Effective July 15, 2026
Privacy Policy
This Privacy Policy explains how Zach Smet, the operator of FinDex ("FinDex," "we," "us," or "our"), handles information when you use the FinDex mobile application or this public website. Contact support@findexaquarium.com with privacy questions.
1. Scope
This policy covers the FinDex app, FinDex Pro subscription features, optional AI features, support communications, and this website. It does not replace the privacy notices of Apple or the service providers described below.
2. Information FinDex handles
Account and authentication information
FinDex requires an account. We use Supabase Authentication to process your email address, password authentication record when email sign-in is used, email-verification status, connected sign-in methods, account timestamps, session information, and a generated Supabase user UUID. Resend delivers transactional authentication messages, such as confirmation, sign-in, recovery, and security-notification emails, on Supabase's behalf. FinDex does not receive your readable password from Supabase after authentication.
When offered and selected, Sign in with Apple or Google sign-in may provide Supabase and FinDex with a provider identifier, verified email claim, and optional name information. Apple may provide a private-relay email address. FinDex accepts relay addresses and uses provider name information only to fill an otherwise blank account profile. Provider access tokens are not retained in FinDex application storage.
The UUID links your account to your FinDex records and is also used as your RevenueCat App User ID so purchases can be associated with the signed-in account. A profile table can store an optional display name.
Aquarium and fish records
You may create tank records containing a name, water type, volume, temperature, setup date, cover image, notes, and timestamps. You may create fish or livestock records containing a tank assignment, selected or entered species names, custom name, quantity, acquisition date, health status, photo, notes, and timestamps. These records are linked to your account and stored through Supabase.
The app also includes a reference species catalog. Species searches are sent to Supabase to return matching catalog entries; FinDex does not intentionally maintain a separate species-search-history table.
Photos
When you choose to take or select a fish or aquarium photo, the app may resize and convert it before upload. Saved record and scan images are stored in a private Supabase Storage bucket under an account-specific path. The app uses time-limited signed URLs to display them. Camera and photo-library access are optional and requested only when you choose a photo feature.
AI prompts, results, and history
When you use an AI feature, FinDex may store the question you submit, attached or selected image path, conversation and message records, scan status and metadata, fish-identification candidates, aquarium observations, user-confirmed identification, care-report input snapshots and results, model and prompt versions, provider response identifier, token counts, errors, and timestamps. This information is linked to your account and stored through Supabase so the app can display eligible history, avoid duplicate processing, and apply access rules.
AI consent and usage records
FinDex stores the version and timestamps of your AI data-sharing acceptance or withdrawal. It also stores a server-managed complimentary allowance and an AI usage ledger. The ledger can include the feature, request key, access source, credit amount, reservation status, whether provider processing began, result linkage, errors, model, token usage, provider request ID, and timestamps. These records enforce the shared two-use allowance, monthly and hourly limits, retries, and security controls.
Subscriptions and purchases
Apple processes App Store payments. FinDex does not receive your complete payment-card details. RevenueCat manages product offerings, purchase and restore flows, customer and entitlement status, and subscription management. FinDex receives or caches information such as the RevenueCat customer identifier, product identifier, active entitlement, expiration or grace-period dates, status-check time, and purchase or transaction status made available by Apple and RevenueCat.
Support communications
If you contact support, we receive the email address and content you choose to send, along with attachments and a Support ID if you include one. Cloudflare routes messages sent to the public support address to a Google mailbox. Do not send a password, API key, complete payment-card number, or an unnecessary sensitive photo.
Technical and operational information
FinDex service providers may automatically process IP address, device and operating-system details, app version, request time, request or response metadata, network and error information, update checks, store identifiers, and similar operational information needed to deliver, secure, troubleshoot, and account for their services. Supabase maintains API, authentication, database, Storage, and Edge Function logs according to the project plan and settings. Apple may provide crash or diagnostic information under the user's and developer's Apple settings.
FinDex has not added a third-party advertising, behavioral analytics, session-replay, or crash-reporting SDK. This website contains no FinDex analytics, advertising pixel, account login, form, or cookie-setting script. GitHub may still process ordinary web request and usage information when it hosts and delivers these pages.
3. Optional AI processing and AI data sharing
AI features are optional. Manual tank and fish tracking remains available if you decline or withdraw AI data-sharing consent.
Before an AI request can be sent, FinDex asks you to accept a separate AI data-sharing disclosure. When you initiate a supported AI feature after accepting, FinDex sends OpenAI the selected or attached photo when applicable, your question or requested task, recent relevant conversation content, and relevant saved tank, fish, species, and care details needed for that request. The code does not intentionally place your email address or Supabase UUID in the AI prompt.
FinDex calls OpenAI's Responses API from a Supabase Edge Function and sets store to false. OpenAI states that API data is not used to train its models by default unless an account opts in. OpenAI may still retain limited content and metadata for safety and abuse monitoring under its current API data controls, generally for up to 30 days by default, with limited exceptions or longer retention when legally required. FinDex does not claim that its OpenAI project has Zero Data Retention.
AI output may be incomplete or incorrect. A user-confirmed fish identification is treated as user-provided context, not independent verification. FinDex provides general aquarium guidance, not veterinary diagnosis or medication instructions.
4. Why we use information
- Create, authenticate, verify, secure, and recover accounts.
- Store, display, edit, and delete tank, fish, note, photo, and history records.
