Effective 16 July 2026 · Version 2.0
Ocean Safe is a free beach-safety guide for Hawaiʻi, run by Tropical Agronomics LLC dba OceanSafe. There are no accounts, no signup, and no login. Nobody types a name into this app.
But "no accounts" is not the same as "no data." This page explains exactly what happens when you open the app — what stays on your phone, what leaves it, and who else sees your visit. We went through the code line by line to write it. Where an earlier version of this policy was wrong, we say so at the bottom.
These live in your browser's local storage. No account, no sync, no upload. Nothing reads them and sends them anywhere:
You can wipe all of it from your browser settings. Clearing site data for oceansafety.app deletes every item above. We keep no copy, because we never had one.
If you install the app to your home screen, it also caches the app shell so it works offline. Same deal — on your device, never transmitted.
This is the part the old policy got wrong, so here it is in detail.
When you tap Locate Me, your browser asks your permission and hands us your coordinates. Three things happen:
1. Your exact position stays on your phone. It draws the blue dot, centers the map, and sorts beaches by distance from you. That math runs entirely in your browser. Nothing is sent.
2. A rounded copy is sent to our server. We cut your coordinates to two decimal places — roughly a 1.1 km square — and send them to oceansafety.app/api/wx. Our server uses them to pull the forecast for your specific microclimate, then throws them away. Kauaʻi can be 80°F in Līhuʻe and 65°F in Kōkeʻe at the same moment, which is the whole reason we bother.
Our server forwards that rounded point to Open-Meteo to get the data. Open-Meteo sees our server's address, not yours, on that request.
3. Only if you're actually on the island. If your coordinates fall outside the island you're viewing — you're planning from the mainland — we discard them and use a fixed point offshore instead. Your real position is never sent in that case.
Our hosting provider, Netlify, records web requests including their URLs, and the rounded coordinates are in the URL. So they are in a server log. We do not build anything from those logs, and we do not connect them to anything else about you. But "we do not see, store, or transmit it" was not true, and we're not going to say it again.
Three separate systems. They run in different places and collect different things.
We use PostHog, a product-analytics service hosted in the United States, to understand how the app gets found and used. It records:
That last one deserves a plain statement: if you tap a tour listing, we record which tour on which site. We use it to see whether the recommendations are any good. We do not follow you to that site or watch what you do there.
What PostHog does not do here: no session recording (off in our config), no person profiles (we never call identify, so no profile is ever built), no cookies. It keeps a random id in your browser's local storage instead of a cookie. That is not a meaningful privacy win and we're not going to pretend it is — it's a durable id either way. The reason it matters is that we never attach a name to it, because we never have one.
When the app breaks, Sentry tells us. It records the error, the stack trace, and the page it happened on. We configured it to strip the query string off the URL and to discard cookies, headers, and any user field before the report is sent. No performance tracing, no session replay. Errors only.
This was not disclosed in our previous policy. It should have been.
Hotels and shops that carry Ocean Safe get a dashboard showing whether guests use it. That dashboard is fed by this counter. When you arrive through a partner link, it sends to our own server:
That last item is the one to read twice. A card in room 204 carries a link that says room 204. So a visit can be tied to a room, and a hotel knows who is in room 204. We do not receive your name and we never will — but this is not anonymous, and calling it anonymous would be a word game.
So here is what we do about it. Our contract with every partner bars them from receiving guest-level records, from connecting anything here to their reservation system, and from using any of it to market to a named guest. They get counts. If you'd rather not be counted at all, open oceansafety.app directly instead of scanning the card, or turn on Do Not Track.
If your browser sends a Do Not Track signal, all three systems above stay off. No product analytics, no error reports, no partner counter.
Most sites ignore this signal. We honor it. It is in Firefox under Settings → Privacy, and in Safari and Chrome via extensions or the equivalent privacy setting.
