Privacy

Last updated July 10, 2026

This page describes what data the GhostFingers app and the ghostfingers.app website handle, and how. It applies to the iOS app, the marketing website, and the pre-launch waitlist.

Who this policy is from

This policy is published by Ghost Fingers, an independent surf-forecast project. Questions, requests, and corrections go to privacy@ghostfingers.app.

What stays on the device

Favorited spots, custom spots, and rating-tuner adjustments are stored only on the device they were entered on. There is no account system for this data, and none of it is uploaded to any server operated on Ghost Fingers' behalf.

Preferences sync

A short, fixed list of profile and display preferences syncs through the user's own private iCloud account using Apple's iCloud key-value storage: display name, home region, default board, unit choices (height, wind, time format), and onboarding state. The sync carries those preferences to a new device install when the user signs into the same Apple ID, so the new install does not start blank. The data lives inside the user's personal iCloud, governed by the user's Apple account and Apple's terms. Ghost Fingers operates no account system and no server that stores it. The sync degrades to a no-op when iCloud is signed out, and local writes still land on the device.

Logged sessions and iCloud sync

Logged surf sessions are stored on the device by default. The "Sync sessions to iCloud" setting in Account → Data is off unless it is turned on. When it is turned on, logged sessions sync through the user's own private iCloud account (using Apple's iCloud and CloudKit services) so the session log carries across the user's devices. That data lives inside the user's personal iCloud, governed by the user's Apple account and Apple's terms. Ghost Fingers operates no account system and no server that stores logged sessions. The setting can be turned off again in the same place, and a synced copy can be removed by the user from their iCloud storage or by deleting the app and clearing it from iCloud.

Aggregate usage counts

The app may send anonymous usage events to a Ghost Fingers server, where they are combined into aggregate counts (for example, how many times spot pages were opened across all users that day). Each event is a name and, at most, a coarse category such as which tab was opened, batched and sent a few times a day at most. Events carry no device identifier, no user identifier, no IP-based profile, no timestamp, and no location. They cannot be tied to any person or device, are used only to understand which features are used, and are never shared or sold. No third-party analytics service is involved.

What the app does not do

Permissions the app may request

Location, only when "Use my current location" is tapped. When adding a custom spot, the app requests latitude and longitude once from iOS and uses the reading to populate the coordinate fields. The reading is not stored off the device. The permission can be declined (a spot can be added by typing coordinates or dropping a pin) and revoked any time in iOS Settings.

Per-spot alerts, on opt-in. Allowing notifications and setting a per-spot threshold in Account → Alerts schedules local push alerts when a favorited spot crosses the chosen tier. Alerts are scheduled with iOS on the device. Their content is not transmitted through any server.

Morning Call, on opt-in. The Morning Call is an optional feature enabled in Account → Alerts. On opt-in, the iPhone uploads to a delivery service: (1) the APNs push token (a routing identifier issued by Apple that allows a push to reach this specific device, not linked to a name or email), (2) the IANA timezone, (3) the chosen delivery hour, and (4) the text of the next morning's forecast for the selected spots. The forecast text is composed on the device. The delivery service stores the payload until the local delivery hour, sends a single notification through Apple's push service, and is not used to generate forecasts. Toggling Morning Call off requests deletion of the record. If that request fails for network reasons, the record is cleared automatically when Apple reports the token as inactive (typically after the app is uninstalled).

Crash and hang reports, on opt-in. Crash reporting is off by default. When enabled in Account → Support, technical diagnostic data is sent through Sentry so a specific bug can be diagnosed. Each report includes the call stack, iOS version, device model, app version, a short trail of recent technical steps inside the app, and an anonymous event ID. The same setting also reports app hangs (moments the interface stops responding), which carry the same technical data. Reports do not include a screenshot, a snapshot of the on-screen view hierarchy, or your name, email, or location. In Apple's App Privacy terms this is Crash Data and Performance Data, collected only to keep the app working, not linked to your identity, and never used to track you.

Crash reports are read only to diagnose the bug they describe. The technical crash data is never combined with other reports to build a profile of any user, never used to train, tune, or refine the forecast engine, and never shared with any third party beyond Sentry, which processes it solely to deliver and store the report so the bug can be fixed. A report exists only for as long as Sentry retains it under its default retention period, and only for the purpose of fixing the bug it documents. Toggling crash reports off stops new reports on the next launch.

