Privacy policy

Last updated: 19.05.2026

Thank you for your interest in KitesurfingOfficial. Protecting your personal data is important to us. This Privacy Policy explains what personal data we process, for what purposes, on what legal basis and what rights you have.

This Privacy Policy applies to kitesurfingofficial.com and the related features, including the spot map, community, forum, user profiles, journal, tools, clip submissions, partner inquiries, newsletter and administrative functions.

1. Controller

The controller responsible for data processing on this website is:

Philip Heuhserer
operating under the name KitesurfingOfficial
Niedermayerstraße 5
81679 Munich
Germany

Email: philip@kitesurfingofficial.com

2. General Information on Data Processing

We process personal data only where necessary to provide this website, operate its features, manage user accounts, publish content, respond to inquiries, ensure platform security or where you have given your consent.

Personal data means any information relating to an identified or identifiable natural person. This may include your name, email address, username, profile image, IP address, technical access data, forum posts, uploaded content, contact requests or other information you voluntarily provide.

3. Legal Bases for Processing

We process personal data in particular on the following legal bases:

Art. 6(1)(a) GDPR
where you have given consent, for example for optional cookies, newsletters or certain third-party content.

Art. 6(1)(b) GDPR
where processing is necessary for the performance of a contract or pre-contractual measures, for example user accounts, community features, partner inquiries or clip submissions.

Art. 6(1)(c) GDPR
where we are legally required to process data.

Art. 6(1)(f) GDPR
where processing is necessary for our legitimate interests or the interests of third parties, such as technical security, abuse prevention, spam protection, error analysis, platform stability or permitted audience measurement.

4. Hosting and Technical Operation

Our website is provided through technical service providers. In this context, technical data necessary for operation, security and delivery of the website may be processed.

This may include:

  • IP address
  • date and time of access
  • requested URL
  • referrer URL
  • browser type and version
  • operating system
  • device type
  • language settings
  • transmitted data volume
  • technical errors and log data

This data is processed to provide the website, detect attacks, analyze errors, prevent abuse and ensure platform stability.

Legal basis: Art. 6(1)(f) GDPR

Technical service providers

We use in particular:

  • Lovable – for development, hosting and delivery of the website and certain server functions.
  • Supabase – for database storage, user accounts, authentication, community posts, spot data, profile information, moderation data and administrative functions.
  • Cloudflare – for delivery, security, performance optimization and protection of the website.

Depending on the technical configuration, data may be processed on servers within or outside the European Union. Where required, appropriate safeguards are used, including standard contractual clauses or comparable protection mechanisms.

5. Server Log Files

When you visit our website, server log files are automatically processed. These are technically necessary to deliver the website and ensure security and stability.

Log files may include:

  • IP address
  • time of access
  • requested page
  • browser and operating system
  • referrer
  • status codes
  • error messages
  • technical access information

These data are not combined with other data sources unless necessary for security analysis or abuse prevention.

Legal basis: Art. 6(1)(f) GDPR

6. Cookies and Similar Technologies

Our website uses cookies and similar technologies. Cookies are small files stored on your device. Similar technologies may include local storage, session storage or comparable storage technologies.

We distinguish between:

Essential Cookies and Technologies

These are necessary for the website to function. They may include:

  • login status
  • language settings
  • security settings
  • cookie consent status
  • session management
  • technical platform functions

These technologies are required for the operation of the website.

Legal basis: Art. 6(1)(f) GDPR
Legal basis for access to your device: Section 25(2) TDDDG

Optional Cookies and Technologies

Optional cookies and technologies are only used if you have given consent. These may include:

  • analytics cookies
  • marketing cookies
  • external media
  • tracking technologies
  • statistics functions
  • embedded third-party content

Legal basis: Art. 6(1)(a) GDPR
Legal basis for access to your device: Section 25(1) TDDDG

You can change or withdraw your consent at any time via the Cookie Settings link in the footer.

7. Cookie Banner and Consent Management

When you first visit the website, we show you a cookie banner. There you can decide whether to allow only essential technologies or also optional services.

