Privacy Policy
Last updated: 27 April 2026
The member portal is shared by SFK and SYD — two non-profit Swedish skydiving sports clubs, both affiliated with the Swedish Skydiving Federation. Membership in either club is open to qualified skydivers; applications are made via the respective club websites at skydiveskane.se and skydivesyd.se.
This privacy policy describes how the clubs handle your personal data when you use the member portal — the website at medlemsportal.hew.dev and the iOS / Android apps (collectively "the service"). The service is a community tool for members and approved guests of either club.
We comply with the EU General Data Protection Regulation (GDPR) and the Swedish Data Protection Act.
1. Data controller
The respective club whose membership you applied through is the data controller for your personal data processed in the service. For data-related questions, contact the club board — contact details are on the club websites linked above.
2. What data we collect
Data you provide at registration
- Name, email address, phone number
- Skydiving license (number + letter, e.g. "B-12345")
- Ratings (AFF instructor, Tandem instructor, etc.) you mark yourself
- Optional profile data: bio, location, profile picture, home dropzone
Data you create in the service
- Jump logs (date, altitude, freefall time, dropzone, notes, participants)
- RSVPs to jump days (yes/maybe/no + times)
- Comments and messages
- Signatures (your digital handwritten signature when signing other people's jumps)
- Equipment data (canopies, containers, AADs with repack dates)
Data created automatically
- Account ID (a unique identifier we assign to your account)
- Sign-in dates, IP address at sign-in (for security logs)
- Push notification token if you allow notifications
- Technical error logs (without personal info where possible)
Data from Apple/Google for social sign-in
If you sign in with Apple or Google, they share your email and name with us. Apple's "Hide my email" feature is supported — in that case we receive a relay address that forwards to your real one.
3. How we use your data
| Purpose | Legal basis |
|---|---|
| Provide the service (jump logs, calendar, messages) | Contract with the club |
| Send push notifications about jump days you've RSVP'd to | Contract / legitimate interest |
| Verify signatures on logged jumps for federation requirements | Legal obligation (Swedish Skydiving Federation) |
| Improve and secure the service | Legitimate interest |
| Marketing club events to members | Legitimate interest |
We never share your data with external parties for marketing.
4. Where your data is stored
The service runs on two EU-based providers:
- Supabase (Frankfurt region) — database, authentication, file storage (profile pictures, signatures)
- Vercel (EU region) — web server for the portal
For push notifications:
- Apple Push Notification Service (APNs) for iOS
- Firebase Cloud Messaging (FCM, Google) for Android
Push providers (APNs, FCM) only receive an opaque device token paired with the notification text — they never see who you are. The portal itself stores the token alongside your account ID so we can target the right device when sending.
5. How long we keep data
| Data | Retention |
|---|---|
| Account + profile | As long as you're a member, or until you delete your account |
| Jump logs | 10 years (federation requirement) — your name is replaced with a placeholder if you delete your account |
| Signatures on other people's jumps | Permanent (verifiability of history) — name at signing time is preserved |
| Security logs | 90 days |
| Inactive account | Anonymised after 24 months without sign-in |
6. Your rights
As a data subject, you have the right to:
- Access your data (request a logbook export from inside the app)
- Correct inaccurate data directly in Settings → Profile
- Delete your account via Settings → Delete account or
medlemsportal.hew.dev/delete-account. Personal data is scrubbed immediately; logbook records are retained in anonymised form due to federation requirements. - Object to processing based on legitimate interest
- Complain to the Swedish Authority for Privacy Protection (IMY) if you believe we've mishandled your data
7. Cookies and similar technologies
We use strictly necessary cookies for sign-in and language preference. No marketing or tracking cookies are used.
8. Children
The service is not intended for children under 13. Skydiving membership requires national age rules (usually 16 or older).
9. Security
- All traffic is encrypted with TLS 1.2 or higher
- Passwords are stored hashed using industry standards (bcrypt via Supabase Auth)
- Only club administrators can view other members' private data
- Data you share via the service may be visible to other members — but only members with approved accounts
10. Policy changes
For significant changes we'll show a notice inside the app. Minor updates (e.g. clarifications) are made without separate notice, but the date at the top is always updated.