Feedback, on send

The feedback form in Account → Support sends a note only when "Send" is tapped. Each report contains: the chosen category, the text of the note, the app version and build number, the device model, the iOS version, and a timestamp. It is delivered to a Ghost Fingers server (with Mail as the fallback if that server is unreachable) and is read only to act on the report. No name, email, or account is attached; the note contains only what is typed into it. "Save only" keeps the note on the device and sends nothing.

Pro spoken forecasts and chat, on use

Spoken forecasts. The optional Pro spoken-forecast feature reads a forecast summary aloud in a chosen voice. When it is used with a Pro voice, the text of that summary (the same plain-language read shown on screen) is sent through a Ghost Fingers server to a text-to-speech provider, ElevenLabs, which returns synthesized audio. The text carries no name, email, or location, and no device or user identifier beyond a short-lived session token used to authorize the request. When the feature is not used, or the device's built-in system voice is kept, no text is sent to the provider. The returned audio is played and cached on the device.

Forecast chat. The optional Pro chat feature answers questions about the forecast. When a question is sent, its text is relayed through a Ghost Fingers server to an AI provider, Anthropic, which returns the answer. The question text carries no name, email, or location, and no device or user identifier beyond the same short-lived session token. Ghost Fingers operates no account tied to a real identity for these features. Both providers process the text solely to return the audio or the chat answer under their API terms; the text is not used for advertising, is not sold, and is not used by Ghost Fingers to build a profile of any user.

Email signup at ghostfingers.app

Submitting an email through the "Get notified at public launch" form on ghostfingers.app stores a record so a single launch notification can be sent. Each record contains: the email address, the page on the site the form was submitted from, the referring URL if the browser provided one, the IP address of the request, the browser's user-agent string, and a timestamp. The record is held by Cloudflare's storage service on Ghost Fingers' behalf.

The email address is not added to a newsletter, not sold, and not shared with third parties. When the launch notification has been sent, the records are deleted. To be removed sooner, email privacy@ghostfingers.app.

The ghostfingers.app website

The website sets no cookies and carries no third-party advertising or cross-site tracking. It uses Cloudflare Web Analytics, a cookieless, privacy-preserving measurement service that counts page views and reports aggregate figures such as referring site, browser, and country. It does not fingerprint the browser, does not follow visitors across other sites, and does not build a profile of any individual. Standard server-level request logs (IP address, user-agent string, page requested, timestamp) are produced by the hosting service for security and operational purposes and are retained for the hosting service's default period.

Forecast data requests

To produce a forecast, the app makes anonymous requests to public weather and ocean data services run by government agencies, universities, and public data providers. Each request includes a User-Agent string identifying the app and names the spot, buoy, or station being fetched (its coordinates or station id) so the right data comes back; it does not include the device's own location. No request includes name, email, or other personal information. The device's IP address is visible to those services for the duration of the request, the same way it would be when visiting any website.

The app and its home-screen widget also fetch precomputed forecast content and map imagery from Ghost Fingers' servers, and base-map tiles from a third-party map-tile service. Those requests name only the spot, region, or map area being drawn and carry no identifiers. The widget refreshes on its own schedule, so its fetches can happen while the app is closed.

Surf cams, on use

The cams screen shows live webcam pages published by third parties (harbor districts, city and tourism sites, and video platforms), loaded inside the app the same way a browser would load them. Opening a cam sends a standard web request to that operator, which sees the device's IP address and can load its own content, cookies, and measurement or advertising services under its own privacy policy. Ghost Fingers adds no identifiers to those requests and sends the operators nothing else: no name, no email, and no information about you or your use of the app. Cams load only when opened.

Service providers used to operate the app and site

A small number of third-party services are used to deliver specific features. None are used for advertising or cross-site tracking.

How long data is kept

Choices and requests

A request to access, correct, or delete personal information held off the device (the waitlist record described above, a feedback note, or any pending Morning Call payload) can be sent to privacy@ghostfingers.app. California residents may exercise the same rights under the California Consumer Privacy Act through that address. Requests will be honored within a reasonable period.

The app's on-device data is under the user's direct control: deleting the app removes it. Opting in to or out of iCloud session sync, notifications, Morning Call, and crash reports is done in Account → Data, Account → Alerts, and Account → Support.

Children

The app and the website are not directed to children under 13, and personal information from children under 13 is not knowingly collected.

Changes to this page

If practices change, this page is updated and the date at the top is revised.

Governing law

This policy is governed by the laws of the State of California.

Contact

Questions about privacy or requests to access or delete data: privacy@ghostfingers.app