Privacy Policy

Last updated: June 9, 2026 · Version 1.0

This Privacy Policy explains how AWECEAN ("AWECEAN," "we," "us," or "our") collects, uses, discloses, and safeguards personal data when you use awecean.com, our subdomains, mobile or web applications, and related services (collectively, the "Platform"). It applies to Customers booking surf lessons, independent Instructors offering lessons, visitors, and anyone who otherwise interacts with the Platform.

This Policy operates alongside our Terms of Service. Capitalized terms not defined here have the meaning given in the Terms.

1. Who We Are & Scope

AWECEAN is a Mexico-based online marketplace that connects Customers with independent surf Instructors worldwide. We act as the data controller for personal data processed for our own marketplace, payments, communications, safety, and compliance purposes. Instructors independently determine certain processing of Customer data they receive (for example, to deliver and document a lesson) and act as independent controllers for those uses.

This Policy does not cover third-party websites, instructor-operated channels, or off-Platform communications.

2. Data We Collect

2.1 Account & Profile Data

Name, email, password hash, phone number (optional), profile photo, language, country, and authentication identifiers. Instructors additionally provide headline, biography, certifications (self-reported), teaching languages, equipment, lesson tiers, service locations, and availability.

2.2 Booking & Transaction Data

Lesson details, dates, participants, pricing, status history, messages exchanged in relation to a booking, reviews, cancellations, refunds, and dispute records.

2.3 Payment Data

Payments are processed by Stripe. Card numbers, bank account details, KYC documents, and tax identifiers submitted during Stripe Connect onboarding are collected directly by Stripe and are not stored by AWECEAN. We retain only payment metadata (Stripe IDs, amounts, currency, status, payout state, last4 where surfaced by Stripe) needed to operate bookings and payouts.

2.4 Device, Log & Usage Data

IP address, user agent, device type, language, referrer, pages viewed, actions taken, timestamps, error reports, and Web Vitals performance beacons. These signals are used for security, fraud prevention, debugging, and product analytics.

2.5 Location Data

City-level location associated with Instructor profiles, lesson locations, and (where you provide it) Customer location preferences. We do not collect continuous device GPS location.

2.6 Communications

Emails, in-Platform messages, support tickets, and notification preferences. Lifecycle and transactional emails are delivered through our email infrastructure.

2.7 Cookies & Similar Technologies

We use strictly necessary cookies for authentication and session management, and a privacy-respecting analytics solution (Plausible) that does not use tracking cookies or collect personal identifiers. We do not run third-party advertising or cross-site tracking pixels.

If non-essential cookies, advertising technologies, or additional tracking technologies are introduced in the future, we will implement appropriate consent mechanisms where required by applicable law before activating them.

3. How We Use Personal Data

We process personal data to:

  • Operate the marketplace and match Customers with Instructors;
  • Process bookings, payments, refunds, and Stripe Connect payouts;
  • Send transactional and account communications;
  • Provide customer and instructor support;
  • Maintain safety, prevent fraud, abuse, and unauthorized access;
  • Comply with legal, tax, and regulatory obligations;
  • Improve, debug, and secure the Platform;
  • Display reviews and aggregated quality signals;
  • Defend against chargebacks, disputes, and legal claims.

4. Legal Bases (EU/UK Users)

Where the GDPR or UK GDPR applies, we rely on:

  • Contract — to operate bookings, payments, and your account;
  • Legitimate interests — security, fraud prevention, analytics, service improvement, defense of legal claims;
  • Legal obligation — tax, accounting, compliance, and lawful requests;
  • Consent — where required (e.g., optional marketing emails).

5. How We Share Personal Data

5.1 Between Customers and Instructors

To deliver a booking, we share necessary booking details with the other party (name, contact required for the lesson, booking specifics). Instructors must use this data only to provide the lesson and comply with applicable law.

