Surfspots
Open Map ↗

Legal · Surfspots.net

Privacy
Policy

Operator

Dungeon Studio Solutions

Last updated

29 March 2026

Effective

29 March 2026

1. Who We Are

Surfspots.net ("we", "us", "our") is a community-driven watersports spot mapping platform operated by Dungeon Studio Solutions. Our website is located at surfspots.net.

For privacy enquiries, contact us at: surfspots.contact@gmail.com

2. Scope

This Privacy Policy applies to all users of surfspots.net, including:

  • Visitors who browse without an account
  • Registered users who submit spot requests
  • Business owners who list their businesses on the platform

We are committed to complying with:

  • EU General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679
  • UK GDPR and the UK Data Protection Act 2018
  • California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) for California residents
  • Irish Data Protection Acts 1988–2018

3. Data We Collect

3.1 Account Data (via Clerk)

When you register or sign in, our authentication provider Clerk collects and processes:

  • Email address
  • Name (if provided)
  • OAuth profile data (if you sign in via Google, GitHub, etc.)
  • IP address and device/browser information for security purposes

Clerk acts as a data processor on our behalf. See Clerk's Privacy Policy at clerk.com/legal/privacy.

3.2 Spot Submission Data

  • Geographic coordinates (latitude / longitude) you place on the map
  • Spot title and description (text you enter)
  • Selected activity categories and amenities
  • Uploaded images (stored in Supabase Storage)
  • Submission timestamp and your user ID

3.3 Business Listing Data

  • Business name, category, description, address, phone number, website
  • Geographic coordinates
  • Uploaded images
  • Contact email address provided in the form
  • Payment-related correspondence (card payments are handled by Stripe — we do not process them directly)

3.4 Rating Data

  • Spot ID, sport/activity type, and rating value (1–5)
  • Your user ID (anonymised in public-facing displays)

3.5 Technical & Usage Data

  • IP address and approximate geolocation
  • Browser type, operating system, device type
  • Pages visited, time on site, referrer URL
  • Error logs

4. Legal Basis for Processing

PurposeLegal Basis
Providing the platform and user accountsContract (Art. 6(1)(b))
Reviewing and publishing spot/business submissionsContract (Art. 6(1)(b))
Sending business renewal reminders by emailLegitimate interest (Art. 6(1)(f))
Improving the platform and fixing bugsLegitimate interest (Art. 6(1)(f))
Complying with legal obligationsLegal obligation (Art. 6(1)(c))
Marketing communications (if opted in)Consent (Art. 6(1)(a))

5. How We Use Your Data

  • Account management — to create and maintain your account via Clerk
  • Spot & business moderation — to review your submissions before they go live
  • Communication — to notify you of decisions on your submissions and send renewal reminders
  • Platform improvement — to analyse usage patterns and improve features
  • Safety — to detect abuse, spam, or fraudulent submissions
  • Legal compliance — to comply with applicable law, court orders, or government requests

We do not sell your personal data to third parties. We do not use your data for automated profiling or decision-making that produces legal or significant effects.

6. Data Sharing

ProcessorPurposeLocation
ClerkAuthenticationUSA (Standard Contractual Clauses apply)
SupabaseDatabase & file storageEU / USA (SCC apply)
StripePayment processingUSA (SCC apply)
ResendTransactional emailUSA (SCC apply)
VercelWebsite hostingUSA (SCC apply)

We may also disclose data if required by law, court order, or to protect the rights, property, or safety of Surfspots.net, its users, or the public.

7. International Data Transfers

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreements (IDTAs) where applicable
  • The EU-U.S. Data Privacy Framework where applicable

8. Data Retention

Data TypeRetention Period
Account dataUntil account deletion request
Pending spot submissionsUntil reviewed (max 30 days if not reviewed)
Approved spot dataIndefinitely while the platform is live
Rejected spot dataDeleted within 14 days of rejection
Business listing dataDuration of listing contract + 12 months
Rating dataUntil the rated spot is deleted
Server logs / technical data90 days rolling
Email correspondence3 years

When you delete your account, your personal identifiers are removed. Anonymised spot/rating data may be retained for platform integrity.

9. Your Rights

EU & UK Residents (GDPR / UK GDPR)

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure ("right to be forgotten") — request deletion of your data
  • Restriction — ask us to pause processing while a dispute is resolved
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — at any time where processing is based on consent

To exercise any right, email surfspots.contact@gmail.com. We will respond within 30 days.

You also have the right to lodge a complaint with:

  • Ireland: Data Protection Commission — dataprotection.ie
  • UK: Information Commissioner's Office (ICO) — ico.org.uk
  • Your local EU supervisory authority

California Residents (CCPA / CPRA)

  • Know what personal information is collected, used, shared, or sold
  • Request deletion of personal information
  • Opt out of the sale or sharing of personal information (we do not sell personal information)
  • Non-discrimination for exercising these rights

To submit a California privacy request, email surfspots.contact@gmail.com with the subject line "CCPA Request".

10. Cookies

We use essential cookies required for authentication and session management (via Clerk). We do not currently use advertising or third-party tracking cookies. If this changes, we will update this policy and request consent where required.

11. Children's Privacy

Surfspots.net is not directed at children under 16 (or under 13 in the USA). We do not knowingly collect personal data from children. If you believe a child has registered, contact us and we will delete the account promptly.

12. Security

  • HTTPS encryption for all data in transit
  • Row-level security on Supabase database tables
  • Access controls limiting which staff can access personal data
  • Regular review of third-party processor security practices

No system is completely secure. If you discover a security vulnerability, please report it responsibly to surfspots.contact@gmail.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email and update the "Last updated" date above. Continued use of the platform after changes constitutes acceptance of the revised policy.

14. Contact

Emailsurfspots.contact@gmail.com
Websitesurfspots.net
Operated byDungeon Studio Solutions

© 2026 Dungeon Studio Solutions · surfspots.net