Plain-English summary
WAVOA collects the minimum needed to give you a forecast (wind & swell), sync favourites and your logbook across your devices, and send the alerts you ask for — for any of the four sports we support. We don't sell your data. We don't profile you. We don't pass your data to ad networks. If you want it gone, tap Profile → Delete account.
If anything in the long version contradicts this summary, the summary wins. We'll fix the long version.
Scope & controller
This policy covers the WAVOA mobile apps (iOS, Android), the WAVOA website (wavoa.app), and any forecasts, alerts, or sync features delivered as part of those products.
The data controller is WAVOA SAS, registered in Bordeaux, France (RCS 901 234 567). For privacy questions, use the contact form — a human reads every submission within five business days.
What we collect
You give us, directly
- Account info. An email address and a name. If you sign in with Apple, we receive only a relay email by default.
- Favourite spots. The list of spots you star, so we can sync them across devices.
- Alert rules. The conditions you've set up — spot, wind range, direction, time window.
- Logbook entries. Synced to our Supabase EU database, protected by row-level security so only your account can read your rows. Appears on every device you sign in to.
- My Gear. The sails, kites, wings and boards you've registered, and your weight if you choose to enter it.
We collect automatically
- Device type & OS version — to know if a crash report came from iOS 17 or iOS 18.
- App version — to know which build is hitting our API.
- Coarse country — derived from IP at request time, then discarded.
- Anonymous usage events — “user opened the meteogram”, never tied to an account.
We do not collect
- Your contacts, photos, calendar, or microphone.
- Cross-app advertising identifiers (IDFA / GAID).
- Background location when the app is closed.
How we use what we collect
| Purpose | Legal basis (GDPR) | Retention |
|---|---|---|
| Deliver forecasts to your favourite spots | Contract | While account exists |
| Send push alerts you've configured | Contract | Until rule is deleted |
| Sync favourites across devices | Contract | While account exists |
| Crash & performance diagnostics | Legitimate interest | 30 days |
| Anonymous product analytics | Legitimate interest | 13 months, aggregated |
| Billing & receipts (Plane / Foil) | Contract + legal obligation | 10 years (FR tax law) |
Who we share with
A short, fixed list. We will update it here within 14 days of any change.
- Stripe Payments Europe Ltd. — payment processing. Receives card last-4, billing country, amount.
- Apple App Store / Google Play. — subscription management. Receives only what they need to sell you Plane.
- Vercel Inc. (USA). — global edge CDN that serves the wavoa.app website. Static content only; no user data.
- Supabase Inc. (EU region, Frankfurt). — our application database (Postgres). Holds your account record, favourites, alert rules, gear, and logbook. Row-level security keeps your rows scoped to your account.
- Apple Push Notification service / Firebase Cloud Messaging. — to deliver push alerts. We push the notification text, not your account ID.
- PostHog Inc. (EU region, Frankfurt). — anonymised product analytics. Configured in privacy mode: IP scrubbed, person profiles disabled, no cross-site tracking, no session recording.
We do not share with: ad networks, data brokers, social networks, or AI training companies.
Location data
Location is opt-in and per-purpose:
- “Show spots near me” — uses your location only at the moment you tap the button. Never stored.
- “Auto-detect spot when I log a session” — uses your location for ~30 seconds when you tap “Log session”. Stored only as the resulting spot ID.
- Background location — never used. WAVOA does not run while you're in your wetsuit.
Retention
The retention table above is the contract. In addition: dormant accounts (no sign-in for 24 months) get a heads-up email and are deleted 30 days later unless you sign back in.
Your rights
Under the GDPR (EU), CCPA (California), and the LGPD (Brazil), you have the right to:
- Access — get a copy of every byte we hold on you. Use the data-export form and we send the bundle within 30 days (usually within 2).
- Rectify — fix anything inaccurate. Edit in-app or use the privacy form.
- Erase — delete your account. Profile → Delete account. Honoured within 7 days.
- Port — receive your data in a machine-readable format on request. Same channel as Access.
- Object — opt out of analytics in Profile → Privacy → Analytics.
- Complain — to the CNIL (France) or your local data protection authority.
Security
All connections to WAVOA use TLS 1.3. Passwords are hashed with Argon2id. The Supabase Postgres database that holds your data is protected by row-level security policies — every table requires your auth token to return rows, so another signed-in user (or someone with our public anon key) gets back zero rows for queries against your data. We run third-party penetration tests annually; the most recent report is from 2026-02-14 and available on request to verified journalists or enterprise customers.
Changes to this policy
We'll email you (and post a banner in-app) at least 30 days before any material change. Cosmetic changes — typo fixes, clarifications — happen silently, and the version stamp at the top of the page bumps.
Contact
Privacy questions: contact form, topic “Privacy & data”
Data Protection Officer: contact form, topic “Data Protection Officer”
Postal: WAVOA SAS, 12 rue Sainte-Catherine, 33000 Bordeaux, France