Privacy Policy

Endless Waves is a surf and foil tracking app for activities including prone foiling, downwinding, and foil training. It runs on iPhone and Apple Watch.

This policy describes what data the app collects, how it is used, and how it is stored. We are committed to being transparent about our data practices.

A. Account Information

When you create an account, we collect your email address. This is used solely for authentication via a one-time passcode (OTP). Your email is stored securely in our cloud database (Supabase).

B. Session & Activity Data

Session metrics including GPS routes, speed, distance, duration, wave counts, and related performance data are stored locally on your device and synced to our cloud database when you are signed in. This sync enables you to access your history across devices and participate in leaderboards and competitions.

C. Location Data (GPS)

The app records your real-time GPS position during sessions to calculate route, speed, and distance. Location data is captured in the background while a session is actively recording, even when your screen is locked. GPS route data is stored locally and may be synced to our cloud database as part of your session record.

Location data is never sold or shared with third parties.

D. Health Data (via Apple HealthKit)

Heart rate data may be accessed from Apple HealthKit with your explicit permission. HealthKit data is used only to display metrics within the app and is never transmitted to our servers or any third party.

E. Voice & Microphone

If you use the voice feedback feature, your audio recording is sent to OpenAI's Whisper API for transcription. The transcribed text is stored as part of your session notes. The audio itself is not retained after transcription. OpenAI's privacy policy governs how they handle audio data during processing.

F. Contact Information (Referral Feature)

If you use the referral feature, the app reads contact names and phone numbers from your device's address book so you can select friends to invite. When you successfully send a referral SMS, the selected contact's name and phone number are stored in our cloud database. This information is used solely to track referral status, prevent duplicate invitations, and award referral rewards. We do not upload your full contacts list — only the specific contact(s) you choose to refer and confirm sending to. This data is not sold or shared with third parties.

G. Photos & Media

The app may access your photo library to include media in session video exports. Generated session videos are saved to your Photos library with your permission. Photos data is processed locally and is not transmitted to our servers.

H. Friends & Social Features

When you use the social features, we store the following in our cloud database:

• Profile fields — your first name (and optionally last name, if you enable “Show last name”) so other authenticated users can identify you in leaderboards, friend requests, and messages.
• Friend requests — the sender, recipient, status (pending / accepted / rejected), and timestamp of each request. Visible to the sender and recipient only.
• Friendships — an active friendship row for each accepted request. When two users are friends, each can view the other's synced sessions (read-only), start direct conversations, and see a “new session” notification when the other records one.
• Direct messages — message body, sender, recipient, timestamp, and read-state. Delivered only between the two participants. Only the sender can edit or delete a message they sent; only the recipient can mark it read.
• In-app notifications — friend request, friend accepted, and friend's new session events write a row to your notifications feed. These are scoped to your account and not shared with anyone else.
• Discoverability (opt-in) — if you mark yourself “Discoverable” in Settings, other users who have recorded sessions at the same spot as you can find you in “Riders Near You” and view a summary preview (session totals, activity types, top spots, leaderboard placings). Discoverability is off by default and can be turned off at any time.
• Search by email — if someone types your sign-in email into “Add by email,” we confirm whether an account with that email exists and return your display name so they can send you a request. Your email is never returned to the searcher.

None of this data is sold or shared with third parties. Friends and their sessions are visible only to each other; messages are visible only to the two participants.

• To provide core app functionality (session tracking, metrics, maps)
• To sync your session history across devices when signed in
• To power leaderboards, competitions, and community features
• To power friends, direct messaging, and session-activity notifications between users who have accepted a friend request
• To show you as a potential connection in “Riders Near You” only if you've opted into discoverability
• To transcribe voice feedback into session notes
• To manage referral rewards and prevent duplicate invitations

We do not use your data for advertising or sell it to any third party.

Your data is stored using the following services:

• Supabase — cloud database and authentication. Stores your account, session data, and referral records. Data is hosted on infrastructure managed by Supabase, Inc.
• OpenAI — used for voice transcription only. Audio is processed transiently and not retained by Endless Waves after transcription.

We do not use third-party advertising SDKs or behavioral analytics services.

The app may request the following permissions:

• Location — required to record GPS routes during sessions, including while the screen is locked
• HealthKit — optional, for heart rate display
• Microphone — optional, for voice feedback transcription
• Contacts — optional, used only for the referral invite feature
• Photo Library — optional, for video export and saving session cards

You may revoke any permission at any time in iOS Settings.

Your session data and account information are retained as long as your account is active. Direct messages, friendships, friend requests, and notifications are retained until you delete them individually or your account is deleted. Deleting your account cascades: your sessions, runs, messages, friend requests, friendships, and notifications are all removed server-side, and your friends' copies of your direct messages are deleted along with your account.

To request deletion of your account, contact us through the App Store listing or at the email below.

Endless Waves is not directed at children under 13. We do not knowingly collect personal information from children.

We may update this Privacy Policy when app functionality changes. The effective date at the top of this page will reflect the most recent revision. Continued use of the app after an update constitutes acceptance of the revised policy.

If you have questions about this Privacy Policy or wish to request data deletion, contact us through the contact form or through the App Store listing for Endless Waves.