Privacy Policy – Surfmate App

Last updated: 25 May 2026

Scope. This privacy policy applies to the Surfmate mobile application (the “App”). For our website, please see our separate notice at Website privacy policy. Rules for using the Service are in our Terms of Service and Community Guidelines.

1. Controller

The controller responsible for processing personal data in connection with the App is:

Surfmate
Jolie Bast
Deelwisch 43
22529 Hamburg
Germany

Phone: +4916091814756
Email: info@surf-mate.de

2. Overview

Surfmate lets you document your surf sessions and related moments—such as sessions, surf spots (including private spots you save for yourself), conditions (including short videos you may share via the Spotcheck feature), notes, photos, how you felt, and other content you choose to save. You can sign in with email and password, Google Sign-In, or Sign in with Apple; optionally add a phone number; optionally use your device contacts only to match phone numbers (we do not store your address book); and connect with others via a personal QR code they can scan in the App. You can also build a profile (similar to other social apps) with a bio, fun facts, an optional link or handle to your Instagram profile, information about where you have surfed, and a short list of your most recent public sessions (typically the last five), which other users may see when they view your profile in the App. We process personal data only where necessary to provide the App and the features you use, to comply with legal obligations, or where you have given consent.

3. What data do we process?

Depending on how you use the App, we may process in particular the following data:

3.1 Account data and sign-in

When you create or sign in to an account, we process data needed to operate your account. Depending on the method you choose:

  • Email and password: your email address and your password in a technically secure form (e.g. a hash).
  • Google Sign-In: we receive information from Google needed to authenticate you and link your account (e.g. email address, a Google account identifier, and—if you grant it—name or profile image from your Google account). Google processes your sign-in under its own terms and privacy policy; we receive only what is necessary to create or access your Surfmate account.
  • Sign in with Apple: we receive information from Apple needed to authenticate you and link your account (e.g. email address or Apple’s private relay email, an Apple account identifier, and—if you choose to share it—name). Apple processes your sign-in under its own terms and privacy policy; we receive only what is necessary to create or access your Surfmate account.

Further optional information you add to present yourself in the App is described under profile data (section 3.2) and finding other users (section 3.9).

3.2 Profile (bio, fun facts, surf places, Instagram)

You may add profile information to your account, including for example:

  • A bio or short self-description
  • Fun facts or similar prompts (e.g. quick facts about you and your surfing)
  • Information about where you have surfed (e.g. regions, countries, spots, or a list derived from your sessions—depending on how you set up your profile)
  • A profile photo or other media shown on your profile, if you upload one
  • An optional Instagram username, profile URL, or similar reference you choose to add so others can find you on Instagram (we store what you enter; opening Instagram itself is subject to Instagram’s/Meta’s own terms and privacy policy)
  • An optional phone number you add to your account (see section 3.9 for how it is used for contact-based discovery)

Recent public sessions on your profile: When you log surf sessions, you can treat them as public or keep them non-public, depending on the App’s settings. Other users who view your profile in the App may see your most recent public sessions—typically up to the last five—as a summary on your profile (e.g. date, spot or area, and other details you attach to those sessions). Sessions that are not public are not shown in that profile list in the same way.

This data is stored with your account. Depending on how Surfmate is set up, your profile (including bio, fun facts, surf-place information, Instagram details if you add them, and your recent public sessions as described above) may be visible to other users in the App—for example when they open your profile, in discovery or community areas, or in other social areas of the App. Only add information you are comfortable sharing in that context.

3.3 Content you add in the App

You may voluntarily store content that may be personal data, for example:

  • Information about surf sessions (date, duration, spot name, short condition videos, and whether a session is public or not—public sessions may appear on your profile for others as described in section 3.2)
  • Surf spots, including spots you mark as private (e.g. custom names, notes, and—where you save them—location or map coordinates associated with that spot). Private spots are stored like your other App content so you can use them in your personal log; they are not treated like public profile information unless you explicitly choose to share them through other features.
  • Descriptions of wave, break, and other conditions
  • Notes, emotions, and similar entries
  • Photos or other media you add through the App (including videos from the camera or microphone)

You decide how detailed these entries are. Please only record third-party data if you are entitled to do so (e.g. where consent is required)—this also applies to photos and videos that show other people.

3.4 Spotcheck condition videos (24-hour visibility)

You can record and store short videos as part of documenting surf conditions. When you use this feature, we process the video files and related metadata (e.g. time, link to your session or spot, if applicable) on our systems.

