Privacy Policy

Last updated: [DATE]

This Privacy Policy explains how [LEGAL NAME / COMPANY] (“Wave Atlas”, “we”, “us”, “our”) collects, uses, and shares personal data when you visit thewaveatlas.com (the “Website”) and when you contact us or submit a trip request.

1) Who is the Data Controller?

  • Controller: [LEGAL NAME / COMPANY]

  • Business address: [FULL ADDRESS]

  • Email: [CONTACT EMAIL]

  • Privacy email (if different): [PRIVACY EMAIL]

  • Company/VAT ID: [ID NUMBER]

2) What personal data we collect

Depending on how you use the Website, we may collect:

  • Identity & contact data: name, surname, email, phone number.

  • Trip request data: destination interest, travel dates, group details, surfing level/preferences, and any information you include in your message.

  • Communication data: content of messages you send via forms, email, WhatsApp, or social media.

  • Technical & usage data: IP address, device/browser information, cookie identifiers, and analytics data (only if enabled and accepted).

We do not intentionally collect special categories of data (e.g., health). Please avoid sharing sensitive data.

3) Why we use your data (purposes) and legal bases

We process personal data for the following purposes:

  • A. To respond to inquiries and trip requests

    Legal basis: consent and/or steps prior to entering into a contract.

  • B. To manage bookings or provide services you request (planning, coordination, logistics, and communications related to the trip/experience)

    Legal basis: performance of a contract and/or pre-contractual steps.

  • C. Administration, invoicing, and legal compliance (if you become a customer)

    Legal basis: legal obligation and/or contract performance.

  • D. Website analytics and improvement (e.g., understanding how the Website is used)

    Legal basis: consent (cookie-based analytics only).

  • E. Marketing communications (newsletters, new trips, offers)

    Legal basis: consent. You can unsubscribe at any time.

4) How long we keep your data

Inquiries/trip requests: as long as needed to handle your request, then for applicable limitation periods.

Customer data: for the duration of the relationship and as required by tax/accounting laws.

Marketing: until you unsubscribe or withdraw consent.

Cookies: as described in the Cookie Policy.

5) Who we share data with

We may share data with:

  • Service providers (processors): hosting, email, forms/CRM, analytics, and other tools that support our operations.

  • Trip partners/suppliers: accommodations, local operators, transport providers, or guides, only when necessary to deliver the requested service.

  • Authorities: when legally required.

  • All processors act under appropriate agreements and instructions.

6) International data transfers

Some providers may process data outside the European Economic Area. Where applicable, we rely on recognized safeguards (e.g., Standard Contractual Clauses) or other lawful mechanisms under GDPR.

7) Your rights (GDPR)

If you are in the EEA/UK, you may have the right to:

  • access, rectify, erase your data

  • object to processing

  • restrict processing

  • data portability

  • withdraw consent at any time (where processing is based on consent)

  • To exercise your rights, email [PRIVACY EMAIL] with your request and sufficient information to verify your identity.

  • You also have the right to lodge a complaint with your local data protection authority (in Spain, the AEPD).

8) Security

We use reasonable technical and organizational measures to protect personal data. No method of transmission is 100% secure, but we work to protect your information.

9) Children

The Website is not intended for children under 18. If you believe a minor has provided us data, please contact us to remove it.

10) Changes to this policy

We may update this policy from time to time. The “Last updated” date will reflect the latest version.