Privacy Policy
Last updated June 17, 2026
Gotcha is a real-life creature index for iOS. You photograph an animal, the app cuts it out and identifies it, and it joins your collection.
This policy explains what the Gotcha iOS app and the waitlist website at gotcha.catchy.fan collect, why, and the choices you have. We do not sell your data or use it for cross-app advertising or tracking, and we try to collect as little as possible.
What changed
Earlier versions of Gotcha worked without any account and kept everything on your device. Gotcha now offers optional accounts and a Gotcha+ subscription, so some information is now stored on our backend. Your creature collection still lives on your device. This policy reflects those changes.
Who we are
Gotcha is an independent app built by Jurre de Ruiter (the “data controller” under GDPR). For any privacy question or request, contact gotcha-support@catchy.fan.
What the app collects
Account information (optional)
You can use Gotcha without an account. If you choose to sign in (with Apple, Google, or a one-time email code), we create an account and store a few things on our backend so it works across devices: your email address, a unique handle you pick (your collector ID), an optional display name, an optional avatar image, and an account identifier issued by our authentication provider. With Sign in with Apple you can use Apple’s Hide My Email, in which case we only ever see the relay address.
Photos you take
When you catch a creature, the app uses your camera to take a photo. The subject is cut out on your device. Only the cut-out subject image is then sent to our identification service to recognize the species. We do not upload your full camera roll. Your original photos and finished stickers are stored locally on your device and are not uploaded to our servers.
Device identifier
Each catch is sent with your device’s vendor identifier (Apple’s identifierForVendor). We use it only to enforce fair-use catch limits (to prevent abuse and control costs) and to understand overall usage. It is tied to your device, not to your name, and resets if you delete the app.
Location (optional)
If you grant location permission, a catch may be tagged with the coordinates where it was made, so you can remember where you found a creature and see it on your catch map. If you deny location, Gotcha still works fully and catches are simply not tagged with a place.
Catch analytics
For each identification attempt we log a small event so we can keep the app working and decide which species to add. An event may include: the device identifier above and, if you are signed in, your account identifier; whether a creature was detected; whether it appeared to be a live subject (our anti-cheat check); the identified common and scientific name and confidence; whether it matched our catalog; the outcome; and the optional location. These events do not contain your photos.
Subscriptions (Gotcha+)
Gotcha+ is sold through the Apple App Store. Apple processes your payment, and we never receive your card or payment details. We use RevenueCat to manage subscriptions, and we receive your subscription status (for example active or expired, the product, and renewal or expiry dates) linked to your account identifier so we can unlock Gotcha+ features.
What the website collects
- Email address: only if you join the waitlist, so we can send you one launch email. No spam, and you can ask us to remove it at any time.
- Basic analytics: we use PostHog to understand how the website is used (for example page views and waitlist sign-ups). This helps us improve the page.
Why we’re allowed to use this data (legal bases)
Under the GDPR, we rely on:
- Performance of the service: to identify creatures, run the app, manage your account and subscription, and store your collection.
- Consent: for camera access, optional location, and joining the waitlist. You can withdraw consent at any time (for example in iOS Settings).
- Legitimate interests: to keep the service secure, prevent abuse, and improve the product, balanced against your rights.
Who we share data with
We do not sell your data. We share the minimum necessary with service providers (“processors”) that help us run Gotcha:
- Apple distributes the app, provides Sign in with Apple, and handles App Store subscription billing.
- Google provides Sign in with Google, if you choose it.
- OpenAI processes the cut-out subject image to identify the species. OpenAI does not use data submitted through its API to train its models by default.
- Supabase hosts our backend, authentication, database, avatar storage, and the function that performs identification.
- RevenueCat manages subscriptions.
- Upstash provides the rate limiting that enforces fair-use catch limits.
- Vercel hosts the waitlist website.
- PostHog provides website analytics.
Some of these providers may process data outside your country, including in the United States, under appropriate safeguards such as Standard Contractual Clauses.
How long we keep it
- Account and profile data (email, handle, display name, avatar) is kept while your account exists and is deleted when you delete your account.
- On-device data (your catches, stickers, photos) stays on your device until you delete it or remove the app.
- Catch analytics events are retained only as long as needed to operate and improve the service, then deleted or aggregated.
- Waitlist email is kept until launch or until you ask us to remove it.
Your rights
You can delete your account directly in the app under Settings, then “Delete account.” That permanently deletes your account, profile, handle, and avatar, and anonymizes your catch analytics (we remove your account identifier, device identifier, and precise location from those events, keeping only non-identifying aggregates). You can also log out at any time, which leaves your on-device collection untouched.
Depending on where you live (for example under the GDPR or California’s CCPA/CPRA), you can also request access to your data, ask for its correction or deletion, obtain a copy of it, or object to certain processing. We do not sell or “share” personal information for cross-context behavioral advertising. To make a request, email gotcha-support@catchy.fan and we’ll respond. You may also revoke camera or location permissions, or delete the app, at any time in iOS Settings.
Children
Gotcha is not directed to children under 13 (or the minimum age of digital consent in your country), and we do not knowingly collect personal information from them. If you believe a child has provided us data, contact us and we will delete it.
Security
Data is transmitted over encrypted connections (HTTPS/TLS), and access to backend data is restricted by per-user security rules so you can only read and change your own profile. No method of transmission or storage is perfectly secure, but we take reasonable measures to protect your information.
Changes to this policy
We may update this policy as the app evolves. Material changes will be reflected here with a new “last updated” date.
Contact
Questions or requests: gotcha-support@catchy.fan.