Longcast Privacy Policy
Last updated: 2026-07-08
This Privacy Policy explains how Longcast ("we", "us", or "our") collects, uses, and retains information when you use the Longcast mobile application ("App"). By using the App you agree to this policy.
1. What We Collect
1.1 Data stored locally on your device
| Data | Storage | Notes |
|---|---|---|
| Game settings and preferences | UserDefaults (on-device only) |
Never transmitted to our servers |
| Device secret (48-hex credential) | iOS Keychain (on-device only) | The plaintext secret is never transmitted; only a bcrypt hash is stored server-side |
| Motion sensor readings (CMMotion / CoreMotion) | Processed in-memory only | Cast mechanics are computed locally; raw accelerometer and gyroscope data is never recorded or transmitted |
1.2 Data stored on our server (Supabase)
| Data | Purpose |
|---|---|
| Profile UUID (randomly generated on first launch) | Unique identifier for leaderboards and catch history |
| Display handle (chosen by you) | Shown on leaderboards and the catch feed |
| bcrypt hash of your device secret | Authenticates write requests; we never know your plaintext secret |
| Catch records (species ID, weight, venue ID, timestamp) | Powers leaderboards, the catch feed, and your personal history |
| Group membership and group metadata | Private competitive circles |
| Vault payload (JSON blob of progression data) | Cross-device restore |
1.3 Data we do not collect
- Real name, email address, phone number, or government ID
- Precise or approximate geolocation
- Contacts or address book
- Photos, camera, or microphone access
- Device advertising identifier (IDFA)
- Any data for cross-app or cross-site tracking
2. How We Use Your Data
- Leaderboards. Display handles and catch records are used to rank players on global and group leaderboards.
- Catch history and feed. Catch records power the catch feed visible to other players.
- Authentication. The bcrypt hash is used solely to verify that write requests originate from your device.
- Progression sync. The vault payload enables you to restore your game state on a new device.
We do not sell your data. We do not use your data for advertising, profiling, or any purpose beyond operating the game described above.
3. Data Retention
Your data is retained until you delete your account. Account deletion is available in-app via Settings → Account → Delete Account. Upon deletion, all of your catch records, group memberships, vault data, and profile information are permanently and irreversibly removed from our servers.
4. Your Rights
- Access. You may request a description of the data we hold about your profile UUID.
- Deletion. You may delete your account and all associated data at any time from within the App.
- Portability. We do not currently offer a structured data export. Contact us if you need one.
5. Data Security
All data in transit uses TLS. Server-side data is held in a Supabase (PostgreSQL) database. Direct table access is revoked for all API roles; the only access surface is a set of server-side RPC functions that enforce authentication on every write.
6. Children
Longcast is rated 12+ on the App Store. We do not knowingly collect data from children under 13. If you believe a child under 13 has created an account, contact us and we will delete it.
7. Third-Party Services
Longcast uses Supabase (Supabase, Inc.) to host the game database. Supabase's privacy policy is available at https://supabase.com/privacy. No other third-party analytics, advertising, or tracking SDKs are included in the App.
8. Changes to This Policy
We may update this policy to reflect changes to our practices. Material changes will be noted in the App Store release notes. Continued use of the App after an update constitutes acceptance of the revised policy.
9. Contact
Questions about this policy: hello@longcast.app