Privacy Policy

Last updated: January 2025

> ⚠️ This English version is a working translation of the French Privacy Policy. The French version is the legally binding reference.

1. Data Controller

The data controller is Mr. Olivier Schmitt, sole trader, SIRET No. 519 897 680 00053, registered office at 6 place Clémenceau, 68250 Rouffach, France.

Contact for any GDPR-related question: olivier.schmitt.pro@gmail.com

2. Data we collect

We collect the following categories of personal data, depending on your use of the Platform:

Account data

  • Identifiers (email, username, password — encrypted)
  • Profile data (display name, biography, photos, age, gender, country, languages, kitesurf level, preferences)
  • Authentication data (OAuth tokens for Google/Apple Sign-in if used)

Usage data

  • Pages viewed, searches, clicks, time spent
  • Map interactions, spots visited or saved
  • Messages exchanged with other Users
  • Reviews published, classified ads, sessions logged

Geolocation data

  • Approximate location (city, country) when you opt in
  • Spot coordinates you mark or visit
  • IP address (anonymized for analytics)

Payment data

  • For paid subscriptions: handled exclusively by Stripe — we never see your card number
  • Billing address and invoice history

Technical data

  • Device type, operating system, browser
  • App version, language preference, time zone
  • Crash reports and performance metrics (anonymized)

3. Legal basis

We process your data on one of the following legal bases (Article 6 GDPR):

  • Performance of a contract: account management, subscription, paid Services
  • Legitimate interest: security, fraud prevention, Platform improvement, analytics
  • Consent: marketing emails, non-essential cookies, sensitive features (geolocation, etc.)
  • Legal obligation: invoicing, anti-money-laundering, retention of payment records

4. Purposes of processing

Your data is processed to:

  • Provide and personalize the Services
  • Allow you to interact with other Users
  • Send transactional emails (account confirmation, password reset, booking notifications)
  • Send optional newsletters (with your consent, opt-out anytime)
  • Detect fraud, abuse and security incidents
  • Comply with legal obligations
  • Produce aggregated, anonymized analytics

5. Data retention

We retain your data for the time strictly necessary:

  • Account data: throughout the duration of your account + 3 years of inactivity, then deletion or anonymization
  • Payment data: 10 years (legal retention obligation for accounting documents in France)
  • Logs and security data: 12 months
  • Cookies: 13 months maximum, refer to the Cookie Policy
  • Backups: 30 days rolling

You can request deletion at any time (see Section 8).

6. Recipients of data

Your data is shared exclusively with:

  • Authorized internal team: developers and moderators, under strict confidentiality
  • Sub-processors:
      • Supabase (database hosting, EU)
      • Vercel (web hosting, EU/US with EU SCC)
      • Stripe (payment processing, EU/US)
      • Open-Meteo (weather data, no personal data shared)
      • Mapbox (maps, anonymized requests)
      • SendGrid / Resend (transactional emails)
  • Other Users: only public profile data you have chosen to expose
  • Authorities: in case of legal request and only for the data legally required

We never sell your personal data to third parties.

7. International transfers

Some sub-processors (Vercel, Stripe) may process data outside the European Economic Area. These transfers are governed by Standard Contractual Clauses (SCC) approved by the European Commission, ensuring an adequate level of protection.

8. Your rights

In accordance with the GDPR, you have the following rights:

  • Right of access: obtain a copy of your data
  • Right of rectification: correct inaccurate data
  • Right to erasure ("right to be forgotten"): delete your account and data
  • Right to restriction of processing: limit certain processing
  • Right to data portability: receive your data in a structured machine-readable format
  • Right to object: object to processing based on legitimate interest
  • Right to withdraw consent: at any time for processing based on consent
  • Right to lodge a complaint: with the CNIL (cnil.fr) or any other supervisory authority

To exercise these rights, write to olivier.schmitt.pro@gmail.com with a copy of your ID. We will respond within one month.

For direct account deletion, see Delete my account.

9. Cookies

The use of cookies is detailed in the dedicated Cookie Policy. You can manage your preferences at any time from the cookie banner or your account settings.

10. Security

We implement state-of-the-art technical and organizational measures: encryption in transit (HTTPS/TLS 1.3) and at rest, password hashing (bcrypt), strict role-based access control, audit logs, regular dependency updates, vulnerability monitoring.

In case of a data breach affecting your rights, we will notify you and the CNIL within 72 hours as required by Article 33 GDPR.

11. Minors

The Platform is not intended for users under 16. If we become aware that we have collected data from a minor without parental consent, we will delete it without delay.

12. Changes to this Policy

We may update this Policy. Any substantive new version will be notified to you (in-app or by email) and you will have the opportunity to accept it again.

13. Contact

For any question or to exercise your rights: olivier.schmitt.pro@gmail.com

Supervisory authority: CNIL (www.cnil.fr)