Privacy Policy

Who we are

SurfX is operated by Surf X Digital and Services, a company based in Doha, Qatar. This Privacy Policy explains what we collect, how we use it, and the choices you have.

Operating entity: Surf X Digital and Services Address: Lusail Towers 1, Lusail, Qatar Privacy contact: hello@surfxapp.com

This policy covers both surfxapp.com (this website) and the SurfX mobile app (iOS and Android). The two products collect different things, so we've split the sections accordingly.

What the website collects

The website is intentionally light. The only personal data we collect here is your email address, and only if you sign up to our launch list or newsletter.

That email is stored in our database (Supabase) and is used only to email you about SurfX: launch news, app availability, and the occasional venue update. We do not run third-party analytics, ad pixels, or behavioural tracking on the website.

You can ask us to delete your email at any time by writing to hello@surfxapp.com, or by using the unsubscribe link in any email we send.

How you sign in to the app

The SurfX mobile app uses phone-number sign-in with a one-time password (OTP). You enter your phone number, we send a six-digit code via SMS, and you confirm it inside the app. We do not currently offer third-party sign-in (no Apple ID, Google, or social logins), and we do not store passwords.

What the app collects

The SurfX mobile app collects more, because it has to in order to work. We try to keep it to what's actually needed.

Account information

Phone number: required to sign in to the app. We use it to verify your identity at signup via a one-time password (OTP) sent over SMS, and for account recovery. We send the OTP via Twilio.
Name: so venues know who's showing up.
Age: some venues and activities have age requirements (water sports, hotel pools, alcohol-licensed venues), and we use age to filter what's bookable for you.
Email address (optional): used to send booking confirmations and, if you opt in, our newsletter. You can sign in to SurfX and use the app without providing an email.

Location

If you grant location permission, we use your device's location to show you the nearest venue and to sort listings by distance. Location is used in real time on your device. We don't track or store a continuous location history.

When you view venues on a map, the app uses Google Maps to render the map. Google receives the map area you're viewing and, if you've allowed location, your approximate location to centre the map on you. Google's privacy policy applies to the data they handle. You can browse SurfX in list view to avoid sharing location data with Google.

Photos

You can upload photos to your profile or to venue reviews. Photos you upload are stored on our infrastructure and shown to other users only where you've chosen to publish them (e.g. a public review). You can delete uploaded photos from inside the app.

Bookings and payments

When you book a venue or activity, we store the booking record (venue, date, time, party size, total amount) and link it to your account. Payments are processed through a Qatar-licensed payment gateway. The gateway receives the transaction amount, your name, and a booking reference. We do not see or store your full card number, CVV, or expiry date — that information goes directly from your device to the gateway. The gateway's own privacy policy applies to the card data it handles.

Push notifications

If you allow notifications, we store a push notification token issued by your device (via Apple Push Notification Service on iOS, Firebase Cloud Messaging on Android) so we can deliver booking confirmations and venue updates you opt into. You can turn notifications off in your device settings at any time, which invalidates the token on your device.

App diagnostics and crash data

We collect basic diagnostic information about crashes and app stability so we can fix bugs. This data flows through Firebase Crashlytics (a Google service) and includes a device identifier, the device model, the operating system version, the app version, and the screen the crash happened on. We do not link diagnostic data to advertising profiles, and we do not use it for marketing. We do not run any app-usage analytics beyond crash reporting.

Who we share data with

We don't sell your data, we don't share it with advertisers or data brokers, and the SurfX app does not show any ads. We do share specific information with specific service providers, only to make the product work:

SMS verification (Twilio): receives your phone number to send the OTP at signup.
Website launch list (Supabase): stores your email address if you sign up to the launch list on surfxapp.com.
App backend hosting: stores your account, bookings, and uploaded content on our cloud infrastructure in the United States, under access controls.
Payments: when you book through the app, your payment is processed by a Qatar-licensed payment gateway. The gateway receives the transaction amount, your name, and a booking reference.
Maps (Google Maps SDK): when you view venues on a map, Google may receive the map area and your approximate location to render the map.
Push notifications (Apple Push Notification Service for iOS, Firebase Cloud Messaging for Android): deliver booking confirmations and venue alerts to your device, when you've opted in.
Crash reporting (Firebase Crashlytics): receives anonymised diagnostic data when the app crashes or behaves unexpectedly, so we can fix the issue.
Venues you book: receive your name, email, and booking details so they can fulfil the booking.

These providers are contractually bound to use your data only for the service they perform for us.

How we protect your data

All data sent between your device and our servers travels over encrypted connections (TLS). Personal data is stored on cloud infrastructure with access controls, and only the SurfX team members who need access to operate the product have it. Payment card data does not pass through our systems: it goes directly from your device to the payment gateway. We review our security practices regularly and will notify users of any incident that materially affects their personal data, in line with applicable law.

Where your data is stored

SurfX is operated from Qatar. Our app backend is hosted in the United States, and some of our other service providers (SMS, maps, push notifications, payment processing, crash reporting) may also store or process data on servers outside Qatar. When that happens, we rely on the provider's contractual safeguards (including standard data-protection terms) to keep your data protected to a comparable standard. By using SurfX, you understand that your data may be transferred to and processed in those countries.

How long we keep data

We keep account data for as long as your account is active. If you delete your account from within the app, we delete your personal data within a reasonable period (typically within 30 days), except where we're legally required to retain certain records (for example, transaction history for tax purposes, retained for as long as Qatari law requires). Anonymised, non-identifying data may be retained longer for product analytics.

Your choices

You can:

Access or correct the data we hold about you, from inside the app or by writing to us.
Delete your account from inside the app: tap Profile in the navigation, open Settings, and scroll to the bottom to tap Delete account. This removes your account and the personal data tied to it, subject to the retention exceptions above.
Withdraw location, photo, or notification permissions at any time from your device settings. The app will continue to work with reduced functionality.
Unsubscribe from marketing emails using the link at the bottom of any email we send.
Contact us with any privacy concern or request at hello@surfxapp.com. We aim to respond within 14 days.

Children

SurfX is not intended for children under 13. We don't knowingly collect personal data from anyone under 13. If you believe a child under 13 has signed up, contact us and we'll remove the account. Users between 13 and the age of majority in their country should have permission from a parent or guardian to use SurfX.

Changes to this policy

If we materially change this policy, we'll update the "Last updated" date above and, where required, notify you in the app or by email. Continued use of SurfX after changes means you accept the updated policy.

Contact

For any privacy question or request, email hello@surfxapp.com.