The English version is binding.
Privacy Policy
This policy explains what personal data DivePrep handles, why, and your rights. DivePrep is an operations tool for dive centers, so it is important to be clear about who controls which data — the dive center or DivePrep.
Who controls the data (controller vs processor)
The split is deliberate and stated plainly:
- Operational data about divers — profiles, gear preferences, certification and insurance fields, waiver records, and medical-form status flags — is controlled by the dive center. DivePrep only processes this data on the dive center’s behalf and on its instructions.
- Account, billing, and referral data is controlled by DivePrep (DivePrep, Switzerland), which is the data controller for that data.
About medical forms: DivePrep stores only whether a required form (for example a medical questionnaire) has been received or is valid — a status flag. It does not store medical records, diagnoses, or the contents of medical documents.
Data we handle & why
- Account & sign-in — your name, email, and a securely hashed password (or a social login). Used to create and secure your account.
- Organization & billing — dive-center details, plan, Stripe customer/subscription identifiers, and invoice history. Used to run your subscription.
- Referral — referral codes, redemptions, and the IP address captured at referral signup. Used to operate the referral program and prevent abuse.
- Diver operational data — the diver profiles, contact details, date of birth, nationality, emergency contact, certification details, insurance status/company, gear preferences, signed liability-waiver record, and form-status flags the dive center enters. Used to provide trip and gear-prep features to the dive center.
- Technical & delivery logs — the IP address and browser user-agent recorded with a public booking submission (anti-abuse), and transactional email delivery logs, product telemetry, and error diagnostics (deliverability, support, reliability, and abuse prevention).
Legal bases
Where the GDPR / Swiss nFADP applies, we rely on:
- Performance of a contract — to provide DivePrep and process your subscription.
- Legitimate interest — to keep the service secure, prevent fraud and referral abuse, and operate and improve the product, balanced against your rights.
- Legal obligation — to keep records such as invoices where the law requires it.
Subprocessors
We use a small number of trusted infrastructure providers to run DivePrep. Each processes data only to provide its service to us:
| Provider | Purpose | Region |
|---|---|---|
| Vercel | Application hosting, content delivery, web analytics & performance telemetry | EU / US |
| Neon | PostgreSQL database hosting | EU |
| Stripe | Subscription billing & card payment processing | EU / US |
| Resend | Transactional email delivery | US |
| Sentry | Error monitoring & diagnostics | EU / US |
Maps & location lookups
Dive-center address search and nearby dive-site lookup use OpenStreetMap services through DivePrep’s server-side proxies where possible. Interactive map tiles load directly in your browser from OpenStreetMap tile servers, so the tile provider may receive normal browser request data such as your IP address and user-agent. DivePrep does not intentionally send customer, diver, or account identifiers with those tile requests.
Cookies
DivePrep keeps cookie use to a minimum — no advertising or cross-site tracking:
- An essential session cookie that keeps you signed in.
- A functional referral cookie (up to 30 days) that remembers a referral code so it can be applied when you sign up.
- A functional language cookie that remembers your chosen interface language so the app loads in it next time.
Analytics & performance: in production we use Vercel Web Analytics and Vercel Speed Insights to understand usage and page performance. Both are privacy-friendly: they set no cookies, do no cross-site tracking, and the data they collect is aggregated and anonymous. They are not loaded in our development or preview environments.
How long we keep data
- Your operational data is kept for as long as your dive center’s account is active. You can export it or delete your account at any time.
- Booking submission IP & user-agent are redacted after 30 days — the booking request itself is kept, but those technical identifiers are removed.
- Referral signup IP is used only for anti-fraud review tied to the referral’s 90-day qualification window, then redacted.
- Transactional email delivery logs are pruned after 180 days by a scheduled cleanup.
- Invoices and audit records may be retained longer where the law requires or to preserve a security/audit trail (with personal identifiers anonymized on erasure).
Your rights
Depending on where you live, you have rights to access, correct, delete, restrict, object to, and port your personal data. In DivePrep:
- Export — you can export your organization’s data from within the product at any time.
- Erasure — you can delete your account (a self-service GDPR erasure) from your account settings; audit-log entries you authored are anonymized rather than deleted, so a dive center’s security trail survives.
If you are a diver and want to exercise your rights over data a dive center holds about you, please contact that dive center — it is the controller of that data. For account, billing, and referral data, contact us at support@diveprep.app.
International transfers
DivePrep runs on EU and US infrastructure (see the subprocessors above). Where personal data is transferred outside the EU/EEA or Switzerland, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.
Security
We protect data with encryption in transit, hashed credentials, per-organization access controls and role-based permissions, encrypted storage of sensitive provider secrets, and scoped multi-tenant database access. No system is perfectly secure, but we take reasonable, industry-standard measures.
Applicable law
DivePrep is operated from Switzerland. This policy is designed to meet the Swiss Federal Act on Data Protection (nFADP) and, where it applies, the EU General Data Protection Regulation (GDPR).
Changes & contact
We may update this policy as the product evolves and will give reasonable notice of material changes. Questions or requests? Email support@diveprep.app.
Operated by DivePrep, Switzerland. Contact: support@diveprep.app.
Last updated: 3 July 2026.