Privacy Policy
Last updated: March 17, 2026
DivePass ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application, website, and related services (collectively, the "Service").
Data Controller
The data controller responsible for your personal data is:
DivePass
Information We Collect
Account Information
Email address, optional profile details (name, certification level), and authentication credentials managed through our authentication provider.
Dive Log Data
Dive data you enter or import from dive computers (depth, duration, location, conditions). This data is stored to provide the core service.
Analytics Data
With your consent, we collect anonymous usage analytics through Vercel Analytics (web) and TelemetryDeck (iOS) to improve the app. This data cannot identify you personally.
Crash Reports
Anonymous error and crash data to identify and fix bugs. Personal information is automatically scrubbed from these reports.
IP Addresses
We collect IP addresses for rate limiting, fraud prevention, and security purposes when you interact with our API endpoints and forms (e.g., partner applications). IP addresses are retained for 90 days.
Cookies
We use essential cookies for authentication and session management, and optional analytics cookies (with your consent). See our Cookie Policy for details.
CAPTCHA Data
We use Cloudflare Turnstile to protect our forms from spam. Turnstile may collect interaction data to verify you are human. See Cloudflare's privacy policy for details.
Legal Basis for Processing
We process your personal data under the following legal bases:
Consent
Analytics cookies and marketing communications. You can withdraw consent at any time.
Contract Performance
Processing necessary to provide the Service, including account management, dive log storage, and booking facilitation.
Legitimate Interest
Fraud prevention, security (including IP address collection for rate limiting), and service improvement.
How We Use Your Information
- Provide and sync your dive logs across devices
- Connect you with dive shops when you make bookings
- Improve app performance and fix issues (with consent for analytics)
- Protect against fraud, abuse, and security threats
- Send transactional emails related to your account and bookings
- Send marketing communications (only with your explicit consent)
Data Sharing & Processors
We do not sell your personal information. We share data only with the following service providers who help operate our Service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication, and file storage | United States |
| Vercel | Web hosting and analytics | United States |
| Resend | Transactional email delivery | United States |
| Cloudflare | CAPTCHA verification (Turnstile) and security | Global |
| TelemetryDeck | Privacy-focused iOS analytics | European Union |
When you make a booking, we share necessary information (name, email, certification level) with the dive shop you are booking with.
International Data Transfers
Your data may be processed in the United States and the European Union by our service providers. Where data is transferred outside your jurisdiction, we rely on standard contractual clauses and the data processing agreements of our service providers to ensure adequate protection.
Data Retention
We retain your data for the following periods:
- Account data: Until you delete your account
- Analytics data: 26 months
- Email logs: 90 days
- Waitlist data: Until launch or until you unsubscribe
- IP addresses: 90 days
- Crash reports: 90 days
Data Security
Your data is encrypted in transit (TLS) and at rest. We use industry-standard security practices, including row-level security policies, hashed user identifiers in logs, and automatic PII scrubbing in error reports.
Your Rights (GDPR — EEA Users)
If you are in the European Economic Area, you have the following rights:
- Right of Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate personal data
- Right to Erasure: Request deletion of your personal data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Restriction: Request restricted processing of your data
- Right to Object: Object to processing based on legitimate interest
- Right to Withdraw Consent: Withdraw consent for analytics or marketing at any time
To exercise these rights, email us at support@divepass.app. We will respond within 30 days.
Your Rights (CCPA — California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to Know: Request disclosure of what personal information we collect, use, and share
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the sale of personal information
We do not sell your personal information.
To exercise these rights, email us at support@divepass.app.
Your Rights (LFPDPPP — Mexico Residents)
If you are a resident of Mexico, you have ARCO rights under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares:
- Acceso (Access): Request access to your personal data
- Rectificación (Rectification): Correct inaccurate or incomplete data
- Cancelación (Cancellation): Request deletion of your personal data
- Oposición (Opposition): Oppose the processing of your personal data
To exercise your ARCO rights, email us at support@divepass.app. We will respond within 20 business days.
Children's Privacy
DivePass is not directed at children under 13 years of age (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us at support@divepass.app and we will promptly delete it.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at: