Privacy Policy
Data Handling Policy
How SurfAuddy handles your personal data. We aim to align with GDPR, CCPA, and similar global privacy standards.
Section 01
What data we collect
Guest users (not signed in)
- IP address used for analysis — stored only as a SHA256 hash (raw IP is never stored)
- Uploaded surf video — deleted immediately after analysis
Signed-in users (Google OAuth)
- Email address
- Name
- Profile picture URL
We never receive or store your Google account password — sign-in uses the standard Google OAuth flow.
All users
- Analysis reports (strengths, weaknesses, fixes, drills)
- Frame captures from your video at weakness moments (still images only)
Section 02
Why we collect it
- To analyze your surf clip and return a report
- To enforce daily limits (1/day guest, 3/day signed-in)
- To save reports for signed-in users so they can revisit them later
- To create shareable links to your reports
Section 03
Retention & automatic deletion
| Data | Kept for | How it's deleted |
|---|---|---|
| Uploaded video | ~30–60s during analysis | Auto-deleted immediately after |
| Saved report (signed-in) | 90 days | Auto-deleted daily |
| Share links | 30 days | Auto-deleted daily |
| IP hash | 7 days | Auto-deleted daily |
| Account data | Until you delete it | Deleted upon request |
Section 04
Third-party processors
To run the service, we share data with the providers below. Each one uses the data only to perform its function, not for its own marketing.
| Provider | Purpose | Data handled |
|---|---|---|
| Google (Gemini API) | Generates the report from video | Video (deleted right after) |
| Google (OAuth) | Sign-in | Email, name, profile picture |
| Supabase | User auth & DB hosting | Account info, saved reports |
| Vercel | Web hosting & temporary storage | Video (deleted right after), share-link files |
Section 05
Your rights
- Access — view your saved reports anytime at My Reports
- Deletion — delete any report instantly via the "🗑️ Delete" button on each card
- Full account deletion — email us at the address below
- Revoke Google access — manage app permissions at the Google Account security page (look for "SurfAuddy")
Section 06
Security measures
- IP addresses are SHA256-hashed before storage (raw IP never kept)
- Google account passwords are never received or stored
- Videos are deleted from our server and Gemini right after analysis
- All traffic is HTTPS-encrypted
- Supabase Row Level Security restricts each user to their own data
- Admin credentials live in server environment variables only — never in code
Section 07
Cookies
- Session persistence (Supabase Auth, HttpOnly cookie, expires in 7 days)
- Temporary report storage in your browser's sessionStorage (cleared when the tab closes)
Section 08
Contact & exercising your rights
For privacy questions or to exercise any of the rights above, email us. We respond within 7 business days.
medal2614@gmail.com