If you use the Spotcheck feature, short condition videos can be made available to other users in the App for 24 hours from when they are shared (or as displayed in the App). During that time, eligible users can view the video within the App. This processing is part of delivering the features you actively use.

3.5 Location and maps (Mapbox)

If you use features that require or offer location access (e.g. assigning a spot or saving a private surf spot), we process location data only if you grant the relevant permission on your device. You can change or withdraw permissions at any time in your device settings.

Map views in the App are provided using Mapbox. When you use map features, connections to Mapbox are necessarily established so map tiles and related mapping services can be delivered. If you enable location permission, location-related data may also be processed to centre maps or support location-based map functions. For details on how Mapbox processes data, see Mapbox’s privacy policy (section 5).

3.6 Device and technical data

When you use the App, technical information may be generated, such as device type, operating system, app version, language settings, timestamps and—where technically necessary—log data when communicating with our servers (via Supabase; see section 5). This supports providing, securing, and stabilising the App.

3.7 Push notifications

If you enable push notifications, we store and process a device push token or comparable technical identifier (e.g. from your operating system’s push service) so notifications can be delivered to your device. This token is personal data because it may be linked to your user account. Enabling notifications is voluntary via system settings or any consent flow offered in the App.

3.8 Blocking users and reporting users or content

If you use safety features in the App, we process data required to enforce your block lists and to review reports. This may include your user ID, the reported user ID, the reported content reference, the reason category you choose, optional free-text details, and timestamps. We use this data to protect users, enforce our Community Guidelines, and prevent abuse.

3.9 Phone number, contacts, and finding people you know

Surfmate offers features to help you find people you may know. There is an important distinction between what we store and what we only process for matching:

  • Phone number on your account (optional — we store this): If you add a phone number, we save it with your account so it can be used for contact-based discovery. When other users use the contact-matching feature, we check whether a number from their address book matches a registered Surfmate user. If there is a match with your number, those users may see in the App that you use Surfmate (e.g. as a suggested contact)—together with profile information they can already see according to your settings. Your full phone number is not shown to everyone in the App. Only add a number if you are comfortable with this use.
  • Your device contacts (matching only — we do not store your address book): If you use contact-based discovery, you grant the App permission to read entries from your device address book (typically phone numbers; names may be shown on your device from your local contacts, but we do not need to keep a copy of your contact list on our servers). Those numbers are used only to find matches with phone numbers of registered Surfmate users. We do not store your address book, a list of your contacts, or contact names on our systems for this feature. Processing happens when you use the feature (e.g. you open “find friends” or refresh matches); numbers are compared for that purpose and are not retained as a contact database after the match is done. You only see results such as which contacts appear to use Surfmate or can be invited. We do not use this for unrelated advertising. You can decline or revoke contact access in your device settings or stop using the feature in the App.

Contact matching requires your consent (including any device permission the operating system asks for). Under the GDPR, even data that is not stored long-term is still “processed”; this section describes that short-term processing clearly. We do not require you to use contact matching or add a phone number to use the core logging features of the App.

3.10 QR code to connect with other users

The App can show you a personal QR code linked to your account. Another person who uses Surfmate can scan this code with the App (e.g. using the device camera) to find your profile or start connecting with you as offered in the App (e.g. follow or friend request, depending on the feature).

The QR code encodes a reference to your account or profile in the App; it is not intended to expose data beyond what is needed for that connection flow. Scanning is voluntary for both sides. We process scan events and related technical data only as needed to complete the connection you initiate.

4. Purposes and legal bases

We process personal data under the EU General Data Protection Regulation (GDPR), in particular:

  • Performance of a contract and pre-contractual steps (Art. 6(1)(b) GDPR): providing the App and the features you use (e.g. storing and displaying your entries, account administration, displaying your profile (including up to the five most recent public sessions) to other users as described in section 3.2, and making Spotcheck condition videos available to other users for the period described in section 3.4), sign-in via Google or Apple (section 3.1), and QR-based connection flows (section 3.10).
  • Legitimate interests (Art. 6(1)(f) GDPR): IT security, proportionate troubleshooting, abuse prevention, moderation and enforcement of community rules (including block and report workflows), and improving App stability, where your interests do not override ours.
  • Consent (Art. 6(1)(a) GDPR): where required, for optional features and permissions you actively enable (e.g. push notifications; access to location, camera, microphone, or photos; contact access for one-off matching (section 3.9 — we do not store your address book) and adding a phone number for contact-based discovery). Device-level permissions can be managed in your device settings. You can withdraw consent at any time with future effect.
  • Legal obligations (Art. 6(1)(c) GDPR): compliance with statutory retention and documentation duties, where applicable.

