Privacy Policy for Grota

1.1 Location data

If you grant location permission, Grota uses your device's GPS coordinates (latitude and longitude) to:

1. Center the map on your current position when you tap the "Locate" button.

2. Animate the map to your last known position on app launch — only if the location permission has already been granted in a previous session. We never prompt for location on first launch.

3. Fetch weather, marine, coastline, and terrain data for the location you select on the map (see §3).

Location is requested only while the app is in use (NSLocationWhenInUseUsageDescription on iOS, ACCESS_FINE_LOCATION / ACCESS_COARSE_LOCATION on Android). Background location tracking is disabled and not requested.

We do not store location data on any server controlled by us — we do not operate servers.

If you deny location permission, the app remains fully functional: you can still pan the map manually, drop a pin anywhere along the coast, and view a complete beach analysis for that point.

1.2 Preferences and saved beaches stored on your device

The following data is saved in the app's local storage (AsyncStorage) on your device only:

• Preferred wind speed unit (km/h, knots, m/s)

• Saved beaches (custom name, coordinates, orientation, pinned status, creation date)

• Onboarding/hint dismissal flags

This data never leaves your device, is not backed up to our servers, and can be removed at any time using the "Delete all favorites" action in the Settings screen, or by uninstalling the app.

2. Information we do NOT collect

Grota does not collect, process, or have access to:

• Your name, email, phone number, or any account identifier.

• Contacts, photos, calendar, microphone, camera, or motion sensor data.

• Advertising identifiers (IDFA, GAID).

• Analytics events, crash reports, or telemetry.

• Purchase history, payment, or billing information (the app is free and has no in-app purchases).

• Browsing history or data from other apps.

Grota has no login, no user accounts, and no ads.

3. Third-party services

Grota fetches data from the following public, open-source services. When the app makes a request, only the coordinates (and in some cases a small bounding box around them) and the requested data variables are sent. No device identifier, advertising identifier, or personal information is included in these requests.

3.1 Open-Meteo (weather and marine data)

Grota uses Open-Meteo (open-meteo.com) to fetch wind, temperature, UV index, sunrise/sunset, wave height, and sea temperature forecasts. The following is sent to Open-Meteo's servers:

• The latitude and longitude of the location you are analyzing

• The date range of the forecast request

• The requested weather and marine variables

Open-Meteo is an open-source weather service based in Bürglen, Switzerland. Per their privacy policy, Open-Meteo does not require an API key, does not require registration, and states that no personally identifiable information is collected. Standard HTTP server logs may briefly retain IP addresses for abuse prevention.

3.2 Nominatim (reverse geocoding)

Grota uses Nominatim (nominatim.openstreetmap.org) to convert the coordinates of a selected pin into a human-readable place name (for example, "Cape Kamenjak, Croatia"). The latitude and longitude are sent to Nominatim, which is operated by the OpenStreetMap Foundation.

3.3 Overpass API (coastline geometry)

Grota uses the Overpass API (overpass-api.de) to retrieve the surrounding coastline geometry near a selected pin. This is used locally to compute beach orientation, shelter, and wave-fetch length. A small geographic bounding box around your selected coordinates is sent. The Overpass API is operated by the OpenStreetMap community.

3.4 Open-Elevation (terrain elevation)

Grota uses Open-Elevation (api.open-elevation.com) to retrieve elevation samples around a selected pin. This is used locally for viewshed (terrain-shelter) analysis. A list of nearby coordinates is sent.

Grota is not affiliated with Open-Meteo, the OpenStreetMap Foundation, or Open-Elevation. Each of these services applies its own privacy policy; we recommend reviewing them if you would like further detail.

4. Legal basis for processing (GDPR)

For users in the European Economic Area, the legal bases for processing are:

• Consent (Art. 6(1)(a) GDPR): for access to your device location when you grant the location permission.

• Legitimate interest (Art. 6(1)(f) GDPR): for local on-device processing of preferences and saved beaches, and for the network requests strictly necessary to provide the app's functionality.

You can withdraw location consent at any time via your device's system settings. Doing so does not affect the lawfulness of processing carried out before withdrawal.

5. Your rights

Because we do not collect or store your personal data on our servers, there is nothing we can access, modify, export, or delete on your behalf. You retain full control on your device:

• Revoke location permission: iOS Settings → Grota → Location, or Android Settings → Apps → Grota → Permissions.

• Delete saved beaches and preferences: use "Delete all favorites" in the app's Settings screen, or uninstall Grota to remove all locally stored data.

• Opt out of data sent to third-party services: deny or revoke the location permission and do not drop pins on the map. Without a coordinate, the app will not send requests to the services in §3.

Users in the EU/EEA have rights under GDPR (access, rectification, erasure, restriction, portability, objection). Users in California have rights under the CCPA (right to know, right to delete, right to opt out of sale — we do not sell data). To exercise any rights or ask questions, contact us at sime@sikira.co.

6. Data retention

We do not retain any user data on our servers because we do not operate servers. Data stored on your device remains until you delete it or uninstall the app.

7. Children's privacy

Grota is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect any personal information from children. If you believe a child has provided us with personal information, please contact us and we will take steps to address it, though in practice the app does not collect information that could identify anyone.

8. International data transfers

When the app contacts the third-party services listed in §3, data is transferred to those services' servers, located in Switzerland and the European Union. Switzerland is recognised by the European Commission as providing an adequate level of data protection.

9. Security

All network requests from the app use HTTPS (TLS). App Transport Security is enforced — arbitrary loads are disabled. Local preferences and saved beaches are stored using the platform's standard secure preferences storage (iOS NSUserDefaults / Android SharedPreferences via AsyncStorage).

10. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the latest revision. Material changes will be communicated within the app or alongside an app update. Continued use of the app after changes means you accept the revised policy.

11. Contact

Developer: Sime Basioli
Email: sime@sikira.co