AuroraSpy

Privacy

Privacy Policy

Effective date: 2 June 2026 · Last updated: 2 June 2026

AuroraSpy ("AuroraSpy", "we", "our") is an aurora-forecasting service operated as an individual undertaking by Brynjar M. Bjornsson in Iceland. This policy explains what data we collect when you use the AuroraSpy mobile app or visit auroraspy.com, why we collect it, where it is stored, and the rights you have over it. The service is provided to travellers and residents who want practical guidance on whether tonight is worth chasing the northern lights — not as a general-purpose social platform.

1. Who is the data controller

The data controller is Brynjar M. Bjornsson, operating AuroraSpy as a sole-trader undertaking based in Iceland. You can contact the controller at brynjarbmb@gmail.com with any privacy question, deletion request, or complaint. We will respond within 30 days as required by the GDPR.

2. What we collect, why, and how long we keep it

2.1 Location (when the app is open)

When you grant the app the "While Using the App" location permission, AuroraSpy sends your coarse coordinates (latitude / longitude, rounded to four decimal places) to our forecast API so we can return guidance that matches where you actually are. Coordinates are used to compute the forecast for that request and are not linked to your identity and not retained as a tracking history. They appear in short-lived server logs (see §2.6). You can refuse the permission and the app will fall back to a default Reykjavík location; you can revoke it at any time in your phone's settings.

2.2 Sighting reports and optional photos

If you submit a sighting report, we store the text, the time, the rough location you chose, and any photo you attach. Photos are optional. We use sighting reports to (a) show community context to other users (e.g. "someone reported seeing it nearby") and (b) calibrate the model so the forecast improves over time. We keep sighting reports for as long as the service operates unless you ask us to delete yours.

2.3 Push-notification token (only if you opt in)

If you opt in to aurora notifications, we store a device push token issued by Apple Push Notification service (APNs) or Google Firebase Cloud Messaging (FCM), together with the language and notification preferences you chose. We use the token only to deliver aurora-related alerts and to throttle them so we do not over-notify. You can revoke notifications at any time in your phone's settings or in the app's settings; revoking causes the token to be deleted on next sync.

2.4 Waitlist email (only if you submit it)

If you enter your email on the waitlist form on auroraspy.com, we store the email address and the time of submission. We use it only to notify you when access opens. You can request deletion at any time by emailing the controller.

2.5 Language and device preferences

We store your chosen interface language and similar non-sensitive preferences locally on your device. These never leave the device unless they are sent as part of a forecast or notification request so we can return content in the right language.

2.6 Operational server logs

Our backend logs request paths, response codes, latency, and the originating IP address for security and reliability purposes (rate-limiting, error diagnosis, abuse prevention). These logs are kept for up to 30 days and then deleted. They are not used for advertising and are not sold.

3. Legal bases (GDPR Art. 6)

  • Consent — for push notifications, waitlist email, and the optional photo on sighting reports.
  • Performance of a contract / pre-contract steps — for processing location to return forecast guidance you requested.
  • Legitimate interests — for short-lived operational logs needed to keep the service secure and stable.

4. Sharing

We do not sell personal data. We do not run third-party advertising trackers. We share data only with the technical processors strictly needed to run the service:

  • Fly.io — hosts the backend and database in the Amsterdam region (EU). Fly.io processes data on our behalf under their DPA.
  • Apple Push Notification service (APNs) and Google Firebase Cloud Messaging (FCM) — deliver notifications you opted in to.
  • Expo / EAS — used to build and distribute the app; does not receive runtime user data.

5. International transfers

Backend storage is in the EU (Amsterdam). Apple and Google's push services may process push tokens outside the EEA under the Standard Contractual Clauses or an equivalent transfer mechanism in their respective DPAs.

6. Your rights (GDPR)

You have the right to:

  • access the personal data we hold about you;
  • correct inaccurate data;
  • request deletion ("right to be forgotten");
  • object to or restrict processing;
  • data portability where applicable;
  • withdraw consent at any time (for notifications, waitlist, etc.) without affecting prior processing;
  • lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd, personuvernd.is).

To exercise any of these rights, email brynjarbmb@gmail.com. An in-app "delete my data" action is planned as well.

7. Children

AuroraSpy is not directed at children under 13 and we do not knowingly collect data from them. If you believe a child has provided personal data to us, please contact us and we will delete it.

8. Security

We use HTTPS for all traffic between the app, the website, and the backend. The database is access-controlled and hosted on managed infrastructure. No system is perfectly secure; we will notify affected users without undue delay in the event of a breach that risks their rights or freedoms, as required by law.

9. Changes to this policy

We may update this policy as the service evolves. The effective date at the top of this page will change accordingly. Material changes will be highlighted in-app.

10. Contact

Brynjar M. Bjornsson · Iceland · brynjarbmb@gmail.com

← Back to AuroraSpy · Terms of Service

© AuroraSpy