5. Storage, hosting, and processors

Data you enter in the App and your account (including email, password hash, push token, and your content) are stored and protected in the cloud infrastructure of Supabase (Supabase, Inc., USA). We use Supabase as a processor under Art. 28 GDPR on the basis of a data processing agreement. Further information: https://supabase.com/privacy

We use Mapbox (Mapbox, Inc., USA) to display maps. Mapbox processes requests needed to render map content; as described in section 3.5, location-related data can be involved when you use location-based map functions. The legal basis is providing the App functionality you request (Art. 6(1)(b) GDPR) and, where applicable, our legitimate interest in maintaining a stable map service (Art. 6(1)(f) GDPR). Further information: https://www.mapbox.com/legal/privacy

If you sign in with Google or Apple, those providers process authentication data on their systems when you use their sign-in buttons. We receive only the account information described in section 3.1. Further information: Google Privacy Policy; Apple Privacy Policy.

Transfers to the USA or other third countries may occur in connection with these services. We ensure an adequate level of data protection (in particular through the EU Commission’s standard contractual clauses and, where required, supplementary measures), unless an adequacy decision applies.

6. Sharing with third parties

We generally share your data with third parties only if you have consented, we are legally required to do so, or it is necessary to perform our contract with you. Specifically, data is transmitted to Supabase for storage and operation of the App, and to Mapbox when you use map features, each as described in section 5 (processing / service relationship). When you use Google Sign-In or Sign in with Apple, authentication is handled by those providers as described in section 3.1 and section 5.

We do not sell your personal data to third parties for their advertising purposes without your consent.

Other users in the App: Information you put on your profile (section 3.2)—such as your bio, fun facts, optional Instagram link or handle, where you have surfed, and typically your last five public surf sessions—may be shown to other users when they view your profile or use social features in the App. Private surf spots you save in your session log (section 3.3) are intended for your personal use in the App and are not shared with other users as part of that private-spot feature, unless a separate sharing function explicitly applies. When you share short condition videos via Spotcheck, other users can view that content in the App for 24 hours as described in section 3.4. If you add a phone number and other users use contact matching (without us storing their address book), matched users may see that you use Surfmate as described in section 3.9. When someone scans your QR code, they can access the connection flow for your account as described in section 3.10. These disclosures are not sales to independent third-party advertisers; they are part of the social functionality offered inside Surfmate between you and other users.

7. Retention

We keep personal data only as long as needed for the purposes described here or as required by statutory retention periods. We delete account and App content when you delete your account or when the purpose no longer applies and no retention duty conflicts, unless you expressly request longer storage and this is lawful.

Spotcheck condition videos: Videos shared via Spotcheck are visible to other users in the App for 24 hours. After that period they are no longer available to other users in the App via Spotcheck. The underlying files remain stored in our systems until you delete them (where deletion options are available) or your account is deleted, unless statutory retention obligations require longer storage in specific cases.

Block and report data: We store block lists and moderation/report records for as long as needed to operate safety features, investigate misuse, and document moderation decisions. Where legally required or reasonably necessary for legal defence, selected records may be retained longer.

Phone number and contact matching: Your optional phone number on your account is kept for as long as it remains on your account (or until you remove it). We do not retain your address book on our servers; contact numbers are processed only when you use contact matching, as described in section 3.9.

You can contact us at any time for more detail on deletion periods.

8. Your rights

Subject to the conditions in applicable law, you have the right to:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Object to processing (Art. 21 GDPR), where we rely on legitimate interests
  • Withdraw consent at any time with future effect (Art. 7(3) GDPR)

To exercise your rights, contact us using the email address above. You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.

For instructions on requesting deletion of App data (including your account and push-related identifiers), see our Data deletion request page.

9. Security

We implement appropriate technical and organisational measures to protect your data against loss, misuse, and unauthorised access. Please note that transmission over the internet (including mobile networks) may have security gaps; complete protection is not possible.

In addition, safety features such as blocking users and reporting users or content support account and community protection inside the App.

10. Children

The App is not directed at children under 16. We do not knowingly collect data from children under 16. If you believe we have done so, please contact us.

11. Changes to this policy

We may update this privacy policy so that it reflects current legal requirements or changes to the App (e.g. new features). The version published here applies when you visit this page.

Note: This policy is not legal advice. Have it reviewed by qualified counsel if in doubt, especially when services or App features change.