Template, not legal advice. A working draft reflecting how ScubaOS is built. Have it reviewed by a data-protection specialist and complete every [placeholder] before publishing.

The short version

ScubaOS is local-first: you can log and plan dives with no account and no data leaving your device. The optional account and social features store some data on our server so you can sync across devices and share dives. We don't sell your data, we don't run ads, and we collect as little as we can.

Who we are

The data controller for the account and social features is [Operator legal name, address, ICO registration no. if applicable]. Contact: [email protected].

What we collect, and why

If you only use the app locally

Your dives, plans, kit and any photos you add stay on your device. We don't receive them. App stores may collect their own analytics under their policies.

If you create an account / use the social features

Our lawful bases (UK/EU GDPR)

Where your data lives, and transfers

The account-tier server is self-hosted in the United Kingdom. We keep data there and minimise third parties. Exact coordinates are encrypted at rest. If we ever use a processor outside the UK (for example a content-safety service), we will put an appropriate transfer safeguard in place and update this policy. [If you appoint sub-processors, list them and the safeguards here.]

How long we keep it

We keep account and shared-dive data while your account is active. When you delete your account, we delete it and the content you've shared on our servers. We may retain limited records where the law requires (for example, a record of a report we were obliged to make).

Your rights

You can access, export and delete your data from within the app (Settings → account), and you may also ask us directly. Under UK/EU GDPR you have rights to access, rectification, erasure, restriction, portability and objection. To exercise them, contact [email protected]. You can complain to the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.

Children

ScubaOS is for users aged 13 and over. We don't knowingly collect data from children under 13. For users under 18, accounts default to higher-privacy settings. See our Child Safety Standards.

Security

We use industry-standard measures: passwords are hashed (Argon2id), exact coordinates are encrypted, image metadata is stripped, and access to shared content is enforced per request. No system is perfectly secure, but we design to minimise what a breach could expose.

The website

scubaos.app is a static site. It sets no advertising or tracking cookies. It loads fonts from Google Fonts, which may receive your IP address to serve them. [If you add analytics, disclose it here.]

Contact

[email protected][Operator legal name, postal address; UK/EU representative if applicable].