Privacy Policy
Last updated: February 9, 2026
Privacy at a Glance
Before diving into the details, here is what matters most:
- We collect only what we need to run your dive center management platform.
- Your client data belongs to you. We process it on your behalf and do not sell it.
- We do not sell or share personal information for advertising or marketing purposes.
- We use a small number of trusted service providers (Stripe, Google, and others) and we list them all below.
- We store sensitive data carefully. Passwords are hashed. Financial details are encrypted. Medical data requires explicit consent.
- We do not use third-party analytics or advertising trackers. We only set essential cookies.
- You have rights over your data. Depending on where you live, you can access, correct, delete, export, or restrict how we use it.
- We transfer data internationally using approved safeguards like Standard Contractual Clauses.
- We notify you promptly if a data breach affects your information.
Questions? Contact us at admin@diverdash.com or write to our Data Protection Officer at admin@diverdash.com.
1. Who We Are
Diver Dash is a multi-tenant software-as-a-service (SaaS) platform for dive center management. We help dive centers manage their clients, courses, equipment, staff, finances, and day-to-day operations.
Data Controller:
Genius Creations LLC
3 Germay Dr, Unit 4 #1324, Wilmington, DE 19804, United States
United States (Delaware)
Data Protection Officer:
Data Protection Officer
admin@diverdash.com
3 Germay Dr, Unit 4 #1324, Wilmington, DE 19804, United States
Throughout this policy, "Diver Dash," "we," "us," and "our" refer to Genius Creations LLC. "You" and "your" refer to the individual whose personal data we process.
2. Who This Policy Applies To
We process personal data for two types of individuals. Understanding which category you fall into helps explain how and why we handle your data.
2.1 Business Users (Dive Center Staff and Owners)
You are a business user if you create a Diver Dash account to manage a dive center. This includes dive center owners, administrators, managers, instructors, and other staff members. For business user data, Diver Dash is the data controller -- we determine why and how your data is processed.
2.2 Dive Center Clients (Divers)
You are a dive center client if you submit your information through a dive center's registration or onboarding form hosted on Diver Dash. For dive center client data, Diver Dash is the data processor -- we process your data on behalf of the dive center (the data controller) according to their instructions.
If you are a dive center client and have questions about how your personal data is used, your primary point of contact is the dive center that collected your information. You may also contact us directly, and we will assist you or direct your request to the relevant dive center.
3. Personal Data We Collect
We organize the personal data we collect into the categories below. Not all data is collected from every user -- what we collect depends on your role, your dive center's configuration, and the features used.
3.1 Identity Data
Data that identifies who you are.
This includes your first name, last name, full name, date of birth, gender, nationality, passport number (dive center clients only, where required by the dive center), and profile picture (optional, business users only).
3.2 Contact Data
Data we use to communicate with you.
This includes your email address, phone number, postal address (street, city, state/province, postal code, country), and emergency contact name, phone number, and relationship (dive center clients only).
3.3 Account and Authentication Data
Data related to your Diver Dash account (business users only).
This includes your email and password (password is stored as a one-way hash -- we cannot read it), email verification status and tokens (temporary), password reset tokens (temporary, expire within 1 hour), account role and permissions, session version (used for security, such as forced logout), account status (active, pending, or inactive), and freelancer status.
3.4 Preferences Data
Settings you choose to personalize your experience (business users only).
This includes your language, timezone, date and time format, currency and number format preferences, unit system (metric or imperial), week start day, theme preference (light, dark, or system), and notification preferences (email, push).
3.5 Employment and Payroll Data
Data related to staff employment (business users who are dive center staff).
This includes your hire date, end date, employment type (full-time, part-time, contractor), department and position, pay rate, hourly rate, salary amount, salary frequency, overtime rate, commission rates (retail, course), benefits eligibility, bank account details (encrypted), tax identifier such as SSN or tax ID (encrypted), and tax filing status and jurisdictional tax profile.
3.6 Diving and Certification Data
Data about diving qualifications and experience (dive center clients).
This includes your certification level, number, date, and issuing organization, maximum certified dive depth, approximate number of dives and date of last dive, diver type (technical diver, fun diver, course participant), stated diving interest, and dive check information (checked by, organization).
3.7 Health and Medical Data
Sensitive data related to fitness for diving (dive center clients). See also Section 6.
This includes medical questionnaire answers (health conditions, symptoms, medication history), whether a physician evaluation is required, medical clearance status, date, expiry, approving person, and notes, digital signature on medical declaration (typed name and date), and generated medical questionnaire PDF documents.
3.8 Dietary Information
Data related to food requirements (dive center clients).
This includes dietary requirements and whether the client has food allergies, along with details of those allergies.
3.9 Equipment and Sizing Data
Data for equipment fitting (dive center clients).
This includes BCD size, wetsuit size, fin size, shoe size, and t-shirt size.
