DiveJourneyDiveJourney

DiveJourney Privacy Policy

Controller: John Potess, 13359 N Hwy 183 #406-1201, Austin, TX 78750, United States

Contact: support@divejourney.io

Effective date: November 9, 2025

This Privacy Policy explains what personal data we collect, how we use it, our legal bases, how long we keep it, who we share it with, your rights, and how to contact us.

1. Data we collect

You provide

  • Account and profile: email, display name, password/hash, profile photo, certifications, bio, preferences.
  • User-generated content (UGC): dive logs, ratings, reviews, photos, spot submissions, comments.
  • Connections: friends/buddies you add or accept; visibility settings.
  • Communications: messages sent to support, forms, or feedback.
  • Newsletter: if you subscribe, your email and marketing preferences.

Collected automatically

  • Device and usage: IP address, device/browser data, pages viewed, interactions, crash/error data, performance timings.
  • Cookies/SDKs: see Cookies and Consent Management below.
  • Approximate location: derived from IP (city/region) for localization and security.

Optional / feature-specific

  • City-level presence on global map (opt-in): if you opt in, we may show that a diver (not named) is in a given city. You can withdraw at any time in Settings.
  • Buddy system (opt-in): if you opt in, your public profile and connection status are visible to other opted-in users.

2. Why we process data (purposes and legal bases)

| Purpose | Examples | Legal basis | |---|---|---| | Provide the service | authentication, profiles, dive logs, maps | Contract (Art.6(1)(b)) | | Safety & abuse prevention | rate limiting, fraud, securing accounts | Legitimate interests (Art.6(1)(f)); Legal obligations | | Functional features | maps, geocoding, limited error reporting without personal identifiers | Consent (Art.6(1)(a)) when not strictly necessary | | Analytics & improvement | GA4, PostHog, performance RUM | Consent (Art.6(1)(a)) | | Communications | responses to support; service emails | Contract / Legitimate interests | | Marketing | newsletter and campaigns (opt-in) | Consent (Art.6(1)(a)) | | Legal compliance | record-keeping, lawful requests | Legal obligations (Art.6(1)(c)) |

3. Cookies and consent management

We use a consent manager (self-hosted c15t).

  • Strictly necessary tools are always on to deliver the service and security.
  • Functional, Analytics, and Marketing categories are blocked by default and only load after you opt in.
  • You can change or withdraw consent anytime via the persistent Privacy choices link.
  • We plan to enable Google Consent Mode v2 later; until then, storage for non-essential categories remains denied until opt in.

4. Sharing and processors

We do not sell personal data. We use service providers bound by data processing agreements (DPAs):

  • Hosting, auth, and data: Supabase (database, storage, auth)
  • Maps and geocoding: Mapbox (map tiles/telemetry), Geoapify (geocoding)
  • Analytics and performance: PostHog, Google Analytics 4, SpeedCurve RUM
  • Error tracking: Sentry (configured to avoid personal identifiers; EU region where applicable)
  • Email: SendGrid/Twilio (transactional email), ConvertKit (newsletter signups and campaigns)
  • AI processing: OpenAI API (no special categories; do not send sensitive content)
  • Back-office: Google Workspace, Asana We may share data if required by law or to protect rights, safety, and security.

5. International transfers

We and some providers process data outside your country. For EEA/UK personal data, we use appropriate safeguards such as Standard Contractual Clauses (SCCs), participation in the EU-U.S. Data Privacy Framework (where applicable), and/or EU/UK data residency options (e.g., PostHog EU, Sentry EU).

6. Retention

  • Account and profile: kept while your account is active.
  • UGC (logs/photos/reviews): kept until you delete the item or close your account.
  • Analytics/performance: kept no longer than necessary (e.g., GA defaults approx. 14 months or shorter settings; SpeedCurve session cookies are short-lived).
  • Legal/backup: as required for compliance, security, and dispute resolution.

7. Your rights

Depending on your region, you may have rights to access, correct, delete, restrict, or port your data, and to object to processing. California and certain US states provide similar rights to know, correct, and delete, and to opt out of certain data sharing. Use the Privacy choices link or contact support@divejourney.io.

8. Age

The service is not directed to children. EEA/UK users must be 16+; in other regions, you must be 13+. Do not use the service if you are under the applicable age. We will delete children’s data if we learn of it.

9. Security

We apply industry-standard security (encryption in transit/at rest, access controls, logging). No method is 100% secure.

10. Your choices (including consent withdrawal)

  • Manage cookies and SDKs via Privacy choices.
  • Unsubscribe from newsletters at any time via the email footer or Settings.
  • Buddy system and city-dot features are opt-in; you can disable them anytime.

11. Deleting your account

You can request deletion in Settings. We will remove your account and associated data in our systems and instruct our processors to do the same, subject to legal retention needs. If you encounter errors, contact support@divejourney.io and we will complete the deletion for you.

12. DPIA for geolocation and buddy features

Before releasing or materially changing geolocation or buddy visibility features, we conduct a Data Protection Impact Assessment (DPIA) and keep a record of decisions, mitigations, and opt-in controls.

13. Contact, DPO, and EU/UK representative

  • Contact: support@divejourney.io
  • EU/UK representative (if required): will be listed on our website when appointed
  • Data Protection Officer (if appointed): will be listed on our website

14. Changes

We will post updates here and change the effective date. Significant changes will be notified in-app or by email.