Security | FISHMARKS GPS Fishing App

Effective Date: April 11, 2026 • Last Updated: April 12, 2026

Honest disclosure first. Fishmarks is built and maintained by a small team. We are not SOC 2, ISO 27001, or HIPAA audited as an organization. We don’t claim certifications we don’t hold. What follows is a plain-language description of the actual practices we use to protect your data.

Infrastructure

We don’t reinvent security primitives. Fishmarks runs on infrastructure providers that have done the hard compliance work, and we leverage their certifications rather than pretending to hold our own:

Supabase — PostgreSQL database, authentication, edge functions, file storage. Independently audited for SOC 2 Type 2 and HIPAA compliance. Hosted on AWS infrastructure.
Cloudflare — Static site hosting (Cloudflare Pages), TLS termination, DDoS protection, and WAF. Maintains SOC 2 Type 2, ISO 27001, ISO 27018, and PCI DSS certifications.
Stripe — All payment processing. PCI DSS Level 1 certified. We never see, store, or transmit your card details — cards are tokenized in your browser before reaching our servers.
Resend — Transactional email delivery (verification, list sharing, password resets, friend requests). SOC 2 Type 2 certified.
Apple App Store / TestFlight — Distribution and in-app purchases for the Fishmarks Connect mobile companion app. Subject to Apple’s App Review Guidelines and platform security model.

Encryption

In transit

Every connection between your browser, the Fishmarks Connect mobile app, and our servers uses TLS (HTTPS). Our certificates are managed automatically by Cloudflare. We do not accept unencrypted connections.

At rest

All data stored in our database is encrypted at rest using AES-256, managed transparently by Supabase’s underlying AWS infrastructure. Backups are similarly encrypted.

Optional client-side encryption

For users who want maximum protection of their fishing spots, Fishmarks supports optional client-side encryption. When enabled from Settings > Security, your waypoint coordinates, names, and notes are encrypted in your browser using AES-256-GCM before they ever leave your device. The encryption key is derived from a passphrase that only you know — we never see it, never store it, and cannot recover it for you. Even if our database were compromised, your encrypted waypoints would be unreadable without your passphrase.

When you share a list with another user, the waypoints in that list are automatically stored as plaintext so the recipient can read them. They are re-encrypted if you later remove all guests from the list.

Access Control

Database-enforced isolation

Every database query is enforced with Row-Level Security (RLS), a PostgreSQL feature that restricts access at the database engine itself, not in application code. This means a bug in our application code cannot accidentally expose one user’s data to another user — the database itself rejects the query. RLS policies are version-controlled and reviewed alongside application code.

Internal access

Production database access is limited to a small number of authorized personnel and uses time-limited credentials. We do not browse user data. We do not analyze or mine your waypoints. We have no business interest in where you fish.

Authentication

Account passwords are hashed with bcrypt by Supabase before storage — we never see plaintext passwords. We support email/password sign-in, Sign in with Apple, and Sign in with Google. Email-based password resets and email verification links are time-limited and single-use.

Data Ownership & Portability

Your data belongs to you, and you can take it with you at any time:

Export — Download all of your waypoints, lists, trips, catches, routes, and tracks at any time in standard GPX or CSV format from Settings > My Data.
Delete — Permanently delete your account and all associated data from Settings > Delete Account. Deletion is irreversible — there is no soft-delete or hidden retention period for deleted accounts.
No vendor lock-in — GPX is the universal standard for GPS waypoint data. Anything you export from Fishmarks can be imported into any other GPS or chartplotter system that reads GPX.

Sharing & Privacy

Your data is private by default. Nothing is ever shared unless you explicitly choose to share a list with another user. List sharing is invitation-based — the recipient must accept the invitation before they can see anything. You can revoke sharing access at any time, and any client-side-encrypted waypoints are automatically re-encrypted when the last guest is removed.

We do not sell, rent, or trade your personal information or fishing data to anyone, ever. See our Privacy Policy for full details on what we collect and how we use it.

Data You Store

Fishmarks is designed to store fishing waypoints, trip logs, catch records, and related notes. It is not designed to store sensitive personal data, and you should treat it accordingly.

Do not store sensitive data. You should never enter personally identifiable information (PII) such as social security numbers, dates of birth, government IDs, financial account numbers, health or medical records, passwords, or any other sensitive personal data into Fishmarks — whether in waypoint names, notes, or any other field. The service is not built to the compliance standards required for that kind of data, and we do not want to be responsible for it.

Do not upload intellectual property you do not own. Only store content — waypoints, notes, photos, and other data — that you created yourself or have explicit permission to use. Do not upload proprietary waypoint data, copyrighted charts, or any other material belonging to someone else without their authorization.

In the event of a data breach, the worst-case exposure should be limited to fishing-related data, your contact information, and account metadata — not data that could lead to identity theft or legal liability. Keeping sensitive data out of the system is the single best thing you can do to protect yourself.

Incident Response

In the unlikely event of a security incident affecting user data, we will notify affected users by email as soon as we have a reasonable understanding of the scope and impact. Notifications will include what happened, what data was affected, what we have done about it, and what (if anything) you should do.

Reporting a Vulnerability

If you believe you have found a security vulnerability in Fishmarks, please report it to us privately so we have a chance to fix it before it becomes public knowledge.

Security Contact

Email: [email protected]

Please include enough detail to reproduce the issue, the URL or feature affected, and any proof-of-concept code if applicable. We will acknowledge receipt within a few business days.

We do not currently offer a paid bug bounty, but we’re happy to credit researchers who report valid issues responsibly. Please do not test against other users’ accounts or attempt to access data you do not own.

Our published security contact information is also available at /.well-known/security.txt in the format defined by RFC 9116.

What We Are Not

In the spirit of transparency, here is what Fishmarks is not:

Not SOC 2 audited as an organization. Our infrastructure providers are. We are not.
Not ISO 27001 audited. Same as above.
Not HIPAA covered. Fishmarks is not a healthcare service, does not handle protected health information, and is not designed for use by HIPAA-covered entities.
Not a uptime-SLA backed service. We do our best to keep Fishmarks available, but we don’t publish or guarantee a formal SLA. Service interruptions may occur.
Not appropriate for life-safety navigation. Fishmarks is a waypoint management and trip-logging tool. It is not certified for marine navigation, emergency use, or any safety-of-life application. Always carry appropriate marine safety equipment and use certified navigation tools.

If any of these are dealbreakers for your use case, we’d rather you know up front than discover it later.