3.10 Financial and Transaction Data
Data related to billing, payments, and financial management.
For business users (company-level), this includes company bank account numbers, routing numbers, institution details, opening balances, company tax ID and tax numbers, sales tax codes and rates, invoices, bills, payments, expenses, deposits, and related transaction records, as well as chart of accounts and journal entries. For dive center clients, this includes client bills, payment records, deposits, and refund records. For subscriptions, this includes subscription plan, billing cycle, trial dates, Stripe customer ID, and subscription ID (Diver Dash does not store payment card numbers -- Stripe handles this directly).
3.11 Company and Business Data
Data about the dive center business (provided by business users).
This includes company name and legal name, business address, phone, email, and website, company logo, tax identification numbers, whether the company is a training center, dive organization affiliation, registration ID (used for client self-registration links), and owner information.
3.12 Course and Operations Data
Data about dive center activities.
This includes course schedules, enrollments, and progress records, dive trip plans and manifests, equipment rental records, staff schedules, facility bookings, and vessel and voyage records.
3.13 Documents and Files
Files uploaded to the platform.
This includes medical questionnaire PDFs, certification cards, insurance documents, signed waivers, bank statements (imported for reconciliation), and product data files (bulk uploads).
3.14 Technical and Log Data
Data generated through your use of the platform.
This includes your IP address (recorded in audit logs for security-relevant actions), browser user agent (recorded in access control audit logs), actions performed on the platform (audit trail), and timestamps of activity.
3.15 Referral Data
Data about referral relationships.
This includes referrer identity and associated referral code, referral link usage, commission records, and group leader assignments.
4. How We Collect Your Data
4.1 Data You Provide Directly
We collect data directly from you when you register for a Diver Dash account (business users), when you fill out a dive center's client registration or onboarding form (dive center clients), when you complete a medical questionnaire, when you upload documents such as certifications, insurance, or waivers, when you update your profile, preferences, or company settings, and when you contact our support team.
4.2 Data Generated Through Your Use of the Platform
As you use the platform, certain data is generated automatically. This includes audit logs created when you perform actions on the platform, session data stored in authentication cookies, and financial transaction records created through platform use.
4.3 Data Received from Third Parties
- Stripe: Subscription status updates, payment success or failure notifications, and trial end dates (received via secure webhooks)
- Google Calendar: Calendar event data when a dive center enables calendar synchronization (optional)
- Google reCAPTCHA: Verification result (pass/fail) during account registration -- we do not receive or store the underlying interaction data
- Bank statement imports: Transaction data uploaded by dive center staff for reconciliation purposes
5. Why We Process Your Data and Our Legal Bases
We process your personal data only when we have a valid reason to do so. The table below maps each processing activity to its purpose and legal basis under the EU General Data Protection Regulation (GDPR). Where other jurisdictions apply, equivalent legal bases are noted in Section 19.
| Processing Activity | Data Used | Purpose | Legal Basis (GDPR) |
|---|---|---|---|
| Account creation and authentication | Identity, contact, account data | Provide and secure the platform | Contractual necessity (Art. 6(1)(b)) |
| Dive center client registration and onboarding | Identity, contact, diving, dietary, equipment, documents | Enable dive centers to manage their client relationships | Contractual necessity (Art. 6(1)(b)) -- as processor on behalf of the dive center |
| Medical questionnaire processing | Health and medical data | Assess fitness for diving activities | Explicit consent (Art. 9(2)(a)) |
| Subscription billing and payment processing | Financial data, company data | Process subscription payments via Stripe | Contractual necessity (Art. 6(1)(b)) |
| Client billing and invoicing | Financial and transaction data | Enable dive centers to bill their clients | Contractual necessity (Art. 6(1)(b)) -- as processor |
| Payroll processing | Employment, financial, tax data | Calculate and process staff pay | Contractual necessity (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) for tax reporting |
| Course and operations management | Course, operations, scheduling data | Core platform functionality for dive center operations | Contractual necessity (Art. 6(1)(b)) |
| Google Calendar synchronization | Course session names, dates, locations | Sync dive center schedules with Google Calendar (optional) | Consent (Art. 6(1)(a)) -- user initiates the connection |
| Email communications (transactional) | Contact data, email content | Send account-related emails (welcome, verification, password reset, invitations, payslips, trial notifications) | Contractual necessity (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f)) for service notifications |
| Bot protection (reCAPTCHA) | IP address, interaction token | Prevent automated abuse during registration | Legitimate interest (Art. 6(1)(f)) -- platform security |
| Security logging and audit trails | Technical data, IP address, user agent, actions performed | Detect and investigate unauthorized access, maintain compliance records | Legitimate interest (Art. 6(1)(f)) -- security; Legal obligation (Art. 6(1)(c)) for financial audit trails |
| Referral program management | Referral data, identity data | Track and compensate referrals | Contractual necessity (Art. 6(1)(b)) |
| Emergency contact storage | Emergency contact data | Provide safety information in case of diving emergencies | Legitimate interest (Art. 6(1)(f)) -- vital safety interests |
About legitimate interest: Where we rely on legitimate interest, we have conducted a balancing test to confirm that our interest does not override your rights and freedoms. You can request details of these assessments by contacting us.
