§ P Privacy The promise · not the boilerplate

What stays
on your phone.

Bassai is a logbook built for people who don't want their fishing spots mined, sold, or leaked. This page tells you exactly what the app records, what leaves the device, and what never will — written to be read, not to be hidden behind.

Effective   July 17, 2026 App version   1.0 and later Operator   Bassai Inc · Cordova, TN

The promise

You can use Bassai without signing in, without creating an account, and without giving us an email. The app is designed so that the smallest possible amount of data about you leaves your device, and the data that does leave is scoped to the specific service that needs it. Photo filenames and the notes you type for yourself never leave the phone in any pipeline.

Scope-bounded by service. Catch coordinates go to weather, water-gauge, and reverse-geocoding services to fetch data near your trip — and nowhere else. Free-text notes never leave. Photos stay on your device.

What stays on your device

Bassai stores your log on your iPhone. If you use iCloud Backup, your Bassai data may be included when your iPhone is backed up and restored. Bassai does not currently provide cross-device iCloud sync.

None of the above is uploaded to a Bassai server. The opt-in cloud features described in the next section — Chat with Hank, remote push delivery (for the now-dormant Plus trip reminders), and Live Trip condition alerts — send only the specific data listed there; never the raw library, never the free-text notes you attach to catches and spots, never photo filenames, and never your precise location (trip reminders send only an approximate, rounded water-area coordinate; condition alerts send only an approximate, rounded current-area coordinate).

What leaves the device — unavoidably

To enrich a catch with weather, water conditions, tide, and lake name, Bassai pulls from four public scientific APIs. Some are reached directly from your device; weather and water-body lookups flow through Bassai's own proxy at bassai.com, which does not pass your IP to the upstream provider. Each request carries only the minimum needed to answer it, and none of them carry an identifier we could use to build a profile of you.

Open-Meteo Latitude, longitude, and hour of a catch → hourly weather. No cookie, no account, no persistent session.
OpenStreetMap Latitude and longitude of a trip's center → nearest water body name. Used only for the label (e.g. Lake Fork). The bassai.com proxy caches the looked-up name (or "no nearby named water body" marker) in a durable third-party Redis store (Upstash, US-East-1, accessed via the Vercel Marketplace integration) so repeated lookups for the same area don't re-pay OSM round-trips. Cache entries expire after 30 days. The cache key is a rounded approximation of your coordinate (~1 km bucket) plus the search radius; raw GPS is not stored in the durable cache. The cache value is only the public OSM lake name or a null-result marker — never trip photos, notes, catch records, or user identifiers.
USGS water services A bounding box around the trip and a date → the nearest river or reservoir gauge's readings. Public federal data.
NOAA CO-OPS A tide station ID and a date range → tide predictions. The station list itself is bundled in the app, so this call never sees your coordinates directly.

These calls are necessary for the core feature of the app — attaching real weather and water conditions to a catch. If you disable them, Bassai still works as a logbook; it just won't record conditions.

About your IP address

Any network request made from your iPhone carries your IP address — that's how the internet works. Under European and Californian privacy law an IP is treated as personal data, so we want to be precise about who sees yours when Bassai makes a request on your behalf.

Scientific APIs USGS and NOAA CO-OPS are contacted directly from your device. Your IP is visible to them under their own policies. Bassai doesn't receive or log that IP, and we never pair it with your catches.
bassai.com proxy Open-Meteo weather lookups and OpenStreetMap water-body lookups flow through our bassai.com proxy. The proxy terminates the TLS connection from your device and forwards to the upstream service from its own IP — your IP is not passed along, and we do not write it to any persistent log on the proxy. For abuse prevention, Bassai may use a short-lived hashed identifier derived from request metadata such as IP address to rate-limit public endpoints. We do not store raw IP addresses for this purpose, and this data is not used for advertising or tracking.
bassai.com push registration Trip reminders are no longer offered in the app, but the mechanism is retained: a device that opted into a Plus trip reminder while it was available registered its Apple push token and an approximate water-area coordinate with our bassai.com push endpoints. As with our other public endpoints, your IP is used only transiently for abuse-prevention rate-limiting (a short-lived salted hash, never stored raw) and is never written to a persistent log alongside the token or coordinate.
nako.ai proxy Chat with Hank and analytics events flow through our nako.ai proxy. The proxy terminates the TLS connection from your device and forwards to the upstream provider (Google Gemini, PostHog) from its own IP — your IP is not passed along, and we do not write it to any persistent log on the proxy.
Analytics belt-and-suspenders In addition to the proxy hop above, every analytics event also carries $ip set to an empty string and $geoip_disable set to true, so PostHog's ingester discards the IP and skips GeoIP enrichment even if the proxy were bypassed. No country, no city, no IP-derived profile is built for you.

