Legal
Privacy Policy
Last updated: April 2026
Overview
MysticSwell ("we", "us", "our") is a UK surf forecasting platform. We are committed to protecting your privacy and being transparent about how we handle your data. This policy explains what we collect, why, and how you can control it.
What We Collect
Account information
When you create an account, we collect:
- Email address — used for passwordless sign-in (magic link codes) and surf alerts.
- Name (optional) — first and last name, if you choose to provide them during sign-up.
- Surf ability level (optional) — used to tailor forecast recommendations.
We do not collect passwords. Authentication uses one-time verification codes sent to your email.
Account activity
- Favourite spots — saved to your account so they appear across devices.
- Surf alerts — your configured alert thresholds (wave height, wind speed, quality) and which spots you're tracking.
- Forecast feedback — if you submit accuracy feedback, we store the spot, date, and your response.
- Unit preferences — whether you prefer metric or imperial units.
User-generated content
If you upload photos or post local knowledge:
- Photos — uploaded images are stored on our servers. We strip EXIF metadata (including GPS location data) before storage. Photos are re-encoded to remove any embedded data.
- Posts and captions — text content you submit is stored alongside your first name and the associated spot.
- Likes — we record which photos and posts you've liked.
All user-generated content is reviewed before publication. We may remove content that violates our terms.
Automatically collected data
- Server logs — IP address, pages visited, browser type, and referring URL. Retained for up to 30 days for operational and security purposes.
- Session data — a secure session cookie to keep you logged in. Session tokens are hashed before storage.
- Last visited spot — stored as a cookie to personalise your homepage.
Analytics
We may use privacy-respecting analytics (such as Google Analytics 4) to understand how the site is used. This helps us improve the service. We do not use analytics data for advertising or share it with advertisers.
How We Use Your Data
- Provide the service — deliver forecasts, manage your account, save your preferences.
- Send verification codes — one-time codes for passwordless sign-in via email.
- Send surf alerts — email notifications when conditions at your favourite spots meet your thresholds. You can disable these at any time.
- Improve forecast accuracy — aggregate forecast feedback helps us calibrate our scoring models.
- Moderate content — review user-uploaded photos and posts before publication.
- Maintain security — detect and prevent abuse, rate limiting, and ban enforcement.
What We Don't Do
- We do not sell your data to third parties.
- We do not use your data for targeted advertising.
- We do not use tracking pixels or advertising cookies.
- We do not share your email address with other users (only your first name is visible on community content).
- We do not retain GPS/EXIF data from uploaded photos.
Cookies
We use the following cookies:
- session — authentication session cookie. HttpOnly, secure in production, expires after 7 days.
- lastVisitedSpotId — remembers your last viewed spot for homepage personalisation. Expires after 30 days.
We also use browser local storage for unit preferences (metric/imperial) and UI state. This data never leaves your device.
All cookies are first-party and functional. We do not use advertising or third-party tracking cookies.
Third-Party Services
- NOAA (GFS wave model) — publicly available forecast data. No user data is sent to NOAA.
- UK Hydrographic Office (Admiralty) — tidal prediction data. No user data is shared.
- OpenRouter AI — we use AI models to generate surf condition summaries. No personal user data is included in AI requests.
- CARTO / MapLibre — the interactive swell charts load map tiles from third-party servers. Their standard privacy policies apply to tile requests.
- Google Fonts — web fonts are loaded from Google's servers. Google's privacy policy applies.
- SMTP email provider — verification codes and surf alerts are sent via our email service provider. Your email address is shared with this provider solely for delivery purposes.
Data Retention
- Account data — retained for as long as your account is active. You can request deletion at any time.
- Uploaded photos — retained until you delete them or we remove them during moderation.
- Community posts — retained until you delete them or we remove them during moderation.
- Server logs — rotated and deleted after 30 days.
- Session tokens — automatically expire after 7 days.
- Magic link codes — expire after 15 minutes and are single-use.
Data Security
We take reasonable measures to protect your data:
- HTTPS encryption for all connections in production.
- Session tokens are hashed (SHA-256) before database storage.
- Magic link verification codes are hashed before storage and compared using timing-safe functions.
- Uploaded images are re-encoded to strip metadata and prevent malicious payloads.
- Rate limiting on authentication and upload endpoints to prevent abuse.
- Content Security Policy (CSP) headers to mitigate cross-site scripting.
Your Rights
Under UK data protection law (UK GDPR), you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — update or correct your account information.
- Erasure — request deletion of your account and all associated data.
- Portability — receive your data in a machine-readable format.
- Withdraw consent — unsubscribe from surf alerts or delete your account at any time.
To exercise any of these rights, contact us at [email protected].
Children's Privacy
MysticSwell is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has created an account, please contact us and we will delete it.
Changes to This Policy
We may update this policy from time to time. Changes will be reflected on this page with an updated date. If we make material changes, we will notify registered users by email. Continued use of the service constitutes acceptance of the current policy.
Contact
If you have questions about this privacy policy or how we handle your data, please email [email protected].