbox on Android, the bundled places / points-of-interest dataset, and the coastline geometry used for the 300 m safety zone, radar overlay, and downloadable area packs. The places and coastline data are bundled into the App or pre-processed and hosted on our backend; from inside the App, no requests flow directly to the OpenStreetMap Foundation. (On the Website route-share page the browser does fetch tiles from OSMF directly — see §2.H.)
Državni hidrometeorološki zavod (DHMZ), the Croatian Meteorological and Hydrological Service — supplies the weather forecast (wind, precipitation, temperature) shown in the in-App weather overlay. Weather data is fetched through our backend (AWS, EU-Central-1); your device does not contact DHMZ directly, and we do not transmit personal data to DHMZ.

We may also disclose data where required by law, by court order, or to protect our legal rights.

5. International Data Transfers

Some of our processors are based outside the European Economic Area (EEA), primarily in the United States. Our primary backend infrastructure (AWS) is located in EU-Central-1 (Frankfurt, Germany), so the personal data we control directly stays inside the EEA. For transfers to processors outside the EEA, the legal mechanisms are:

RevenueCat (US) — Standard Contractual Clauses (Commission Decision (EU) 2021/914).
Mapbox (US) — certified under the EU-U.S. Data Privacy Framework, with Standard Contractual Clauses available as a secondary safeguard.
Apple (US) and Google (US) — for the platform services they provide, transfers are governed by their respective privacy frameworks and Data Privacy Framework certifications.
Cloudflare (US, global edge) — for Web Analytics. Cloudflare is certified under the EU-U.S. Data Privacy Framework; Standard Contractual Clauses are available as a secondary safeguard.
Formspree (US) — Standard Contractual Clauses (Commission Decision (EU) 2021/914).
unpkg.com (US, Cloudflare-fronted CDN) — used only to deliver third-party JavaScript on the route-share page. The transfer is incidental to loading a static asset; no personal data is sent beyond the standard request metadata generated by your browser.
OpenStreetMap Foundation (United Kingdom — outside the EEA) — covered by the UK adequacy decision (Commission Implementing Decision (EU) 2021/1772). The transfer is incidental to fetching map tiles on the route-share page.

6. Retention

Analytics events — retained for up to 24 months from collection, then deleted or aggregated to non-personal form for long-term statistical use.
Shared route / place payloads — automatically deleted 365 days after creation.
Subscription records — retained while your subscription is active and for any further period required by applicable Croatian accounting and tax law.
Support correspondence — retained for up to 24 months after the matter is closed.
On-device data (preferences, saved routes, downloaded areas) — kept on your device until you delete the App or clear its data.

7. Your Rights

If you are in the EEA you have the following rights under GDPR Articles 15–22 in respect of your personal data:

Access — you can request a copy of the personal data we hold about you.
Rectification — you can ask us to correct inaccurate or incomplete data.
Erasure ("right to be forgotten") — you can ask us to delete your data, subject to legal retention requirements.
Restriction — you can ask us to limit the processing of your data in certain circumstances.
Portability — where processing is based on contract or consent and is automated, you can ask for a copy of your data in a machine-readable format.
Objection — you can object at any time to processing based on legitimate interests, including analytics.
Withdraw consent — where processing is based on consent, you can withdraw it at any time. Withdrawal does not affect lawfulness of processing before withdrawal.
Lodge a complaint — you can complain to the Croatian Personal Data Protection Agency (AZOP, azop.hr) or to the supervisory authority of your country of residence.

To exercise any of these rights, email us at info@sourceflow.ai. Because we hold very little identifying data, we may need a small amount of additional information to locate your records.

As an alternative, you can submit a message via the in-App feedback feature. Feedback submissions reach our backend with your RevenueCat user ID attached, which is enough for us to find your data. The feedback form has no reply channel, so if you want a written response include a reply email address inside the feedback message itself; otherwise we can act on your request but cannot write back.

We aim to respond within one month, as required by GDPR Art. 12(3).

8. Children

The App is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe that a child has provided us with personal data, please contact us at info@sourceflow.ai and we will delete it.

9. Automated Decision-Making

We do not carry out automated decision-making that produces legal effects concerning you or significantly affects you in a similar way (GDPR Art. 22).

10. Source of Data

All personal data we process is collected directly from you through your use of the App. We do not buy, rent, or otherwise obtain personal data about you from third parties.

11. Security

We apply appropriate technical and organisational measures to protect personal data, including TLS/HTTPS for data in transit, restricted backend access, and processor agreements with our service providers. No system is perfectly secure.

If we become aware of a personal data breach we will notify the Croatian supervisory authority (AZOP) within 72 hours where required by GDPR Art. 33. Where the breach is likely to result in a high risk to your rights and freedoms (GDPR Art. 34), we will inform affected users by means of a prominent in-App banner on next launch and a notice published at sailor-croatia.app. Because we hold no email address or other direct contact for most users, this constitutes the public communication permitted by GDPR Art. 34(3)(c) where individual notification would require disproportionate effort.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the Effective Date at the top of this page. If a change is material we will notify you within the App or by another appropriate means before it takes effect. Your continued use of the App after the change takes effect constitutes acknowledgement of the updated Policy.

13. Contact

SourceFlow AI d.o.o. za računalne i srodne djelatnosti
Zagreb, Croatia
OIB 71094352026 · MBS 081318743 · registered with the Commercial Court in Zagreb (Trgovački sud u Zagrebu)
Email: info@sourceflow.ai
Web: sailor-croatia.app

Croatian supervisory authority: Agencija za zaštitu osobnih podataka (AZOP) — azop.hr.