Privacy Policy

We only collect the minimum personal information necessary to deliver your surf alerts and manage your account:

• —First name and last name — used to personalise your alerts and account communications.
• —Phone number — used to deliver your daily surf forecast via SMS or WhatsApp.
• —Email address (optional) — used for account notifications and billing receipts.
• —Timezone — used to send your alerts at your chosen local time.
• —Surf spot preferences — the location(s) you subscribe to, including spot name and geographic coordinates sourced from Surfline.
• —Alert configuration — your preferred alert time, days of the week, and minimum wave height threshold.
• —Payment information — processed and stored securely by our payment provider (Stripe). We never store raw card details on our servers.
• —Message logs — a record of messages sent to you, including delivery status and cost, for service quality and billing purposes.

If you subscribe via a Facebook Lead Ad, we receive the information you provide in the lead form (typically your name and phone number) through the Meta Leads API, subject to Meta's own data-sharing policies.

We use your information solely to operate and improve the SurfSnap.io service:

• —To send your daily surf forecast alerts via SMS or WhatsApp at your configured time and location.
• —To verify your identity during sign-up and login using a one-time passcode (OTP) sent to your phone.
• —To manage your subscription, process payments, and generate invoices.
• —To provide customer support and respond to your enquiries.
• —To improve our service — for example, analysing delivery rates to optimise message reliability.
• —To comply with legal obligations and enforce our Terms of Service.

We do not use your personal information for advertising, profiling, or any purpose unrelated to delivering the SurfSnap.io service.

To provide the SurfSnap.io service, we share limited data with the following trusted third-party providers. Each provider operates under their own privacy policy and data-processing agreements:

• —Surfline (surfline.com) — we query Surfline's public forecast API to retrieve wave height, swell, wind, and surf condition data for your chosen spot. No personal data is sent to Surfline.
• —SimpleTexting — our SMS delivery provider. Your phone number and message content are transmitted to SimpleTexting to deliver your alerts. See their privacy policy at simpletexting.com.
• —Meta (WhatsApp Business API) — if you choose WhatsApp delivery, your phone number and message content are transmitted through the Meta WhatsApp Business platform. See Meta's privacy policy at meta.com.
• —Stripe — our payment processor. Payment card details and billing information are handled directly by Stripe under PCI-DSS compliance. See their privacy policy at stripe.com.
• —Meta Leads API — if you subscribed via a Facebook Lead Ad, your lead data is received through the Meta Leads API and is subject to the terms you agreed to on Meta's platform.

We do not sell, rent, or trade your personal information to any third party for marketing purposes.

We retain your personal information for as long as your account is active or as needed to provide you with our services. Specifically:

• —Account data (name, phone, email, timezone) is kept for the duration of your account and for up to 12 months after deletion to comply with legal and audit obligations.
• —Message logs are retained for 24 months for billing reconciliation and service quality monitoring.
• —Invoice and payment records are retained for 7 years in compliance with applicable financial regulations.
• —OTP verification codes expire automatically after 5 minutes and are permanently purged from our systems.

You may request deletion of your account and associated data at any time by contacting us at the address below. We will action your request within 30 days, subject to any legal retention requirements.

Depending on your location, you may have the following rights regarding your personal data:

• —Right of access — you can request a copy of the personal information we hold about you.
• —Right to rectification — you can ask us to correct inaccurate or incomplete information.
• —Right to erasure — you can request deletion of your personal data, subject to legal retention obligations.
• —Right to restriction — you can ask us to limit how we process your data in certain circumstances.
• —Right to data portability — you can request your data in a machine-readable format.
• —Right to object — you can object to the processing of your data for certain purposes.
• —Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at Wade@surfsnap.io. We will respond within 30 days.

We take the security of your personal information seriously and implement appropriate technical and organisational measures, including:

• —All data is transmitted over HTTPS/TLS encrypted connections.
• —Authentication tokens are signed and verified using industry-standard JWT with separate access and refresh token secrets.
• —Passwords are never stored — we use OTP-based authentication exclusively.
• —Our database and infrastructure are hosted in secure, access-controlled environments.
• —Access to personal data is limited to authorised personnel only.

While we take every reasonable precaution, no method of transmission over the internet or electronic storage is 100% secure. If you become aware of any security vulnerability, please notify us immediately at Wade@surfsnap.io.

Our website uses essential cookies only — specifically secure, HTTP-only authentication cookies to maintain your login session. We do not use tracking cookies, third-party analytics cookies, or advertising cookies.

You can configure your browser to refuse cookies, but doing so may prevent you from logging in to your account.

SurfSnap.io is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us immediately and we will delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you via SMS or email (if provided) at least 7 days before the changes take effect, and update the "Last updated" date at the top of this page.

Your continued use of SurfSnap.io after the effective date of any changes constitutes your acceptance of the updated policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

• —Email: Wade@surfsnap.io
• —Website: surfsnap.io

We are committed to resolving any privacy concerns promptly and transparently.