Privacy Policy

1. Introduction

This Privacy Policy explains how Rafferty Clarke Mathews ("we," "us," or "our") collects, uses, and protects your personal information when you use DIVR (the "App") and our related website at divrhq.com (together, the "Services").

DIVR is a social platform for scuba, free, and snorkel divers. The App lets you log your dives digitally, share them with followers, discover dive sites, and connect with other divers. To do this, we need to handle some personal information — including the content you post, the location of your dives, and the photos you share.

We've written this policy in plain English wherever we can. If you have questions, get in touch at hello@divrhq.com.

Who's responsible for your data

For UK and EU users, the "data controller" responsible for your personal information is Rafferty Clarke Mathews, based in the United Kingdom. You can reach the data controller at hello@divrhq.com.

What this policy covers

This policy applies to the DIVR iOS app and the divrhq.com website. It does not cover third-party services that the App connects to (like Apple Sign In, Google Sign In, or external map providers), which are governed by their own privacy policies. Where we name a third-party service in this policy, we'll link to their policy so you can read it directly.

When this policy applies

This policy applies from the moment you visit divrhq.com, sign up for the waitlist, download the App, create an account, or otherwise interact with our Services.

2. Information we collect

We collect information in three ways: information you give us directly, information we collect automatically when you use the Services, and information we receive from third parties.

Information you give us directly

Account information. When you create an account we collect your username, email address, and password (if you sign up with email). You can also add an optional display name, bio, and profile photo.

Your dive content. Every dive you log includes the data you enter — dive site name, date and time, depth, bottom time, water temperature, visibility, gear used, gas mix, notes, and any photos or videos you upload. You can also tag other DIVR users as dive buddies on a dive. You can only tag people who already have a DIVR account.

Photos and videos. When you upload a photo or video, we automatically strip the embedded metadata (EXIF data) such as GPS coordinates, camera model, and capture time before storing it. The photo itself is stored as you uploaded it; the hidden technical metadata is removed to protect your privacy.

Location data. When you pin a dive site, you provide its location (either by choosing a known site or by entering coordinates). You control the precision of locations you share through your privacy settings.

Logbook scan images. If you use the AI logbook scanning feature, you provide a photograph of a logbook page. As described in Section 6, we do not retain these images — they are processed by the AI service to extract dive data and then discarded.

Social activity. Comments you post, likes, follows, dive buddy tags, and similar interactions on the Services.

Communications with us. If you contact us at hello@divrhq.com, sign up to the waitlist on divrhq.com, or send a support request, we collect what you tell us, including your email address and the content of your message.

Information we collect automatically

Device and technical information. When you use the App, we automatically collect your device model, iOS version, app version, device language, and time zone. This helps us make the App work on your device and troubleshoot problems.

Usage data. Through Firebase Analytics, we collect information about how you use the App — which screens you visit, which features you use, how often, and for how long. This data is aggregated and used to understand what's working in the App and what needs improving.

Crash and diagnostic data. Through Firebase Crashlytics, we collect technical information when the App crashes — including the device state, what the App was doing, and a "stack trace" of the crash. This helps us fix bugs.

IP address and approximate location. Our infrastructure receives your IP address when you connect to our Services. We use this for security (e.g. to spot suspicious logins) and to route requests through Firebase's regional servers. From your IP we can infer your approximate location (country or region level), but we do not use this to determine your precise location.

Date and time of access. We log when you access the Services, which helps with security investigations and account recovery.

Information we receive from third parties

Sign-in providers. If you sign up using Apple Sign In or Google Sign In, those services share certain information with us:

• Apple Sign In shares your name and email (or, if you choose "Hide My Email", a private relay email address that forwards to your real one).
• Google Sign In shares your name, email, and profile photo.

We don't receive your Apple ID or Google password, and we don't get ongoing access to your Apple or Google account beyond what's needed to verify it's you.

Firebase Authentication. Firebase issues us an authentication token and a unique user ID when you sign in, which we use to identify your account on the back-end.

Cookies and similar technologies on divrhq.com

Our website uses a small number of cookies and similar technologies:

• Strictly necessary cookies set by our hosting provider GitHub Pages, which keep the site running. These can't be turned off.
• Form submission data. When you sign up to the waitlist, your email is sent through Static Forms (a third-party form-handling service) and stored in their dashboard, with a copy also delivered to our email inbox, so we can email you when DIVR launches.

The website does not currently use third-party analytics, advertising, or tracking cookies. If we add any in the future, we will update this policy and ask for your consent where required.

What we don't collect

We don't collect health data, biometric identifiers, precise real-time location tracking, or data about your activity off DIVR. We don't integrate with Apple Health.

