Privacy Policy
Last updated: March 2, 2026
1. Introduction
Luwatu (“we”, “our”, or “us”) is operated from Biarritz, France. We respect your privacy and are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable French data protection laws. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services.
2. Information We Collect
Information You Provide
- Account information: Name, email address, and password when you create an account
- Business listing information: Business details, images, and contact information (for business owners)
- Newsletter subscription: Email address and preferences (e.g., home airport for flight deals)
- Payment information: Processed securely by Stripe; we do not store your card details
- Communications: Messages you send to us or to listed businesses through our platform
Information Collected Automatically
- Device information (browser type, operating system)
- IP address and approximate location (country/region level)
- Pages visited and time spent on our site
- Referring website or source
We use Umami Analytics, a privacy-focused analytics tool that does not use cookies and does not collect personal identifiers. All analytics data is aggregated and anonymized.
3. Legal Bases for Processing (GDPR)
We process your personal data based on the following legal grounds:
- Contract performance: To provide our services, manage your account, and process subscriptions
- Legitimate interests: To improve our services, ensure security, and communicate service updates
- Consent: For marketing emails and newsletters (you can withdraw consent anytime)
- Legal obligation: To comply with applicable laws and regulations
4. How We Use Your Information
We use your information to:
- Provide, operate, and maintain our services
- Process account registration and manage your account
- Process payments and subscriptions through Stripe
- Send transactional emails (account confirmations, password resets, subscription receipts)
- Send our flight deals newsletter (if you subscribed)
- Respond to your comments, questions, and requests
- Analyze usage patterns to improve our services (using anonymized data)
- Detect, prevent, and address technical issues and fraud
- Comply with legal obligations
5. Third-Party Services
We work with carefully selected third-party service providers to operate our platform:
- Supabase (Database & Authentication) - Stores account data securely; servers in the EU and US
- Stripe (Payments) - Processes subscription payments; PCI-DSS compliant
- Resend (Email) - Sends transactional and newsletter emails
- Umami (Analytics) - Privacy-focused, cookie-free website analytics
- Vercel (Hosting) - Hosts our website; edge locations worldwide
These providers process data on our behalf under data processing agreements that ensure GDPR compliance.
6. Sharing Your Information
We may share your information with:
- Service providers: As listed above, to operate our services
- Business partners: When you request to contact a listed surf camp (we share your message and email)
- Legal requirements: When required by law, court order, or to protect our legal rights
- Business transfers: In connection with a merger, acquisition, or sale of assets (with notice to you)
We do not sell your personal information to third parties.
7. Cookies
We do not use tracking cookies. Our website is designed to respect your privacy:
- No advertising cookies: We don't run ads or use advertising trackers
- No third-party tracking: We use Umami Analytics, which is cookie-free
- Essential cookies only: If you log in, we use a session cookie for authentication (required for the service to function)
- Privacy-friendly video embeds: YouTube videos use youtube-nocookie.com; Vimeo uses Do Not Track mode
8. International Data Transfers
Some of our service providers (Supabase, Stripe, Vercel) may process data in the United States. These transfers are protected by appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the EU-US Data Privacy Framework.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including: encryption in transit (HTTPS/TLS), secure password hashing, access controls, and regular security reviews. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
10. Data Retention
We retain your personal data for as long as necessary to fulfill the purposes outlined in this policy:
- Account data: Until you delete your account, after which it is deleted within 30 days
- Newsletter subscriptions: Until you unsubscribe
- Transaction records: 7 years (French legal requirement)
- Analytics data: Aggregated and anonymized, retained indefinitely
11. Your Rights (GDPR)
Under the GDPR, you have the following rights regarding your personal data:
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate or incomplete data
- Erasure: Request deletion of your personal data (“right to be forgotten”)
- Restriction: Request limitation of processing in certain circumstances
- Portability: Request transfer of your data in a machine-readable format
- Objection: Object to processing based on legitimate interests or for direct marketing
- Withdraw consent: Where processing is based on consent, withdraw it at any time
To exercise these rights, email us at hello@luwatu.com. We will respond within 30 days. You also have the right to lodge a complaint with the French data protection authority (CNIL) or your local supervisory authority.
12. Newsletter & Marketing
If you subscribe to our Cheap Surf Flights newsletter, we collect your email address and optionally your home airport/region to personalize flight deals. You can unsubscribe at any time using the link in every email. We do not share your email with third parties for their marketing purposes.
13. Children's Privacy
Our services are not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected information from a child, please contact us immediately at hello@luwatu.com.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on our website and, for significant changes, by email to registered users. We encourage you to review this Privacy Policy periodically.
15. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights:
Luwatu
Biarritz, France
Email: hello@luwatu.com