SurfEye — Privacy & Data

This notice explains how SurfEye (SurfEye AB) (“we”, “us”) collects and uses your personal data when you use our apps and website (the “Service”). We are the data controller for this Service.

1) What we collect

• Account basics — email, display name, and (optional) profile photo (via Firebase Authentication & Storage).
• Preferences — units, appearance, webcam playback, alert settings.
• Your surf places — Home spot and Favorites.
• Notifications — in-app alert items we show you.
• Plan usage — counters such as webcam view counts to enforce plan limits.
• Diagnostics — app version, device type, crash logs, and minimal server logs for reliability and security.
• Location — only if you enable Location Services; we use it on-device to center the map and show nearby spots. We do not store precise GPS on our servers.

2) Sources

Data comes from you (when you sign up or change settings), from your device (when you use features), and from our service providers (e.g., Firebase auth state, storage links).

3) Purposes & legal bases (GDPR/UK GDPR)

• Provide the Service (account, sync, alerts, plan enforcement) — contract.
• Improve and secure (diagnostics, abuse prevention) — legitimate interests.
• Communications (support emails) — legitimate interests or consent where required.
• Optional features (location, certain notifications) — consent.
• Legal compliance (tax, accounting) — legal obligation.

4) Sharing & processors

We do not sell your personal data. We share it only with service providers under contracts that protect your data and act on our instructions:

• Google Firebase & Google Cloud — Authentication, Firestore/Storage, Hosting, Cloud Run (us-central1).
• Email — when you contact support@surfeye.com (your email provider and ours will process the message).

5) International transfers

We may process data in or transfer it to countries outside your own. When we transfer personal data from the EEA/UK to countries without an adequacy decision, we rely on appropriate safeguards such as the EU/UK Standard Contractual Clauses included in our providers’ data protection terms.

6) Retention

• Account data: for the life of the account; deleted upon account deletion (subject to legal record-keeping).
• Plan usage counters: reset periodically; aggregate totals may be kept for fraud/security.
• Server logs & diagnostics: typically ≤ 30–180 days, unless needed for security or legal reasons.

7) Your rights

Depending on where you live, you may have rights to access, correct, delete, port, restrict or object to processing. To exercise rights, email support@surfeye.com. We will verify your request and respond in time required by law.

• EEA/UK: You may lodge a complaint with your data protection authority; our lead authority is likely in Sweden.
• California (CPRA): You have rights to know, delete, correct, and to opt-out of “sale”/“sharing” for cross-context advertising. SurfEye does not sell or share personal information as defined by CPRA.

8) Cookies & similar tech

On the web, Firebase Authentication and our app use local storage/cookies for secure sessions. We do not currently run third-party advertising cookies. You can control cookies through your browser settings.

9) Security

We use industry-standard security measures including encryption in transit, protected infrastructure (Google Cloud/Firebase), least-privilege access, and monitoring. No system can be 100% secure.

10) Children

SurfEye is not directed to children under 13. If you believe a child provided personal data to us, contact support and we will address it.

11) Changes

We may update this notice; we will notify you of material changes in-app or by email and state the effective date.

12) Contact

SurfEye (SurfEye AB)
Email: support@surfeye.com

Last updated: 06 Sep 2025