In plain English: Bassai's own servers never link an IP to your catches; the scientific APIs Bassai contacts directly (USGS, NOAA) see an IP but not who you are; and Open-Meteo, water-body, AI, and analytics traffic all flow through our proxies, which do not pass your IP to the upstream provider.

What leaves the device — only with your consent

Each of these stays under your control. Cloud AI (Chat with Hank) and analytics have their own toggles in Settings; trip reminders are no longer offered in the app — the "Remind Me" control has been removed, and the dormant delivery mechanism is described below; Live Trip condition alerts are controlled by their own switch inside the Live Trip screen (off by default) and the same notification permission. You can turn any of them off at any time, and turning one off doesn't affect the others.

Trip reminders · push delivery (not currently offered)

Trip reminders are not currently offered in the Bassai app. The "Remind Me" control has been removed, so you can no longer turn them on and the app no longer registers new devices for them. We still describe the feature here because its delivery mechanism is retained but dormant, and a device that opted in while it was available may still be registered. This is what a trip reminder involved: it was a Bassai Plus feature you started by tapping "Remind Me" on a Trip Opportunity card, and opting in registered your device by sending a small, fixed payload to its bassai.com server:

That was the entire payload. Bassai did not send your photos, catch or spot notes, exact spots, live GPS route, water names, trip history or counts, raw install identifier, email, or Apple ID. The push token is a delivery address — it is not an advertising identifier and is never used to build a tracking or advertising profile. To deliver a reminder to a device that is still registered, Bassai may send a generic notification request to Apple's Push Notification service (APNs) using that push token. The notification text is generic ("Saturday is a good day to fish.") — the APNs request does not include exact GPS, water names, catches, notes, photos, trip history, raw install identifier, email, or Apple ID. Because the in-app "Remind Me" control has been removed, no new reminders can be enabled from the app.

Live Trip condition alerts · weather checks

Condition Alerts is an opt-in switch inside the Live Trip screen, off by default — starting a trip does not turn it on. While the switch is on and a trip is recording, Bassai periodically (at most once every 20 minutes) asks its bassai.com weather proxy for the next hour's forecast near you, and if the forecast shows hard rain moving in or wind building, your iPhone shows you a notification. The request sends only an approximate, 0.01°-rounded coordinate for your current general area (roughly a ~1 km grid cell) — not your precise GPS position, and not your route. This is a separate, finer-grained check than the 0.1° water-area coordinate a Plus trip reminder registered (described above): condition-alert coordinates are used transiently to answer the forecast request and are not registered or stored with a push token.

The alert itself is generated and shown locally on your device — no push token, no server registration, no Apple Push Notification service involvement, and nothing else is sent: no GPS route, no catches, no spots, no notes, no photos, no water names. Your live-trip breadcrumb path stays on your device exactly as described below. Flip the switch off (or end the trip) and the checks stop.

Chat with Hank · conversational AI

The chat surface inside Bassai sends what you type, prior Hank chat context, and a small profile Hank maintains on this device — your experience level, fishing style, target species, preferred lakes, budget range, and any free-text notes Hank keeps about your preferences from your conversations — to our nako.ai proxy, which forwards it to Google's Gemini model. The chat content, prior context, and profile are required for Hank to answer in context. Visible trip or catch details from the page you started chat from may also be sent so Hank can answer about that trip or catch; those details are a fixed set of structured fields (such as weather, water, gear, and conditions) and never include the free-text notes you attach to catches or spots. We do not send raw GPS, photo filenames, or trip / catch identifiers in chat requests. Because Chat with Hank is opt-in, turning it on means your chat messages and that saved profile — including any profile notes Hank keeps — are sent to Google's Gemini through our proxy; you can disable Chat with Hank at any time in Settings → Controls, which stops chat data from leaving your device.

