Privacy Policy

Effective Date: February 20, 2026  |  Last Updated: February 20, 2026

This Privacy Policy ("Policy") describes how friend.surf ("we," "us," or "our"), operated under Friend Surf, registered in Portugal, collects, uses, processes, stores, and discloses your personal data when you access or use our website at friend.surf, our mobile applications, and all related services (collectively, the "Service"). This Policy applies to all users worldwide, with specific provisions for residents of the European Economic Area ("EEA"), United Kingdom, Switzerland, and Portugal.

We are committed to protecting your privacy and processing your personal data in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), the Portuguese Lei n.º 58/2019 implementing the GDPR, the Portuguese Constitution (Article 35 on the use of information technology), and all other applicable data protection legislation.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree with this Policy, please do not use the Service.

1. Data Controller

The data controller responsible for processing your personal data is:

  • Entity: Friend Surf
  • Operating as: friend.surf
  • Registered Address: Available upon written request
  • Data Protection Contact: privacy@friend.surf

For GDPR purposes, we act as the "controller" of your personal data, meaning we determine the purposes and means of processing.

2. Categories of Personal Data We Collect

2.1 Data You Provide Directly

  • Account Registration Data: Email address, display name, username, and password (stored in hashed form using the industry-standard bcrypt password hashing algorithm, never in plaintext). If you register through Apple Sign In or Google Sign In, we receive your name and email address as permitted by your authentication settings.
  • Profile Data: Biographical information, surf experience level (beginner, intermediate, advanced, professional), preferred stance (regular, goofy), board types, profile photograph, preferred surf spots, and any other information you voluntarily add to your public profile.
  • User Generated Content: Posts, photographs, videos, comments, reviews, session logs, spot reports, and any other content you create, upload, or share through the Service.
  • Communications: Direct messages sent to other users, messages in crew chats and group conversations, and communications you send to us via email, contact forms, or support channels.
  • Form Submissions: Information you submit through our waitlist registration, contact forms, ambassador applications, and feedback surveys, including your name, email, location, and any free text responses.
  • Transaction Data: If you make purchases or subscribe to premium features, we process payment information through our third-party payment processor (Stripe, Inc.). We do not store your full credit card number, CVV, or other sensitive payment credentials on our servers. We retain transaction identifiers, purchase amounts, and subscription status.

2.2 Data Collected Automatically

  • Device Information: Device type, manufacturer, model, operating system and version, unique device identifiers (including advertising identifiers where permitted), screen resolution, and browser type and version.
  • Usage Data: Pages visited, features used, actions taken within the Service, time spent on pages, navigation paths, search queries, and interaction patterns.
  • Location Data: With your explicit, informed consent, we collect precise geolocation data from your device to provide location-based features such as finding nearby surf spots, connecting you with local surfers, and displaying localized content. You may revoke location permissions at any time through your device settings. When location permission is not granted, we may derive approximate location from your IP address.
  • Log Data: Internet Protocol (IP) address, access timestamps, referring and exit URLs, HTTP method, response codes, and data transfer volumes.
  • Cookie and Tracking Data: Information collected through cookies, pixel tags, web beacons, and similar technologies as described in our Cookie Policy.

2.3 Data from Third Parties

  • Authentication Providers: When you use Apple Sign In or Google Sign In, we receive limited profile information as authorized by your settings with those providers.
  • Analytics Providers: We receive aggregated and, where necessary, pseudonymized usage analytics from PostHog and similar tools.
  • Surf Condition Data: We obtain meteorological and oceanographic data from public APIs (including the Open-Meteo Marine API), which does not contain personal data.

3. Legal Bases for Processing (GDPR Article 6)

We process your personal data only when we have a valid legal basis under the GDPR:

  • Performance of Contract (Article 6(1)(b)): Processing necessary to provide the Service you have requested, including account creation, profile management, content delivery, messaging, and community features.
  • Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, provided those interests are not overridden by your fundamental rights. This includes fraud prevention, security monitoring, service improvement, analytics, and direct marketing to existing users (with opt-out). We conduct legitimate interest assessments for each processing activity relying on this basis.
  • Consent (Article 6(1)(a)): Processing based on your freely given, specific, informed, and unambiguous consent. This includes precise location data collection, non-essential cookies, and marketing communications to non-users. You may withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal.
  • Legal Obligation (Article 6(1)(c)): Processing necessary to comply with applicable laws, including tax regulations, court orders, and data retention requirements under Portuguese and EU law.