You can:

  • accept optional cookies
  • reject optional cookies
  • customize your selection
  • change your selection later

Optional services are activated only after you have given consent.

8. User Account and Registration

If you create a user account, we process the data necessary to create and manage your account.

This may include:

  • email address
  • username
  • password or authentication data
  • profile image
  • display name
  • bio
  • Instagram handle
  • language settings
  • saved spots
  • posts
  • comments
  • upvotes
  • gamification data
  • XP points
  • badges
  • account status
  • time of registration
  • login data
  • email verification status

The processing is carried out to provide your account, attribute your posts, enable community features, prevent abuse and operate the platform securely.

Legal basis: Art. 6(1)(b) GDPR
For security and abuse prevention: Art. 6(1)(f) GDPR

9. Public Profiles

If you use a public profile or publish content, certain information may be publicly visible.

This may include:

  • username
  • display name
  • profile image
  • bio
  • public posts
  • comments
  • badges
  • public activity
  • voluntarily provided social handles

The following are not publicly displayed by default:

  • email address
  • birthday
  • newsletter status
  • internal admin notes
  • private account data
  • security information

You should not publish personal data that you do not want to be publicly visible.

10. Forum and Community Features

On KitesurfingOfficial, you can use community features such as forum posts, comments, upvotes, reactions, profiles and discussions.

We may process:

  • published posts
  • comments
  • reactions
  • upvotes
  • reported content
  • moderation status
  • timestamps
  • user attribution
  • technical security data

Public posts and comments may be viewed by other users. Depending on indexation settings, public content may also be indexed by search engines. Content that we consider unsuitable, spammy, unlawful or against our rules may be moderated, hidden or deleted.

Legal basis: Art. 6(1)(b) GDPR
For moderation, security and abuse prevention: Art. 6(1)(f) GDPR

11. Automated YouTube Forum Posts

We may automatically publish videos from YouTube channels approved by us as forum posts. In this context, publicly available video information may be processed, including:

  • video title
  • video description
  • video link
  • thumbnail
  • channel name
  • publication date
  • video ID

These contents originate from publicly accessible YouTube channels and are embedded or referenced on KitesurfingOfficial for community information and discussion. In some cases, video descriptions may be cleaned or linguistically adjusted to remove links, hashtags or irrelevant elements.

Legal basis: Art. 6(1)(f) GDPR

12. AI-Assisted Text Processing

For certain functions, we may use AI-assisted systems, for example to clean, summarize or rewrite publicly available YouTube descriptions into neutral forum text.

This may involve the processing of:

  • video title
  • cleaned video description
  • channel name
  • public metadata
  • texts entered by admins

We do not use AI to create sensitive user profiles or make automated decisions with legal effect. AI outputs may be reviewed, edited or removed by admins.

If external AI services are used, the content required for the respective processing may be transmitted to the provider.

Legal basis: Art. 6(1)(f) GDPR
Where consent is required: Art. 6(1)(a) GDPR

13. Spot Map, Spot Data and Spot Contributions

Our spot map displays kitesurf spots, descriptions, coordinates, wind information, season recommendations, level, water conditions, facilities, hazards, photos and community contributions.

If you save spots, suggest edits, submit photos or report errors, we may process:

  • user ID
  • contribution or edit suggestion
  • uploaded or linked content
  • timestamps
  • moderation status
  • technical metadata
  • coordinates or location information where applicable

Spot-related content may be displayed publicly after review. Contributions may be reviewed, approved, edited or rejected.

Legal basis: Art. 6(1)(b) GDPR
For quality assurance, moderation and abuse prevention: Art. 6(1)(f) GDPR

14. Mapbox Maps

Our website may use Mapbox map services to display kitesurf spots and geographic information.

When the map is loaded, technical information may be transmitted to Mapbox, such as:

  • IP address
  • device information
  • browser data
  • map tiles and map interactions
  • approximate location or map viewport data

We use Mapbox to provide an interactive spot map.

