Privacy Policy

This Privacy Policy describes how the sharktopus open-source software (the “Tool”) handles data when you use it to fetch Global Forecast System (GFS) weather data via your own cloud account. sharktopus is distributed under the MIT License and runs locally on your machine; there is no hosted service, no central server operated by the maintainers, and no user database.

1. Scope

This policy applies to:

• The sharktopus Python package installed on your local machine.
• The deploy scripts under deploy/gcloud, deploy/aws, and deploy/azure that provision compute resources in your own cloud account.
• The Google OAuth 2.0 flow used by sharktopus --auth browser to deploy to Google Cloud Run.

It does not cover third-party services (Google Cloud, AWS, Azure, NOAA NOMADS, NOAA Open Data on S3/GCS, etc.), which have their own terms and privacy policies.

2. What data we access

2.1 Google OAuth credentials (only when you use --auth browser)

When you run sharktopus's Google Cloud deploy with --auth browser, a standard Google “installed application” OAuth flow opens in your default browser and asks you to grant the https://www.googleapis.com/auth/cloud-platform scope. Google then returns an OAuth refresh token to the Tool.

The token lets the Tool provision and invoke resources in the Google Cloud project you specify (typically your own) on your behalf: enabling APIs, creating a small Cloud Run service, creating the sharktopus-invoker service account, and minting short-lived ID tokens to invoke that service. The Tool does not read Gmail, Drive, Calendar, Contacts, or any other Google surface — the cloud-platform scope is restricted to Google Cloud Platform resources only.

You can revoke access at any time from myaccount.google.com/permissions and delete the local cache with rm ~/.cache/sharktopus/gcloud_token.json.

2.2 AWS and Azure credentials

For AWS and Azure deploys, sharktopus uses the credentials you have already configured locally (~/.aws/credentials, az login session, or environment variables). It does not upload these credentials anywhere; it uses them in-process to call each vendor's SDK.

2.3 Weather data

GFS data is public, and sharktopus downloads it from official NOAA mirrors (NOMADS, the NOAA Open Data AWS/GCS buckets) or, when deployed, through your own cloud worker. No personal data is involved in these transfers.

3. What data we do NOT collect

• We do not run a server that you connect to.
• We do not collect analytics, telemetry, crash reports, or usage statistics.
• We do not use cookies (the Tool is not a web service) or tracking pixels.
• We do not ingest your weather-model outputs, domain configurations, or simulation results. They stay on your machine and in your cloud account.
• We do not share, sell, or transfer any user data — because we do not hold any.

4. OAuth app verification

The Google OAuth application used by sharktopus is registered under the GCP project sharktopus-oauth and is currently in the process of Google's OAuth verification review. During the unverified period, you may see an “unverified app” warning in the consent screen; this is Google's standard pre-verification notice and does not indicate a security issue with the Tool itself.

5. Children's privacy

sharktopus is a scientific research tool. It is not directed at children and does not knowingly collect any data from anyone, including children under 13.

6. Changes to this policy

If this policy changes materially, we will update the “last updated” date above and note the change in the project's CHANGELOG.md. Because sharktopus is software you install, you control when you upgrade and therefore when any policy change starts applying to your copy.

7. Contact

Questions or concerns about this policy: sharktopus.convect@gmail.com, or open an issue at github.com/sharktopus-project/sharktopus/issues.