Privacy Policy

Effective date: 2026-05-15 · Version 1.0 (beta)

DRAFT — pending legal review.

1. Who we are

DivePass is operated during beta by Axel Cureno, an individual based in Cozumel, Mexico (the "Controller" for the purposes of LFPDPPP). Contact: axelcureno@gmail.com.

2. What we collect

  • Account data: email, name, certification level, preferred language. (Sign in with Apple may provide a relay email.)
  • Profile data: emergency contact, gear, insurance status, dive count, comfort level (you choose what to share).
  • Dive logs: date, dive site, depth, time, conditions, partner notes you record.
  • Location: only when you actively log a dive at a specific site. Background location is never collected.
  • Device telemetry: anonymized analytics events, app version, crash logs.
  • Server logs: IP address (hashed daily before storage), user agent, request paths.

3. Why we use it

  • Provide and operate the service
  • Sync your data across your devices
  • Aggregate analytics to understand product usage
  • Diagnose and fix bugs
  • Send transactional emails (account, password reset, booking confirmations once enabled)

4. Legal bases

  • Consent: for analytics events and any future marketing emails
  • Performance of a contract: for service operation and dive log storage
  • Legitimate interest: for security, fraud prevention, and aggregate product analytics

5. Who we share data with

  • Supabase (database, auth, storage, real-time) — primary processor
  • TelemetryDeck (iOS analytics, anonymized)
  • Vercel (web hosting + Vercel Analytics)
  • Apple / Google — only if you sign in with their identity provider; they receive only what's required for the auth handshake
  • Operators you contact — they receive your booking inquiry and contact details if you reach out

We do not sell your personal data. We do not share your data with advertisers.

6. Where your data lives

Supabase region: US-East. Backups are encrypted at rest. Data in transit is encrypted with TLS.

International transfers from Mexico to the United States are performed under standard contractual clauses with Supabase.

7. How long we keep it

  • Account data: for the lifetime of your account, plus 30 days after account deletion (recovery window)
  • Dive logs: for the lifetime of your account; you can export and delete at any time
  • Aggregate analytics: 12 months
  • Server logs: 30 days

8. Your rights

Mexico (LFPDPPP — primary)

You have ARCO rights:

  • Acceso — request a copy of your data
  • Rectificación — request correction of inaccurate data
  • Cancelación — request deletion
  • Oposición — object to specific processing

We respond to ARCO requests within 20 business days. Email axelcureno@gmail.com to exercise any right.

European Economic Area (forward-compat)

If you are in the EEA, you also have the rights to access, rectification, erasure, restriction, portability, objection, and to withdraw consent at any time. You may lodge a complaint with your local supervisory authority.

California (forward-compat)

If you are a California resident, you have the right to know what we collect, request deletion, opt out of any sale (we do not sell), and not be discriminated against for exercising these rights.

9. Security

Supabase Row Level Security restricts access to your records. Passwords are hashed (never stored in plaintext). All traffic is over HTTPS. We do not store payment card data (no payments during beta).

10. Cookies and analytics consent

Web uses Vercel Analytics, which is cookieless and aggregates only anonymized data. iOS uses TelemetryDeck, which is anonymized. You may opt out of analytics from the in-app settings.

11. Children

The service is intended for users 18 and older. We do not knowingly collect data from children under 18. If you believe we have, contact us and we will delete it promptly.

12. Changes to this Policy

Material changes will trigger an in-app re-acceptance flow with at least 30 days' notice. Non-material changes take effect on posting.

13. Contact

axelcureno@gmail.com — for ARCO requests, GDPR requests, or any privacy question.