Legal basis: Art. 6(1)(f) GDPR

Where Mapbox uses optional technologies beyond what is necessary or sets cookies requiring consent, this will be handled according to your cookie settings where required.

15. YouTube Videos and Embedded Content

Our website may embed or link YouTube videos. If you play an embedded YouTube video or load a page with embedded video content, data may be transmitted to YouTube or Google.

This may include:

  • IP address
  • device information
  • browser information
  • visited page
  • video ID
  • interactions with the video
  • cookies or similar technologies where applicable

Where possible, we use privacy-friendly embedding methods, such as enhanced privacy mode or a two-click solution. Nevertheless, YouTube may process data once content is loaded or played.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Legal basis: Art. 6(1)(a) GDPR where consent is required
For simple links: Art. 6(1)(f) GDPR

16. Contact

If you contact us by email, contact form or other communication channels, we process your information to handle your request.

This may include:

  • name
  • email address
  • message
  • subject
  • company or brand
  • social media profile
  • technical metadata
  • communication history

The data is used to answer your inquiry, ask follow-up questions and document communication.

Legal basis: Art. 6(1)(b) GDPR where communication relates to contractual or pre-contractual matters
Otherwise: Art. 6(1)(f) GDPR

17. Partner Inquiries and Collaborations

If you submit a partner inquiry, we process the data you provide to assess a possible collaboration.

This may include:

  • name
  • email address
  • company
  • website
  • social media channels
  • message
  • budget or project information
  • communication history

Legal basis: Art. 6(1)(b) GDPR
Where processing is necessary for internal review and documentation: Art. 6(1)(f) GDPR

18. Submit Your Clip

If you submit a video link through “Submit Your Clip”, we process the data necessary to review and potentially publish the submission.

This may include:

  • name or rider name
  • Instagram handle
  • email address
  • cloud link
  • video description
  • spot
  • rider credit
  • rights confirmation
  • communication history
  • admin review status

We use this data to review your submission, contact you in case of questions, include credit information and potentially publish the content on KitesurfingOfficial channels.

As part of the submission, you confirm that you have the necessary rights and grant us the usage rights described in the submission form.

Legal basis: Art. 6(1)(b) GDPR
For evidence, rights review and abuse prevention: Art. 6(1)(f) GDPR

19. Newsletter

If you subscribe to our newsletter, we process your email address and any other voluntary information to send you updates, content, community news or information about KitesurfingOfficial.

Subscription is based on your consent. Where used, we apply a double opt-in process, in which you confirm your subscription by email.

This may involve:

  • email address
  • time of subscription
  • IP address at subscription
  • confirmation time
  • newsletter status
  • unsubscribe status

You can unsubscribe from the newsletter at any time.

Legal basis: Art. 6(1)(a) GDPR

20. Gamification, XP and Badges

If you use a user account, we may record certain activities to provide gamification features.

This may include:

  • forum posts
  • comments
  • upvotes
  • spot contributions
  • photo submissions
  • profile completion
  • XP points
  • levels
  • badges
  • post reach
  • public or private gamification settings

These features help display community contributions and make user activity more visible.

Legal basis: Art. 6(1)(b) GDPR
For community development and platform improvement: Art. 6(1)(f) GDPR

21. Admin Functions and Moderation

To manage the platform, we process data in the admin area. This may include:

  • user accounts
  • public profiles
  • posts
  • comments
  • reported content
  • spot edits
  • clip submissions
  • moderation decisions
  • audit logs
  • technical errors
  • security events

Admin access is protected and logged to prevent abuse and operate the platform securely.

Legal basis: Art. 6(1)(f) GDPR
Where legal obligations apply: Art. 6(1)(c) GDPR

22. Security Measures

We use technical and organizational measures to protect personal data from loss, misuse, unauthorized access, alteration or disclosure.

These include in particular:

  • access restrictions
  • authentication
  • role and permission concepts
  • encrypted transmission via HTTPS
  • server-side security checks
  • database security rules
  • moderation and reporting functions
  • logging of security-relevant events

23. Retention Period

We store personal data only for as long as necessary for the respective purposes or as required by statutory retention obligations.

