# Privacy Policy

Effective date: April 16, 2026

SurfVault, Inc. ("SurfVault", "we", "us", or "our") operates the SurfVault website at surf-vault.com and the SurfVault mobile application (collectively, the "Service"). This Privacy Policy explains what information we collect, how we use it, how we share it, and the choices you have.

By using the Service, you agree to the collection and use of information in accordance with this Policy.

---

## 1. Information We Collect

### 1.1 Information you provide directly

Account information. When you sign up, we collect your email address and name through our authentication provider (Auth0). If you sign in with Apple or Google, we receive your email and name from that provider.

Profile information. You can add a handle (username), profile picture, bio, status note, social links (Instagram, YouTube, website), tags, home surf break, and photographer/surfer preference. You can also mark your profile as Public or Private.

Content. You can upload surf session photos and create sessions tied to surf breaks, dates, and locations. You can tag other users in sessions. You can create named groups within sessions to organize photos.

Direct messages. When you message another user, we store the message content so it can be delivered, displayed, and retrieved by the recipient.

Access requests. If you request access to a private user's photos, we store the request and its status. Approved requests grant you time-limited access to view and download specified photos.

### 1.2 Information collected automatically

Location. With your permission, we collect your device's precise location to show you nearby surf breaks, photographers, and sessions on the map and discover feed. You can revoke this permission at any time in your device settings.

Device and push information. When you enable notifications, we collect an Expo push token that identifies your device for the purpose of delivering notifications. We also collect standard device information (operating system, app version) as part of normal API requests.

Usage and interaction data. We collect information about how you interact with the Service, including:

- Pages and sessions you view (used to surface "popular" and "recently viewed" content, and to provide view counts to photographers)

- Search queries (used to show your recent searches and improve discovery)

- Follow, favorite, and access-request events

Billing information (web only). If you subscribe to a paid plan on surf-vault.com, our billing provider (Chargebee) collects and processes your payment information directly. We do not store or collect payment card numbers ourselves. The mobile app does not accept payments.

---

## 2. How We Use Your Information

We use the information we collect to:

- Create and maintain your account

- Display your profile and content to other users according to your privacy settings

- Deliver messages, notifications, and access request updates

- Find and display surf breaks, sessions, and photographers near you

- Operate subscription and billing features (via Chargebee)

- Keep the Service secure and prevent abuse

- Improve the Service through internal analytics on how features are used

- Communicate with you about your account, service updates, and support requests

We do not use your information for advertising and we do not share your data with third-party advertising networks or data brokers.

---

## 3. How We Share Your Information

We share your information only as described below:

### 3.1 With other users

Your public profile, handle, profile picture, verification status, tags, and — if your profile is Public — your sessions and photos are visible to other users of the Service. If you make your profile Private, your sessions and photos are only visible to users who have been granted access.

Your active status ("currently shooting at [break]") and status note, if set, are visible to other users.

### 3.2 With service providers

We share limited information with the following third-party processors that help us operate the Service:

- Auth0 (Okta, Inc.) — authentication, sign-in, and identity management

- Amazon Web Services (AWS) — hosting of our API, database (RDS), and photo storage (S3); content delivery (CloudFront)

- Chargebee, Inc. — subscription billing (web only)

- Pusher Ltd. — real-time delivery of notifications and messages (WebSockets)

- Expo (650 Industries, Inc.) — push notification delivery

- Geoapify — geocoding for location search

- Google LLC — Google Picker API (if you choose to import photos from Google Drive)

- Apple Inc. — Sign in with Apple and App Store services

Each processor handles data only for the purposes described, subject to their own privacy policies and our data processing agreements.

### 3.3 For legal reasons

We may disclose your information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to protect the rights, property, or safety of SurfVault, our users, or the public.

### 3.4 Business transfers

If SurfVault is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal information.

---

## 4. Data Retention

- Account data is retained for as long as your account is active.

- Photos and uploads are retained while your account is active and follow the lifecycle we've configured for storage costs (originals move to lower-cost storage tiers after 30 days and 90 days).

- Messages are retained indefinitely for both participants. If one participant deletes their account, the messages remain visible to the other participant but the deleted user is shown as "Deleted User".

- Watermarked previews and download archives are temporary and expire within 7 days.

- Search history and product interaction events are retained for operational and analytics purposes.

---

## 5. Account Deletion

You can delete your SurfVault account at any time from within the app or on the website:

- Mobile: Profile → Account → Close Account

- Web: Plans page → Close Account

When you request deletion:

- Your account is immediately scheduled for permanent deletion in 30 days

- Your profile is hidden from other users

- Your active status is cleared, push notifications stop, and any paid subscription is set to cancel at the end of your current billing period

- You can log back in during the 30-day window to cancel the deletion and restore your account

After the 30-day grace period ends, we permanently delete:

- All of your uploaded photos from every storage bucket (originals, previews, thumbnails, and watermarked variants)

- Your profile picture

- Your sessions, uploads, favorites, follows, access requests, notifications, search history, bookings, and download job records

- Your Auth0 identity

Your user record is then anonymized: your name is set to "Deleted User", your handle is replaced with a non-identifying string, your email is removed, and all profile fields are cleared. This anonymization preserves conversation integrity for other users you may have messaged, but nothing that personally identifies you remains.

This deletion is permanent and cannot be undone after the 30-day grace period.

---

## 6. Your Privacy Rights

Depending on where you live, you may have the following rights:

- Access — Request a copy of the personal information we hold about you

- Correction — Correct information that is inaccurate or incomplete (most profile fields can be edited directly in the app)

- Deletion — Delete your account and associated data (see Section 5)

- Portability — Receive your personal information in a portable format

- Opt-out of communications — Disable push notifications in your device settings; we do not send marketing email

To exercise any of these rights, or to ask questions about your data, contact us at the email below. We will respond within 30 days.

### California residents (CCPA/CPRA)

California residents have the right to know, delete, correct, and opt out of the sale or sharing of their personal information. We do not sell or share personal information as those terms are defined under California law.

### European Economic Area, UK, and Switzerland (GDPR / UK GDPR)

If you are in the EEA, UK, or Switzerland, our legal basis for processing your personal information is:

- Contract — to provide the Service you signed up for

- Legitimate interests — to operate, secure, and improve the Service

- Consent — for location access and push notifications

You may also lodge a complaint with your local data protection authority.

---

## 7. Security

We use industry-standard security measures to protect your information, including:

- Encrypted connections (HTTPS/TLS) for all network traffic

- Encrypted storage for sensitive tokens on your device (expo-secure-store / iOS Keychain)

- Signed JWT access tokens for authenticated API requests

- Presigned S3 URLs for direct, scoped photo access

- Automated backups of our primary database

No method of transmission or storage is 100% secure. While we take reasonable steps to protect your data, we cannot guarantee absolute security.

---

## 8. Children's Privacy

SurfVault is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us information, please contact us and we will delete the account.

---

## 9. International Users

SurfVault is operated from the United States. If you use the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country.

---

## 10. Third-Party Links and Content

The Service may contain links to third-party websites or services (for example, social media links you add to your profile). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.

---

## 11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the Service and update the effective date at the top of this page. Your continued use of the Service after a change means you accept the updated Policy.

---

## 12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Email: logan@surf-vault.com

Website: https://www.surf-vault.com