Privacy Policy
Last updated: May 15, 2026
This policy describes how the DownwindTracker iOS and watchOS app ("DownwindTracker", "the app", "we") collects, uses, stores, and transfers personal data. This policy applies only to the DownwindTracker app and the Downwind Cloud backend service operated by the same publisher.
Plain summary: The app records sensor data (motion and GPS) from your Apple Watch when you start a paddle session. To upload that data for analysis, the app asks you to sign in with your email. Your sensor data and the analysis results are stored on our backend and are tied to your account. We do not sell your data, we do not run advertising, and we do not use third-party analytics or tracking SDKs inside the app.
1. Data we collect
The app collects the following categories of data:
| Category | What | When |
|---|---|---|
| Account | Email address (used by Supabase magic-link authentication) and a Supabase user identifier (UUID). | When you sign in. |
| Location | GPS coordinates, altitude, speed, course, and per-sample accuracy values from Core Location, recorded approximately once per second. | Only while a paddle session is actively recording on the watch. |
| Motion / sensor | Three-axis accelerometer readings from Core Motion at approximately 100 Hz. | Only while a paddle session is actively recording on the watch. |
| Health / fitness | The app starts a HealthKit workout session in order to keep recording running in the background. The app does not read additional HealthKit data and does not write user-visible workout summaries to the Health app. | For the duration of a recording session. |
| Session metadata | Session ID, recording duration, sample counts, observed sample rates, schema version, SHA-256 checksums of the recorded files, dropped sample counts, and any annotations you add (session type, conditions, focus, notes). | Generated automatically; annotations are optional. |
| Diagnostics | Standard iOS crash reports and performance metrics through Apple's built-in mechanisms, when you opt in via iOS Settings. We do not embed third-party crash or analytics SDKs. | If enabled by your device settings. |
What we do not collect
- We do not collect contacts, photos, or files outside the recorded session bundle.
- We do not access your microphone or camera.
- We do not use advertising identifiers (IDFA) or run any ad networks.
- We do not embed third-party analytics SDKs (no Google Analytics, no Firebase Analytics, no Mixpanel, no Amplitude, no Segment).
2. How we use your data
We use the data described above to:
- Authenticate your account and keep you signed in;
- Upload, store, and analyze your paddle sessions so we can return bump detection, dead-water identification, and session summary metrics to you;
- Allow you to view your session history and analysis results;
- Investigate bugs, reliability issues, and capture-quality problems that you report;
- Improve the analysis pipeline. Aggregate, de-identified summary statistics may inform model improvements. We do not use the contents of any individual session for marketing or advertising.
3. How your data is stored and transmitted
- On your devices: Recordings are written to local storage on the Apple Watch, transferred to your iPhone over WatchConnectivity, and held in the iOS app's sandboxed storage until you upload or delete them. Authentication tokens are stored in the iOS Keychain.
- In transit: All communication with the backend uses HTTPS (TLS 1.2+) with certificate pinning. Authentication uses Supabase-issued JWT bearer tokens.
- On the backend: Session files and analysis results are stored on infrastructure operated by Fly.io (host of the Downwind Cloud API) and Supabase (host of the authentication service and user-account database). Both providers operate from data centers in the United States.
4. Who we share data with
We do not sell, rent, or trade your personal data. We share data only with the following service providers, and only as needed to operate the app:
- Supabase, Inc. — authentication service. Supabase processes your email address and assigns the account UUID used by the app. See Supabase's privacy notice for details.
- Fly.io (Fly, Inc.) — application and storage hosting for the Downwind Cloud API. Session files and analysis results are stored on Fly-managed infrastructure.
- Apple Inc. — App Store distribution, TestFlight beta delivery, push notification routing (if used), and platform-level crash reporting if you have opted in.
We may also disclose data when required by law, valid legal process, or when necessary to protect the rights, property, or safety of users or the public.
5. Data retention and deletion
Sessions you upload are retained until you delete them. You can delete an individual session from the iOS app's session list (this removes both the raw files and the analysis results from the backend). To delete your entire account and all associated data, email support@downwindtracker.com from the address associated with your account. Account deletion requests are processed within 30 days.
Local recordings that have not been uploaded are removed when you delete the app from your devices.
6. Your rights
Depending on where you live, you may have rights under data-protection laws such as the EU/UK GDPR or the California Consumer Privacy Act (CCPA), including the right to access, correct, port, or delete your personal data, and the right to object to or restrict certain processing. To exercise these rights, contact us at the email below. We will not discriminate against you for exercising any of these rights.
7. Children
DownwindTracker is not directed at children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us so we can delete it.
8. International transfers
The app and its backend are operated from the United States. If you access the app from outside the United States, your data will be transferred to and processed in the United States. By using the app, you consent to this transfer.
9. Security
We use TLS with certificate pinning for all network transmissions, store authentication tokens in the iOS Keychain, and rely on Supabase and Fly.io for backend security controls. No system is perfectly secure; we will notify affected users of any data breach that materially affects them, as required by applicable law.
10. Changes to this policy
We may update this policy from time to time. Material changes will be indicated by the "Last updated" date at the top of this page and, where appropriate, communicated in-app or by email. Your continued use of the app after a change indicates acceptance of the revised policy.
11. Contact
Questions, privacy requests, or complaints:
support@downwindtracker.com