Controller
Stephan Mirlach
Eichenstraße 10
85609 Aschheim
E-Mail: datenschutz@swellatlas.com
General information
This privacy policy informs you about the nature, scope and purpose of processing personal data when using Swell Atlas.
Personal data are all data that can be used to identify you personally.
Hosting and access data
This website is hosted by HOSTINGER, UAB, Švitrigailos Str. 34, LT-03230 Vilnius, Lithuania. When you access the website, we process access data (e.g., IP address, date/time of access, browser type, operating system, referrer URL, requested file).
Processing is necessary to deliver the website, to analyze errors and to ensure security (e.g., attack detection) based on Art. 6(1)(f) GDPR. Log data are stored only as long as required for these purposes (e.g., for defense and investigation of security incidents).
Where HOSTINGER acts as our processor, a data processing agreement (DPA) is in place.
Processors
We use service providers as processors. Data processing agreements (DPAs) are in place with these providers.
- Hostinger: hosting and infrastructure (HOSTINGER, UAB, Švitrigailos Str. 34, LT-03230 Vilnius, Lithuania)
- Supabase: authentication, database and file storage
- Cloudflare Turnstile: bot/spam protection for forms
User accounts and app content
When you register and use the app, we process your email address, user ID and any additional profile data you provide.
Processing is required to provide an account, authenticate you and deliver app features (Art. 6(1)(b) GDPR).
Content such as spots, sessions and photos is stored in the app and may be visible to other signed-in users depending on your settings and the specific feature. Recipients of your content may therefore include other app users.
Please do not upload content you do not have rights to publish or that contains sensitive personal data.
You can request deletion of your account and content at any time (see retention below).
Account deletion is currently only possible upon request via email to datenschutz@swellatlas.com. Please send the request from the email address associated with your account; if identification is otherwise not possible, we may request suitable proof.
Supabase (auth and database)
We use Supabase (Supabase Inc., 65 Chulia Street #38-02/03, OCBC Centre, Singapore 049513) for authentication, database and file storage.
Depending on configuration/region, data are processed in data centers within the EU (e.g., Frankfurt). Processing or access in third countries (e.g., for support, maintenance or by subprocessors) cannot be fully excluded.
Supabase acts as a processor on our behalf. A data processing agreement (DPA) is in place. For possible third-country transfers, Supabase refers, among other things, to Standard Contractual Clauses (SCC) pursuant to EU Commission Decision (EU) 2021/914.
Note: A static PDF version of the Supabase DPA is available; for a legally binding signature, Supabase provides execution via the Supabase dashboard.
More information: https://supabase.com/privacy and https://supabase.com/legal/dpa
Email communication (account confirmation and security)
We send transactional emails as part of registration and account use (e.g., account confirmation, password reset, security notices). For this we process your email address and delivery metadata.
Delivery is handled via Supabase Auth and an SMTP email service integrated there or a provider used by Supabase. Data may be processed outside the EU; the legal basis is Art. 6(1)(b) GDPR (contract/registration) and, where security-related, Art. 6(1)(f) GDPR.
More information on Supabase Auth emails: https://supabase.com/docs/guides/auth/auth-email-templates and SMTP: https://supabase.com/docs/guides/auth/auth-smtp
Location data (geolocation)
If you use the location feature (e.g., "Use my location"), your device can determine and transmit your approximate or precise location. This only happens with your explicit consent via the browser/OS prompt.
We use location data to center maps, show nearby places or provide location-based features. Location data are not stored permanently unless you save them as content (e.g., spot/session) in the app.
The legal basis is your consent (Art. 6(1)(a) GDPR). Where access to information on your device is relevant, this is additionally based on your consent under § 25(1) TDDDG. You can withdraw consent at any time by disabling location access in your browser/device settings.
Maps and geoservices
To display interactive maps, tiles, styles and related resources are loaded from MapTiler (MapTiler AG, Switzerland). Your browser/device connects to MapTiler (e.g., api.maptiler.com) or their CDN to deliver map content. Technical data such as IP address, date/time, requested resources and technical headers are processed.
Processing is necessary for user-friendly map display and security (e.g., misuse/attack detection) based on Art. 6(1)(f) GDPR. MapTiler may store IP addresses for security purposes for a limited period (according to the provider up to 2 months).
MapTiler is based in Switzerland; the EU Commission has issued an adequacy decision for Switzerland.
More information about MapTiler: https://www.maptiler.com/privacy-policy/
Map data are based on OpenStreetMap data (© OpenStreetMap contributors). Copyright/licensing and attribution: https://www.openstreetmap.org/copyright
Note: As long as tiles/styles are loaded via MapTiler, the map content is technically retrieved from MapTiler; OpenStreetMap provides the underlying geodata as data source/licensor.
