Privacy Policy
Last updated: March 13, 2026World Wake App ("WWA", "we", "us", or "our") operates a marketplace platform at wwa.app that connects riders with cable wakeparks. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Polish data protection law.
1. Data Controller
The data controller responsible for your personal data is World Wake App, operated at wwa.app. For any questions about data processing or to exercise your data subject rights, contact us at privacy@wwa.app.
2. Data We Collect
Account Data
When you create an account, we collect your name, email address, and optionally your phone number. If you sign up via a third-party provider (e.g., Google or Apple), we receive the profile information you authorize.
Booking Data
When you make a booking, we collect the selected wakepark, date, time slot, number of riders, and any waiver acceptance records.
Payment Data
Payments are processed by Stripe. We do not store your credit card numbers, CVV, or full card details on our servers. Stripe acts as an independent data controller for payment card data. We receive only a payment confirmation, transaction ID, and last four digits of your card.
Device and Usage Data
We automatically collect your IP address, browser type and version, operating system, device type, pages visited, time spent on pages, and referring URLs. This data helps us maintain security and improve the platform.
Communication Data
If you contact us via email or support channels, we store the content of your messages and any attachments to resolve your inquiry.
3. Purposes and Legal Bases for Processing
We process your personal data for the following purposes under the legal bases specified in GDPR Article 6(1):
Performance of contract (Art. 6(1)(b))
Creating and managing your account; processing bookings and payments; communicating booking confirmations, changes, and cancellations; sharing your name and email with wakepark operators to fulfill bookings.
Legitimate interest (Art. 6(1)(f))
Maintaining platform security and preventing fraud; analyzing usage patterns to improve the platform; sending transactional notifications (booking reminders, status updates); resolving disputes between users and wakepark operators.
Consent (Art. 6(1)(a))
Sending marketing newsletters and promotional communications (only when you opt in); placing analytics and marketing cookies on your device; processing UX analytics data (session recordings, heatmaps) via Microsoft Clarity.
Legal obligation (Art. 6(1)(c))
Retaining transaction records for tax and accounting purposes; responding to lawful requests from authorities; complying with data protection regulations.
4. Data Processors and Third-Party Services
We share your data with the following service providers (data processors) who process data on our behalf under data processing agreements:
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, user authentication, and file storage | EU region (Frankfurt) |
| Stripe | Payment processing via Stripe Connect (marketplace payments, payouts to wakepark operators) | United States / EU |
| Vercel | Website hosting and content delivery | Global edge network (EU and US nodes) |
| Sentry | Error monitoring and application performance tracking | United States |
| Google Analytics 4 (via Google Tag Manager) | Website analytics — page views, user journeys, conversion tracking | United States |
| Google Tag Manager | Tag management container for loading analytics scripts | United States |
| Microsoft Clarity | UX analytics — heatmaps, session recordings, scroll depth analysis | United States |
| Hotjar | UX analytics — heatmaps, session recordings, user feedback surveys | European Union (Malta) |
5. Data Shared with Wakepark Operators
When you make a booking, we share your name and email address with the relevant wakepark operator so they can fulfill your reservation. Wakepark operators are independent data controllers for the data they receive. Their use of your data is governed by their own privacy policies. We encourage you to review the privacy practices of any wakepark before booking.
7. Your Rights Under GDPR
Under GDPR Articles 15–22, you have the following rights regarding your personal data:
- Right of access (Art. 15) — You can request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — You can request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) — You can request deletion of your personal data, subject to legal retention obligations.
- Right to restriction (Art. 18) — You can request that we limit the processing of your data in certain circumstances.
- Right to data portability (Art. 20) — You can request your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — You can object to processing based on legitimate interest, including profiling.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@wwa.app. We will respond within 30 days of receiving your request.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:
- Account data — retained for the duration of your account plus 30 days after deletion request.
- Booking records — retained for 5 years after the booking date for legal and accounting purposes.
- Payment transaction records — retained for 5 years as required by tax regulations.
- Analytics data — aggregated and anonymized within 26 months.
- Support communications — retained for 2 years after resolution.
- Cookie consent records — retained for 12 months, after which we ask for your preferences again.
9. International Data Transfers
Some of our data processors are located outside the European Economic Area (EEA), primarily in the United States. For these transfers, we rely on EU Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions where applicable, and the EU-US Data Privacy Framework where the processor is certified. We ensure that all international transfers provide an adequate level of data protection as required by GDPR Chapter V.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS) and at rest, row-level security policies in our database, secure authentication with support for passkeys, regular security reviews, and access controls limiting data access to authorized personnel only.
11. Age Restriction
Our platform is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at privacy@wwa.app so we can delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our platform or sending you an email. The "Last updated" date at the top of this policy indicates when it was last revised. We encourage you to review this policy periodically.
13. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes data protection laws, you have the right to lodge a complaint with a supervisory authority. In Poland, the competent authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych — UODO), ul. Stawki 2, 00-193 Warsaw, Poland, website: uodo.gov.pl.
14. Contact
For any questions about this Privacy Policy or our data processing practices, please contact us at privacy@wwa.app.