Privacy Policy
Last updated: March 2026
This privacy policy explains how the Diver Life platform ("the Platform", "we", "us", "our") collects, uses, stores, and protects your personal data. We are committed to protecting your privacy and handling your data transparently.
1. Who We Are
Diver Life is a community platform for the diving industry. The data controller responsible for your personal data is the Diver Life platform operator. Contact details for data protection queries are provided in Section 12.
2. Age Requirement
This Platform is for users aged 16 and over. We collect date of birth at registration to verify eligibility. We do not knowingly collect or process personal data from anyone under 16 years of age. If we become aware that a user is under 16, their account will be terminated and all personal data deleted immediately.
3. Data We Collect
3.1 Data you provide directly
- Account information: Name, email address, date of birth, password (stored as a bcrypt hash — we never see or store your actual password), account type (Recreational/Pro/Operator)
- Profile information: Bio, location (town/country level), profile photo, certifications, dive preferences
- Content: Dive logs, photos, posts, comments, species sightings, dive site contributions, gear reviews, loadouts
- Preferences: Unit preferences (metric/imperial), dive flag preference, map view preference, notification settings
- Communications: Messages sent to other users, contact form submissions
3.2 Data collected automatically
- Session data: Authentication cookies (httpOnly, secure) to keep you logged in
- Usage data: Pages visited, features used, timestamps (for platform operation and improvement)
- Device information: Browser type, screen size, device capability (used for adaptive 2D/3D map rendering)
3.3 Data from third parties
- OAuth providers: If you sign in with Google, Facebook, or Apple, we receive your name, email, and profile image from that provider. We do not receive your password from these services.
- Payment processor: Stripe processes payments for Pro and Operator subscriptions. We receive confirmation of payment status but do not store card details.
4. How We Use Your Data
- Providing the service: Displaying your profile, posts, dive logs, and contributions to other users as intended by the Platform's features
- Community databases: Your species sightings, dive site contributions, and gear entries become part of shared community databases that benefit all users
- Personalisation: Displaying content in your preferred units, showing your selected dive flag, adapting map rendering to your device
- Communication: Sending essential service emails (password resets, account verification) and optional notification digests
- Safety & moderation: Reviewing flagged content, preventing abuse, enforcing our Terms of Service
- Platform improvement: Understanding how features are used to improve the Platform (aggregate, anonymised analytics only)
5. Legal Basis for Processing
We process your personal data on the following legal bases:
- Contract: Processing necessary to provide the service you signed up for (account operation, displaying your content, buddy connections)
- Legitimate interest: Platform security, fraud prevention, service improvement, moderation
- Consent: Optional features like notification emails, cross-posting to external platforms, location sharing with buddies
6. Data Sharing
We do not sell your personal data to third parties.
We share data only in these limited circumstances:
- Other users: Your public profile, posts, and contributions are visible to other users as intended by the Platform's social features. You control visibility settings on posts (public or buddies-only).
- Service providers: We use third-party services to operate the Platform: Mapbox (maps), Stripe (payments), MongoDB Atlas (database hosting), and email delivery services. These providers process data on our behalf under data processing agreements.
- Legal requirements: We may disclose data if required by law, court order, or to protect the safety of users or the public.
7. Data Storage & Security
- Data is stored in MongoDB with managed hosting
- Passwords are hashed with bcrypt (irreversible — we cannot see your password)
- Sessions use server-side storage with secure httpOnly cookies (not accessible via JavaScript)
- CSRF protection is built into the authentication system
- All connections use HTTPS in production
- File uploads are validated for type and size
While we implement reasonable security measures, no system is 100% secure. We encourage you to use a strong, unique password and enable two-factor authentication when available.
8. Data Retention
- Active accounts: Data is retained for as long as your account is active
- Deleted accounts: Personal data is deleted after a 30-day grace period. Community contributions (dive logs, sightings, species data, dive site data, gear entries, posts, comments) are anonymised and attributed to "Captain Nemo" — they can no longer be traced back to you. See our Terms of Service Section 10 for details.
- Private messages: Chat messages are retained for 2 years after they were last viewed by any participant. Messages in conversations not opened by either participant for 2 years are automatically deleted.
- Chat attachments: Images and files shared in private messages are deleted from our servers 1 year after they were last viewed. The message text remains with a notice that the attachment has expired.
- Auto-generated feed posts: System-generated announcements on the Dive Slate (e.g. "X joined", "X created a trip") are automatically removed after a period if not viewed. Retention varies by type: welcome posts (2 weeks), job posts (2 months), event announcements (3 months), species and site additions (4 months), and trip, course, dive log, and gear posts (up to 7 months). The original content (trips, courses, dive logs, etc.) is never affected — only the feed announcement is removed.
- Pings and availability: Operator pings (staff requests) are automatically deleted at their fill-by deadline or when a pro is selected. Pro availability pings are automatically deleted when their end date passes. Pro location data shared via availability pings is stored only for the duration of the ping and is not publicly visible — operators can see how many pros are in range but not individual identities or exact locations until a pro responds.
- Notifications: Read notifications expire after 30 days. Unread notifications expire after 90 days.
- Backups: Database backups may retain data for up to 90 days after deletion, after which it is purged
- Legal holds: Data may be retained beyond normal periods if required by law or ongoing legal proceedings
9. Your Rights
You have the following rights regarding your personal data:
- Access: Request a copy of all personal data we hold about you
- Correction: Update or correct inaccurate personal data via your settings page or by contacting us
- Deletion: Delete your account and personal data via the Platform settings (30-day grace period applies) or by contacting us
- Data portability: Request an export of your data in a machine-readable format (JSON)
- Restriction: Request that we limit processing of your data in certain circumstances
- Objection: Object to processing based on legitimate interest
- Withdraw consent: Where processing is based on consent, you can withdraw it at any time via your settings
We will respond to all data rights requests within 30 days. To make a request, contact us at the details in Section 12.
10. Cookies
We use the following cookies:
- Authentication cookie: Essential — keeps you logged in. httpOnly, secure, session-based or 30-day expiry (if "stay signed in" selected). Cannot be disabled without losing login functionality.
- Theme cookie: Functional — stores holiday theme selection to maintain consistency during date clashes. Session-scoped.
We do not use tracking cookies, advertising cookies, or analytics cookies that identify individual users. A cookie consent mechanism will be implemented before public launch.
11. International Data Transfers
Our service providers may process data outside of your country of residence. Where data is transferred internationally, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses or adequacy decisions) to protect your data.
12. Contact Us
For any privacy-related questions, data access requests, or complaints, contact us at:
- Email: privacy@diver-life.com
- Contact form: diver-life.com/contact
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction.
13. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via the Platform (notification or email). The "last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Platform after changes constitutes acceptance of the updated policy.