Privacy Policy - RigSize Live

At RigSize Live, we greatly value the protection of your personal data. This privacy policy explains what data we collect, why we collect it, and how we protect it.

This policy has been drafted in accordance with the General Data Protection Regulation (GDPR).

Last updated: 9 May 2026

1. Data Controller

FTR Management B.V., trading as RigSize Live
Korte Tolstraat 3 H, 1073 SG Amsterdam, Netherlands
CoC (KvK): 53751671 · VAT: NL851002523B01
Email: info@rigsizelive.com
Website: www.rigsizelive.com

2. What Data We Collect

2.1 Account Data

Upon registration, we collect:

Email address
Password (stored in encrypted form)
First name and last name

2.2 Profile Data

Optionally, you may provide the following information:

Sport(s): windsurfing, kitesurfing, wing foiling
Gear data: sail size, board volume, kite size, wing size
Body weight
Gender
Date of birth
Nationality

These demographic data points are used exclusively for leaderboard filters (e.g. filtering by age category or gender) and are never shared with third parties without your consent.

2.3 Location Data

During an active session, we collect:

GPS coordinates (latitude and longitude)
Selected surf spot

Location data is only collected during an active session and with your explicit consent via the browser permission prompt. You can stop sharing your location at any time by ending your session.

2.4 Chat Data

When using the Spot Chat feature:

Text messages
Photos (compressed to a maximum width of 1200px)
Time of sending
First and last name of the sender

Chat messages and photos are automatically deleted after a fixed retention period.

2.5 Session Data

Start and end time of sessions
Selected surf spot
Gear used

2.6 Garmin Connect™ Integration

You can connect RigSize Live to Garmin Connect™. By authorizing the connection, you explicitly give RigSize Live permission to retrieve activity data from your Garmin Connect™ account. The following data is received with your consent:

GPS tracks (latitude, longitude, altitude)
Session duration and time
Speed data
Heart rate (if available via your device)
Activity type (windsurf, kite, wing, etc.)
Device information (model of your sports watch or GPS device)

We use this data exclusively to automatically import your sessions into RigSize Live, so you don't have to enter your session data manually. We do not sell or share this data with third parties. We do not use data from Garmin Connect™ for automated decision-making, profiling, or artificial intelligence.

Data transfer to Garmin: When connecting your account, your authorization is processed via Garmin's servers. This means that certain technical data (such as your authorization request) is shared with Garmin International, Inc. as part of the OAuth2 connection process.

You can disconnect the integration at any time via Settings → Garmin Connect in the app, or directly through your Garmin Connect™ account. Upon disconnection, the access tokens are immediately deleted. Previously imported session data will remain in your account until you delete it or cancel your account.

The data we retrieve via Garmin Connect™ is subject to Garmin's privacy policy. Please review the Garmin Connect™ privacy policy at: www.garmin.com/privacy/connect

2.7 Push Notifications

When you grant permission for push notifications, we store the following:

FCM/APNs token (device-specific push token from Google or Apple)
Device ID (locally generated UUID, so you can receive notifications on multiple devices simultaneously)
Platform (iOS, Android or web)
Language setting and app version (to compose the correct notification)

Push notifications are used for features you opt into yourself: wind alerts, chat messages, kudos on your sessions, leaderboard notifications and other social features. You can disable push notifications at any time via your device settings or via the notification preferences in the app.

2.8 Camera Usage (native app)

In the iOS and Android app you can take photos or select existing ones for your profile picture and session photos. The following applies:

Camera and photo library access is used only at the moment you actively choose or take a photo
Photos are resized and compressed locally on your device before they are uploaded
We have no background access to your camera or photo library

Uploaded photos go through the same route as photos uploaded via the web version (see section 2.4 for chat photos and section 5.2 for storage location).

2.9 Reports

When you report a chat message, we store: the reported message ID, the reason for the report, and your user ID.

2.10 Marketing emails (optional)

If you opt in to marketing emails in your profile settings (the toggle is off by default), we store the following in a separate table:

Your email address (from your account data)
Your first and last name, gender, date of birth and preferred sport (to make emails relevant to your discipline and demographic)
Date and time you gave or withdrew consent (audit trail)
The source of your opt-in (e.g. profile settings)

We use this data exclusively to send you, at most 1 to 2 times per month, an email with tips for your sport and offers from RigSize Live and carefully selected partners (such as surf shops, gear brands and watersports event organisers). A current list of partners is available on request via the contact details in section 15.

You can withdraw your consent at any time via the toggle in your profile settings or via the unsubscribe link at the bottom of every marketing email. After withdrawal, no further marketing emails will be sent, but the audit trail (opt-in/opt-out timestamps) is retained for a limited period to fulfil our GDPR proof obligation.

