Privacy Policy

Last updated: April 15, 2026

1. Introduction

DIVR ("we", "us", or "our") operates the DIVR platform at divr-connect.com ("Service"). This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our Service.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

DIVR

Joep Weterman, Founder

Email: joep@divr-connect.com

3. Information We Collect

3.1 Information You Provide

  • Account data: email address, username, display name, password
  • Profile data: avatar photo, bio, certification level
  • Dive logs: date, location, depth, duration, water temperature, visibility, notes, dive type
  • Equipment data: suit type, weight, cylinder configuration, gas mix, accessories
  • Media: photos and videos you upload
  • Citizen science data: species sightings, abundance observations, coral health assessments
  • Social interactions: comments, likes, follows, buddy tags, site reviews

3.2 Information Collected Automatically

  • Authentication cookies: session tokens required to keep you logged in
  • Analytics data: page views, browser type, and performance metrics collected by Vercel Analytics (no personally identifiable information)
  • Server logs: IP address, request timestamps, and user agent strings (retained for security purposes)

3.3 Information from Third Parties

  • Google OAuth: if you sign in with Google, we receive your email address, name, and profile picture from Google

4. How We Use Your Information

We use your personal information for the following purposes:

  • Provide the Service: display your dive logs, enable social features, and personalize your experience
  • Authentication: verify your identity and maintain your session
  • Marine research: contribute anonymized biodiversity data to international research databases (see Section 7)
  • Safety and moderation: detect abuse and enforce our Terms of Service
  • Improvement: analyze aggregated, anonymous usage patterns to improve the platform

Legal basis (GDPR): we process your data based on (a) the performance of our contract with you (Art 6(1)(b)) for core Service functionality (account, dive logs, social features), (b) your explicit, opt-in consent under Art 6(1)(a) for sharing your observations with external research databases, and (c) our legitimate interest (Art 6(1)(f)) in security, abuse prevention, and aggregate platform analytics. Research-data sharing is never based on legitimate interest — it requires your affirmative opt-in, which you can grant or withdraw at any time from Settings.

5. How We Share Your Information

We do not sell your personal data. We never have and never will.

We share information only in the following circumstances:

  • With other users: your public profile, shared dive logs, comments, and likes are visible to other authenticated users. You control which dives are shared using the privacy toggle.
  • For marine research: anonymized species observations and environmental data are shared with EMODnet Biology, EurOBIS, OBIS, and GBIF under a CC-BY 4.0 license (see Section 7 for full details).
  • Service providers: we use Supabase (database and authentication), Vercel (hosting and analytics), and Google (OAuth sign-in). These providers process data on our behalf under their respective privacy policies and data processing agreements.
  • Legal requirements: we may disclose data if required by law, court order, or to protect the rights and safety of DIVR, our users, or the public.

6. Cookies and Tracking

We use a minimal number of cookies:

Cookie | Purpose | Type
Supabase auth token | Keeps you logged in | Strictly necessary
Vercel Analytics | Anonymous page view and performance metrics | Analytics (no PII)

We do not use advertising cookies, social media tracking pixels, or any third-party marketing trackers. Vercel Analytics is privacy-focused and does not use cookies to identify individual users across sessions.

7. Research Data Sharing & Anonymization

DIVR's mission is to contribute to marine conservation through citizen science. With your explicit opt-in, we share anonymized biodiversity observations from your public dives with international research databases including EMODnet Biology, EurOBIS, OBIS, and GBIF.

Opt-in, off by default: The "Contribute to Marine Science" toggle in your Settings starts in the off position. No research export includes your data until you turn it on. You can turn it off at any time; we log the time, IP address, user agent, and consent text version of every change so we can demonstrate compliance with GDPR Art 7(1).

What is shared (when opted in): species sightings, abundance, environmental measurements, coral health, dive date, site coordinates, and occurrence photos (under CC-BY 4.0).