Analytics · PostHog

If you leave analytics enabled, Bassai sends structured event payloads to PostHog so we can see which features get used and where the app is failing. Event properties are booleans, enum values, numeric counts, and randomly-generated UUIDs (trip_id, catch_id, share_id) used only to correlate steps in a flow. Event properties are never raw GPS, never free-text notes, never photo filenames. Every event also carries $ip="" and $geoip_disable=true so PostHog's ingester discards the IP and skips GeoIP — we don't learn your country, city, or ISP from analytics. You can disable analytics at any time in Settings → Controls.

For funnel analytics (so we can tell that "tap import → see review sheet → split a group" is one flow rather than three unrelated taps), PostHog assigns each install a random anonymous ID, stored on your device. Analytics and diagnostic events are associated with that per-install ID across sessions for the same install, so we can follow a flow rather than isolated taps. That ID is not tied to your Apple ID, email, phone, a Bassai account, an advertising identifier (IDFA), your raw IP, or any cross-app advertising profile — and it resets when you reinstall Bassai. Disabling analytics in Settings → Controls stops events and the ID from leaving your device entirely.

Purchases & subscriptions

Bassai Plus is an auto-renewing subscription sold through Apple's App Store. The purchase is handled entirely by Apple through StoreKit — Bassai reads your StoreKit transaction and entitlement state on your device for that purpose.

Bassai does not receive or store your Apple ID, payment card, billing address, or full App Store receipt on its own servers — those stay within Apple's payment system. Because Apple records your subscription, your purchase history is linked to your Apple ID within Apple's system; we disclose it in the App Store privacy section as Purchase History, used only to provide the app's paid features and never to track you.

The only purchase-related data Bassai's own analytics record are coarse paywall events — which paywall appeared, which plan tier was tapped, whether a subscription completed — as fixed enum and context values. They never include a transaction ID, receipt data, an Apple account identifier, or any payment detail.

The former launch email list on bassai.com

Before Bassai 1.0 reached the App Store, this website ran a notify-me-at-launch email form. That form has been removed, and bassai.com no longer accepts new email addresses through a signup form. The form was the one place Bassai ever collected an email, and it was separate from the iOS app — the app itself still has no sign-in, no account, and no email field. If you submitted your address while the form was live, this section stays as the record of exactly what was collected and what happens to it.

What was collected Your email address, plus the timestamp recorded when you submitted. The form had no name, no phone, and no tracker beyond Vercel's standard server access logs.
Where it lives A contact list inside Resend, our transactional-email vendor. Resend acts as a third-party data processor; their privacy notice covers what they do with the address while it's stored.
What we may send Infrequent Bassai product updates — such as availability news — only while you stay subscribed. Promotional churn is not the point of this list.
What it's not connected to This email never touches any in-app data — your trips, catches, GPS, photos, or analytics events. The website and the app are separate surfaces. Being on this list does not create an account inside Bassai.
How to leave There's an unsubscribe link in the footer of every email we send, handled by Resend so we can't keep emailing after you opt out. You can also write to hi@bassai.com and we'll remove you within 7 days.

What we never collect

Children

Bassai is intended for people 13 years and older. We do not knowingly collect data from anyone under 13. There is no account system and no retained user-uploaded content, so the surface area for this is small by design.

Security

All network calls use HTTPS. Structured payloads sent to Chat with Hank are held in request memory only — our AI proxy (the nako.ai path for Chat) does not log request bodies and does not retain prompts or responses. Google Gemini's data handling is governed by Google's own policies, which our proxy configures for no-training, no-retention inference. If you stop using the app, there is no AI-side server record to delete because there is no account and no retained history. (The separate bassai.com waterbody-lookup proxy does keep a bucketed-coordinate durable cache — see "What leaves the device" above for that disclosure. It never stores photos, notes, or AI prompts.)

Your rights

Because Bassai does not operate an account system, most data rights (access, correction, deletion, portability) are exercised directly on your phone. Your log is yours: export it, edit it, or delete it from within the app. If you believe we are processing personal data of yours outside this contract, write to hi@bassai.com and we'll respond within 30 days.

Changes to this policy

If we change what leaves the device, change what a toggle does, or add a new toggle, we'll update the Effective date above and post the change inside the app before the new behavior takes effect. We won't quietly expand consent — privacy-affecting toggles always start off.

Contact

Bassai Inc · Cordova, TN · United States
hi@bassai.com