5.2 Service Providers (Processors)

We use vetted providers for hosting, database, authentication, email delivery, analytics, error monitoring, and payment processing. They process data on our behalf under contractual obligations. Key processors include:

  • Supabase — database, authentication, storage;
  • Cloudflare — hosting, CDN, edge runtime, security;
  • Stripe — payments and Stripe Connect payouts (independent controller for regulated activities);
  • Email delivery provider for transactional and lifecycle emails;
  • Plausible — privacy-respecting analytics.

5.3 Payments & Disputes

As described in our Terms (§7.5 and §27), we may share booking records, messages, transaction data, and platform logs with Stripe, card networks, banks, dispute providers, insurers, regulators, and law-enforcement authorities to investigate or respond to chargebacks, fraud, refund disputes, safety incidents, or compliance obligations.

5.4 Legal & Safety

We may disclose data to comply with law, valid legal process, or to protect the rights, property, or safety of AWECEAN, our users, or the public.

5.5 Business Transfers

In a merger, acquisition, financing, reorganization, or sale of assets, personal data may be transferred subject to this Policy.

We do not sell personal data, and we do not share it for cross-context behavioral advertising.

6. International Transfers

AWECEAN operates from Mexico and serves international users. Personal data may be processed in Mexico, the United States (Stripe, Cloudflare), the European Union, and other jurisdictions where our processors operate. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms.

7. Data Retention

We retain personal data for as long as needed to provide the Platform, comply with legal, tax, and accounting obligations, resolve disputes, and enforce our agreements. Typical retention windows:

  • Account & profile data — for the life of the account, plus a reasonable archive period;
  • Booking & transaction records — minimum 5–10 years for tax, accounting, and dispute defense;
  • Support communications — up to 3 years after resolution;
  • Server logs & analytics — typically up to 12 months;
  • Suppression lists (for unsubscribe enforcement) — retained indefinitely.

8. Security

We implement administrative, technical, and organizational measures including encryption in transit, hashed passwords, role-based access controls, row-level security on production data, signed webhooks, audit logging, and rate limiting. No system is perfectly secure; we cannot guarantee absolute security.

8.1 Security Incident Notification

We may notify affected users and competent authorities of security incidents involving personal data when required by applicable law.

9. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, or port your personal data, to object to certain processing, and to withdraw consent where processing is based on consent. EU/UK users may lodge a complaint with their local supervisory authority. Mexican users may exercise ARCO rights (Access, Rectification, Cancellation, Opposition) under the LFPDPPP.

To exercise rights, contact us at the address in §13. We may need to verify your identity before responding. Some data must be retained for legal, accounting, or dispute-defense purposes and cannot be deleted on request.

9.1 Account Deletion

Users may request deletion of their account at any time. Certain information, including booking records, payment metadata, communications, and audit logs, may be retained for tax, accounting, fraud-prevention, dispute-resolution, and legal-compliance purposes even after account deletion.

9.2 Marketing Communications

Transactional and service-related communications — such as booking confirmations, payment receipts, safety notices, and account alerts — cannot be opted out of while an account remains active. Marketing communications may be unsubscribed from at any time using the link provided in each message or by contacting us.

10. Children

The Platform is not directed to children under 16, and we do not knowingly collect personal data from them. Minors may participate in lessons only when booked and supervised by a parent or legal guardian, who is solely responsible for any data provided about the minor.

11. Instructors as Independent Controllers

Instructors are independent contractors and not employees or agents of AWECEAN. When an Instructor receives Customer data through the Platform, they act as an independent controller for any further processing (e.g., maintaining their own records, complying with local law). Instructors must handle Customer data lawfully, use it only as needed for the booked lesson, and not market to Customers without a lawful basis.

12. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated through the Platform or by email. Continued use after the effective date constitutes acceptance.

13. Contact

Questions, requests, or complaints regarding this Policy or your personal data may be sent to the contact details below.

13.1 Data Protection Contact

13.2 Entity & Registered Address

Legal entity name and registered business address will be published here once formally established. Until then, the email address above is the designated contact for all data-protection inquiries.