Privacy Policy

Last updated: April 5, 2026

1. Introduction

DIVR ("we", "us", or "our") operates the DIVR platform at divr-connect.com ("Service"). This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our Service.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

DIVR

Joep Weterman, Founder

Email: joep@divr-connect.com

3. Information We Collect

3.1 Information You Provide

  • Account data: email address, username, display name, password
  • Profile data: avatar photo, bio, certification level
  • Dive logs: date, location, depth, duration, water temperature, visibility, notes, dive type
  • Equipment data: suit type, weight, cylinder configuration, gas mix, accessories
  • Media: photos and videos you upload
  • Citizen science data: species sightings, abundance observations, coral health assessments
  • Social interactions: comments, likes, follows, buddy tags, site reviews

3.2 Information Collected Automatically

  • Authentication cookies: session tokens required to keep you logged in
  • Analytics data: page views, browser type, and performance metrics collected by Vercel Analytics (no personally identifiable information)
  • Server logs: IP address, request timestamps, and user agent strings (retained for security purposes)

3.3 Information from Third Parties

  • Google OAuth: if you sign in with Google, we receive your email address, name, and profile picture from Google

4. How We Use Your Information

We use your personal information for the following purposes:

  • Provide the Service: display your dive logs, enable social features, and personalize your experience
  • Authentication: verify your identity and maintain your session
  • Marine research: contribute anonymized biodiversity data to international research databases (see Section 7)
  • Safety and moderation: detect abuse and enforce our Terms of Service
  • Improvement: analyze aggregated, anonymous usage patterns to improve the platform

Legal basis (GDPR): we process your data based on (a) your consent when you create an account, (b) the performance of our contract with you (Terms of Service), and (c) our legitimate interest in marine conservation research (Article 6(1)(f) GDPR).

5. How We Share Your Information

We do not sell your personal data. We never have and never will.

We share information only in the following circumstances:

  • With other users: your public profile, shared dive logs, comments, and likes are visible to other authenticated users. You control which dives are shared using the privacy toggle.
  • For marine research: anonymized species observations and environmental data are shared with EMODnet Biology, EurOBIS, OBIS, and GBIF under a CC-BY 4.0 license (see Section 7 for full details).
  • Service providers: we use Supabase (database and authentication), Vercel (hosting and analytics), and Google (OAuth sign-in). These providers process data on our behalf under their respective privacy policies and data processing agreements.
  • Legal requirements: we may disclose data if required by law, court order, or to protect the rights and safety of DIVR, our users, or the public.

6. Cookies and Tracking

We use a minimal number of cookies:

Cookie | Purpose | Type
Supabase auth token | Keeps you logged in | Strictly necessary
Vercel Analytics | Anonymous page view and performance metrics | Analytics (no PII)

We do not use advertising cookies, social media tracking pixels, or any third-party marketing trackers. Vercel Analytics is privacy-focused and does not use cookies to identify individual users across sessions.

7. Research Data Sharing & Anonymization

DIVR's mission is to contribute to marine conservation through citizen science. We share anonymized biodiversity observations with international research databases including EMODnet Biology, EurOBIS, OBIS, and GBIF.

What is shared: species sightings, abundance data, environmental measurements (water temperature, visibility), coral health assessments, dive date and approximate location.

What is never shared: your name, email, username, profile, photos, videos, notes, or any other personally identifiable information.

How we anonymize:

  • Your identity is replaced with a random UUID that cannot be traced back to you
  • GPS coordinates are rounded to approximately 110-meter precision
  • For dive sites visited by fewer than 3 unique divers in a given month, location precision is further reduced to approximately 11 kilometers
  • Only dives you have marked as public are included

This anonymized data is not considered personal data under GDPR (Recital 26) and is published under a Creative Commons Attribution 4.0 International License (CC-BY 4.0). When you delete your account, the mapping between your identity and the anonymous identifier is permanently destroyed.
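
The anonymization steps listed above, sketched in Python as an added example (this is not DIVR's own code). The decimal places (3 and 1), the record fields, and counting unique divers over public dives only are assumptions made for illustration; the sample dives are constructed.

```python
import uuid
from collections import defaultdict

# Assumptions: 0.001 deg of latitude is about 111 m and 0.1 deg about 11 km.
# A degree of longitude shrinks toward the poles, so the east-west figure is smaller there.
FINE_DECIMALS, COARSE_DECIMALS = 3, 1
MIN_DIVERS = 3  # threshold stated in the policy

def anonymize(dives, pseudonyms):
    """Return export rows; `pseudonyms` (user_id -> UUID) stays server-side."""
    public = [d for d in dives if d["public"]]       # only public dives are exported
    divers = defaultdict(set)                        # (site, YYYY-MM) -> user ids
    for d in public:
        divers[(d["site_id"], d["date"][:7])].add(d["user_id"])
    rows = []
    for d in public:
        crowded = len(divers[(d["site_id"], d["date"][:7])]) >= MIN_DIVERS
        places = FINE_DECIMALS if crowded else COARSE_DECIMALS
        rows.append({
            # random UUID, not derived from the user id
            "observer": pseudonyms.setdefault(d["user_id"], str(uuid.uuid4())),
            "date": d["date"],
            "lat": round(d["lat"], places),
            "lon": round(d["lon"], places),
            "species": d["species"],
        })
    return rows

def _dive(user, site, date, lat, lon, public=True):
    # Hypothetical record shape used only by this example.
    return {"user_id": user, "site_id": site, "date": date, "lat": lat,
            "lon": lon, "public": public, "species": "Homarus gammarus"}

# Constructed sample: site A has three divers in March, site B only one public diver.
SAMPLE = [
    _dive("u1", "A", "2026-03-02", 52.123456, 4.567891),
    _dive("u2", "A", "2026-03-10", 52.123456, 4.567891),
    _dive("u3", "A", "2026-03-21", 52.123456, 4.567891),
    _dive("u1", "B", "2026-03-05", 12.34567, -68.27654),
    _dive("u4", "B", "2026-03-06", 12.34567, -68.27654, public=False),
]

if __name__ == "__main__":
    for row in anonymize(SAMPLE, {}):
        print(row)
```

In this sketch, removing a user's entry from `pseudonyms` is what severs the link between already exported rows and the account.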

8. Data Storage & Security

Your data is stored on Supabase infrastructure with encryption at rest and in transit. We implement row-level security (RLS) policies on every database table to ensure users can only access their own data and public content.

Passwords are hashed using industry-standard algorithms (bcrypt) and are never stored in plain text. We do not have access to your password.

While we take reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. We encourage you to use a strong, unique password for your DIVR account.

9. Data Retention

We retain your personal data for as long as your account is active. When you delete your account, all personal data is permanently removed, including:

  • Your profile, dive logs, media, comments, likes, and follows
  • Your species sightings, coral assessments, and site reviews
  • Your gear sets, bookmarks, and notifications

Previously exported anonymized research data cannot be recalled, as it is no longer linked to your identity.

Server logs containing IP addresses are retained for up to 30 days for security and abuse prevention purposes, after which they are automatically deleted.

10. Your Rights

10.1 Rights Under GDPR (EU/EEA Residents)

Under the GDPR, you have the right to:

  • Access: request a copy of the personal data we hold about you
  • Rectification: correct inaccurate personal data
  • Erasure: request deletion of your personal data ("right to be forgotten")
  • Restriction: restrict the processing of your data in certain circumstances
  • Portability: receive your data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interests
  • Withdraw consent: withdraw your consent at any time where processing is based on consent

10.2 Rights Under CCPA (California Residents)

Under the CCPA, California residents have the right to:

  • Know: what personal information we collect and how it is used
  • Delete: request deletion of your personal information
  • Opt-out of sale: we do not sell personal information, so this right is automatically satisfied
  • Non-discrimination: we will not discriminate against you for exercising your rights

To exercise any of these rights, contact us at joep@divr-connect.com. We will respond within 30 days.

11. Age Requirement

DIVR is intended for users aged 16 and older. We do not knowingly collect personal data from children under 16. If you are under 16, you may only use DIVR with the consent and supervision of a parent or legal guardian. If we learn that we have collected personal data from a child under 16 without appropriate consent, we will delete that information promptly.

12. International Data Transfers

Your data may be processed in countries outside your country of residence, including the United States, where our service providers (Supabase, Vercel) operate. These transfers are protected by appropriate safeguards, including the service providers' compliance with applicable data protection frameworks.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on the platform or sending you an email. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have a privacy concern, contact us at:

joep@divr-connect.com