Privacy Policy
Last updated: June 18, 2026
Our guiding principle: collect only what is needed to understand how the app is used. We do not collect personal information and we never sell data.
1. Data Controller
Pionerska 7/2, 53-213 Wrocław, Poland
NIP: 6912215667
Email: gribgrabapp@icloud.com
2. Legal Basis for Processing
- Analytics and session recordings (PostHog): Article 6(1)(a) GDPR — your consent, given via the cookie banner on first visit. Both anonymous usage events and session recordings only begin after you accept; if you decline, neither is collected. You may withdraw consent at any time by clearing your browser's localStorage or enabling Do Not Track.
- App preferences (localStorage): Article 6(1)(f) GDPR — legitimate interest, as storing your saved cities, language, and timezone on your own device is necessary for the app to function between visits. This data never leaves your device.
- Feedback form (Tally): Article 6(1)(a) GDPR — your explicit, voluntary action of submitting the feedback form. You choose what to write and whether to include your email address.
3. What we collect
| Data | How | Why |
|---|---|---|
| Anonymous usage events e.g. "city loaded: Warsaw", "language changed: EN" |
PostHog analytics (EU cloud) | Understand which features are used and which cities are popular |
| Your city preferences, language, and timezone | Browser localStorage — stays on your device only | Remember your settings between visits |
| Country (derived from IP address) Only on first visit when you have no saved cities |
Request to ipapi.co — a third-party geolocation service | Show a relevant default city (the country capital) instead of a blank screen on first visit. Your IP address is sent to ipapi.co as part of this request. |
Stable anonymous identifier (gg_uid)Only if you accept analytics |
Generated on your device, stored in browser localStorage, sent to PostHog | Links your events across sessions in PostHog so we can measure returning users and per-user patterns. The value is a random string — it contains no personal information. |
| Session recordings (masked) Only if you accept analytics |
PostHog Session Replay (EU cloud). All text and all form inputs are masked before the recording leaves your device | See how the interface is actually used — where people tap, scroll, and get stuck — so we can fix usability problems. Recordings show layout and interactions only, never the text you type or the content on screen. |
| Feedback you submit Only if you use the feedback form |
Collected by Tally.so — a third-party form service (EU) | Read your suggestions, bug reports, and ideas to improve the app. Your email is optional — include it only if you want a reply. |
No account is ever created or required. Email is only collected if you voluntarily provide it in the feedback form.
4. What we do not collect
- Personal identity information (name, email, phone) — unless you voluntarily provide your email in the feedback form
- Your GPS coordinates — they are used in-session to look up a city name and then discarded. We do not log or store them.
- The content of anything you type into the search box beyond what PostHog records as a city-loaded event
- Payment information (the app is free)
5. Location (GPS)
If you tap "Detect my location", your browser prompts you to share your GPS coordinates. We use those coordinates solely to reverse-geocode a city name via Nominatim / OpenStreetMap and load weather data. The coordinates are not sent to our servers, not logged, and not stored.
Granting location access is optional. You can search for any city manually instead.
6. Analytics — PostHog
We use PostHog (EU cloud, eu.i.posthog.com) to collect anonymous usage events. The events we send are:
- city_loaded — city name, country, approximate coordinates, and how the city was loaded (search, GPS, saved list, auto-refresh)
- location_detected — whether GPS detection succeeded or failed (no coordinates are sent)
- city_starred / city_unstarred — city name
- language_changed — PL or EN
- units_changed — Metric or Imperial
- timezone_changed — selected timezone
- city_removed — city name (when a saved city is removed)
- cities_reordered — triggered when you reorder your saved cities (no city names sent)
- consent_shown / consent_given — whether the consent banner appeared and what choice you made
- feedback_opened / feedback_submitted — that the feedback form was opened or submitted, and which trigger was used (icon, menu, or footer). No form content is sent to PostHog.
- $pageview — page URL and referrer (standard PostHog event)
Each event also carries session-level context properties: app version, interface language, timezone setting, unit system (metric/imperial), whether the app is installed as a PWA, and aggregate counts of saved and recently viewed cities (e.g. "2 saved cities"). None of these identify you personally.
