Privacy Policy
Last updated: March 2026
1. Who we are
SurfPing (ABN 87 393 634 852), operated from Australia. Contact: waves@surfping.net.
2. What personal information we collect
- Email address (required for account creation and alerts)
- Password (hashed and stored by AWS Cognito — we never see your plaintext password)
- Phone number (optional, if you choose SMS alerts)
- Beach preferences (which beaches you track, swell/wind/tide preferences)
- Subscription and payment information (processed by Stripe — we store your Stripe customer ID but never your card details)
- Usage data (alert history, matched sessions — auto-deleted after 35 days)
3. How we collect it
- Directly from you when you create an account, add beaches, or update settings
- From Stripe via webhooks when your subscription status changes (e.g., payment confirmed, subscription cancelled)
- We do not use tracking cookies or collect data from any other third parties
4. Why we collect it (purpose)
- To match surf conditions to your preferences and send alerts (email or SMS)
- To process your subscription payment
- To improve the service (aggregated, non-identifying usage patterns)
5. How we use and disclose it
We only use your information for the purposes described above. We do not sell, rent, or trade your personal information. We share limited information with these service providers:
| Provider | Data shared | Purpose | Location |
|---|
| AWS (Cognito, DynamoDB, SES) | Email, hashed password, preferences | Authentication, data storage, email delivery | Sydney, Australia (ap-southeast-2) |
| Stripe | Email, Stripe customer ID | Payment processing | United States |
| Twilio | Phone number, SMS content | SMS alert delivery | United States |
| Open-Meteo | None (anonymous API calls) | Surf forecast data | European Union |
6. Overseas disclosure (APP 8)
Your email address is shared with Stripe (US) for payment processing and your phone number is shared with Twilio (US) for SMS delivery. Both companies maintain privacy practices consistent with the Australian Privacy Principles. AWS stores all data in the Sydney (ap-southeast-2) region. No personal information is sent to Open-Meteo — forecast API calls are anonymous.
7. Data security (APP 11)
- All data transmitted over HTTPS (TLS encryption in transit)
- Data encrypted at rest by AWS managed encryption
- Passwords hashed by AWS Cognito (never stored in plaintext)
- Payment card details handled entirely by Stripe (PCI DSS compliant) — never touch our servers
8. Data retention
- Account data: retained until you delete your account
- Alert history: auto-deleted (DynamoDB TTL)
- Matched sessions: auto-deleted after 35 days
- Forecast cache: auto-deleted after 24 hours
9. Your rights
- Access (APP 12): You can request a copy of all personal information we hold about you by emailing waves@surfping.net. We will respond within 30 days.
- Correction (APP 13): You can update your email, phone number, and preferences in Settings. For other corrections, email us.
- Deletion: You can delete your account at any time from Settings. This permanently removes all your data from our systems, cancels your subscription, and deletes your authentication record.
- Unsubscribe: Every email includes an unsubscribe link. You can also manage email preferences in Settings.
10. Cookies and tracking
We do not use cookies for tracking or advertising. We store authentication session tokens in your browser's localStorage to keep you logged in. We use Plausible Analytics, a privacy-friendly, cookieless analytics tool that collects no personal data and does not track individual users. No other third-party tracking scripts are used.
11. Transactional emails
We send transactional emails that are essential to the operation of your account — such as email verification codes when you sign up. These emails are not marketing and do not include an unsubscribe option, as they are required for account security.
12. Children's privacy
SurfPing is not directed at children under 16. We do not knowingly collect information from children.
13. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email. The “last updated” date at the top of this page will always reflect the most recent version.
14. Complaints
If you believe we have breached the Australian Privacy Principles, please contact us at waves@surfping.net. If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.