What is never shared: your name, email, username, profile, notes, dive buddies, or any identifier that links records back to you directly.

How we protect your identity:

  • Your identity is replaced with a random anonymous_research_id (UUID) generated once per account and used across all exports for scientific record continuity
  • Taxonomic identifications are linked to WoRMS via LSIDs and kept continuously reconciled (so a species rename in WoRMS is reflected in exports automatically)
  • Only dives you have marked as public are eligible
  • Every export has a SHA-256 hash logged in our audit table — you can request the list of exports that include you at any time via Settings → "Download access report"

Withdrawal. When you turn off research sharing, enable Do-Not-Share, or delete your account, an entry is immediately added to our OBIS deletion queue with your anonymous research ID and the DwC occurrence IDs to be removed. Data stewards at OBIS/EMODnet/GBIF are notified to purge these records from active publications. Archives previously downloaded by third parties under CC-BY cannot be recalled.

Published anonymized data is not considered personal data under GDPR Recital 26 and is distributed under a Creative Commons Attribution 4.0 International License (CC-BY 4.0), the standard license used by OBIS and GBIF for open biodiversity data.

8. Data Storage & Security

Your data is stored on Supabase infrastructure with encryption at rest and in transit. We implement row-level security (RLS) policies on every database table to ensure users can only access their own data and public content.

Passwords are hashed using industry-standard algorithms (bcrypt) and are never stored in plain text. We do not have access to your password.

While we take reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. We encourage you to use a strong, unique password for your DIVR account.

9. Data Retention

We retain your personal data for as long as your account is active. When you delete your account, all personal data is permanently removed, including:

  • Your profile, dive logs, media, comments, likes, and follows
  • Your species sightings, coral assessments, and site reviews
  • Your gear sets, bookmarks, and notifications

Previously exported anonymized research data cannot be recalled, as it is no longer linked to your identity.

Server logs containing IP addresses are retained for up to 30 days for security and abuse prevention purposes, after which they are automatically deleted.

10. Your Rights

10.1 Rights Under GDPR (EU/EEA Residents)

Under the GDPR, you have the right to:

  • Access: request a copy of the personal data we hold about you
  • Rectification: correct inaccurate personal data
  • Erasure: request deletion of your personal data ("right to be forgotten")
  • Restriction: restrict the processing of your data in certain circumstances
  • Portability: receive your data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interests
  • Withdraw consent: withdraw your consent at any time where processing is based on consent

10.2 Rights Under CCPA / CPRA (California Residents)

Under the CCPA as amended by the CPRA, California residents have the right to:

  • Know (§1798.110): what personal information we collect, the categories of sources, the business purpose, and the categories of third parties with whom we have shared it in the preceding 12 months. Use Settings → "Download access report" to retrieve this.
  • Delete (§1798.105): request deletion of your personal information. We fulfill CCPA delete requests within the 45-day statutory window.
  • Correct (§1798.106): request correction of inaccurate personal information.
  • Limit sharing (§1798.120): we do not sell personal information. Even so, you can disable all sharing with research databases using the "Do Not Share My Info" toggle in Settings → California Privacy Rights.
  • Non-discrimination: we will not discriminate against you for exercising your rights. The Service remains fully functional whether or not you opt in to research sharing.

To exercise any of these rights, contact us at joep@divr-connect.com. We will respond within 30 days.

11. Age Requirement

DIVR is intended for users aged 16 and older. We do not knowingly collect personal data from children under 16. If you are under 16, you may only use DIVR with the consent and supervision of a parent or legal guardian. If we learn that we have collected personal data from a child under 16 without appropriate consent, we will delete that information promptly.

12. International Data Transfers

Your data may be processed in countries outside your country of residence, including the United States, where our service providers (Supabase, Vercel) operate. These transfers are protected by appropriate safeguards, including the service providers' compliance with applicable data protection frameworks.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on the platform or sending you an email. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have a privacy concern, contact us at:

joep@divr-connect.com