Privacy Policy for Lazy Surf Report

Last updated: September 15, 2025

Legal Entity: LAZY SURF REPORT (Pty) Ltd.

1. Information We Collect

Information You Provide

• Account Information
  Email address, name, phone number (WhatsApp) and timezone when you register.
• Surf Preferences
  Your selected surf spots, favorite locations, and surf-related preferences.
• Surf Session Logs
  When you log surf sessions, we collect: date, time, surf spot location, wave conditions, your assessment of the session, and any notes you add.
• Chat Messages
  Conversations with our AI-powered WhatsApp assistant, including your questions and our responses, are stored to improve service quality and provide personalized recommendations.
• Payment Information
  Payment details are processed and stored by Polar (our payment processor). We do not store your full credit card information.

Information Automatically Collected

• Technical & Usage Data
  Via PostHog analytics: IP address, browser type, device identifiers, operating system, pages visited, time spent, and interaction patterns.
• Cookies & Similar Technologies
  We use cookies for authentication, preferences, and analytics. See Section 4 for details.

2. How We Use Your Information

• Service Delivery
  To provide surf forecasts, send WhatsApp messages, display personalized dashboards, and manage your subscription.
• AI-Powered Features
  Your chat messages are processed by OpenAI's API to power our intelligent WhatsApp assistant. Chat history is used to provide context-aware responses and improve personalization.
• Surf Forecasting
  We use Stormglass API to fetch surf forecast data for your selected spots.
• Personalization
  Your surf session logs and preferences help us tailor forecasts and recommendations to your surfing style and favorite spots.
• Analytics & Improvement
  To analyze usage patterns via PostHog and improve our service.
• Marketing Communications
  To send promotional or educational messages via WhatsApp (only with your consent).
• Account Management
  To authenticate you, process payments, and provide customer support.
• Legal Compliance
  To comply with legal obligations and enforce our Terms & Conditions.

3. Third-Party Sharing

We share your information with the following third-party service providers:

• Supabase
  Backend database hosting and user authentication. Data stored in their cloud infrastructure.
• Vercel
  Web application hosting and deployment.
• Polar
  Payment processing and subscription management. Polar collects and processes payment information according to their privacy policy.
• PostHog
  Product analytics and user behavior tracking.
• OpenAI
  AI-powered chat processing. Your WhatsApp messages are sent to OpenAI's API to generate responses. OpenAI's data usage policy applies.
• Stormglass
  Surf forecast data provider. We share surf spot locations to retrieve forecast data.
• WhatsApp (Meta)
  Message delivery platform. Your phone number and messages are processed by WhatsApp according to their terms.
• QStash (Upstash)
  Background job processing for scheduled messages and tasks.

We do not sell your personal data to third parties.

• Legal Compliance
  We may disclose information to comply with legal obligations, court orders, or to protect our rights and safety.

4. Cookies & Tracking Technologies

We use cookies and similar technologies to provide and improve our service:

• Essential Cookies
  Required for authentication, security, and core website functionality. These cannot be disabled.
• Analytics Cookies
  PostHog cookies track visitor engagement, page views, and user interactions to help us improve the service.
• Preference Cookies
  Remember your settings and preferences (e.g., timezone, theme).

Cookie Consent: Currently, we do not have a cookie consent banner. By using our service, you consent to our use of cookies as described. If you object to cookies, you can disable them in your browser settings, though this may affect functionality.

Managing Cookies: You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features.

5. Data Retention

• Account Data
  Retained until you delete your account.
• Chat History
  WhatsApp chat messages are retained until you delete your account.
• Surf Session Logs
  Retained until you delete your account.
• Analytics Data
  PostHog analytics data is retained according to PostHog's retention policy (typically 7 years).
• Payment Records
  Polar retains payment records for tax and legal compliance purposes (typically 7 years).
• After Account Deletion
  When you delete your account, we permanently erase your personal data within 30 days, except where we're legally required to retain certain records (e.g., payment history for tax purposes).

6. Data Security

We implement appropriate technical and organizational measures to protect your data:

• Encryption in transit (HTTPS/TLS) and at rest
• Secure authentication via Supabase
• Regular security updates and monitoring
• Access controls and role-based permissions
• Secure API integrations with third-party services

Data Breach Notification: In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law, typically within 72 hours of discovery.

7. International Data Transfers

Your data may be transferred to and processed in countries outside South Africa, including:

• United States (Supabase, Vercel, OpenAI, Polar)
• European Union (Stormglass, PostHog)

For transfers from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) and adequacy decisions under GDPR. For South Africa (POPIA), we ensure appropriate safeguards are in place.

8. Your Privacy Rights

Depending on your location, you have the following rights:

• GDPR (EU/EEA)
  Right to access, rectify, erase, restrict processing, data portability, object to processing, and withdraw consent.
• CCPA (California)
  Right to know what personal information is collected, right to delete, right to opt-out of sale (we do not sell your data), and right to non-discrimination.
• POPIA (South Africa)
  Right to access, correct, delete, object to processing, and lodge a complaint with the Information Regulator.

How to Exercise Your Rights: Contact us at support@lazy-surf-report.com. We will respond within 30 days. You can also delete your account directly through your account settings.

Account Deletion Process: Go to your profile settings → Account tab → Delete Account button. This will permanently delete your account and all associated data within 30 days.

9. Children's Privacy

Our service is not intended for individuals under 16. We do not knowingly collect data from minors. If you believe we have collected information from a child under 16, please contact us immediately.

10. Changes to This Policy

We may update this policy to reflect changes in practices or legal requirements. When we make material changes, we will update the "Last updated" date and notify you via email or through the service. Your continued use after changes constitutes acceptance.

11. Contact Us & Data Protection Officer

If you have questions, concerns, or wish to exercise your data rights, contact us at:

Email: support@lazy-surf-report.com
Legal Entity: LAZY SURF REPORT (Pty) Ltd.
Location: South Africa

For POPIA-related complaints, you may also contact the South African Information Regulator: inforegulator.org.za