Privacy Policy

1. Who we are (Controller)

Get Surf Report is a surf forecast service operated by Get Surf Report, registered in Brazil. For any privacy-related matter, please contact our Data Protection Officer (DPO) at the address below.

2. What data we collect

We collect only the data necessary to provide the service.

• Account: name, email address, username, encrypted password (bcrypt), skill level, body weight (optional).
• Usage: favorite spots, notification subscriptions, crowd posts and comments, check-ins, spot requests.
• Analytics: anonymous behavioral events (pages visited, features used) — no name or email linked.
• Purchase: Hotmart transaction data, including subscription status and external IDs. Hotmart may transmit additional personal data in webhook payloads per its own privacy policy.
• Technical: session cookie, language/sport preference cookies, optional geolocation (browser API — only when you click 'Near me'), timezone.

3. Legal basis for processing

We process your data only when we have a valid legal basis.

4. Data sharing

We do not sell your data. We share it only with service providers strictly necessary to operate the platform:

• Render (hosting, Brazil/US region) — infrastructure provider.
• Hotmart (payment processing) — for premium subscriptions.
• Open-Meteo (Switzerland) — weather forecast data provider. No personal data is transmitted.
• Google OAuth — only if you use 'Continue with Google'. Google receives your authentication request; we receive only your email and name.

5. Data retention

We keep your data only as long as necessary.

• Active account data: retained while your account is active.
• Analytics events: anonymized and retained for 12 months.
• Notification logs: 90 days.
• Hotmart payment records: 5 years (legal/fiscal obligation).
• Content you posted (comments, posts): anonymized on account deletion — authorship is removed but content may remain for community integrity.
• Consent records: 5 years.

6. Your rights (LGPD Art. 18)

You have the following rights over your personal data. To exercise them, visit your Account page or contact our DPO.

• Access: obtain confirmation that we process your data and a copy of it.
• Correction: update inaccurate or incomplete data.
• Deletion: request erasure of data processed with your consent.
• Portability: receive your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interest.
• Withdrawal of consent: revoke consent for notifications at any time from your Account page.
• Information about sharing: know which third parties we share your data with.

7. Cookies

We use only technically necessary cookies: session authentication, CSRF protection, language preference, sport preference, and optional geolocation (only when you explicitly request 'near me' results). No advertising or tracking cookies are used.

You can delete cookies at any time via your browser settings, but some features (login, language preference) will stop working.

8. Security

We apply technical and organizational measures to protect your data: encrypted passwords (bcrypt), HTTPS/HSTS, Content Security Policy (CSP), CSRF protection, and session isolation. Despite these measures, no transmission over the internet is 100% secure.

9. Changes to this policy

We may update this policy to reflect changes in the service or applicable law. We will notify registered users by email when material changes occur. Continuing to use the service after changes become effective constitutes acceptance.