Privacy Policy
Last updated: March 12, 2026
We take your privacy seriously. This policy explains what data we collect, why we collect it, who we share it with, and how you can control it. We are GDPR-compliant and committed to data minimisation.
1. Data Controller
Surf-Connect operates this platform. For GDPR purposes, Surf-Connect is the data controller for personal data collected through this website and app. Contact: privacy@surf-connect.com.
2. Data We Collect
Account data — name, email address, profile photo, role, bio, phone number. Collected when you register via Supabase Auth.
Booking data — lesson preferences, dates, payment status, instructor communications. Stored in our Supabase database.
Payment data — Stripe processes your payment card details. We never store raw card numbers. We receive tokenised payment confirmations and payout records.
Location data — if you grant permission, the Radar page uses your browser's geolocation to find nearby instructors. Your location is never stored on our servers.
Usage data — page views, anonymous session analytics, and error logs used to improve the platform.
3. How We Use Your Data
- To create and manage your account (legal basis: contract).
- To process bookings and payments (legal basis: contract).
- To send transactional emails: booking confirmations, reminders, and session photo notifications (legal basis: contract).
- To verify instructor certifications (legal basis: legitimate interest).
- To prevent fraud and abuse (legal basis: legitimate interest).
- To improve the platform via aggregated analytics (legal basis: legitimate interest).
4. Third-Party Services
- Supabase — our database and auth provider. Data is stored on servers within the EU (Frankfurt region).
- Stripe — payment processing. Stripe is PCI-DSS Level 1 compliant. See Stripe's Privacy Policy.
- CARTO / OpenStreetMap — map tiles for the Radar feature. No personal data is sent to tile providers.
5. Data Retention
We retain account data for as long as your account is active. If you request account deletion, we will remove your personal data within 30 days, except where retention is required by law (e.g. financial records for 7 years under EU accounting rules).
6. Your Rights (GDPR)
- Access — request a copy of your data.
- Rectification — correct inaccurate data via your profile settings.
- Erasure — request deletion of your account and personal data.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interest.
- Restriction — request limited processing in certain circumstances.
To exercise your rights, email us at privacy@surf-connect.com. We will respond within 30 days.
7. Cookies
We use only essential cookies — specifically, the Supabase authentication session cookie. We do not use advertising or tracking cookies. No cookie consent banner is required for essential cookies under GDPR.
8. Security
All data is transmitted over HTTPS. Passwords are hashed by Supabase Auth (bcrypt). Payment processing is handled entirely by Stripe — we never touch raw card data. Database access is protected by row-level security (RLS) policies in Supabase.
9. Changes
Material changes to this policy will be communicated via email 14 days in advance. The "Last updated" date above reflects the most recent revision.
📬 Data Protection Enquiries
Email: privacy@surf-connect.com
You also have the right to lodge a complaint with your national data protection authority (e.g. CNPD in Portugal, CNIL in France).