The short version
ScubaOS is local-first: you can log and plan dives with no account and no data leaving your device. The optional account and social features store some data on our server so you can sync across devices and share dives. We don't sell your data, we don't run ads, and we collect as little as we can.
Who we are
The data controller for the account and social features is Piers Jennings, trading as My SEO Growth. Contact: [email protected].
What we collect, and why
If you only use the app locally
Your dives, plans, kit and any photos you add stay on your device. We don't receive them. App stores may collect their own analytics under their policies.
If you create an account / use the social features
- Account details: email, a handle, optional display name and bio. Used to run your account and let people find and follow you.
- Shared dives: the dive data you choose to publish, and any photos you attach. Used to show your posts to the audience you select.
- Location: a dive's coordinates, where you add them. For anyone other than you, a shared dive's location is coarsened (“fuzzed”) to a rough area, or hidden, per your choice; we never publish your exact site to others.
- Photos: we strip embedded metadata (including GPS) from uploaded images so a photo can't reveal a precise location.
- Interactions & safety data: follows, kudos, comments, blocks, and reports you make or that are made about your content, to operate the feed and keep it safe.
- Date of birth: collected at signup to enforce our minimum age and apply higher-privacy defaults to accounts under 18. We keep the date, not a public age.
- Sync data (Pro): if you turn on account sync, your dive log, kit and photos are stored on our server to keep your devices in step. Backup to your own iCloud or Google Drive goes to your own account under Apple’s or Google’s terms, not to us.
- Purchases: store receipts and entitlement status, to unlock what you have paid for. We never see your payment details.
- Push tokens: a device token if you enable notifications, used only to deliver them.
- Server logs: like every server, ours keeps short-lived technical logs (IP address, request, time) for security and abuse prevention. They are deleted within 30 days.
Our lawful bases (UK/EU GDPR)
- Contract: to provide the account, sync and social features you ask for.
- Consent: for optional sharing choices (e.g. publishing a dive, exact vs fuzzed location). You can withdraw consent by changing your settings or deleting the content.
- Legitimate interests: to keep the Service secure, prevent abuse, and moderate content.
- Legal obligation: to act on and report certain illegal content where the law requires.
We do not make solely automated decisions about you that have legal or similarly significant effects. Some profanity in feed text is masked automatically; enforcement against a person or account is reviewed by a human.
Where your data lives, and transfers
The account-tier server is self-hosted in the United Kingdom. We keep data there and minimise third parties. Exact coordinates are encrypted at rest. The processors that may handle account or social data are Resend (transactional email: verification and password-reset codes) and Apple and Google (delivering push notifications); each is used only for that purpose. These providers are US companies: where personal data leaves the UK we rely on the UK Extension to the EU–US Data Privacy Framework where the provider is certified, or on the ICO’s International Data Transfer Agreement or Addendum otherwise.
How long we keep it
We keep account and shared-dive data while your account is active. When you delete your account, we delete it and the content you've shared on our servers. Deleted content can persist in encrypted backups for up to 30 days before it is gone entirely. We may retain limited records where the law requires (for example, a record of a report we were obliged to make).
Your rights
You can access, export and delete your data from within the app (Settings → account), and you may also ask us directly. Under UK/EU GDPR you have rights to access, rectification, erasure, restriction, portability and objection. To exercise them, contact [email protected]; we respond within one month, free of charge, and may need to verify your identity first. You can complain to the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.
Children
ScubaOS is for users aged 13 and over. We don't knowingly collect data from children under 13. For users under 18, accounts default to higher-privacy settings. See our Child Safety Standards.
Security
We use industry-standard measures: passwords are hashed (Argon2id), exact coordinates are encrypted, image metadata is stripped, and access to shared content is enforced per request. No system is perfectly secure, but we design to minimise what a breach could expose.
The website
scubaos.app sets no cookies. If you pick a light or dark theme, that choice is saved in your browser’s local storage on your device; it is set only when you ask for it, never sent to us, and you can clear it in your browser settings. Fonts are served from our own domain, so no third party is involved in loading the site.
Analytics. We count visits using a first-party beacon that sets no cookies and stores nothing on your device. It records the page viewed, the referring site, your browser type and a shortened form of your IP address that we cannot link back to you. We use this, under our legitimate interest in understanding how the site is used, to see which pages matter. It is never combined with app or account data, and we do not use it to track you across sites.
Mailing list. If you join the launch list we store your email address, when you signed up, and your double opt-in confirmation, so we can show you consented. With that consent we send occasional ScubaOS news, including the early-supporter discount we promised. Every email has an unsubscribe link; unsubscribing stops the emails immediately, and you can ask us to erase the record entirely. Resend sends these emails for us under the transfer safeguards described above.
Changes to this policy
If we change this policy in a way that matters, we will say so here and update the date above; for material changes affecting account holders we will tell you in the app or by email.
Contact
[email protected] (Piers Jennings, trading as My SEO Growth).