Short version: GFL doesn't collect, transmit, or sell your personal information. Your league data is stored on your device and synced privately through your own iCloud account using Apple's CloudKit. Nobody (not us, not third parties) has access to it.
1. Who we are
GFL (Ghost Fantasy League Surf) is an unofficial fan-built iOS app for private friend-group fantasy CT surfing leagues. The app is operated by Ghost Fingers, an independent California-based surf-data project. GFL is not affiliated with the World Surf League or any event sponsor.
Contact: [email protected]
2. Data we do NOT collect
GFL is built around the principle that the friend group's data is theirs. We do not collect, transmit, or have visibility into:
- Your name, email, phone number, address, or any contact information
- Your iCloud account identifier or Apple ID
- Your league activity, picks, scores, wagers, or chat
- Advertising IDs, marketing analytics, or behavioral profiling of any kind
- Your location, photos, microphone, camera, contacts, or health data
What about crash reports?
GFL uses Sentry for anonymous crash and performance diagnostics. When the app crashes or hits a performance issue, Sentry sends Sentry's servers: the call stack, the device model and OS version, app version, locale, and an anonymous hashed device identifier (not your Apple ID or iCloud identifier). No league data, no roster picks, no scores, no personal information.
Crash reporting is opted in by default and can be turned off any time in Settings › Privacy. Sentry's own privacy policy is at sentry.io/privacy.
3. Data your device handles locally
GFL stores the following on your device only, never transmitted to GFL or any third party:
- League state: league name, member identifiers (CloudKit user record IDs from your own iCloud account), commissioner role, season year, custom rules.
- Your roster picks: which CT surfers you drafted per event, your StokeJuice (2× multiplier) selection, lock timestamp.
- Wager ledger: friendly side-bet records (Space Cash, fictional currency) tracking who owes whom. Settlement happens outside the app (Venmo, group thread, beers).
- Notification preferences: per-device toggle state for lock-countdown reminders and heat alerts.
- Team profile: your chosen avatar emoji, display name, and accent color (per device).
4. CloudKit (Apple's iCloud sync)
GFL uses Apple's CloudKit framework to sync league data privately between members of the same league. CloudKit is operated by Apple under Apple's Privacy Policy. GFL has no access to your CloudKit data, no ability to read records on your behalf, and no server-side infrastructure that touches your data.
What syncs through CloudKit:
- League records (private to your friend group)
- Roster picks (visible to other league members only after roster lock per league rules)
- Score entries (commissioner-curated)
- Wager ledger entries (visible only to the two parties of each bet, plus the commissioner)
All CloudKit access uses Apple's "private database" scope, never the "public database." Even Apple cannot read the contents of your private CloudKit container.
5. Third-party services
GFL integrates with the following external sources:
Open-Meteo (weather + surf forecast)
For event-venue conditions, GFL fetches public surf forecast data from Open-Meteo, a free open-source weather API. Requests include only the venue's latitude/longitude (publicly available CT data). No user-identifying information is sent. Open-Meteo is licensed under CC-BY 4.0.
World Surf League (CT scores + schedule)
GFL displays publicly available WSL CT scoring data and event schedules. GFL is not affiliated with, sponsored by, or endorsed by the World Surf League. This is a fan-built unofficial app.
6. App Privacy Manifest
GFL ships an Apple Privacy Manifest (PrivacyInfo.xcprivacy) declaring zero data collection and only the following Apple "required reason" API uses:
- UserDefaults: for storing your local preferences (notification toggles, onboarding state) on this device only.
- FileTimestamp: for SwiftData's local file management.
- SystemBootTime: for sync-cadence calculations.
- DiskSpace: for SwiftData's storage management.
7. Children's privacy
GFL is not directed to children under 13. GFL collects no personal information from anyone, regardless of age.
8. Your rights
Because GFL stores everything in your own iCloud account, you have full control:
- Access: view all data via the app's Profile tab.
- Deletion: delete the app from your device to remove local copies. To delete CloudKit-synced data, sign in to iCloud.com → Settings → Manage Storage → GFL → Delete Documents and Data.
- Portability: league data can be exported by the commissioner via the Commissioner tab (V1.1+ feature).
- Right to be forgotten (CCPA, GDPR): since GFL stores nothing on our servers, "deletion from our records" is automatic. There's nothing to delete.
9. California privacy (CCPA)
For California residents under the California Consumer Privacy Act:
- We do not sell or share personal information for cross-context behavioral advertising.
- We do not collect any of the categories of personal information listed in CCPA §1798.140.
- You have the right to know, delete, correct, and opt-out, though as noted above, none of these apply because we collect nothing.
10. Future changes
If GFL adds features that change this policy (e.g., paid subscriptions, third-party advertising, analytics), we will:
- Update this page with a new "Last updated" date
- Surface the change in-app via the Settings → About section
- Require explicit opt-in before collecting any new data category
11. Reporting concerns
To report a privacy concern, request data removal, file a DMCA notice, or request athlete name removal: [email protected].
For DMCA takedown notices, GFL's registered DMCA agent is on file with the U.S. Copyright Office (copyright.gov/dmca-directory).