The short version
ScubaOS is local-first: you can log and plan dives with no account and no data leaving your device. The optional account and social features store some data on our server so you can sync across devices and share dives. We don't sell your data, we don't run ads, and we collect as little as we can.
Who we are
The data controller for the account and social features is [Operator legal name, address, ICO registration no. if applicable]. Contact: [email protected].
What we collect, and why
If you only use the app locally
Your dives, plans, kit and any photos you add stay on your device. We don't receive them. App stores may collect their own analytics under their policies.
If you create an account / use the social features
- Account details — email, a handle, optional display name and bio. Used to run your account and let people find and follow you.
- Shared dives — the dive data you choose to publish, and any photos you attach. Used to show your posts to the audience you select.
- Location — a dive's coordinates, where you add them. For anyone other than you, a shared dive's location is coarsened (“fuzzed”) to a rough area, or hidden, per your choice; we never publish your exact site to others.
- Photos — we strip embedded metadata (including GPS) from uploaded images so a photo can't reveal a precise location.
- Interactions & safety data — follows, kudos, comments, blocks and reports, to operate the feed and keep it safe.
Our lawful bases (UK/EU GDPR)
- Contract — to provide the account, sync and social features you ask for.
- Consent — for optional sharing choices (e.g. publishing a dive, exact vs fuzzed location). You can withdraw consent by changing your settings or deleting the content.
- Legitimate interests — to keep the Service secure, prevent abuse, and moderate content.
- Legal obligation — to act on and report certain illegal content where the law requires.
Where your data lives, and transfers
The account-tier server is self-hosted in the United Kingdom. We keep data there and minimise third parties. Exact coordinates are encrypted at rest. If we ever use a processor outside the UK (for example a content-safety service), we will put an appropriate transfer safeguard in place and update this policy. [If you appoint sub-processors, list them and the safeguards here.]
How long we keep it
We keep account and shared-dive data while your account is active. When you delete your account, we delete it and the content you've shared on our servers. We may retain limited records where the law requires (for example, a record of a report we were obliged to make).
Your rights
You can access, export and delete your data from within the app (Settings → account), and you may also ask us directly. Under UK/EU GDPR you have rights to access, rectification, erasure, restriction, portability and objection. To exercise them, contact [email protected]. You can complain to the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.
Children
ScubaOS is for users aged 13 and over. We don't knowingly collect data from children under 13. For users under 18, accounts default to higher-privacy settings. See our Child Safety Standards.
Security
We use industry-standard measures: passwords are hashed (Argon2id), exact coordinates are encrypted, image metadata is stripped, and access to shared content is enforced per request. No system is perfectly secure, but we design to minimise what a breach could expose.
The website
scubaos.app is a static site. It sets no advertising or tracking cookies. It loads fonts from Google Fonts, which may receive your IP address to serve them. [If you add analytics, disclose it here.]
Contact
[email protected] — [Operator legal name, postal address; UK/EU representative if applicable].