3. How we use your information

We use your information only for the purposes set out below. For each purpose, we've identified the "legal basis" under UK and EU data protection law (UK GDPR / EU GDPR) that gives us the right to process your data that way.

What we don't do with your data

• We don't sell your personal data. Not to advertisers, not to data brokers, not to anyone. This is true now and we have no plans to change it.
• We don't use your data to train AI models. Your dive logs, photos, and logbook scans are never used to train Google Gemini or any other AI model. Google Gemini, accessed via Firebase AI Logic, processes scan images only to return extracted text to you, and the images are not retained by us or used for training.
• We don't run third-party ads. DIVR is ad-free and we don't share your data with advertising networks.
• We don't profile you for targeted advertising. We don't build advertising profiles based on your dives, locations, or behaviour.

4. How we share information

We do not sell your personal information to anyone. We share information only in the specific situations described below.

With other DIVR users

DIVR is a social platform, so some of your information is shared with other users when you use the App. You control how much, and with whom, through your privacy settings.

• Your profile — your username, profile photo, bio, and follower/following counts are visible to other DIVR users.
• Your dives — when you record a dive, you choose whether to post it to your feed or save it as a dive log only. Dives saved as logs only are visible just to you. Dives you post to your feed are visible based on your account-level privacy setting (public or private). If your account is public, your posted dives may be discoverable by people who are not signed in to DIVR.
• Dive buddy tags — if you tag someone as a dive buddy on a dive you post to your feed, they are notified, and their name appears on the dive as a link to their profile. The tag is visible to anyone who can see the dive itself, based on your account's privacy setting.
• Comments and likes — visible to anyone who can see the post they're on.

You can change your account privacy setting and individual dive visibility at any time, but content already seen, screenshot, or saved by other users may continue to exist outside the App.

With our service providers (sub-processors)

We use a small number of third-party services to run DIVR. These providers process your data on our behalf, under contracts that require them to keep it safe and use it only as we instruct. The main ones are:

For legal and safety reasons

We may share information when we believe in good faith that it's necessary to:

• Comply with a valid legal request (such as a court order, subpoena, or law enforcement request).
• Comply with any applicable law, regulation, or legal process.
• Enforce our Terms of Service or Community Guidelines.
• Detect, prevent, or address fraud, security, or technical issues.
• Protect the rights, property, or safety of DIVR, our users, or the public — including reporting content involving minors or credible threats of violence to relevant authorities.

Where legally permitted, we'll let you know about a request for your data before responding, so you have a chance to object.

In connection with a business transfer

If DIVR is ever involved in a merger, acquisition, sale of assets, or similar business transaction, your information may be transferred to the new owner as part of that transaction. If that happens, we'll let you know in advance, and the new owner will be bound to handle your data in a way that's at least as protective as this policy — or you'll be given the option to delete your account first.

Anonymous and aggregated information

We may share information that has been aggregated or fully anonymised — meaning it cannot be linked back to you — for things like community statistics ("most-logged dive sites this year") or research. This is not personal data and isn't subject to the rest of this policy.

5. Data storage & security

Where your data is stored

Your account data, dive logs, photos, and other content are stored on Google Firebase servers in the europe-west2 region (London, United Kingdom). Our website divrhq.com is hosted by GitHub Pages on their global CDN.

Some data is processed in other regions depending on the service — for example, Firebase Crashlytics may process crash diagnostics in the United States, and Apple's services may process data in the regions Apple operates. Where data leaves the UK or EU, it is transferred under safeguards approved by UK and EU data protection law (see Section 8 for more on international transfers).

How we keep your data safe

We take security seriously. The main measures we have in place are:

• Encryption in transit. All communication between your device and our servers is encrypted using HTTPS/TLS.
• Encryption at rest. Your data is encrypted on disk by Google Firebase using industry-standard encryption.
• Authentication required for access. Every request for your data has to be authenticated. You can't see another user's private content, and we can't either, except where strictly necessary for support or moderation.
• Firestore Security Rules. Strict rules at the database level control who can read or write each piece of data, so a vulnerability in the App can't be used to access other users' data.
• Passwords are never stored in plain text. Firebase Authentication hashes passwords using scrypt before they're stored, and we never see your password ourselves.
• Short-lived sign-in tokens. Authentication tokens are time-limited and refreshed regularly, so a stolen token quickly becomes useless.
• Limited access on our side. Only the developer (Rafferty Clarke Mathews) has administrative access to the back-end, and access is itself protected by strong authentication.

No service is 100% secure. We do everything we reasonably can to protect your data, but we can't guarantee perfect security. If a data breach ever affects your information, we'll notify you and the relevant authorities (such as the UK ICO) as required by law.