In general:

  • contact requests are stored as long as necessary to process and document the request
  • user accounts are stored as long as the account exists
  • public posts remain visible until deleted, anonymized or moderated
  • admin logs are stored for an appropriate period for security and accountability
  • newsletter data is stored until you unsubscribe or withdraw consent
  • consent data is stored to document your choices
  • legally relevant data is stored according to statutory obligations

If your account is deleted, public contributions may be deleted, anonymized or disconnected from your account where legally permissible and technically possible.

24. Disclosure of Data

We disclose personal data only where necessary, where a legal basis exists or where you have given consent.

Recipients may include:

  • hosting and infrastructure providers
  • database and authentication providers
  • email and communication service providers
  • map providers
  • video platforms
  • AI service providers
  • analytics providers where used and consented to
  • legal advisors, tax advisors or authorities where required

We do not sell your personal data.

25. International Data Transfers

Some providers may process data outside the European Union or the European Economic Area, particularly in the United States.

Where such transfers occur, they are based on appropriate safeguards, in particular:

  • adequacy decisions
  • EU standard contractual clauses
  • additional safeguards
  • consent where required

When using certain third-party services, access by authorities in third countries cannot be excluded.

26. Analytics and Audience Measurement

Where we use analytics tools, they help us understand website usage, identify technical issues, improve content and further develop the platform.

This may involve:

  • page views
  • session duration
  • click paths
  • device data
  • browser data
  • approximate location
  • referrer
  • technical IDs

Analytics tools are only used if they are configured in a privacy-compliant way and, where required, based on your consent.

Legal basis: Art. 6(1)(a) GDPR where consent is required
Otherwise: Art. 6(1)(f) GDPR

27. Social Media Links

Our website contains links to social media platforms, such as Instagram, YouTube, TikTok or similar services.

When you click such a link, you leave our website. The respective platform provider is responsible for data processing on that platform.

28. Shopify Shop

Our shop may be operated under shop.kitesurfingofficial.com. If you visit or purchase through the shop, the privacy information of the shop and the respective payment, shipping and e-commerce service providers also applies.

The main website kitesurfingofficial.com and the shop may be technically separate areas. When you click shop links, you will be redirected to the shop subdomain.

29. Children and Minors

Our website is not specifically directed at children under the age of 16. If you are under 16, you should provide personal data only with the consent of your parents or legal guardians.

30. Your Rights

Under the GDPR, you have in particular the following rights:

  • right of access to your stored personal data
  • right to rectification of inaccurate data
  • right to erasure
  • right to restriction of processing
  • right to data portability
  • right to object to certain processing
  • right to withdraw consent
  • right to lodge a complaint with a supervisory authority

If you have given consent, you can withdraw it at any time with effect for the future. The lawfulness of processing before withdrawal remains unaffected.

31. Right to Object to Processing Based on Legitimate Interests

If we process personal data based on Art. 6(1)(f) GDPR, you have the right to object at any time on grounds relating to your particular situation.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds or the processing serves the establishment, exercise or defense of legal claims.

32. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates data protection law.

You may contact the supervisory authority responsible for your place of residence or the authority responsible for us.

For Bavaria, this is usually:

Bayerisches Landesamt für Datenschutzaufsicht
Promenade 18
91522 Ansbach
Germany
Website: https://www.lda.bayern.de

33. Requirement to Provide Data

Providing certain personal data is necessary if you want to use specific functions.

Examples:

  • email address for a user account
  • login data for community features
  • contact information for inquiries
  • rights confirmation for clip submissions

If you do not provide this data, we may not be able to offer the respective function.

34. Automated Decision-Making

Automated decision-making within the meaning of Art. 22 GDPR does not take place.

35. Changes to this Privacy Policy

We may update this Privacy Policy if our website, features, service providers or legal requirements change.

The current version is always available on this website.