- Perform AI analysis only when a user chooses it and has active consent.
- Provide two lifetime complimentary AI analyses per eligible verified account.
- Verify FinDex Pro access, process purchases and restores, apply limits, and prevent duplicate requests.
- Operate, protect, troubleshoot, improve, and support FinDex.
- Comply with legal obligations and enforce applicable terms.
5. Service providers and disclosures
- Supabase: authentication, PostgreSQL database, private image Storage, Edge Functions, and operational logs.
- Resend: delivery and operational processing of transactional account authentication and security emails.
- OpenAI: user-requested text and image analysis through the Responses API.
- RevenueCat: subscription offerings, purchase and restore support, customer records, entitlement verification, and subscription management.
- Apple: optional Sign in with Apple, iOS distribution, App Store purchases, subscription billing, refunds, TestFlight, and optional platform diagnostics.
- Expo/EAS: managed builds, signing and distribution workflows, app updates, and related operational logs.
- GitHub Pages: static hosting for this public website and ordinary website request logs.
- Cloudflare: domain registration, DNS, and routing of messages sent to the public support address.
- Google: optional basic-profile OAuth sign-in and delivery/storage of routed support messages.
We may also disclose information when required by law, to respond to valid legal process, or when reasonably necessary to protect users, FinDex, service providers, or others.
6. Advertising, sale, and cross-app tracking
FinDex does not sell personal information. FinDex does not use personal information for cross-context behavioral advertising and does not configure cross-app tracking. The reviewed app includes no advertising network or data-broker integration. If these practices change, this policy and applicable consent and store disclosures must be updated first.
7. Retention
Account records, aquarium content, private photos, AI history, consent records, allowance records, and the FinDex copy of subscription status are generally kept while your account exists, unless you delete or replace an individual supported record sooner. A deleted AI result does not restore a complimentary use because the usage ledger records whether provider processing began.
Operational logs are retained according to each provider's service plan and settings. Supabase database backups may retain deleted database content until the applicable backup or recovery window expires. OpenAI, RevenueCat, Apple, GitHub, Expo, Resend, Google, and other processors may retain independent operational, security, transaction, backup, or legal records under their own policies. Support messages are kept only as long as reasonably needed to address the request, security concerns, disputes, or legal obligations, then deleted from the active support mailbox when no longer needed.
8. Editing records, deleting photos, and account deletion
You can edit tank and fish details in the app. Deleting a tank removes its tank photo and related tank reports and leaves fish records in the library without a tank. Deleting a fish removes its saved fish photo and record. Replacing a saved record photo causes FinDex to attempt removal of the previous image.
To delete the entire FinDex account, open Settings, choose Delete Account, review the information, type DELETE, and confirm your identity with a connected sign-in method. If Apple is connected, FinDex requires a fresh Apple confirmation and attempts to revoke the Apple app authorization before deleting the account. The server removes account-owned image objects, then deletes the Supabase authentication account. Database relationships are configured to remove the active profile, tanks, fish, scans, AI results, chats, care reports, consent, allowance and usage records, deletion-attempt record, and FinDex subscription-status cache.
Account deletion is designed to remove active FinDex application data immediately after successful confirmation, while provider backups and independent processor records may age out later. RevenueCat customer deletion is requested during the flow; if it cannot be confirmed, the app reports that processor cleanup remains pending. Apple and RevenueCat may retain transaction records for store, fraud, accounting, or legal purposes.
Deleting a FinDex account does not cancel an Apple subscription. Manage or cancel FinDex Pro separately in Apple subscription settings.
9. Your privacy choices
You can decline optional AI features, withdraw future AI data-sharing consent in Settings, later review and accept the disclosure again, edit or delete supported records and photos, restore purchases, manage an Apple subscription, and delete the FinDex account. See Privacy Choices for the exact in-app controls.
You may email support@findexaquarium.com to ask a privacy question or request help with rights that may apply where you live. We may need to verify that a request relates to your account. Email is not the normal substitute for the in-app deletion flow.
10. AI consent withdrawal
Open Settings, choose View AI Data Sharing Information, and select Withdraw AI Data Sharing Consent. Withdrawal blocks future OpenAI requests until you accept again. It does not erase AI processing already completed; delete individual records where supported or delete the account to remove active FinDex copies.
11. Security
FinDex uses account authentication, row-level database policies, private Storage rules, server-side authorization, limited signed image URLs, input validation, and HTTPS connections provided by its platforms. Administrative keys remain in server secrets rather than the mobile bundle. No method of transmission or storage is perfectly secure, so we cannot guarantee absolute security.
12. Children's privacy
Children under 13 may not create or control a FinDex account independently. A parent or legal guardian may use their own account with a child under supervision and is responsible for account activity, photos, and any optional AI use. FinDex does not intentionally request a child's date of birth or knowingly create an independent account for a child under 13. Contact support@findexaquarium.com if you believe a child provided personal information without appropriate adult involvement.
13. International processing
FinDex and its service providers may process information in the United States and other countries where they operate. Those locations may have data-protection rules different from those where you live. Applicable legal rights are not waived by this statement.
14. Changes to this policy
We may update this policy as FinDex, its providers, or legal requirements change. The revised page will show a new effective date, and we will provide additional notice when appropriate.
15. Contact
Privacy questions may be sent to support@findexaquarium.com.