How long we keep your data

We keep your data only for as long as we need it. Different categories have different retention periods:

• Account information and dive content — kept while your account is active and for up to 30 days after you delete it, to allow for backup processing and accidental-deletion recovery.
• Inactive accounts — accounts inactive for 24 months may be deleted after at least 30 days' email notice (see Section 17 of the Terms of Service).
• Crash and diagnostic data — retained for up to 90 days, then deleted automatically.
• Analytics data — retained for 14 months by Firebase Analytics, then automatically deleted.
• Logbook scan images — not retained. Scans are processed by the AI service and discarded once dive data is extracted.
• Waitlist email addresses — kept on the divrhq.com waitlist until we send the launch announcement, then deleted (unless you choose to stay subscribed to product updates).
• Communications with us — support emails are kept for as long as needed to resolve your enquiry, plus a reasonable period afterwards in case of follow-up.
• Records we have to keep by law — for example, records relevant to tax, accounting, or legal claims may be kept for longer where required by law.

What happens when you delete your account

You can delete your DIVR account at any time from Settings → Account → Delete Account in the App.

When you delete your account:

• Your profile, dive logs, photos, follows, likes, and other personal content are deleted within 30 days.
• Backups are overwritten within a further 30 days (so within 60 days total, your data is gone from our systems).
• Comments you've left on other users' dives are deleted from our systems, though copies may still be visible to those users in their own caches, notifications, or screenshots — we can't reach into other people's devices to remove these.
• Data we're required to keep by law (e.g. for tax, fraud prevention, or to respond to legal claims) is retained for the legally required period.
• Fully anonymised or aggregated information — which is no longer linked to you — may be retained indefinitely.

Deletion is permanent. If you change your mind within the first 30 days, contact us at hello@divrhq.com and we may be able to restore your account from backup, but we can't guarantee it.

6. Your rights

You have meaningful rights over the personal data we hold about you. The exact rights depend on where you live, but most of them apply to everyone using DIVR. We've described them in plain English below.

Your rights under UK and EU data protection law

If you live in the UK or EU, you have all of the following rights under UK GDPR and EU GDPR:

• Right of access. You can ask us for a copy of the personal data we hold about you, and information about how we use it.
• Right to rectification. If any of your personal data is inaccurate or incomplete, you can ask us to correct it. You can also fix most of your account information yourself in the App.
• Right to erasure ("right to be forgotten"). You can ask us to delete your personal data. In most cases you can do this yourself by deleting your account in Settings → Account → Delete Account.
• Right to restrict processing. You can ask us to pause our use of your data while we investigate a concern you've raised — for example, if you think the data is inaccurate.
• Right to data portability. You can ask for a copy of your data in a structured, commonly-used, machine-readable format so you can take it to another service.
• Right to object. You can object to us processing your data based on our legitimate interests (such as analytics or crash reporting). For analytics and crash reporting, you can switch these off yourself in Settings → Privacy in the App.
• Right to withdraw consent. Where we rely on your consent (such as for marketing emails), you can withdraw it at any time. Withdrawing consent doesn't affect anything we did with your data before you withdrew.
• Rights related to automated decision-making. We don't make decisions about you based purely on automated processing (no automated profiling, scoring, or significant decisions made without a human).

How to exercise your rights

You can exercise most of your rights directly in the App:

• Edit your profile and dive content — in the App, on the relevant screen.
• Change privacy settings — Settings → Privacy.
• Turn off analytics or crash reporting — Settings → Privacy.
• Unsubscribe from marketing emails — using the unsubscribe link in any marketing email we send.
• Delete your account — Settings → Account → Delete Account.

For anything you can't do in the App — such as a formal access request, data portability export, or a question about how we use your data — email us at hello@divrhq.com with a brief description of what you're asking for.

What to expect when you make a request

• Response time. We'll respond within one month. If your request is unusually complex, we may extend this by up to two further months — we'll always tell you if so.
• Identity verification. To protect your data, we may need to confirm your identity before responding to a request. We won't ask for more information than necessary.
• Cost. Exercising your rights is free. If a request is "manifestly unfounded or excessive" (for example, identical repeat requests) we may charge a reasonable fee or refuse, but we'll explain why.
• Limits. Some rights have limits — for example, we can't delete data we're legally required to keep, and we can't act on a request that's clearly fraudulent or that would violate someone else's rights.

Right to lodge a complaint

If you think we've handled your personal data unfairly or in breach of the law, please get in touch first so we can try to put it right. You also have the right to complain to a data protection authority:

• In the UK — the Information Commissioner's Office (ICO), ico.org.uk.
• In the EU — the data protection authority of your EU country of residence. A full list is available on the European Data Protection Board website.

