Privacy Policy

At Surfspotter, your privacy matters. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our platform. Surfspotter is operated from Switzerland and complies with the Swiss Federal Act on Data Protection (FADP) and, where applicable, the EU General Data Protection Regulation (GDPR).

By using our Service, you consent to the data practices described in this policy. If you do not agree, please do not use the Service.

1.1 Information You Provide

When you create an account, we collect:

• Name, email address, and username
• Profile information (bio, avatar, location, user type)
• Payment information (processed securely by Stripe — we never store full card numbers)
• Content you upload (photos, comments, messages)

1.2 Information Collected Automatically

When you use the Service, we automatically collect:

• Device information (browser type, operating system, device model)
• Usage data (pages visited, features used, session duration)
• IP address and approximate location
• Cookies and similar tracking technologies (see our Cookie Policy)

1.3 Photo Metadata

Photos uploaded to Surfspotter may contain EXIF metadata including GPS coordinates, camera settings, and timestamps. We use this data to improve the Service (e.g., auto-tagging spots, matching session times). You can strip EXIF data before uploading if you prefer.

1.4 Location Data

We collect location data in the following ways:

• Approximate location: From your IP address, used for language preferences and content relevance
• Precise GPS (opt-in): From your device when you enable location services, used for nearby spots and sessions

2.1 What We Collect

When you opt in to face recognition, we process:

• Facial geometry embeddings (mathematical representations, not photos of your face)
• These embeddings are used solely to match you with photos taken of you at surf spots
• Embeddings are generated on-device where possible, or in our secure infrastructure
• We do not create databases of facial images or sell biometric data

2.2 Purpose & Legal Basis

Face recognition data is processed based on your explicit consent (FADP Art. 6, GDPR Art. 6(1)(a)):

• To help you find photos of yourself at surf sessions
• To improve photo matching accuracy over time
• To power the "Get Spotted" feature for surfers
• Never for advertising, profiling, or surveillance purposes

2.3 Storage & Retention

Biometric data is handled with the highest security standards:

• Encrypted at rest and in transit using AES-256 encryption
• Stored separately from your profile data
• Automatically deleted within 30 days of account deletion or opt-out

We do NOT:

• Share biometric data with third parties
• Use biometric data for advertising or marketing
• Retain biometric data after you withdraw consent
• Use biometric data for any purpose other than photo matching

2.4 Your Rights

You have the following rights regarding your biometric data:

• Right to consent: Face recognition is strictly opt-in
• Right to withdraw: Disable face recognition anytime in Settings
• Right to deletion: Request immediate deletion of all biometric data
• Right to access: Request a copy of your stored biometric data

2.5 Third-Party AI Providers

Face recognition processing may use third-party AI services under strict data processing agreements:

• Processing only: Third parties process data on our behalf, never for their own purposes
• No retention: Third-party processors delete data immediately after processing
• EU/CH servers: Processing occurs in European or Swiss data centers
• Audited: Providers undergo regular security audits
• Contractual safeguards: Strict data processing agreements (DPAs) are in place

In addition to face recognition, Surfspotter can identify you in photos using your equipment:

• Wetsuit: Brand, color, pattern, and size recognized from your profile
• Surfboard: Shape, color, fin setup, and brand logos detected
• Accessories: Leash color, booties, gloves, hood patterns
• Camera gear: For photographers, specific camera and lens setups
• Helmet/Impact vest: Distinctive safety equipment patterns
• Surf vehicle: If registered, van/car identification at spot parking areas

Note: Gear-based matching is entirely opt-in. You control what equipment is registered in your profile. Gear data is never shared with equipment manufacturers or advertisers.

We use your information for the following purposes:

• Providing and improving the Service
• Processing payments and transactions
• Sending notifications about your activity, purchases, and messages
• Matching surfers with their photos (face recognition and gear matching)
• Personalizing your experience (recommended spots, photographers, content)
• Communicating important Service updates and security notices
• Analyzing usage patterns to improve performance and features
• Complying with legal obligations and enforcing our Terms

We share your data only in the following circumstances:

• Service providers: Stripe (payments), Supabase (hosting), Vercel (CDN), Resend (email)
• Other users: Your public profile, photos, and interactions are visible to other users
• Legal requirements: When required by law, court order, or government request
• Business transfers: In connection with a merger, acquisition, or sale of assets
• With your consent: When you explicitly authorize sharing with a third party

5.1 We Never Sell Your Data

Surfspotter does not sell, rent, or trade your personal information to third parties for their marketing purposes. We do not participate in data broker networks or advertising exchanges.

We implement industry-standard security measures to protect your data:

• All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Authentication is handled by Supabase Auth with secure session tokens
• Row-level security (RLS) policies ensure users can only access their own data
• Regular security audits and penetration testing

While we take every reasonable precaution, no system is 100% secure. Please report any security vulnerabilities to privacy@surfspotter.app.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Right of access: Request a copy of all your personal data
• Right to rectification: Correct inaccurate personal data
• Right to erasure: Request deletion of your data ("right to be forgotten")
• Right to portability: Receive your data in a machine-readable format
• Right to object: Object to processing based on legitimate interests

To exercise any of these rights, contact us at privacy@surfspotter.app. We will respond within 30 days.

8. Cookies

Surfspotter uses cookies and similar technologies to provide core functionality and improve the user experience. For full details, see our Cookie Policy.

Types of cookies we use:

• Essential cookies: Required for authentication and security
• Functional cookies: Remember your preferences (language, theme, map view)
• Analytics cookies: Help us understand usage patterns (privacy-first, no ad tracking)
• Third-party cookies: Set by our service providers (Stripe, Supabase)

9. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. After account deletion, we remove your data within 30 days, except where retention is required by law (e.g., financial records, tax compliance). Anonymized analytics data may be retained indefinitely.

10. Children’s Privacy

Surfspotter is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you are a parent and believe your child has provided us with personal data, please contact us at privacy@surfspotter.app and we will promptly delete the data.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect. Continued use of the Service after changes constitutes acceptance.

If you have questions about this Privacy Policy or want to exercise your data rights, contact us: