Privacy Policy
Last updated:
This Privacy Policy explains how Divera ("we", "us") collects, uses, shares and protects personal data when you use the Divera dashboard for dive centers and the Divera mobile application for divers (the "Service"). It is written with reference to the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
1. Data Controller
For data you submit through the Service, the dive center you book with is generally the data controller, and Divera acts as a data processor on its behalf. For account data of dive-center operators and aggregate technical data, Divera is the data controller. The Service has a single data-protection contact: diveradevelopers@gmail.com.
2. Data we collect
2.1 Account data
- Name and email address used to sign in.
- Authentication metadata (hashed credentials, session tokens).
- Operator role, dive-center membership, and preferences (locale, notifications).
2.2 Booking and operational data
- Dive details (date, site, depth, equipment, staff assignment).
- Participant lists and booking status.
- Payment status and amount (we do not store card numbers).
2.3 Diver and document data
- Diver profile (name, date of birth, contact details, emergency contact).
- Certifications and insurance information uploaded by the diver or the dive center.
- Medical-questionnaire answers and self-declarations of fitness to dive.
- Liability waivers, including the typed name of the signer and the captured signature image.
- Identification documents (DNI, NIE, passport) when uploaded for identity-verification purposes.
2.4 Technical data
- Device and browser metadata, IP address, language preference.
- Server logs for security, abuse prevention and debugging. Retention is limited to what is necessary for those purposes.
3. Purposes of processing
- To provide and operate the Service you have asked us for.
- To allow dive centers to manage divers, bookings, equipment and staff.
- To verify identity, certifications, and insurance where required by law or by the dive center's operating procedures.
- To assess medical self-declarations and waivers, in support of the dive center's safety procedures.
- To send transactional communications (booking confirmations, reminders, password resets).
- To secure the Service, prevent fraud and abuse, and meet legal obligations.
4. Lawful basis
We process personal data on the following bases under GDPR:
- Contract performance — Article 6(1)(b): account management, booking lifecycle, communications necessary to deliver the Service.
- Consent — Article 6(1)(a) and Article 9(2)(a): processing of medical questionnaires and signed waivers, which may contain health data; image consents; any optional marketing communications.
- Legitimate interests — Article 6(1)(f): securing the Service, preventing abuse, and improving product quality, in ways that do not override your rights.
- Legal obligation — Article 6(1)(c): keeping records required by tax, accounting, or maritime/diving regulations where applicable.
5. Retention
We keep personal data only as long as needed for the purposes set out above. Indicative retention periods:
- Account data: while your account is active, plus up to 12 months.
- Booking and waiver records: up to 5 years after the dive, in line with civil-liability limitation periods in Spain.
- Identification documents: deleted as soon as the verification purpose is fulfilled, unless a longer period is required by law.
- Server logs: typically 30–90 days.
Specific dive centers may set shorter retention periods in their own privacy notice; the shorter period prevails.
6. Service providers and recipients
We share personal data only with service providers that act on our instructions under written data-processing agreements:
- Supabase — authentication, database, file storage (EU region).
- Resend — transactional email delivery.
- Google Maps — rendering of dive-site maps in the dashboard.
We may transfer personal data outside the European Economic Area only when adequate safeguards (such as the European Commission's Standard Contractual Clauses) are in place. We do not sell personal data and we do not use it for profiling or automated decision-making with legal effects.
7. Your rights
Subject to the conditions in the GDPR, you have the right to:
- access the personal data we hold about you;
- request rectification of inaccurate or incomplete data;
- request erasure ("right to be forgotten") when the conditions are met;
- restrict or object to processing based on our legitimate interests;
- receive your data in a portable, machine-readable format;
- withdraw any consent you have given, without affecting the lawfulness of prior processing;
- lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, aepd.es) or the supervisory authority of your habitual residence.
To exercise these rights, contact diveradevelopers@gmail.com. We will respond within the period required by law.
8. Cookies and similar technologies
Divera uses only strictly necessary cookies and local-storage items required to operate the Service: authentication tokens issued by our identity provider and a small preference cookie that remembers the language you selected. These are exempt from the consent requirement under the ePrivacy Directive (Article 5(3)) because they are necessary to deliver the service you have requested.
We do not currently load advertising, analytics, or tracking cookies. If that ever changes, we will publish a cookie banner that lets you accept or reject non-essential cookies before they are set, and update this section accordingly.
9. Security
We use industry-standard measures to protect personal data, including encryption in transit (TLS), encryption at rest for sensitive fields, role-based access control, audit logging, and regular review of third-party processors. No system can be guaranteed completely secure; we will notify you of material incidents in line with applicable law.
10. Children
The Service is not intended for unsupervised use by children. Where a minor takes part in a dive, the minor's parent or legal guardian must complete the registration and waiver on their behalf.
11. Contact
Privacy questions, including requests under the GDPR, can be sent to diveradevelopers@gmail.com. While we have not appointed a formal Data Protection Officer under Article 37, this address is monitored as our single point of contact for data-protection matters.