Privacy Policy

Effective date: May 2026 · Last updated:

This document is a template and should be reviewed by a qualified legal professional.

1. Introduction

How's The Spot ("we", "us", "our") is operated by How's the Spot, an Australian-based organisation providing snorkeling condition forecasts, community features, and marine wildlife information for Australian snorkeling spots. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at howsthespot.com (the "Service").

Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the Service. By using the Service, you consent to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address and display name. Passwords are stored as bcrypt hashes and cannot be read in plain text by anyone, including our staff. We also record your access level and last login timestamp for security and administrative purposes.

2.2 Location Data

We collect and display geographic coordinates (latitude and longitude) for snorkeling spots listed on our platform. If you contribute community reports or proposed edits, the location information you submit (such as spot coordinates or user-submitted locations) is stored and displayed publicly. We do not track your real-time device location unless you explicitly provide it.

2.3 User-Generated Content

When you submit community reports or proposed edits to spot content, we store the information you provide, including:

  • Report title, content, and images
  • Visit date and condition ratings
  • Proposed content changes (old and new content stored as JSON)
  • Your user ID associated with the submission

2.4 Usage Analytics

We collect anonymised usage analytics to understand how visitors interact with our Service. This data includes page paths, referrers, and user agent strings — all of which are hashed using SHA-256 before storage. We do not collect raw personally identifiable information (PII) through our analytics system. Session identifiers are also hashed to prevent tracking of individual users.

2.5 Waitlist Data

If you join a waitlist, we collect your email address. Waitlist entries record the source page and relevant spot slug.

2.6 Spam Prevention Data

To protect against spam and automated abuse, we record CAPTCHA verification results including your user ID (if logged in) and IP address. This data is used solely for security purposes and is periodically purged.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service — Delivering snorkeling condition forecasts, marine wildlife data, and community features
  • Community Features — Displaying your community reports, proposed edits, and user profile information
  • Analytics — Understanding usage patterns to improve the Service (anonymised data only)
  • Spam Prevention — Using CAPTCHA verification and IP logging to prevent automated abuse
  • Account Management — Authenticating users, managing access levels, and maintaining account security
  • Communication — Responding to your inquiries and providing service-related notifications

4. Legal Basis for Processing

We process your personal data under the following legal bases:

  • Consent — Where you have given explicit consent, such as accepting analytics cookies
  • Contractual Necessity — Where processing is necessary to provide the Service you have requested, such as account creation and content submission
  • Legitimate Interest — Where processing is necessary for our legitimate interests, such as spam prevention, security monitoring, and service improvement, provided your rights and freedoms are not overridden
  • Legal Obligation — Where processing is required to comply with applicable laws and regulations

5. Third-Party Services

We use the following third-party services to operate our platform. We only share the minimum data necessary for each service to function:

Open-Meteo API

Weather and marine forecasts. We send latitude and longitude coordinates only — no personal information is transmitted.

Overpass API (OpenStreetMap)

Coastline and geographic data. We send bounding box coordinates only — no personal information is transmitted.

iNaturalist API

Wildlife species observation data. We send latitude, longitude, and search radius only — no personal information is transmitted.

Resend

Transactional email delivery. We share recipient email addresses and email content necessary to deliver notifications you have requested.

S3-Compatible Storage

User-uploaded images (community report photos). Images you upload are stored in our object storage and displayed on the platform.

Altcha

Proof-of-work CAPTCHA verification. Used to prevent automated spam submissions. Verification results are processed locally where possible.

Prometheus & Grafana

Internal infrastructure monitoring. These tools operate within our infrastructure and do not process personal information.

We do not sell, trade, or rent your personal information to third parties. We do not share your personal information with third parties for their own marketing purposes.

6. Data Retention

We retain your personal data only for as long as necessary:

  • Analytics Data — Anonymised analytics records are retained for 90 days, after which they are automatically purged
  • Account Data — Retained until you request deletion of your account, subject to the 30-day grace period described below
  • CAPTCHA/IP Data — IP addresses collected for spam prevention are retained only until they are periodically purged
  • Community Content — When an account is deleted, associated community content (reports, edits) is anonymised rather than deleted, to preserve the integrity of community contributions
  • Waitlist Data — Retained until you request deletion

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you
  • Correction — Request correction of inaccurate or incomplete personal data
  • Deletion — Request deletion of your personal data, subject to our retention obligations
  • Data Portability — Request your personal data in a structured, machine-readable format
  • Objection — Object to the processing of your personal data based on legitimate interests
  • Restriction — Request restriction of processing in certain circumstances
  • Withdrawal of Consent — Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing prior to withdrawal

Australian Privacy Act 1988: If you are an Australian resident, you have rights under the Privacy Act 1988 (Cth), including the right to access and correct your personal information, and to make a complaint to the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached.

GDPR: If you are in the European Economic Area, you have rights under the General Data Protection Regulation (GDPR). You may lodge a complaint with your local supervisory authority.

To exercise any of these rights, please contact us using the details provided in Section 14.

8. Cookies

We use cookies and similar tracking technologies to enhance your experience on our Service. Our cookie consent banner allows you to control which categories of cookies you accept. Essential cookies are always active as they are necessary for the Service to function.

For detailed information about the cookies we use, please see our Cookie Policy. You can manage your cookie preferences at any time via our Privacy Preferences page.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data:

  • Password Hashing — All passwords are hashed using bcrypt, an industry-standard adaptive hashing algorithm
  • Authentication Tokens — JSON Web Tokens (JWTs) are used for session management with appropriate expiration
  • Content Sanitisation — All user-submitted content is sanitised to prevent cross-site scripting (XSS) attacks
  • Security Headers — HTTP security headers are configured to protect against common web vulnerabilities
  • Infrastructure Hardening — Our services run in Docker containers with security hardening applied
  • Encryption in Transit — All data transmitted between your browser and our servers is encrypted using TLS

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

10. Account Deletion

You may request deletion of your account at any time by contacting us. Upon receiving your request:

  • Your account enters a 30-day grace period during which you can change your mind and restore your account
  • After the grace period, your account and associated personal data are permanently deleted
  • Community content you have contributed (reports, proposed edits) is anonymised rather than deleted, to preserve the integrity of community contributions
  • Your email address is removed from all waitlists

11. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us immediately.

12. International Users

How's The Spot is operated from Australia. If you are accessing the Service from outside Australia, please be aware that your information may be transferred to, stored in, and processed in Australia. By using the Service, you consent to the transfer of your information to Australia and acknowledge that data protection laws in Australia may differ from those in your country of residence.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. For significant changes, we will provide notice through the Service or by other appropriate means. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:

How's the Spot

Email: [email protected]

We will endeavour to respond to your request within 30 days. In some cases, we may need to verify your identity before processing your request.