Privacy Policy

Last updated: 2026-05-16

We take privacy seriously. This page explains, in plain English, what data AnglingAI collects, why, how long we keep it, and what rights you have under UK GDPR.

1. Who is the data controller

The AnglingAI team (operating from England) is the data controller for the personal data we collect. Contact: [email protected].

2. What we collect

  • Account data: email, name (optional), hashed password, plan, created/updated timestamps.
  • API keys: we store only a SHA-256 hash of each key, plus a 12-character prefix for display. The plaintext is shown to you once and never stored.
  • Usage records: for each request to our API we record the endpoint, the upstream model name, an input/output token estimate, status, and timestamp. This is used for quotas, billing, and abuse prevention.
  • Prompts & uploads: the text you type, the photos you upload, and the data your saved chat history contains.
  • Social account data (optional): if you connect a Facebook / X / Instagram / LinkedIn account, we store the platform handle and OAuth access token so we can publish on your behalf.
  • Cookies: a single, signed session cookie (httpOnly) for keeping you logged in. We do not use third-party advertising cookies.
  • Server logs: standard request logs (IP, path, status, user-agent) retained for 30 days for security and debugging.

3. Why we use it (legal bases)

  • Contract — to provide the service you signed up for: account, dashboard, API access, billing.
  • Legitimate interests — to keep the service secure, prevent abuse, monitor performance, and improve product quality.
  • Legal obligation — to comply with tax, accounting, and lawful information requests.
  • Consent — for any optional marketing emails (we don't send them yet).

4. AI providers and where your data goes

When you use AnglingAI, your prompts and uploaded images are forwarded to one of the following third-party AI providers, chosen automatically per task: OpenAI (US), Anthropic (US), and Google (US/EU). We use enterprise / API plans that, by default, do not use your prompts to train their models. However, providers may briefly retain data (typically up to 30 days) for abuse monitoring.

Weather and tide data is fetched from Open-Meteo, which receives only the location string you submit. Web search for venue research, when enabled, uses Tavily.

Data transferred outside the UK is protected by either the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or the US Data Privacy Framework, depending on the provider.

Do not upload personal data of minors, medical information, financial details, or other sensitive content into AnglingAI.

5. How long we keep it

  • Account, keys, billing: for as long as your account is active, then up to 7 years for tax/accounting.
  • Chat & tool history: until you delete it or close your account.
  • Server logs: 30 days, then deleted.
  • Backups: rolling 30 days.

6. Your rights under UK GDPR

You have the right to:

  • Access the personal data we hold about you;
  • Have it corrected if it's wrong;
  • Have it deleted ("right to be forgotten") — we action this within 30 days unless we're legally required to retain it;
  • Receive your data in a portable format;
  • Object to processing based on legitimate interests;
  • Withdraw consent at any time for any processing based on consent;
  • Complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these, email [email protected]. We'll verify your identity before acting.

7. Security

Passwords are hashed with bcrypt. API keys are stored as SHA-256 hashes only. All traffic is TLS-encrypted. Sessions are signed JWT cookies. We follow industry-standard practice but, like everyone, cannot guarantee perfect security.

8. Children

AnglingAI is intended for adults (16+). We do not knowingly collect personal data from children. If a child has signed up, email us and we'll delete the account.

9. Changes

When we materially change how we handle data, we'll update the "Last updated" date and email registered users.