Privacy Policy

Effective date: 20 March 2026  ·  Version 1.0

1. Introduction

LocalSurfHero (“we”, “our”, or “the platform”) is a spot-discovery and session-tracking platform for wind sports, including wingfoiling, kiteboarding, and windsurfing. This Privacy Policy explains what personal data we collect, how we use it, and your rights regarding that data.

This policy applies to all users of the LocalSurfHero website (www.localsurfhero.com), any associated web or mobile interfaces, and any integrations you choose to connect, such as Garmin Connect, Strava, or Suunto. Apple Watch users can import their sessions via Strava.

We are committed to being transparent and to handling your data responsibly. If you have questions, contact us at info@localsurfhero.com.

2. Who We Are (Data Controller)

LocalSurfHero is the data controller for personal data processed through the platform. We are based in the Netherlands and are subject to the General Data Protection Regulation (GDPR).

Contact: info@localsurfhero.com

3. What Data We Collect

3.1 Account and profile data

When you create an account, we collect:

  • Name and username
  • Email address
  • Password (stored as a hashed value, never in plain text)
  • Optional: profile photo, bio, home location, sports practiced

3.2 Spot data

When you add a spot to the platform, we collect:

  • Spot name, description, and local tips
  • Geographic coordinates (latitude and longitude)
  • Photos you upload
  • Wind information, difficulty level, facilities, and other optional fields
  • Your user ID as the contributor of the spot

3.3 Session and activity data (GPS / GPX)

You may optionally import activity sessions from Garmin Connect, Strava, or Suunto, or upload GPX files directly. When you do, we process and store:

  • GPS track data (route coordinates and timestamps)
  • Session duration and distance
  • Activity type (e.g. wingfoiling, windsurfing, kiteboarding)
  • Start time and date of the session

We do not collect or store physiological or health data such as heart rate, body weight, calories, sleep, or stress scores. Activity data imported from Garmin, Strava, or Suunto is limited strictly to GPS coordinates, timestamps, and session metadata as listed above.

3.4 Usage data

We automatically collect limited technical data when you use the platform:

  • IP address (anonymised after 30 days)
  • Browser type and device type
  • Pages visited and actions taken on the platform
  • Session timestamps

This data is used solely for platform performance monitoring and security purposes.

3.5 Messages

If you use the platform's inbox feature to message other users, we store the content of those messages to enable the messaging service.

4. How We Use Your Data

We use your data only for the following purposes:

  • Providing the service: creating and managing your account, displaying spots, enabling session import, and running leaderboards and gamification features.
  • Spot matching: automatically matching imported GPS sessions to spots on the platform based on geographic proximity.
  • Leaderboards and badges: calculating rankings and awarding badges based on your session data and spot contributions. All logic runs on data stored in our own database.
  • Platform communications: sending transactional emails such as account confirmations, password resets, and notifications you have opted into.
  • Security and fraud prevention: monitoring for abuse, spam, and unauthorised access.
  • Legal compliance: meeting our obligations under applicable law.

We do not use your data for advertising, behavioural profiling, or any purpose not listed above.

6. Third-Party Integrations

6.1 Garmin Connect

If you choose to connect your Garmin account, we request access to your activity data via the Garmin Activity API using OAuth 2.0. The connection is entirely user-initiated and requires your explicit authorisation.

We request access only to the following Garmin data:

  • Activity summaries (sport type, start time, duration, distance)
  • GPS track data (coordinates and timestamps)

We do not request or store any Garmin health, wellness, sleep, heart rate, stress, body composition, or menstrual cycle data.

You can revoke our access to your Garmin account at any time via Garmin Connect > Connected Apps. Upon revocation, we will no longer import new data. Previously imported session data will be retained in your account until you choose to delete it or delete your account.

6.2 Strava

If you choose to connect your Strava account, we request read-only access to your activities via the Strava V3 API using OAuth 2.0. We import activity type, GPS data, duration, and distance only. We do not write data back to Strava. You can revoke access at any time via Strava Settings > My Apps.

6.3 Suunto

If you choose to connect your Suunto account, we request access to your workout data via the Suunto Cloud API using OAuth 2.0. The connection is entirely user-initiated and requires your explicit authorisation.

We request access only to the following Suunto data:

  • Workout summaries (sport type, start time, duration, distance)
  • GPS track data (coordinates and timestamps), where available

We do not request or store any Suunto health, heart rate, lap, or other sensor data beyond GPS and session metadata. You can revoke our access at any time via the Suunto app or your Suunto partner connections settings. Previously imported session data will be retained in your account until you choose to delete it or delete your account.

Apple Watch users can import their sessions into LocalSurfHero via Strava (see Section 6.2). We do not have a direct integration with Apple HealthKit, and we do not request access to Apple Health data.

6.4 Infrastructure and service providers

We use the following third-party services to operate the platform:

  • Supabase: database, authentication, file storage, and real-time messaging (EU-hosted).
  • Firebase / Google Cloud: website hosting and deployment.
  • OpenStreetMap / Leaflet: interactive maps.
  • Resend: transactional email delivery.

Each provider processes data only on our behalf and under data processing agreements. We do not sell your data to any third party.

7. Data Sharing

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

  • With service providers: as described in Section 6.4, strictly for operating the platform.
  • With other users: your public profile, spots you have contributed, and leaderboard rankings are visible to other registered users. You control what appears on your public profile.
  • For legal reasons: if required by law, court order, or to protect the rights and safety of users or the platform.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide the service:

  • Account data: retained until you delete your account.
  • Spot data: retained until you delete the spot or your account. Spots may be anonymised rather than deleted if they form part of the platform's shared spot database.
  • GPS and session data: retained until you delete the session or your account.
  • Usage and technical data: anonymised or deleted within 90 days.
  • Messages: retained until deleted by either party, or upon account deletion.

9. Your Rights

Under GDPR and applicable privacy law, you have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of your personal data (“right to be forgotten”).
  • Portability: receive your data in a structured, machine-readable format.
  • Restriction: ask us to restrict processing of your data in certain circumstances.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: revoke consent for optional integrations (Garmin, Strava, Suunto) or marketing communications at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at info@localsurfhero.com. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

10. Account and Data Deletion

You can delete your account at any time via Settings > Account > Delete account. Upon deletion:

  • Your profile, session data, and messages will be permanently deleted within 30 days.
  • Spots you contributed may be retained in anonymised form to preserve the platform's spot database, unless you explicitly request full removal.
  • All active OAuth connections (Garmin, Strava, Suunto) will be revoked as part of the deletion process.

11. Security

We take appropriate technical and organisational measures to protect your data:

  • Passwords hashed using bcrypt
  • All data transmitted over HTTPS / TLS
  • Row-level security policies on the database
  • OAuth 2.0 for all third-party integrations — we never store your Garmin, Strava, or Suunto password
  • Access to production data restricted to authorised personnel only

In the event of a data breach posing a risk to your rights, we will notify affected users and relevant authorities as required by applicable law.

12. Cookies

We use only essential cookies required for the platform to function (authentication session cookies). We do not use tracking, advertising, or analytics cookies without your explicit consent. A cookie preference banner is shown on first visit and can be adjusted at any time.

13. Children's Privacy

LocalSurfHero is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have done so, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a notice on the platform at least 14 days before the change takes effect. The current version is always available at www.localsurfhero.com/privacy-policy.

15. Contact

For any questions or requests regarding this Privacy Policy or your personal data:

LocalSurfHero
Email: info@localsurfhero.com
Website: www.localsurfhero.com

We aim to respond to all privacy-related requests within 5 business days.