When you accept analytics, GribGrab generates a random anonymous identifier (gg_uid) on your device and uses it to create a person profile in PostHog. This enables cross-session analytics such as returning user counts and per-user usage patterns. The identifier is a random string — it contains no personal information. No name or email is attached to any event. PostHog's EU infrastructure is GDPR-compliant. See PostHog's Privacy Policy.
6a. Session recordings (Session Replay)
If — and only if — you accept analytics, GribGrab also records anonymised replays of your session using PostHog Session Replay (EU cloud). A session recording lets us watch how the interface is used — where people tap, scroll, hesitate, or hit a dead end — so we can find and fix usability problems we cannot see from event counts alone.
Everything sensitive is masked on your device before anything is sent:
- All text is masked — city names, forecast values, and every other piece of on-screen text appear as blocked-out placeholders in the replay, never as readable content.
- All form inputs are masked — anything you type, including into the search box, is never captured.
What remains is the page layout and your interactions with it (taps, clicks, scrolls, navigation). Recording does not start until you accept the consent banner — if you decline, or before you choose, no recording is ever made. Recordings are stored on PostHog's EU infrastructure and are linked to the same anonymous gg_uid person profile described above. They contain no name, email, or readable text.
7. Cookies and local storage
On your first visit, GribGrab shows a consent banner. Your choice is stored in localStorage as gg_consent.
- If you accept: PostHog sets a first-party cookie (
ph_*) to maintain an anonymous session identifier between visits. A stable anonymous identifier (gg_uid) is also stored inlocalStorageand used to link your sessions in PostHog as a person profile. - If you decline: PostHog runs in cookieless mode — no cookies are set and nothing is written to
localStorageby PostHog. Anonymous aggregate events (e.g. which cities are viewed) are still sent without any device-linked identifier.
No other cookies are set by GribGrab itself. When you open the feedback form, Tally.so may store temporary form state in your browser. GribGrab uses localStorage to remember your saved cities, language preference, timezone, and unit system (metric/imperial). This data never leaves your device.
8. Third-party data sources
Weather data and geocoding are fetched directly from third-party APIs. Their privacy policies apply:
- Open-Meteo — weather forecast data
- OpenStreetMap / Nominatim — reverse geocoding for GPS location
- ipapi.co — IP-based country detection, used only on first visit (no saved cities) to show a default weather location. Your IP address is disclosed to ipapi.co as part of this request. No query is made on subsequent visits.
- Tally.so — feedback form service. Used only when you open and submit the feedback form. Your feedback text and optional email are stored by Tally on EU infrastructure.
9. Data Retention
- Anonymous PostHog events: retained by PostHog for 24 months
- Session recordings: retained by PostHog for 30 days, then automatically deleted
- Consent choice (
gg_consent): stored in your browser's localStorage until you clear it - Anonymous person profile identifier (
gg_uid): stored in your browser's localStorage until you clear it; the corresponding PostHog person profile is retained for 24 months - Saved cities, language, timezone: stored in your browser's localStorage until you clear it
- GPS coordinates: discarded immediately after geocoding — never stored anywhere
- Feedback submissions: stored by Tally.so according to their retention policy
10. Your rights (GDPR)
You have the right to:
- Access — obtain information about data processed about you
- Rectification — correct inaccurate data
- Erasure ("right to be forgotten") — request deletion of your data
- Restriction of processing — in certain circumstances
- Data portability — receive your data in a structured, machine-readable format
- Objection — to processing based on legitimate interest
- Withdrawal of consent — at any time, without affecting the lawfulness of prior processing
- Lodge a complaint — with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl
Because we do not collect personal data linked to your identity, most rights apply in a limited way. To exercise any right, or to have PostHog session data associated with your browser removed, contact us by email.
You can also opt out of PostHog tracking at any time by enabling "Do Not Track" in your browser settings — PostHog honours the DNT header.
11. Children
GribGrab is not directed at children under 13 and does not knowingly collect any information from them.
12. Changes
We may update this policy to reflect changes in the app or applicable law. The "last updated" date at the top of this page will change accordingly. We will not retroactively use your data in ways that contradict a prior version of this policy.
13. Contact
Questions or requests: gribgrabapp@icloud.com