If you live in California

If you're a California resident, you have similar rights under the California Consumer Privacy Act (CCPA / CPRA). The terminology is different but the rights largely mirror those described above:

• Right to know what personal information we collect, use, and share about you.
• Right to delete the personal information we hold about you.
• Right to correct inaccurate personal information.
• Right to opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information within the meaning of the CCPA, so there is nothing to opt out of, but we list this right for completeness.
• Right to limit use of sensitive personal information. We don't process sensitive personal information beyond what's needed to provide the App to you.
• Right to non-discrimination. We won't discriminate against you for exercising any of these rights.

To exercise these rights, email us at hello@divrhq.com. You may use an authorised agent to make a request on your behalf, in which case we'll need proof of authorisation.

7. Children's privacy

DIVR is not intended for children under 13. In some EU jurisdictions the minimum age is 16, or whatever minimum age is required by your local law, whichever is higher.

We do not knowingly collect personal information from anyone below the minimum age. If we discover that we've collected information from someone below the minimum age, we will close the account and delete the associated information.

If you're a parent or guardian and you believe your child has created a DIVR account without your consent, please email us at hello@divrhq.com so we can take action quickly. To manage how a minor in your household uses iOS apps, we recommend using Apple Family Sharing and parental controls, which give you tools to approve downloads, restrict content, and manage screen time.

Where required by local law, we will not process the personal information of a minor for marketing purposes or for purposes that go beyond what's needed to provide the App.

8. International users and data transfers

DIVR is operated from the United Kingdom, and we primarily store your data on servers in the UK (see Section 5). But the App relies on services from Google and Apple, which sometimes process data in other countries — most notably the United States. This section explains how that works and what protections are in place.

Where your data may be processed

Your personal data may be processed in the following places:

• United Kingdom — primary storage of your account, dive logs, photos, and other content (Firebase europe-west2 region).
• European Union — some Firebase services may use EU regions for backups and redundancy.
• United States — Firebase Crashlytics processes crash diagnostics on US-based servers. Apple and Google services (including Sign in with Apple, Google Sign In, and Firebase AI Logic / Gemini) may also process data in the US.
• Other regions — Apple, Google, GitHub, and Static Forms operate global infrastructure and may process small amounts of data (such as map tile requests, website traffic, or form submissions) in other regions to deliver the Services efficiently.

Safeguards for international transfers

When your personal data is transferred outside the UK or EU, we make sure it's protected by appropriate safeguards under UK GDPR and EU GDPR:

• UK International Data Transfer Agreement (IDTA) and EU Standard Contractual Clauses (SCCs) — the contracts we have with Google, Apple, GitHub, and Static Forms include these clauses (or equivalent safeguards), which are the approved legal mechanisms for transferring personal data internationally.
• EU–US Data Privacy Framework and the UK Extension — where applicable, Google and Apple are certified under these frameworks, which provide an additional layer of protection for transfers to the US.
• Technical safeguards — all transfers are encrypted in transit, and data at rest is encrypted by our providers using industry-standard encryption.

You can request more information about any of these safeguards by emailing hello@divrhq.com.

If you're using DIVR from outside the UK or EU

DIVR is designed to work for divers anywhere in the world. If you use the App from outside the UK or EU, your data will still be stored primarily on servers in the UK, and processed in line with this Privacy Policy and UK data protection law. By using the App, you understand and agree that your information will be transferred to and processed in the UK and the other regions described above.

If your country's law gives you additional rights — for example, under Brazil's LGPD, Australia's Privacy Act, or any state-level US privacy law — those rights still apply, and you can exercise them by contacting us at hello@divrhq.com.

9. Changes to this policy

We may update this Privacy Policy from time to time — for example, when we add new features, change how we handle data, or update our list of service providers. When we do, we'll always update the "Last updated" date at the top of this page so you can see when the most recent change was made.

For material changes — meaning changes that significantly affect how we collect, use, or share your personal information — we'll give you advance notice through one or more of the following, where available:

• An in-app notice the next time you open DIVR.
• A push notification.
• An email to the address linked to your account.

Where the law requires it, we'll ask for your fresh consent before the change takes effect.

Continued use of DIVR after a change to this policy takes effect means you accept the updated policy. If you don't agree with a change, you can delete your account at any time from Settings → Account → Delete Account, and your data will be removed in line with Section 5.

10. Contact us

If you have questions about this Privacy Policy, want to exercise your rights, or just want to talk through anything about how we handle your data, please get in touch.

Rafferty Clarke Mathews
Email: hello@divrhq.com

We aim to reply to all privacy-related enquiries within five working days, and to formal data requests within the timeframes set out in Section 6.