Privacy Policy
Effective Date: March 25, 2026 · Last Updated: March 25, 2026
This Privacy Policy explains how FoilNexus LLC ("Company," "we," "us," or "our"), a Washington State limited liability company, collects, uses, shares, and protects your personal data when you use the eFoilCrew website, progressive web application, and related services (the "Service").
We are committed to protecting your privacy. This policy is designed to comply with the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA/CPRA), Brazil's Lei Geral de Proteção de Dados (LGPD), and other applicable data protection laws.
1. Data Controller
FoilNexus LLC is the data controller responsible for your personal data. For questions or requests, contact us at privacy@foilnexus.com.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your email address and password (stored as a secure hash — we never store plaintext passwords). We verify your email address via a confirmation link.
2.2 Profile Information
You may optionally provide: display name, bio, avatar photo, cover photo, experience level, the year you started riding, gear description, home location (coordinates and label), and whether to show your location on the community map.
2.3 Session & Activity Data
When you import or upload riding sessions (via Garmin Connect integration or GPX/TCX/FIT file upload), we collect: GPS tracks (full and simplified route linestrings), session start location, duration, distance, speed metrics (maximum and average), elevation gain, foil percentage, run counts, weather conditions at the time of riding, session notes, titles, and photos you choose to attach.
2.4 User-Generated Content
Content you create on the platform, including posts, comments, forum posts and replies, direct messages, spot condition reports (water state, wind, notes), gear setup configurations, and product interactions.
2.5 Social & Community Data
Follow relationships, likes, badge and achievement history, leaderboard rankings, and points ledger entries.
2.6 Location Data
With your permission, we may collect your device's geolocation during onboarding (to suggest your home location) and through GPS tracks in imported sessions. You can decline location access and manually enter your location instead. Spot locations you create or visit are also recorded.
2.7 Third-Party Account Data
If you connect your Garmin Connect account, we store encrypted OAuth tokens to access your Garmin activity data. We import activity metadata, GPS tracks, and associated metrics. You can disconnect Garmin at any time.
2.8 Usage & Analytics Data
With your opt-in consent, we collect behavioural analytics through PostHog, including page views, feature usage events, and anonymised session recordings (all form inputs are masked). We also collect aggregated page-view analytics through Plausible Analytics (which does not use cookies and does not collect personal data).
2.9 Device & Technical Data
Browser type, operating system, device type, screen resolution, IP address (for security and approximate geolocation), and referral source. This data is collected automatically when you access the Service.
3. How We Use Your Information
We use your personal data for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Account creation and authentication | Contract performance |
| Session tracking, analysis, and display | Contract performance |
| Community features (posts, follows, messaging) | Contract performance |
| Spot discovery and conditions reporting | Contract performance |
| Gear catalog and setup management | Contract performance |
| Leaderboards, badges, and achievements | Contract performance |
| Behavioural analytics and session replay | Consent (opt-in) |
| Service improvement and bug detection | Legitimate interest |
| Security, fraud prevention, and abuse detection | Legitimate interest |
| Responding to support requests | Contract performance |
| Compliance with legal obligations | Legal obligation |
| Sponsored content and advertising | Legitimate interest / Consent |
4. Data Sharing & Third-Party Processors
We do not sell your personal data. We share data with the following categories of third-party service providers who process data on our behalf:
| Provider | Purpose | Data Region |
|---|---|---|
| Supabase | Database, authentication, file storage | US (Oregon) |
| Vercel | Website hosting and CDN | US (San Francisco) |
| PostHog | Analytics and session replay (opt-in only) | US |
| Plausible Analytics | Privacy-focused page-view analytics | EU |
| Mapbox | Maps, geocoding, and route display | US |
| Garmin Connect | Activity data import (user-initiated) | US |
| OpenWeatherMap | Weather data for riding conditions | EU/US |
| Linear | Bug report processing | US |
We may also use AI services (Anthropic, OpenAI, Google) for administrative functions such as content synthesis and session analysis. These services process aggregated or anonymised data and are not used to make automated decisions about individual users.
5. International Data Transfers
Your data is primarily stored in the United States (Oregon and San Francisco). If you are located outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission and UK Information Commissioner's Office, and other appropriate safeguards, to ensure your data is protected during international transfers.
6. Cookies & Local Storage
We use cookies and browser local storage for essential functions and optional analytics. For full details, see our Cookie Policy.
Essential storage (no consent required): authentication session tokens, theme/palette preferences, UI state preferences. Optional storage (consent required): PostHog analytics cookies and identifiers.
7. Data Retention
- Account data: Retained for as long as your account is active. Deleted upon account deletion request.
- Session & activity data: Retained for as long as your account is active. You can hide or delete individual sessions at any time.
- User-generated content: Retained until you delete it or your account. Content shared in community contexts (posts, forum replies) may persist in other users' feeds.
- Analytics data: PostHog data is retained for 12 months. Plausible data is aggregated and contains no personal identifiers.
- Garmin tokens: Encrypted tokens are retained while your Garmin account is connected. Deleted immediately upon disconnection.
- Server logs: Access and error logs are retained for up to 30 days for security and debugging purposes.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
8.1 All Users
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate personal data.
- Deletion: Request deletion of your personal data and account.
- Withdraw consent: Withdraw your consent for optional data processing (e.g., analytics) at any time.
8.2 EU/UK Residents (GDPR)
- Data portability: Receive your data in a structured, machine-readable format.
- Restriction: Request restriction of processing in certain circumstances.
- Object: Object to processing based on legitimate interests.
- Lodge a complaint: File a complaint with your local Data Protection Authority.
8.3 California Residents (CCPA/CPRA)
- Right to know: Request disclosure of the categories and specific pieces of personal information we collect.
- Right to delete: Request deletion of personal information.
- Right to opt-out: We do not sell or share your personal information for cross-context behavioural advertising.
- Non-discrimination: We will not discriminate against you for exercising your CCPA rights.
8.4 Brazil Residents (LGPD)
- Confirmation & access: Confirm whether we process your data and access it.
- Correction & deletion: Correct inaccurate data or request deletion of unnecessary data.
- Portability: Transfer your data to another service provider.
- Revocation of consent: Revoke consent at any time.
To exercise any of these rights, email us at privacy@foilnexus.com. We will respond within 30 days (or the applicable statutory period).
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including: HTTPS/TLS encryption in transit, secure password hashing via Supabase, encrypted storage of third-party OAuth tokens, row-level security (RLS) policies in our database to restrict data access, and regular security reviews. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
10. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authorities within 72 hours of becoming aware of the breach (as required by GDPR) and will notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
11. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without appropriate consent, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal data, please contact us at privacy@foilnexus.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Last Updated" date. For significant changes, we may also notify you by email. Your continued use of the Service after such changes constitutes acceptance of the revised policy.
13. Contact Us
For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us:
FoilNexus LLC
Data Protection Contact
Email: privacy@foilnexus.com
If you are in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.