Privacy Policy
This policy explains what TallyTracker collects, why we collect it, who we share it with, and how you can see, change, or delete it. We've written it in plain English. If something here doesn't make sense, email us at tallytrackercustomerservices@gmail.com and we'll explain.
1. Who we are
TallyTracker is a water-safety companion app for sailing clubs, paddling groups, swimming clubs, commercial vessel operators, race officers, and solo voyagers. The app is operated by Peter Hoyle, trading as TallyTracker, United Kingdom. We are the data controller for the data described below. Contact: tallytrackercustomerservices@gmail.com.
2. What the app actually does
When you "tally on" before going afloat, the app:
- Records who you are (name, sail number, fleet, boat, emergency contact), how to reach you (phone, email), and where you are (live GPS).
- Tells the people running your session — safety team, beachmaster, race officer, club admin, and anyone you have explicitly shared a spectator code with — that you are afloat, and lets them see your live position and status until you tally off.
- Optionally lets you request assistance, send chat messages to safety responders, and capture session photos.
When you tally off, the live sharing stops. The session and its track are kept for your history (and the club's, where the session was a club session) so you can replay it later.
3. What we collect
The lists below mirror the iOS Privacy Manifest shipped with the app. None of this is used to track you across other apps or websites, and none of it is sold or shared with data brokers.
Identity and contact
- Name — sailor display name, emergency contact name, crew name, beachmaster name.
- Email address — the email you use to sign in, plus the emails of any spectators you invite.
- Phone number — the mobile number on your sailor profile, your emergency contact's number, and (optionally) a beachmaster's mobile so safety can call them.
Location
- Precise GPS — latitude, longitude, accuracy, speed, heading, and battery level from your device, recorded as a continuous breadcrumb trail while you are afloat.
- Coarse location — used to find nearby clubs and nearby voyagers within five nautical miles when those features are enabled.
Identifiers
- Firebase Auth user ID (UID) — a random string Firebase assigns to your account.
- Device ID — a per-install identifier (Apple
identifierForVendor) we use to register the device with a club and resume an active session after a relaunch. - FCM push notification tokens — a per-install token Apple/Google issues so we can deliver push notifications.
Media
- Photos — your profile photo, club branding photos you upload as an admin, and any session photos you add during or after a session.
Health (Apple Watch only, with your permission)
- Heart rate — read from HealthKit while the Watch workout session is active during a tally-on.
Session data
Tally on/off events, status changes, assistance requests, ship's log entries, race results, mark crossings, wind observations, photos, and chat messages — everything that makes the session a usable record afterwards.
Subscription
Apple subscription status — we use Apple's StoreKit to check whether you have an active TallyTracker subscription and (optionally) the Race Officer Portal add-on. We never see your card details; Apple handles that.
Crash and diagnostic data
Firebase Crashlytics collects crash stack traces and basic device model/OS information to help us fix bugs. This is anonymous and not linked to your account.
4. What we don't collect or do
- We don't track you across other apps or websites.
- We don't sell or share your data with brokers.
- We don't show ads.
- We don't collect contacts, calendar, browsing history, financial information, or sensitive personal information such as race, religion, sexual orientation, biometrics, or government IDs.
5. Why we collect each thing
Safety oversight
Your name, contact details, live GPS, status, and assistance requests are visible to the people running the session you tallied into. This is the entire point of the app; it's what gives you accountability if you don't return.
Spectator following
Friends, family, or coaches you have given a six-character spectator code can see what you allow. You can pause sharing per session, pause it indefinitely, or remove a follower from your profile.
Session history
Your tracks and session events are saved against your sailor profile so you can replay them and so the club has an audit trail. You can export or delete a session at any time.
Account and subscription
Authentication, profile setup, subscription validation, and customer-service correspondence.
6. Who we share data with
People in the same session as you
By tallying into a club session or pass session, you make your tally-on details and live status visible to the safety team, beachmaster, organiser, race officer, and club admin for that session. That's how oversight works. If you don't want to share, don't tally on.
Spectators you have invited
Each follower sees only what your sharing settings allow. You can pause or remove them at any time from your profile.
Service providers we use to run the app
- Google Firebase — Authentication, Firestore (database), Cloud Functions, Cloud Storage (photos), Crashlytics, Firebase Cloud Messaging (push), and Firebase Hosting. Firebase services are configured to use the
europe-west2region (London), so data resides in the United Kingdom under Google's data processing terms. - Apple — App Store / StoreKit (subscriptions), Push Notification Service, HealthKit (heart rate, on-device).
