What we hold
Every piece of data WAVOA stores about you, by category:
Identity
- Email address (or Apple relay address).
- Display name.
- Account creation timestamp.
- Authentication provider (Apple, Google, or email).
Usage
- Favourite spots — the IDs of starred spots, plus a per-device sort order.
- Alert rules — JSON blob describing each rule (spot, wind range, direction, time).
- Subscription state — Drift / Plane / Foil, expiry date.
- Last-seen timestamp — used only to flag dormant accounts after 24 months.
Optional, opt-in
- Logbook entries — synced to our Supabase Postgres database (EU region) and protected by row-level security. Sync is enabled by default; you can disable it per device under Profile → Sync.
- My Gear — sails, boards, weight. Only synced if you tap “Sync gear”.
- Custom spots — pins you've dropped yourself.
Diagnostics (anonymised)
- Crash reports — stack traces, device model, OS version. No account ID.
- Anonymous events — “user opened meteogram”, “user logged session”. Not joinable to your account.
Where it lives
Geography matters. Here's where each category sits.
| Category | Region | Provider |
|---|---|---|
| Website (static, no user data) | Global edge CDN | Vercel |
| Identity, favourites, alerts, subscriptions, logbook, gear | EU (Frankfurt, DE) | Supabase (Postgres + RLS) |
| Database backups | EU (Frankfurt, DE) | Supabase (managed) |
| Push notification routing | USA (Apple) / EU (Google) | APNs / FCM |
| Payment metadata | EU/IE | Stripe Payments Europe |
| Product analytics (anonymised) | EU (Frankfurt, DE) | PostHog Cloud EU |
| Crash reports | EU (Frankfurt, DE) | Sentry EU |
User data lives in Supabase's EU region and is protected by Postgres row-level security policies. The website itself is statically rendered and served from Vercel's global edge CDN — that's HTML, CSS, and JavaScript with no personal data. The exceptions for cross- region data flow are push tokens, which traverse APNs (Apple, US) or FCM (Google, EU); push payloads contain only the notification text — never your identity.
How long we keep it
- While your account exists — identity, favourites, alert rules, subscription state, logbook, gear.
- 30 days — crash reports, server logs.
- 13 months — anonymised analytics, in aggregate.
- 10 years — billing records, where French tax law requires.
Dormant accounts (no sign-in for 24 months) get a heads-up email and are deleted 30 days later unless you sign back in.
Access your data
You have a right to a copy of everything we hold on you. Use the data-export form; the topic dropdown is already set so it routes correctly. Per GDPR Article 12, we respond within 30 days, usually within two business days.
We send a single bundle containing your account record, favourites, alert rules, gear, and logbook entries — in commonly-used, machine-readable formats — plus a README explaining each file. The link expires after 7 days; re-request any time.
Delete your account
One tap. We honour it within 7 days, no friction.
- Profile → Privacy → Delete my account.
- You'll see a list of what's about to disappear. Tap “Yes, delete everything”.
- Within 7 days: identity, favourites, alerts, gear, custom spots, and your logbook — all permanently destroyed.
- Up to 30 days: backups age out and are overwritten.
- 10 years: billing records (the only thing we have to keep, per French tax law) — but disconnected from your identity within 7 days, so they read as
FORMER_USER_a3f2….
Breach response
If we ever discover a personal-data breach, we will notify the CNIL within 72 hours of becoming aware, as required by GDPR Article 33. We will email every affected user without undue delay, plain-English, with a clear list of: what happened, what data was involved, what we've done, and what you should do.
Data subject requests
EU/UK residents can lodge a complaint with their local data protection authority. In France, that's the CNIL. California residents can use the contact formwith “CCPA Request” in the subject. We respond within 45 days.