Privacy Policy

Groundswell (groundswell.surf) is operated by Kevin McCalley, Portugal. For all privacy-related matters, including data subject requests, contact us at support@groundswell.surf.

We are the data controller for personal data collected through this Service. This policy explains what data we collect, why, how it is used, and your rights under the EU General Data Protection Regulation (GDPR) and applicable Portuguese data protection law.

Account data: When you register, we collect your email address and any profile information you provide. Account authentication is handled by Clerk, Inc.

Payment data: Billing information (card details, billing address) is collected and stored exclusively by Stripe, Inc. We do not store your full card number or CVV on our servers.

Usage data: We collect anonymized analytics (page views, feature usage) through Vercel Analytics to improve the Service. No personal identifiers are included.

Location data: When you search for a surf location, that location is used to fetch forecast data. We do not persistently store your search history or link it to your account identity.

Technical data: Standard server logs (IP address, browser type, request timestamps) are retained for up to 30 days for security and debugging purposes.

• Contract performance: Account and payment data are processed to provide and bill for the Service.
• Legitimate interests: Usage analytics and server logs are processed to maintain security and improve the Service.
• Legal obligation: We retain certain transaction records as required by Portuguese and EU tax law.

We share data with the following processors, each bound by appropriate data processing agreements:

• Clerk, Inc. — authentication and account management (US, EU Standard Contractual Clauses apply)
• Stripe, Inc. — payment processing (US/EU, PCI-DSS compliant)
• Vercel, Inc. — hosting, deployment, and analytics (US, EU SCCs apply)
• Redis Ltd. — short-term caching of non-personal forecast results (US)

We do not sell, rent, or share your personal data with any third party for marketing purposes.

• Account data: retained for the duration of your subscription plus 12 months, then deleted on request.
• Payment records: retained for 7 years as required by EU tax law.
• Server logs: deleted after 30 days.
• Cached forecast data: automatically expires within 6 hours, contains no personal identifiers.

As a data subject in the EU/EEA, you have the following rights, which you may exercise at any time by contacting us:

• Access: request a copy of all personal data we hold about you.
• Rectification: request correction of inaccurate data.
• Erasure: request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
• Restriction: request that we limit processing of your data in certain circumstances.
• Portability: receive your data in a structured, machine-readable format.
• Object: object to processing based on legitimate interests.
• Withdraw consent: where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email support@groundswell.surf. We will respond within 30 days.

If you believe we have not handled your data lawfully, you have the right to lodge a complaint with the Portuguese data protection supervisory authority: Comissão Nacional de Proteção de Dados (CNPD), Av. D. Carlos I, 134 — 1º, 1200-651 Lisboa, Portugal. Website: cnpd.pt.

We use only strictly necessary cookies for authentication session management (via Clerk). We do not use advertising, tracking, or third-party marketing cookies. No cookie consent banner is required as we do not use non-essential cookies.

Some of our processors are located in the United States. Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including the use of EU Standard Contractual Clauses (SCCs) as approved by the European Commission.

We may update this policy from time to time. We will notify you of material changes by email. The current version is always available at groundswell.surf/privacy.