Privacy Policy
Effective date: May 25, 2026 · Last updated: May 25, 2026
FirstByte, LLC ("FirstByte," "we," "us") operates SailTrace, an iOS application and web service that lets sailors record, replay, and analyze sailboat races (the "Service"). This Privacy Policy explains what personal information we collect, why we collect it, who we share it with, and the choices you have.
This Policy covers the SailTrace iOS app, the SailTrace web dashboard, and the SailTrace API. It does not cover third-party services that we link to or that process payments on our behalf — those services have their own privacy notices.
1. Who we are
FirstByte, LLC, a Delaware limited liability company. Contact us at support@firstbytestudio.com.
2. Information we collect
We collect the following personal information. These categories match the data types declared in SailTrace's Apple App Privacy disclosure and in the app's PrivacyInfo manifest. For California residents, each item maps to a statutory category under Cal. Civ. Code §1798.140(v)(1); the mapping is in Section 7.1.
(a) Account information
- Name (display name on your sailor profile).
- Email address.
- Password (stored as a salted hash; we never see your plaintext password).
- Optional profile photo.
(b) Sailing data you create
- Precise GPS location while you are recording a session. Precise geolocation is "Sensitive Personal Information" under California law; see Section 7.1.
- Boat metadata you enter (boat name, class, hull number, sail number).
- Race participation, course mark positions, line reads, and wind observations you capture during a race.
- Recordings and the derived race geometry we compute from them.
- Yacht club, team, event, and series memberships you join.
(c) Subscription and billing information
- Whether you have an active Pro subscription, when it began, and when it renews or ends.
- Billing identifiers issued by Apple (in-app purchase) or Stripe (web checkout). We do not receive your full credit-card number; payment data is collected directly by Apple or Stripe under their own privacy notices.
(d) Device and diagnostic information
- Crash reports and performance data via Apple's diagnostic channel (only if you have opted in via iOS Settings → Privacy & Security → Analytics).
- Basic device information needed to operate the Service: iOS version, SailTrace app version, device model, and locale.
- IP address used to issue your session.
(e) Communications
- Email we send you and any reply you send to support, retained for the period necessary to handle the request.
We do not collect device advertising identifiers, do not track you across other apps or websites, and have no third-party ad SDKs in the app.
3. How we use the information
| Purpose | Information used | Legal basis (where applicable) |
|---|---|---|
| Operate the core Service — record sessions, reconstruct races, show maps | GPS location, sailing data, account information | Contract / app functionality |
| Authenticate your account and keep it secure | Email, password hash, IP address | Contract; legitimate interest in security |
| Process Pro subscriptions and sponsored-access entitlements | Subscription and billing information, account information | Contract |
| Respond to support requests | Communications, account information | Contract; legitimate interest |
| Detect, prevent, and investigate fraud or abuse | Account information, IP address, device information | Legitimate interest |
| Improve race reconstruction and our machine-learning models | Aggregated or de-identified sailing data only — see below | Legitimate interest |
| Send service announcements (e.g., security notices, terms changes) | Email address | Legitimate interest; legal obligation |
| Comply with legal obligations and respond to lawful requests | Any of the above as required | Legal obligation |
We do not use your personal information for advertising and we do not sell it.
Machine-learning and aggregated data
We use aggregated and de-identified data derived from sailing activity — such as anonymized GPS tracks, boat-class performance distributions, and fleet-wide wind observations — to train and improve the machine-learning models that power race reconstruction, wind inference, and other automated features of the Service. Aggregated and de-identified data does not identify you, is not personal information, and we may use it for any purpose consistent with this Policy, including publishing aggregate insights.
4. How we share information
We share personal information only with the parties listed below, only for the purposes shown, and only under written agreements that require them to protect the data and use it solely for the services they provide to us.
| Recipient | Purpose | Data shared |
|---|---|---|
| Amazon Web Services (AWS S3) | Storage of recordings, profile photos, and ML artifacts | Sailing data, profile photo |
| Mapbox | Rendering maps in the app and web dashboard | Map view requests (no account identifiers passed to Mapbox by SailTrace) |
| Stripe | Processing Pro subscriptions purchased on the web | Email, name, subscription identifiers; payment details collected by Stripe directly |
| Apple | In-app purchases of Pro on iOS; Apple Diagnostics | Per Apple's privacy notice |
| Postmark | Sending transactional email (password resets, receipts, security alerts) | Email address, message content |
| Government authorities | Where required by law and only in response to a valid legal request | The minimum necessary |
We do not sell personal information. We do not share personal information with third parties for their own marketing or advertising purposes.
In the event of a corporate transaction (merger, acquisition, sale of assets, or bankruptcy), personal information may be transferred to the successor entity, which will remain bound by this Policy or a successor with equivalent protections.