- Google Sign-In and Apple Sign-In — if you use these to sign in, the provider passes your email and name to us. We don't get your password or any other Google/Apple profile data.
- Gmail SMTP — used to send transactional emails (password reset, club approval notifications) from
tallytrackercustomerservices@gmail.com.
We do not share data with any other third party.
When the law requires
We will disclose data if compelled by a valid legal request from UK authorities. We will tell you unless we are legally prohibited from doing so.
7. International transfers
Firebase services are configured to keep your data in the United Kingdom (europe-west2). Firebase Authentication and Apple Push Notification Service may briefly route metadata through Google or Apple infrastructure outside the UK to deliver pushes or verify credentials. These transfers happen under Google's and Apple's own standard contractual clauses.
8. How long we keep things
- Sailor profile — kept until you delete it.
- Session history — kept until you or the club admin delete it.
- GPS breadcrumbs — kept with the session they belong to.
- Session photos — automatically deleted from Cloud Storage 10 days after the session ends.
- Assistance chat — moved to an archive subcollection when the assistance request is resolved, then deleted from the live collection.
- Solo sessions — auto-expire 12 hours after tally on if you don't tally off.
- Push notification tokens — invalidated at sign-out; stale tokens left under a previous profile are automatically swept and stamped
signedOutAton every fresh sign-in so push for the old profile never leaks to the device. - Email queue — outbound emails older than 7 days are deleted.
- Crashlytics — Firebase's default retention applies (typically 90 days).
- Liability acceptances — kept indefinitely as proof the disclaimer was accepted.
9. Your rights
You can, at any time:
- See your data — your profile, session history, followers, and any racing or admin data is visible inside the app. We can also send you a JSON export by email on request.
- Correct your data — edit your profile, session, boats, crew, or club details in the app.
- Delete your data — delete your profile via Profile → Account. Sessions you participated in inside a club may be retained by the club admin as part of their oversight log.
- Withdraw consent — unfollow sailors, pause sharing, sign out, or stop using the app.
- Object, restrict, or request portability — under UK GDPR. Email us.
- Complain to the ICO — the UK Information Commissioner's Office. We'd rather you tell us first so we can fix it.
Most requests are handled within seven days; complex requests within one month.
10. How we protect your data
- All traffic between the app and Firebase is over TLS.
- Firestore data is encrypted at rest by Google.
- Server-side rules restrict who can read or write what. Multiple rounds of hardening were done in May–June 2026 to lock down audit logs, assistance chat, race results, role membership, and FCM tokens.
- Sign-in uses Firebase Authentication. Passwords are hashed by Google; we never see them.
- Your Apple Watch syncs auth credentials over Apple's encrypted WatchConnectivity channel.
11. Children
TallyTracker is rated 4+ but it is intended for use by people who are competent on the water (or under the supervision of an adult who is). The app supports an "Under 18" flag on a sailor profile so club admins know when a participant is a minor — typically used by youth sailing programmes where the responsible adult holds the iPhone and tallies the child on.
We do not knowingly collect data from children under 13 without verifiable parental consent. If you believe a child has provided us with personal data without consent, email us and we'll delete it.
12. Push notifications
Push is used for assistance alerts, race start countdowns, spectator follow updates, status changes, and chat messages. You can disable push entirely in iOS Settings → Notifications → Tally Tracker.
13. Subscriptions
TallyTracker is free to download. The annual TallyTracker subscription (£19.99 / $19.99 / 1 year) unlocks live tracking, voyage log, ship's log, Watch app, Live Activities, and competing in races. The Race Officer Portal add-on (£9.99 / 1 year) is for race officers and clubs running races. Apple handles billing; we receive a yes/no entitlement from StoreKit. Cancel any time via Settings → Apple ID → Subscriptions on your device.
14. Liability and the on-water disclaimer
Before using safety-critical features you accept a separate liability disclaimer (currently version 2026-04-v2). That disclaimer is a contract between you and TallyTracker and is not part of this privacy policy, but you can review it in the app at any time under Profile → Liability Acceptance.
15. Cookies and analytics
The iOS app doesn't use cookies. We don't use Google Analytics, Mixpanel, Amplitude, Segment, Adjust, AppsFlyer, Branch, or any other analytics/attribution SDK. The only diagnostic data we collect is Firebase Crashlytics for crash reports.
16. Changes to this policy
We'll update this page when the app changes in a way that affects what we collect or how we use it. Material changes will be announced in the app and via push notification. The "Last updated" date at the top of this page tells you when the policy last changed.
17. Contact
TallyTracker · United Kingdom · tallytrackercustomerservices@gmail.com
If you've read this far — thanks. Stay safe on the water.