We use the public geocoding service of the OpenStreetMap Foundation (OSMF) at nominatim.openstreetmap.org. For this service, the OSMF Privacy Policy and Nominatim Usage Policy apply: https://osmfoundation.org/wiki/Privacy_Policy and https://operations.osmfoundation.org/policies/nominatim/
The OpenStreetMap Foundation (OSMF) processes requests to nominatim.openstreetmap.org under its own responsibility. See the OSMF privacy notices linked above for details.
OSMF is based in the United Kingdom; the EU Commission has issued an adequacy decision for the UK.
Please do not enter personal data or confidential content into the search field.
Security service (Cloudflare Turnstile)
We use Cloudflare Turnstile (Cloudflare, Inc., USA) as bot and spam protection for forms and access.
Turnstile is embedded via challenges.cloudflare.com. Your browser connects to Cloudflare.
Cloudflare processes signals such as IP address, TLS fingerprint, user agent, sitekey information and the associated origin information.
Roles: For bot detection, Cloudflare acts as our processor. In addition, Cloudflare processes certain signals under its own responsibility to improve Turnstile.
Processing may take place in the USA. The basis for third-country transfers includes Standard Contractual Clauses (SCC) in the Cloudflare Customer DPA and, where applicable, other suitable safeguards (e.g., certification under the EU-U.S. Data Privacy Framework).
Turnstile issues a one-time token by default. Pre-clearance is disabled by default; with Turnstile only, no cf_clearance cookie is typically set. If pre-clearance is enabled, a technically necessary cf_clearance cookie may be set.
In Managed Mode, Cloudflare decides based on client-side signals and a risk level whether an interaction is required.
Note on automated processing: bot/fraud detection may involve automated risk scoring. This serves security purposes only and has no legal effect or similarly significant impact under Art. 22 GDPR.
More information: https://www.cloudflare.com/turnstile-privacy-policy/ and https://www.cloudflare.com/privacypolicy/
Cookies, local storage and cache
We use technical storage mechanisms such as local storage and the service worker cache to store settings and speed up the app.
In addition, it may be technically necessary for embedded services (e.g., Cloudflare Turnstile) to transmit tokens and/or set technically necessary cookies (e.g., cf_clearance only if pre-clearance is enabled).
No advertising/tracking cookies are used.
Consent is not required for technically necessary storage/access; these are used solely to operate the app.
The legal basis for storing/reading technically necessary information on your device is § 25(2) TDDDG (formerly TTDSG), where applicable.
Legal bases
- Art. 6(1)(b) GDPR for providing the user contract and the app.
- Art. 6(1)(f) GDPR for legitimate interests (operation, security, abuse prevention).
- Art. 6(1)(a) GDPR where we request your consent in individual cases.
- § 25(1) TDDDG where we request consent for access to device information (e.g., location access).
- § 25(2) TDDDG (formerly TTDSG) for technically necessary storage/access on end devices.
Provision requirement
Providing certain data (especially email address) is required for registration and use of a user account. Without this information, the account cannot be created or the app used as intended.
Data protection officer
We are currently not required to appoint a data protection officer and have not appointed one.
Retention
We store personal data only as long as necessary for the stated purposes or where legal retention obligations apply.
If you delete your user account, associated account data and content are generally deleted or anonymized unless legal retention obligations or legitimate reasons (e.g., abuse prevention, legal enforcement) require retention.
Your rights
- Right of access to your stored data (Art. 15 GDPR)
- Right to rectification of inaccurate data (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR)
- Right to withdraw consent with effect for the future (Art. 7(3) GDPR), where processing is based on consent
Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. The competent authority for us (Bavaria) is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany. Online services and contact: https://www.lda.bayern.de/de/index.html
Contact via WhatsApp
You can also contact us via WhatsApp (WhatsApp: +49 160 5455463). If you use WhatsApp, personal data (especially your phone number, profile information, message content as well as connection and device data) are processed by WhatsApp.
The provider for users in the EU/EEA is WhatsApp Ireland Limited (Meta), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. WhatsApp processes data under its own responsibility; WhatsApp's privacy policy applies.
We process the data you submit via WhatsApp solely to respond to your request and to conduct communication (Art. 6(1)(b) GDPR for pre-contract/contract communications, otherwise Art. 6(1)(f) GDPR). Please do not send particularly sensitive content (e.g., health data) via WhatsApp and prefer email for time-sensitive declarations.
Transfers to third countries (especially the USA) cannot be excluded when using WhatsApp. WhatsApp refers to safeguards such as EU-U.S. Data Privacy Framework certification and/or Standard Contractual Clauses (SCC).
More information: https://www.whatsapp.com/legal/privacy-policy-eea and https://www.whatsapp.com/legal/data-privacy-framework
Contact
For data protection inquiries, contact us at datenschutz@swellatlas.com.
Alternatively (general inquiries): WhatsApp: +49 160 5455463
Account deletion: Please send your request from the email address associated with your account. We usually process requests within one month.
Changes
We reserve the right to update this privacy policy as needed.