3. Legal Basis for Processing

Processing	Legal Basis (GDPR)
Account and authentication	Performance of the contract (Art. 6.1.b)
Location sharing and session tracking	Consent (Art. 6.1.a)
Spot Chat messages	Performance of the contract (Art. 6.1.b)
Leaderboards and statistics	Performance of the contract (Art. 6.1.b)
External integrations (Garmin)	Consent (Art. 6.1.a) — you consciously connect your account
Reports and moderation	Legitimate interest (Art. 6.1.f) — user safety
Demographic profile data (gender, date of birth, nationality)	Consent (Art. 6.1.a) — optional, used for leaderboard filters
Own communications about features and updates	Legitimate interest (Art. 6.1.f) — always opt-out available
Offers from selected partners	Consent (Art. 6.1.a) — separate opt-in required, always revocable
Push notifications (wind alerts, chat, social notifications)	Consent (Art. 6.1.a) — opt-in via device settings, per type adjustable in the app

4. Purposes of Processing

We use your data exclusively for:

Providing and improving the RigSize Live service
Displaying your location and gear data to other active users on the real-time map
Storing and displaying your session history and statistics
Facilitating the Spot Chat feature
Compiling leaderboards
Automatically importing session data from external platforms (such as Garmin) when you have given consent
Handling reports and enforcing the code of conduct
Ensuring the safety and integrity of the app

We do not sell your data to third parties.

Own communications: RigSize Live may inform you about new features, updates, and its own offers. We do this on the basis of legitimate interest. You can unsubscribe at any time via your account settings.

Partner offers: In the future, we may collaborate with carefully selected partners to show you relevant offers for surf-related products and services. We will only do this based on your explicit, prior consent (opt-in). You can withdraw this consent at any time via your profile settings in the app, without any consequences for the other services provided.

5. Sharing of Data

5.1 With Other Users

The following data is visible to other users of the app:

Your first and last name
Your location on the map (only during an active session)
Your gear data (only during an active session)
Your chat messages and photos in the Spot Chat
Your session statistics on leaderboards

5.2 With Service Providers

We use the following external service providers (processors):

Service Provider	Purpose	Location
Supabase	Authentication, database, session storage	EU (Frankfurt)
Firebase / Google Cloud	Chat, photo storage	EU (Belgium)
Garmin Connect	Importing session and GPS data (optional)	USA (SCC applicable)
Cloudflare R2	Storage of chat photos and profile photos	EU
Vercel	Application hosting	Worldwide (CDN)

We do not share your data with any other parties unless legally required by a court order or competent authority.

Marketing partners: When you have given consent for marketing emails (see section 2.10), your email address and profile data are not shared with our partners. RigSize Live sends the emails on behalf of partners ourselves; partners do not receive access to our contact list or any personal data about you.

Firebase Analytics (native iOS/Android app only): in the native app for iOS and Android (from the App Store / Google Play Store), the Firebase Analytics SDK is active. It collects anonymized usage statistics such as which screens are opened, app version, OS version, device type (e.g. "iPhone 17"), and geo-location at city level (derived from IP address). We use this data exclusively to improve the app -- for example to see which features are used and where bugs occur. No advertising ID (IDFA on iOS, AAID on Android) is collected and no cross-app tracking takes place. Processor is Google Ireland Ltd. (Firebase EU contracting party) under Standard Contractual Clauses; retention period 14 months as per Google's privacy policy. In the web version (PWA via app.rigsizelive.com), Firebase Analytics is not present.

6. Data Retention Periods

Data	Retention Period
Account data	As long as your account is active
Demographic profile data (gender, date of birth, nationality)	As long as your account is active, or until you delete it yourself
Location data (real-time)	Only during an active session; removed from the map immediately after
Session history	As long as your account is active. After account deletion: anonymised (without name, photo, or identification) and retained indefinitely for app statistics
Chat messages and photos	Automatically deleted after a fixed retention period
Externally imported session data	As long as your account is active, or until you manually delete it
External access tokens (Garmin)	Until you disconnect the integration, then immediately deleted
Reports	Maximum 90 days
Blocked users	Stored locally on your device
Marketing opt-in and associated profile data	As long as your opt-in is active. After opt-out: contact details are removed from the mailing list; opt-in/opt-out timestamps are kept for up to 3 years as GDPR evidence

7. Your Rights (GDPR)

7.1 Account Deletion and Session Anonymisation

You have two ways to have your RigSize Live account and associated data deleted:

Option 1 — Via the app (recommended, immediate):

Open RigSize Live
Go to Profile
Scroll down and tap “Delete my account”
Confirm the double-confirmation prompt

Your account is deleted immediately. You will receive a confirmation email.