Every website hands your address to whoever serves its pictures, maps, and scripts. That is how the web works, and most sites never tell you who those parties are. Here is our complete list.
| Who | What they get | When |
|---|---|---|
| Netlify (our host) | Every request, including the rounded coordinates in the weather URL | Always |
| PostHog (US) | IP, browser, pages, dwell time, outbound link addresses | oceansafety.app only; off under DNT |
| Sentry (US) | IP, error details, page address without the query string | oceansafety.app only; off under DNT; only when something breaks |
| Cloudflare (our worker) | IP, plus the partner counter data above | Only on ?ref= partner links; off under DNT |
| CartoDB / OpenStreetMap | IP and which map tiles you're viewing — which is roughly where you're looking | Whenever the map is open |
| Esri | Same, for satellite view | Whenever satellite view is on |
| Open-Meteo | Your IP, and a fixed grid over the island — not your position | Only when the rain radar overlay loads, which calls them directly |
| Unsplash, Wikimedia, Flickr | IP and that you came from oceansafety.app | Whenever a beach photo loads |
| Clearbit | IP and which business logo we asked for | When a business logo loads |
| Supabase | IP and which partner you arrived through | Only on partner pages |
| GetYourGuide and Viator | Their code runs inside our page, so they see what any script in a page sees, and they set their own storage | Only on the tours tab |
NOAA (tides) and USGS (stream flow) are fetched by our server, not your browser. They never see you.
About those two tour widgets. GetYourGuide and Viator are commercial travel platforms, and their booking widgets are their code running in our page. We do not control what they collect, and we would be lying if we claimed otherwise. They are the least private thing in this app. We are looking at replacing them with plain links.
Some tour and dining listings pay us a commission if you book. That is disclosed next to the listing, before you tap it. When you tap through, you're on their site under their privacy policy, and they will set their own tracking. We have no say in it.
If a partner shop has a live storefront in the app and you start a checkout, the item, quantity, and shop go to our payments backend and then to Square, who handles the payment. We never see your card. If you don't check out, none of this touches you.
Roughly two dozen hotels and shops carry Ocean Safe under their own logo. Same app, their branding.
This policy governs those copies too. The hotel is a place you found it, not the operator of it. We decide what is collected; they don't. On those copies our product analytics does not run at all — only the partner visit counter described above.
A hotel showing you our beach ratings is not vouching for them. Read the Safety Notice.
Ocean Safe is a family tool, and we hope kids use it — knowing which beach has a lifeguard is exactly the kind of thing a family should look up together.
But we're going to be straight about the mechanics: this app is not directed at children under 13, there is no age gate, and the analytics described above count every visitor, including a kid on a parent's phone. What we collect is a visit and a rounded location, never a name, an email, or a photo.
A previous version of this policy said the app "does not knowingly collect any data from anyone." That was wrong and we've removed it.
If you think a child gave us something they shouldn't have, email privacy@oceansafety.app and we'll delete it.
Delete everything on your device: clear site data for oceansafety.app in your browser settings. Saved beaches, notes, plans, ids, cache — gone.
Turn off all counting: enable Do Not Track.
Skip the partner counter: open oceansafety.app directly instead of using a QR code or partner link.
Ask us anything, including deletion: privacy@oceansafety.app. Fair warning about how this works in practice — we hold no account and no name, so there's usually nothing to look up. If you send us your random id (visible in your browser's local storage under cg_sid) we can find and delete the events tied to it. We'll answer within 30 days.
Visiting from outside the US: everything described here is processed in the United States. We do not target advertising, we do not profile you, and Do Not Track shuts the counting off.
Beach photos are licensed — Creative Commons via Wikimedia Commons and Flickr, plus Unsplash. Every photo carries its credit in our public source tree. If we have used a photo of yours without proper credit, email privacy@oceansafety.app and we will credit it or pull it that day.
When this policy changes materially, we bump the version, date it, and note what changed here.
Version 2.0 — 16 July 2026. Full rewrite following a code audit. Corrections to the May 2026 version:
Tropical Agronomics LLC dba OceanSafe
4489 Panihi Rd, Kapaʻa, HI 96746