
Privacy Policy

Last updated: 2026-04-05 — GDPR Article 13 compliant

1. Data Controller

The data controller for DepthZero is the NAUI dive instructor operating this platform:

NAUI Instructor #66132 — Kana Losano

Contact: legal@depthzero.app

2. Data We Process

Account Data

Full name, email address, password (hashed), preferred language, referral information.

Legal basis: Contract performance (Article 6(1)(b))

Contact & Emergency Data (Encrypted)

Phone number, emergency contact name and phone number. Encrypted at rest using industry-standard encryption.

Legal basis: Legitimate interests — diver safety (Article 6(1)(f))

Training Records

Course enrollments, skill signoffs, dive logs, quiz results, certifications, instructor notes.

Legal basis: Contract performance; legitimate interests (Article 6(1)(b), (f))

⚠ Health Data — Special Category (Article 9)

Medical questionnaires, dive medical clearance documents. This is special-category data under GDPR Article 9.

Legal basis: Explicit consent (Article 9(2)(a)) — you provided this separately at registration.

This data is encrypted at rest with a separate encryption key from the one used for other data. It is never used for analytics and is disclosed to no one other than your instructor; the sub-processors listed in section 4 store it on our behalf and do not receive it for any other purpose.

Usage Data

Page views, session timing, error logs (anonymised). Used for platform stability only.

Legal basis: Legitimate interests (Article 6(1)(f))

3. Retention Periods

  • Training records and certifications: 20 years (dive industry standard for qualification records)
  • Medical documents: 5 years after last course, unless longer retention required by applicable standards
  • Account data: Duration of account + 2 years
  • Audit logs: 7 years (financial and legal compliance)
  • AI conversation logs: 90 days, then anonymised

4. Sub-Processors

  • Supabase: database and authentication. Region: EU (eu-west-1). Privacy policy ↗
  • Vercel: web hosting, CDN and anonymous performance analytics (see section 6). Region: global edge / US. Privacy policy ↗
  • Google: OAuth authentication and Drive document storage. Region: global. Privacy policy ↗
  • Anthropic: AI study assistant. Receives course content and skill data only (non-PII), never personal data. Region: US. Privacy policy ↗

5. Your Rights (GDPR)

  • Access (Article 15): Request a copy of your data
  • Rectification (Article 16): Correct inaccurate data
  • Erasure (Article 17): Request deletion. Note: certification records may be retained where required by law or legitimate interests.
  • Portability (Article 20): Export your data in JSON/PDF format
  • Objection (Article 21): Object to processing based on legitimate interests
  • Withdraw consent (Article 7(3)): Withdraw your consent for medical data processing and AI features at any time; withdrawal does not affect processing that took place before it

To exercise any right, contact: legal@depthzero.app

6. Cookies

The only cookies we set are the essential authentication cookies for your Supabase session. See our Cookie Policy for details. Separately, we use Vercel Analytics for anonymous performance monitoring; see their privacy policy for how that data is handled.

7. Supervisory Authority

You have the right to lodge a complaint with your national data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.