
Privacy notice & GDPR information

Last updated: 6 April 2026

1. Data controller

The data controller for personal data processed through this deployment of Fjell Lift is: the operator of this Fjell Lift instance.

Operators should set NEXT_PUBLIC_LEGAL_CONTACT_EMAIL in production so users know how to reach you. Until then, use the same support channel as for account issues (if any).

2. Scope

This notice describes how we process personal data when you use the Fjell Lift web application (accounts, map, practice areas, session experiences, and related features). It is intended to meet transparency requirements under the EU/UK General Data Protection Regulation (GDPR) and similar laws.

3. Categories of personal data

  • Account data: email address, name (if provided), profile image URL (if provided), identifiers created by Auth.js / Prisma.
  • Authentication: magic-link tokens, session records, verification tokens (processed to sign you in securely).
  • Your spots data: practice area geometry, labels, sport choices, wind preferences, public/private flags, and session experience entries you create.
  • Technical data: server and hosting logs (e.g. IP address, timestamps, URLs) as generated by your hosting provider; not under our direct control in all deployments.

4. Purposes & legal bases (GDPR)

We process personal data for the following purposes and on these bases:

  • Providing the Service (account, map, sync) — Art. 6(1)(b) GDPR (performance of a contract / steps prior to contract) or Art. 6(1)(f) (legitimate interests in operating the app).
  • Security & abuse prevention (sessions, rate limits, logs) — Art. 6(1)(f) legitimate interests.
  • Email magic links — Art. 6(1)(b) to deliver the sign-in you requested.
  • Optional analytics or marketing — only if the operator adds them later, typically Art. 6(1)(a) consent. This open-source deployment does not include advertising cookies by default.

5. Recipients & processors

Depending on configuration, data may be processed by:

  • Hosting & database (e.g. Render, Vercel, Fly, AWS, etc.) storing the application and PostgreSQL.
  • Email delivery (e.g. Resend HTTP API or local SMTP/Mailpit) for magic links.
  • Map & weather providers when your browser loads tiles or when our servers call forecast APIs (typically location coordinates without directly attaching your name to those calls).

We use written agreements with processors where required (Art. 28 GDPR) when we appoint them as sub-processors.

6. Transfers outside the EEA

If servers or subprocessors are located outside the European Economic Area, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions, as required by Chapter V GDPR.

7. Retention

We keep account and content data until you delete it or close your account, or until the operator removes an inactive deployment. Session tokens expire per Auth.js configuration (e.g. 30 days). Server logs follow the hosting provider's retention.

8. Your rights (GDPR)

Where GDPR applies, you may have the right to:

  • Access your personal data (Art. 15)
  • Rectification (Art. 16)
  • Erasure ("right to be forgotten") (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing based on legitimate interests (Art. 21)
  • Withdraw consent at any time, where processing is consent-based (Art. 7(3))
  • Lodge a complaint with a supervisory authority (Art. 77), e.g. in your country of residence

To exercise rights, contact the controller using the email above (when configured) or your operator's published support channel.

9. Cookies & similar technologies

The Service uses cookies or secure storage as needed for session management (e.g. NextAuth session cookie). These are typically strictly necessary for authentication. We do not use third-party advertising cookies in the default open-source build.

10. Children

The Service is not directed at children under 16. Do not provide personal data of children without appropriate consent under local law.

11. Changes

We may update this notice. We will adjust the "Last updated" date and, where required, provide additional notice.

Disclaimer: This text is a practical template for self-hosted and small-team deployments. It is not legal advice. Operators should have terms and privacy documents reviewed by qualified counsel for their jurisdiction, data flows, and hosting choices.

Related: Terms of use (EULA).