Privacy Policy

This policy explains what personal information we collect when you use SURF NEXT. It sits alongside our Terms of Service, which describe how you may use the product.

Last updated 6 May 2026

01

Scope and Australian privacy law

SURF NEXT ("we", "us", "our") delivers surf forecasting, spot discovery, and related services online. We are based in Australia and set up this policy with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) in mind. They apply to our handling of your personal information wherever those laws reach our operations.

People use SURF NEXT from many places. If you live outside Australia, local privacy laws may give you additional rights on top of what you read here. The overseas disclosure notes in section 6 still matter, because some of our suppliers store or process data outside your country.

By continuing to use SURF NEXT you agree to this policy. If you disagree with how we handle personal information, please stop using the service. Under the Privacy Act, personal information means information or an opinion about an identified individual, or someone reasonably identifiable, whether or not it is true and whether or not it is recorded.

02

Who we are and how to contact us (APP 1)

The service is offered under the name SURF NEXT. We operate from Australia. When we publish a postal address or PO Box for formal notices, it will appear here; until then, reach us through the in-app Support channel.

Use Support for privacy questions, access or correction requests, and complaints. We aim to reply within a reasonable period, in many cases within 30 days where the APPs apply.

03

What we collect

Depending on how you use SURF NEXT, we may collect:

  • Identity and account details: name, email, profile fields, and preferences you enter yourself. Sign-in may run through a provider such as Clerk; they process certain data under their own policies.
  • Usage and technical information: pages or screens viewed, interactions, device type, browser version, and similar diagnostics we need to run the platform securely.
  • Approximate or precise location: only where you turn on location features (nearby spots, local forecasts). Coordinates alone are not classified as health information under Australian law, but we still treat them as sensitive personal information in practice.
  • Billing metadata: subscription status, receipts, and transaction references. Card numbers sit with our payment processor, not on our servers.
  • Messages you send us: Support tickets, feedback, or anything else you volunteer.

We do not set out to collect sensitive information (for example health records or biometric templates used for automated identification). If you include sensitive details in a free-text message, we only use or disclose that content for the purpose you supplied it, as the law permits, and consistent with the APPs.

04

How information comes to us and where we keep it

Most data arrives directly from you when you create an account, browse while logged in, buy something from the shop, or contact us by email or Support chat. We also receive event data from suppliers such as authentication and payments platforms when needed to operate those features. Depending on your browser settings we may use cookies or similar technologies (section 13).

Storage is electronic. Servers and backup systems may sit in Australia or overseas through cloud vendors we vet. Where anonymous browsing is lawful and practical, you can explore limited parts of the site without signing in; personalised forecasting generally needs an identifiable session or account.

05

Why we use or disclose it

Typical purposes include:

  • running forecasts, search, favourites, calendars, and shop fulfilment;
  • checking who you are, billing you correctly, and sending operational notices;
  • detecting fraud or misuse and defending our legal position;
  • internal analytics and product improvement where expectations make that reasonable;
  • marketing we are allowed to send, always with identifiers and unsubscribe options consistent with the Spam Act 2003 (Cth) where it applies.

We do not sell mailing lists or trade personal information as a commodity. Secondary uses line up with what you would expect from a forecasting service, or happen because you consent, or because the law requires it.

06

Third parties and overseas disclosure (APP 6, APP 8)

Contractors help us with hosting, authentication, payments (such as Stripe), analytics, email delivery, and customer-support tooling. Contracts restrict them to handling data on our instructions and require confidentiality where commercially sensible.

Some subprocessors operate from the United States, European Union, United Kingdom, New Zealand, or elsewhere. That means personal information may cross borders. Foreign authorities could compel disclosure under their laws, and an overseas recipient might not be answerable under the Privacy Act. We use safeguards (including contractual clauses where appropriate) aimed at APP-standard protection, but overseas regimes differ from Australia's. Where the Act lets us rely on your informed consent to disclosure, using SURF NEXT after reading this section counts as acknowledging that risk.

07

Security and accuracy (APP 1.2, APP 10, APP 11)

We implement administrative and technical controls suited to the sensitivity of what we hold: access limits, encryption in transit where standard, monitoring, and staff awareness. No online service is bulletproof; if we learn of a serious incident we follow our breach process (section 8). We try to keep records accurate and only keep them as long as section 12 describes.

08

Notifiable data breaches (Australia)

Where Part IIIC of the Privacy Act applies and we qualify as an organisation that must comply, we assess suspected breaches and, when an eligible breach is confirmed, notify affected individuals and the Office of the Australian Information Commissioner as the scheme requires. That obligation can extend to incidents involving vendors who hold data on our behalf.

09

Marketing, anonymity, and government identifiers (APPs 2, 7, 9)

Commercial emails or SMS we initiate include sender identification and a working unsubscribe path where the Spam Act applies.

We do not adopt Medicare numbers or other Commonwealth identifiers as our own internal IDs.

10

Access and correction (APPs 12, 13)

You can ask what personal information we hold and seek correction if something is wrong, incomplete, or out of date. Profile screens cover part of that; contact Support for everything else. There are narrow refusal grounds in the Act. If we rely on one we explain why. Simple requests are usually free; unusually large extracts may attract a reasonable charge, but we will quote first.

11

Complaints and the OAIC (APP 1)

Please talk to us through Support in the first instance. If you remain unhappy after our final response, you may escalate to the Office of the Australian Information Commissioner (OAIC). Complaints and guidance live at oaic.gov.au.

12

Retention

We retain personal information only while we need it for the purposes above, to meet legal duties, or to resolve disputes, then de-identify or destroy it unless a longer archive is mandatory (for example tax or corporate records).

13

Cookies and similar technologies

Cookies and local storage support login sessions, remember preferences, and help us understand aggregate usage. Browser controls let you limit tracking; disabling essentials may break parts of SURF NEXT.

14

Users in the EEA, UK, Switzerland, and comparable regimes (GDPR-style rights)

If you are in the European Economic Area, United Kingdom, Switzerland, or another jurisdiction with equivalent privacy statutes, we act as controller for the processing described here unless a supplier processes purely on its own behalf. You may have rights to access, rectify, erase, restrict, or object to certain processing, to port data, and to lodge a complaint with your supervisory authority. Legal bases can include contract, legitimate interests balanced against your rights, consent where we request it, or compliance with law. International transfers rely on mechanisms recognised in your jurisdiction when required.

15

Users in New Zealand

If you are in New Zealand, the Privacy Act 2020 may apply to our handling of your personal information. You may have rights to access and correct information and to complain to the Office of the Privacy Commissioner (privacy.org.nz). Please contact Support before escalating so we can try to resolve your concern quickly.

16

California residents (CCPA / CPRA)

Where the California Consumer Privacy Act (and amendments) applies, you may be entitled to know what personal information we collect, to delete or correct certain records, and to opt out of sharing that qualifies as "sale" or "sharing" under Californian definitions. We do not monetise personal information through selling lists or behavioural advertising sales as those terms are commonly understood in California law. Submit requests via Support so we can verify you.

17

Children

SURF NEXT is aimed at teenagers and adults who surf. We do not knowingly collect personal information from children under 15 in Australia, or under 13 (or the higher age applicable in your region) elsewhere, without verifiable parental or guardian consent where the law demands it. Contact Support if you believe a minor's data reached us improperly.

18

Updates

When we change this policy we revise the "Last updated" line and post the new version here. Material changes may also be highlighted inside the app or by email when that is practical or required.

19

Contact

Privacy questions go through Support. For product background, visit About or review the Terms of Service.