5. Data retention
| Category | Retention |
|---|---|
| Account information | While your account is active. Deleted within 30 days of account deletion, except where we are required to retain it longer (tax, fraud, or legal hold). |
| Sailing data (recordings, races, marks, line reads) | While your account is active or until you delete the item. Deleted within 30 days of account deletion. |
| Subscription and billing records | 7 years after the transaction, to meet US tax and accounting requirements. |
| Crash and performance data | Up to 13 months. |
| Support communications | Up to 3 years after the last message. |
| Server access and security logs | Up to 90 days. |
When you delete your account or an individual recording, we will confirm completion by email. Backup copies may persist for up to an additional 30 days before being overwritten in the ordinary course of our backup rotation.
6. Security
We use industry-standard administrative, technical, and physical safeguards to protect personal information, including encryption in transit (HTTPS/TLS), encryption of database backups at rest, scoped access controls, and audit logging on our admin tooling. No system is perfectly secure, and we cannot guarantee that personal information will never be accessed, disclosed, altered, or destroyed in breach of our safeguards.
7. Your rights
You can do the following at any time:
- Update your name, email, profile photo, and password from the SailTrace app or web dashboard.
- Delete individual recordings or races from the app.
- Delete your entire account from Account → Delete Account in the app, or by emailing support@firstbytestudio.com. We will action a deletion request within 30 days.
- Export your sailing data on request to support@firstbytestudio.com.
- Withdraw consent for optional iOS permissions (Location, Photos, Diagnostics) in iOS Settings; this may disable parts of the Service.
7.1 California, Colorado, Connecticut, Virginia, Utah, and other US state residents
If you live in California, Colorado, Connecticut, Virginia, Utah, or another US state with a comprehensive privacy law, you may have additional rights:
- Right to know / access: to receive the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of recipients.
- Right to delete: to request deletion of personal information we collected from you.
- Right to correct: to request correction of inaccurate personal information.
- Right to opt out of "sale" or "sharing" for cross-context behavioral advertising: SailTrace does not sell personal information and does not share it for cross-context behavioral advertising, so there is nothing to opt out of (see "No sale or sharing" below).
- Right against retaliation for exercising any of the above.
Categories collected (California residents, last 12 months). The following statutory categories of personal information under Cal. Civ. Code §1798.140(v)(1) have been collected:
| Category | What we collect | Source | Disclosed to |
|---|---|---|---|
| (A) Identifiers | Name, email, user ID, IP address | You, your device | AWS, Postmark |
| (B) Customer records (§1798.80(e)) | Name, email, billing identifiers | You | Stripe |
| (D) Commercial information | Subscription history, sponsored-access status | You, Stripe, Apple | Stripe, Apple |
| (F) Internet or network activity | App usage events, session logs | Your device | AWS |
| (G) Geolocation data — precise (Sensitive PI) | GPS location recorded during sailing sessions | Your device | AWS |
| (I) Sensory information — visual | Profile photo, if you upload one | You | AWS |
| (K) Inferences | Inferred wind, race geometry, maneuvers, derived sailing analytics | Computed from (G) | AWS |
Categories not listed are not collected.
Sensitive Personal Information. SailTrace collects precise geolocation, which California treats as Sensitive Personal Information under Cal. Civ. Code §1798.140(ae). We process precise geolocation only for the purposes listed in Section 3 — operating the Service, security, fraud prevention, and aggregated improvement of the Service — all of which are permitted under Cal. Civ. Code §1798.121(a). We do not use or disclose Sensitive Personal Information for any other purpose. No "Limit the Use of My Sensitive Personal Information" link is required.
No sale or sharing. SailTrace does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined under California law. No opt-out link is provided because nothing is sold or shared.
Right to non-discrimination. We will not deny you the Service, charge you different prices, or provide a different level of service because you exercised a privacy right.
To submit a request, email support@firstbytestudio.com with the subject line "Privacy Rights Request" and tell us which right you wish to exercise. We will verify your identity using the email associated with your SailTrace account. You may use an authorized agent; we will require written authorization. We respond within 45 days and may extend once by an additional 45 days where permitted.
7.2 If you are in the European Economic Area, United Kingdom, or Switzerland
SailTrace is offered from the United States and is intended primarily for use in the United States and Canada. If you nonetheless use the Service from the EEA, UK, or Switzerland, you have rights of access, rectification, erasure, restriction, portability, and objection. You can also lodge a complaint with your local supervisory authority. International transfers of your data to the United States rely on appropriate safeguards (Standard Contractual Clauses where applicable). For requests, email support@firstbytestudio.com.
8. Children
SailTrace is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal information, contact support@firstbytestudio.com and we will delete it. Users between 13 and 18 should use SailTrace only with the involvement of a parent or guardian.
9. Changes to this Policy
We may update this Policy from time to time.
Material changes — such as new categories of personal information collected, new categories of recipients, or new purposes of use — will be announced by updating the "Last updated" date and by emailing or in-app notifying users with active accounts at least 7 days before the change takes effect.
Non-material changes — clarifications, formatting changes, contact updates, and corrections — may be made without notice; the "Last updated" date will reflect the change.
Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
10. Contact us
FirstByte, LLC
Attn: Privacy
support@firstbytestudio.com