Privacy Policy
Last updated: May 2026 · Compliant with the EU General Data Protection Regulation (GDPR)
Surfing Andaman ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This policy explains who we are, what data we collect, why we collect it, and what rights you have under the GDPR.
Data Controller: Surfing Andaman Ltd (in formation), Israel
Contact: [email protected] · +972 52-598-9624
What data we collect
| Data | When collected | Legal basis (GDPR Art. 6) |
|---|---|---|
| Full name, email, phone | Trip registration | Contract performance (Art. 6.1.b) |
| Age, surfing experience | Registration | Contract performance (Art. 6.1.b) |
| Dietary / medical requirements | Registration, with consent | Explicit consent (Art. 9.2.a) |
| Passport details | Post-booking | Contract performance (Art. 6.1.b) |
| IP address, pages visited | Automatic, site visit | Legitimate interest (Art. 6.1.f) |
| Marketing preferences | Opt-in only | Consent (Art. 6.1.a) |
We do not accept credit card payments — all payments are made by direct bank transfer. No payment card data is ever stored by us.
How we use your data
- Processing your booking and managing your trip
- Sending confirmations, itineraries, and trip updates
- Handling cancellation or amendment requests
- Improving our website (via Google Search Console — no cookies, no personal data)
- Direct marketing — only with your explicit prior consent
We will never sell, rent, or trade your personal data to any third party.
Who we share data with
Data is shared only with service providers directly involved in your trip:
- Beyond Oceans (India) — boat operator: name, group size, special requirements
- Ishika Resort (India) — accommodation: name, stay dates, dietary needs
- Visa agents (India) — passport details only, for Indian visa processing
- Cloudflare (USA/EU) — website hosting and security
International data transfers
To operate your trip, some personal data is transferred to service providers in India. India is not recognised by the European Commission as providing an adequate level of data protection.
We mitigate this by: limiting transfers to the minimum data strictly necessary; using written data-processing agreements with our suppliers; and applying organisational safeguards to prevent unauthorised use.
By booking with us you acknowledge this transfer as necessary for the performance of your contract. You may withdraw consent at any time — see your rights below.
Cookies
This site uses only strictly necessary cookies required for basic functionality (language preferences, Cloudflare security). We do not use Google Analytics, advertising cookies, or any third-party tracking. No cookie consent banner is required.
How long we keep your data
| Data type | Retention period |
|---|---|
| Trip booking records | 7 years (accounting obligations) |
| Marketing correspondence | Until consent is withdrawn |
| Medical / dietary information | Deleted within 30 days of trip end |
| Website logs (IP, pages) | Up to 12 months |
Your rights under the GDPR
Access (Art. 15)
Request a copy of the personal data we hold about you.
Rectification (Art. 16)
Ask us to correct inaccurate or incomplete data.
Erasure (Art. 17)
Ask us to delete your data where there is no compelling reason to continue processing it.
Restriction (Art. 18)
Request that we limit how we use your data in certain circumstances.
Portability (Art. 20)
Receive your data in a structured, machine-readable format.
Object (Art. 21)
Object to processing based on legitimate interests, including direct marketing.
Withdraw consent
Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
Lodge a complaint
Complain to your local supervisory authority if you believe we have mishandled your data.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
How to opt out of marketing
You can withdraw marketing consent at any time by:
- Clicking the unsubscribe link in any email we send
- Emailing [email protected]
- WhatsApp message to +972 52-598-9624
Opting out of marketing does not affect service communications related to your booking.
Supervisory authority
If you are not satisfied with our response, you have the right to lodge a complaint with the data protection authority in your EU member state of residence. A list of national supervisory authorities is available at edpb.europa.eu.
Changes to this policy
We may update this policy from time to time. Material changes will be posted on this page with at least 14 days' notice. The "Last updated" date at the top of this page indicates when the policy was last revised.