Wavemaps Privacy Policy

Privacy Policy  Effective Date: October 12, 2025

1. Introduction    

Wavemaps (“Wavemaps,” “we,” “us,” or “our”) develops the Wavemaps mobile application (the “App”) for iOS and Android, along with limited web content it links to (e.g., https://www.wavemaps.com/global). This Privacy Policy explains how we collect, use, share, and safeguard personal  data, and describes your rights under applicable laws including the EU/UK General Data Protection Regulation (GDPR). By using the App, you acknowledge that you have read and understand this Policy.  

2. Data Controller & Contact    

Wavemaps is the data controller for processing described here. Email (privacy inquiries): info@wavemaps.com     Email (general support): info@wavemaps.com  

3. Scope & Updates    

This Policy applies to the App, its embedded mini-apps, and any in-app browsers that open Wavemaps-owned pages. It does not cover third-party sites or services we link to. We may update the Policy; material changes will be highlighted in-app or on our website. Continued use after an  update constitutes acceptance.  

4. Personal Data We Collect    

4.1 Account & Authentication Data: Email address, password (hashed and stored by Firebase), optional display name/photo, and unique user ID when you create an account or sign in with email, Google, or Apple.    

4.2 Subscription & Purchase Data: From RevenueCat we receive your anonymized app-user ID, active subscription identifiers, entitlement status, and transaction metadata; Apple App Store or Google Play process payment details directly.    

4.3 User Preferences & Favorites: Theme, measurement units, onboarding state, preferred mesh/region, notification toggle, favorite spot slugs, and similar selections stored in your Firebase Firestore “users” document.    

4.4 Location Data: With your consent, the App reads the device’s current location to center maps, calculate distances, and list nearby spots. Coordinates are kept in device memory and are not persisted to our databases.    

4.5 Usage & Diagnostics: Firebase Analytics records sign-in method, sign-out, guest-mode selection, and certain error events. Mapbox (our mapping SDK) may collect device identifiers, IP address, rough location, and interaction data per its own policy.    

4.6 Support Communications: If you email us, we process the contents of your message and the contact details you provide.    

4.7 Device Storage: AsyncStorage keeps session timestamps, last viewed tabs, and similar UI state to improve usability; entries auto-reset after approximately ten minutes of inactivity or when you clear the App’s storage.  We do not intentionally collect special categories of data (e.g., health, racial, biometric) or data from children under 16.

5. How We Use Personal Data

 - Provide and secure account-based access, including email verification and password reset.  - Remember your forecasting preferences, favorite spots, and onboarding completion.  - Deliver localized map experiences and nearby recommendations when you grant location access.  - Enable and reconcile in-app purchases and subscriptions.  - Monitor authentication flow health, detect abuse, and fix issues using aggregated analytics.  - Respond to support requests and communicate material updates.  - Comply with legal obligations and enforce our terms.

6. Legal Bases for Processing (EU/UK)

 - Contract performance: operating the App, providing paid features, and responding to user requests.  - Legitimate interests: safeguarding the service, analyzing anonymized usage to improve features, enforcing rights.  - Consent: accessing precise device location; sending optional marketing if you opt in (none at present).  - Legal obligation: handling lawful requests and maintaining necessary records.

7. Sharing & Disclosure    

We do not sell or rent personal data. We share it only with:

 - Firebase (Google LLC): authentication, Firestore storage, and analytics (United States/EU data centers).  - Google Sign-In / Apple Sign-In: identity verification for social login.  - RevenueCat Inc.: subscription and entitlement management (USA).  - Mapbox Inc.: map tiles, geospatial rendering, and location puck services (USA/EU).  - Cloud hosting providers that serve static forecast assets under Wavemaps’ control. - Professional advisors or authorities when legally required or to protect our rights.    All vendors act as processors under agreements that require appropriate safeguards.

8. International Transfers    

Our primary infrastructure and key vendors operate in the United States. When transferring data from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses or equivalent safeguards and assess partner practices to protect your information.  

9. Retention

 - Account and preference data: retained while your account is active and for up to 30 days after deletion to complete closure, unless legal obligations require longer storage.  - Subscription records: retained as needed for financial reconciliation and audit requirements (generally seven years).  - Analytics: retained according to Firebase defaults (currently up to 14 months) unless we shorten the window.  - Location data: processed in real time only.  - Support emails: kept while resolving your request and for up to two years afterward for reference.    We anonymize or delete data once retention needs expire.

 10. Security    

We apply technical and organizational measures including HTTPS encryption, Firebase security rules, role-restricted access to Firestore, credential hashing by Firebase Auth, and monitoring of third-party SDK updates. No system is perfectly secure; report suspected incidents to info@wavemaps.com.  

11. Your Privacy Choices

 - Account management: update profile or delete your account from within the App (where available) or by emailing us at info@wavemaps.com.  - Location: enable or disable in your device settings at any time; functionality may degrade if disabled.  - Email preferences: unsubscribe or opt out by contacting privacy@wavemaps.com.

12. Your Rights    

If you are in the EEA, UK, or similar jurisdictions you may request: access, rectification, erasure, restriction, portability, or objection to certain processing, and withdrawal of consent where given. California residents may request disclosure, deletion, and confirmation of no “sale”  of personal data. Submit requests to info@wavemaps.com, and we will respond within applicable timelines. You may lodge a complaint with your local supervisory authority if you believe we have violated data protection laws.  

13. Guest Mode    

If you continue as a guest, we do not create a Firebase user record. Only device-level analytics events and map interactions are processed, as described above. You can later create an account to sync preferences.  

14. Children     The App is not directed to individuals under 16, and we do not knowingly collect their personal data. If you believe a child has provided personal data, contact us so we can delete it promptly.  

15. Changes to This Policy    

We may revise this Policy to reflect new features or regulatory changes. We will post the effective date at the top and, where required, notify you of material updates before they take effect.  

16. Contact    

For privacy questions, data requests, or complaints, email info@wavemaps.com. We aim to respond within 30 days.