Option 2 — Via email (if you no longer have the app installed):

Send an email to info@rigsizelive.com with:

Subject: “Account deletion request”
The email address registered with your RigSize Live account

We will delete your account within 30 days of receiving the request and send you a confirmation.

What happens on deletion:

Permanently deleted: your profile (name, photo, date of birth, gender, nationality, email address), gear library, friend relationships, kudos, comments, chat messages, photos, push notification settings, and Garmin integration.
Retained anonymously: your session data (spot, gear, wind, speed, duration) is retained indefinitely without any link to you. Name, photo, email, and all other identifying information are erased. Anonymous sessions contribute to app statistics and benchmarks (such as “average wind strength for a 5.4 sail” or “total number of sessions at Muiderberg”) but no longer appear in the feed or leaderboards.

Legal basis for anonymous retention: legitimate interest (Art. 6.1.f GDPR). Anonymous aggregates are essential for the operation of RigSize Live as a community app for other users, and no longer contain personal data.

Under the GDPR, you have the following rights:

Right of access — you can request to see what data we process about you
Right to rectification — you can have incorrect data corrected
Right to erasure — you can request deletion of your data
Right to restriction — you can have the processing of your data restricted
Right to data portability — you can request your data in a structured format
Right to object — you can object to processing based on legitimate interest
Right to withdraw consent — you can withdraw previously given consent (e.g., location sharing, Garmin connection) at any time

To exercise any of these rights, please contact us at info@rigsizelive.com. We will respond to your request within 30 days.

You also have the right to file a complaint with the Dutch Data Protection Authority (www.autoriteitpersoonsgegevens.nl).

8. Security

We take appropriate technical and organisational measures to protect your data:

All communication takes place over encrypted connections (HTTPS/TLS)
Passwords are stored in hashed form (never in plain text)
Database access is restricted through security rules (Row Level Security)
Chat photos are stored with security rules that limit uploads to verified users
Chat messages are automatically deleted after a fixed retention period
Third-party integrations use industry-standard OAuth 2.0 authentication; we never store your third-party passwords

9. Cookies and Local Storage

RigSize Live uses:

Local storage (localStorage) — for storing your session settings, authentication tokens, list of blocked users and a locally generated device ID (UUID, for multi-device push notifications). This is necessary for the app to function.
Session cookies — for authentication with Supabase and Firebase.

We do not use tracking cookies or advertising cookies. For analytics: see section 5 (Firebase Analytics is only active in the native app, not in the web version).

10. Children

RigSize Live is not intended for children under the age of 16. We do not knowingly collect data from children under 16. If we discover that we have collected data from a user under 16, we will delete this data and the associated account as soon as possible.

11. International Data Transfers

We strive to keep your data within the European Economic Area (EEA). Where service providers process data outside the EEA (such as Vercel's CDN or Garmin's servers), we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCC) or an adequacy decision.

12. App Store Distribution

RigSize Live is available as a Progressive Web App (PWA) at www.rigsizelive.com and as a native app via the Apple App Store and Google Play Store. When you download the app via an app store:

The App Store terms of Apple or Google apply to the download process
Apple and Google may receive technical and statistical data in accordance with their own privacy policies
At this time, RigSize Live does not offer in-app purchases or paid subscriptions. Should this change in the future, we will inform you clearly via the app and update this privacy policy before such features are activated.

This privacy policy applies to the use of the app itself, regardless of the platform through which you downloaded it.

13. Device Permissions (native app)

The iOS and Android app requests the following permissions. None of them are required for the basic functionality of the app — you can decline them individually or revoke them later via your device settings.

Permission	Used for
Location	Only during an active session, to display your position on the spot map and store session tracks
Camera	Take photos for profile picture or session photo, only at the moment you actively initiate this
Photo library	Pick a photo from your existing library for profile or session photo, only when you actively initiate this
Push notifications	Wind alerts, chat messages, social notifications — only for the types you activate yourself in the notification settings
Vibrate (Android)	Tactile feedback when starting and stopping a session

14. Changes to This Privacy Policy

We reserve the right to modify this privacy policy. In the event of significant changes, we will notify you via the app. The most recent version is always available on this page.

15. Contact

For questions about this privacy policy or to exercise your rights:

FTR Management B.V. (trading as RigSize Live)
Korte Tolstraat 3 H, 1073 SG Amsterdam, Netherlands
CoC (KvK): 53751671 · VAT: NL851002523B01
Email: info@rigsizelive.com
Website: www.rigsizelive.com