4. Purposes of Processing

We use your personal data for the following specific purposes:

  • Service Provision: To create and manage your account, deliver the core features of the Service, process your requests, and facilitate community interactions.
  • Personalization: To customize your experience, including personalized content recommendations, suggested connections, and relevant surf spot information based on your preferences and location.
  • Communication: To send you Service related notifications (session invitations, crew updates, direct messages), respond to your inquiries, and provide customer support.
  • Safety and Moderation: To detect and prevent fraud, abuse, harassment, and violations of our Terms of Service and Community Guidelines, including automated content screening and manual review where necessary.
  • Analytics and Improvement: To understand how the Service is used, identify trends and issues, measure the effectiveness of features, and improve the overall user experience.
  • Marketing: To send you promotional communications about new features, events, and updates, subject to your communication preferences and applicable opt-in/opt-out requirements.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests.

5. Data Sharing and Disclosure

We do not sell your personal data. We share personal data only in the following circumstances:

  • With Other Users: Your public profile information, posts, and crew memberships are visible to other users of the Service as part of its community functionality. You control what information appears on your public profile.
  • Service Providers: We engage trusted third-party companies to perform services on our behalf, including cloud hosting (Cloudflare, Inc.; Supabase, Inc.), payment processing (Stripe, Inc.), analytics (PostHog), email delivery, and content delivery networks. These providers are contractually bound to process your data only on our instructions and in accordance with this Policy.
  • Legal Requirements: We may disclose your data when required by law, subpoena, court order, or governmental regulation, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, to investigate fraud, or to respond to a government request.
  • Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy.
  • With Your Consent: We may share your data for any other purpose with your explicit consent.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside the EEA, including the United States, where our service providers operate. When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914)
  • Adequacy decisions by the European Commission where applicable
  • The EU-U.S. Data Privacy Framework for certified U.S. recipients
  • Binding Corporate Rules where applicable

You may obtain a copy of the safeguards we use for international transfers by contacting us at privacy@friend.surf.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including satisfying legal, accounting, or reporting requirements.

  • Account Data: Retained for the duration of your account. Upon account deletion, we remove or anonymize your data within 30 days, except where longer retention is required by law.
  • User Generated Content: Retained until you delete it or delete your account. Cached copies may persist in our backup systems for up to 90 days after deletion.
  • Transaction Records: Retained for 7 years in accordance with Portuguese tax and commercial law requirements.
  • Log Data: Retained for up to 12 months for security and analytics purposes, then automatically deleted or anonymized.
  • Marketing Preferences: Retained until you modify your preferences or delete your account.

8. Your Rights Under the GDPR

If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights regarding your personal data. These rights are not absolute and may be subject to limitations as provided by applicable law:

  • Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data, along with information about the processing.
  • Right to Rectification (Article 16): You have the right to have inaccurate personal data corrected and incomplete data completed.
  • Right to Erasure (Article 17): You have the right to request deletion of your personal data in certain circumstances, including when the data is no longer necessary for its original purpose, when you withdraw consent, or when the data has been unlawfully processed.
  • Right to Restriction of Processing (Article 18): You have the right to request that we restrict processing of your data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
  • Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
  • Right to Object (Article 21): You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. When you object to direct marketing, we will cease processing immediately.
  • Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing performed before the withdrawal.
  • Right Not to Be Subject to Automated Decision Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.

To exercise any of these rights, please contact us at privacy@friend.surf. We will respond to your request within 30 days, as required by the GDPR. If we need additional time (up to 60 additional days for complex requests), we will inform you of the extension and the reasons for the delay.

9. Right to Lodge a Complaint

If you believe that our processing of your personal data infringes the GDPR or applicable data protection law, you have the right to lodge a complaint with a supervisory authority. The relevant supervisory authority for Portugal is:

  • Comissão Nacional de Proteção de Dados (CNPD)
  • Rua de São Bento, 148, 3º, 1200-821 Lisboa, Portugal
  • Website: www.cnpd.pt
  • Email: geral@cnpd.pt

You also have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work, or the place of the alleged infringement.

10. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS 1.3
  • Encryption of sensitive data at rest using AES-256
  • Password hashing using bcrypt with appropriate cost factors
  • Row Level Security (RLS) policies in our database to enforce access controls
  • Regular security assessments and vulnerability scanning
  • Access controls based on the principle of least privilege
  • Secure software development practices including code review and dependency auditing
  • Incident response procedures for data breach detection and notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the CNPD within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay, as required by GDPR Article 34.

11. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data without verifiable parental consent, we will take steps to delete that information. If you believe that a child under 16 has provided us with personal data, please contact us at privacy@friend.surf.

12. Third-Party Links and Services

The Service may contain links to third-party websites, applications, or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service before providing your personal data. This Policy applies solely to data collected through the Service.

13. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting a prominent notice on the Service and, where required, by sending you an email notification at least 30 days before the changes take effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy.

We encourage you to review this Policy periodically for the latest information on our privacy practices.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

We aim to resolve all privacy-related inquiries and complaints within 30 days of receipt.