Privacy Policy

How Finn handles your data — what we collect, what we do with it, what you can ask us to do about it.

Finn is a conversational surf forecast at heyfinn.surf. To work, Finn needs to know a bit about you and remember your conversations.

Finn is a web-based chat assistant at heyfinn.surf — you can chat in your browser or save Finn to your home screen as a Progressive Web App for one-tap access. A random session ID stored in your browser is how Finn recognises you and keeps your conversation continuous across visits. If you choose to share your phone number or email later, that becomes a more stable identifier across devices. Your messages run through Anthropic's Claude AI on a private commercial API account — Anthropic does not use your conversations to train their models. (Finn itself does use your data to get sharper at calling surf for you — see “What we use it for” below.) Finn also pulls weather and swell data from public forecast services, and may run a web search when researching a new spot. Everything you share with Finn is stored in our database on our servers. Subscriptions and payments, when they apply, are processed by Stripe.

What we collect

A random session ID generated by Finn for your browser, so we can remember you across visits.
If you choose to share it, your phone number or email (optional, useful for cross-device recognition and future delivery via WhatsApp / SMS / push notifications).
Your name, timezone, and surf preferences (boards you ride, your usual spots, skill level, conditions you go for).
The messages you send to Finn and the responses Finn gives back.
After surf sessions you may report what it was like — size, quality, wind, crowd, hazards, any observations — and we keep those reports.
If you grant browser notification permission, we store the subscription token required to send you push notifications.

What we use it for

Your data personalises your experience — every forecast, spot recommendation, and board pick is tuned to you individually. Your session reports, combined with reports from other surfers at the same spot, calibrate Finn's forecasts per break, surface hazards earlier, and build up the community knowledge that makes future calls sharper for everyone. We may also share anonymised, aggregated insights with partners such as surf brands, environmental organisations, or research groups — for example “X% of Illawarra surfers ride [brand of fish]” or “plastic-incident reports rose N% this summer”. These aggregated insights never identify you personally.

Sponsored recommendations

Finn may surface paid recommendations from partners — a local shaper when you ride a fish, a wetsuit brand suited to the water temperature you surf, a nearby surf school, a coffee spot near your local. These picks come from Finn matching what you've already shared against partner products. We never hand your data to outside advertisers or ad networks.

What we don't do

We don't sell your personal data. We don't share your name, phone number, email, or conversation history with any third party outside the operational service providers listed below. We don't feed your data to advertising networks, third-party trackers, or retargeting systems. We don't use third-party analytics cookies, pixels, web beacons, or cross-site tracking.

Who processes your data

A small set of operational services help Finn run, and they are the only third parties that touch your personal information. Your messages are processed by our AI engine, powered by Anthropic's Claude on a commercial API account — Anthropic does not train on your conversations (Finn does learn from your data itself, as described above). Your profile, conversations, and session reports are stored in our database, which runs on our hosting infrastructure (Supabase + Railway). When Finn fetches weather data or searches the web to research a new spot, those requests don't include any user identifiers — they're just coordinates or search queries. Subscription billing is handled by Stripe — when you pay, your card details go directly to Stripe and Finn never sees or stores your card number. Push notifications, when you opt in, are delivered via the Web Push standard — your browser's push service (Apple, Google, or Mozilla depending on your device) is the only party in that loop besides us.

How long we keep things

Conversation messages are kept on a rolling 30-day window and older messages are pruned automatically. Your profile, preferences, session reports, and any notification subscriptions are kept while your account is active. API usage logs are retained for cost tracking and service monitoring.

Your rights

Under the Australian Privacy Act, you can ask what data we hold about you, correct anything that's wrong (or just tell Finn in conversation), and delete your account and all personal data tied to it. The easiest path: tell Finn in chat and we'll handle it. When we delete an account, we remove all your personal data promptly. Any anonymised, aggregated insights already derived from past sessions (and no longer linked to you) will remain in the community knowledge base.

Browser storage

Local browser storage holds your session ID and a small number of product flags — whether you've installed the PWA, when you last chatted — so the app behaves consistently between visits.

Security

All traffic to heyfinn.surf is served over HTTPS with HSTS enforced. We use strict Content Security Policy headers to prevent script injection. Per-IP rate limiting protects shared infrastructure. Admin access uses Google OAuth and database-backed sessions.

Changes to this policy

If we materially change how we collect, use, or share data, we'll update this page and surface a notice in your next conversation with Finn so you know. We make non-material updates (clarifying language, fixing typos) silently.

Contact

The easiest contact channel is to ask Finn directly in chat.

Hey Finn · Built by surfers, for surfers · © 2026