6. Sensitive and Special Category Data
6.1 Health and Medical Data
Diver Dash processes health and medical data when dive center clients complete medical questionnaires as part of the dive center's onboarding process. This data may include information about medical conditions, symptoms, medications, and fitness-to-dive assessments.
Under the GDPR, health data is a "special category" of personal data (Article 9) that requires additional protections. We process this data based on:
- Explicit consent (Article 9(2)(a)): Dive center clients provide explicit consent when they complete and digitally sign the medical questionnaire.
- The dive center (as data controller) is responsible for obtaining this consent. Diver Dash (as data processor) processes the data according to the dive center's instructions.
Under US state privacy laws (including the CCPA/CPRA), health data is classified as sensitive personal information with enhanced protections.
Safeguards we apply to health data:
- Medical questionnaire PDFs are stored in cloud storage with unique, non-guessable URLs (UUID-based paths). Access requires knowing the specific URL
- Access to medical data within the platform is restricted to authorized dive center staff through role-based access control
- Medical clearance records include expiry dates to support data minimization
- Dive center clients may request deletion of their medical data at any time
6.2 Financial and Tax Data
Employment-related financial data (bank account details, tax identifiers) is encrypted in our database. Access is restricted to authorized personnel within the relevant dive center.
6.3 Identity Documents
Passport numbers collected from dive center clients are stored only when required by the dive center's operational needs. This data is treated as sensitive and access is restricted.
7. How We Share Your Data
We do not sell your personal data. We share personal data only with the service providers and in the circumstances described below.
7.1 Service Providers (Sub-Processors)
| Service Provider | Data Shared | Purpose | Location |
|---|---|---|---|
| Cloud infrastructure provider | All application data (hosting, database, file storage) | Infrastructure: application hosting, database, and file storage | United States |
| Stripe | Company email, company name, company ID, subscription plan, billing cycle | Payment processing for subscriptions (Stripe handles payment card details directly -- we never see or store card numbers) | United States |
| Transactional email provider | Recipient email address and name, email content | Sending transactional emails (welcome, verification, password reset, invitations, payslips, trial notifications) | United States |
| Google (reCAPTCHA) | IP address, reCAPTCHA interaction token | Bot protection on the registration page only | United States |
| Google (Calendar API) | Course session names, dates, times, locations, notes; OAuth tokens | Calendar synchronization (only when a dive center opts in) | United States |
| Google (Fonts) | IP address (implicit, during font loading) | Loading web fonts for the platform interface | United States |
7.2 Email Tracking Disclosure
Our email service provider tracks email opens and link clicks by default for transactional emails. This tracking helps us confirm delivery and identify issues. We do not use this data for advertising or profiling.
7.3 Dive Center Access to Client Data
If you are a dive center client, the dive center that collected your data has access to your information through the Diver Dash platform. This includes your personal details, diving information, medical data (where authorized), documents, and billing records. The dive center is the data controller for this information and determines how it is used.
7.4 Within Your Organization
If you are a business user, other authorized members of your dive center may have access to certain data depending on their role and permissions within the platform. For example, managers may access staff scheduling data, and administrators may access payroll information.
7.5 Legal and Regulatory Disclosures
We may disclose personal data when required to:
- Comply with applicable laws, regulations, or legal process
- Respond to lawful requests from public authorities, including law enforcement
- Protect the rights, property, or safety of Diver Dash, our users, or others
- Enforce our Terms of Service
7.6 Business Transfers
If Diver Dash is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
8. International Data Transfers
Diver Dash's infrastructure and service providers are located in the United States. If you are located outside the United States, your personal data will be transferred to and processed in the United States.
We protect your data during international transfers using the following safeguards:
- EU/EEA and UK to United States: Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by the UK International Data Transfer Addendum where applicable. Where our service providers are certified under the EU-US Data Privacy Framework, this provides additional protection.
- Brazil: Standard Contractual Clauses or equivalent transfer mechanisms.
- Singapore, Thailand, Japan: Contractual arrangements ensuring a comparable level of data protection.
- Australia: We take reasonable steps to ensure overseas recipients handle personal information in accordance with the Australian Privacy Principles.
- Canada and Quebec: We maintain accountability for data transfers under PIPEDA and conduct privacy impact assessments for transfers outside Quebec as required by Law 25.
- South Africa: Transfers are made under binding agreements ensuring adequate protection as required by POPIA.
You may request a copy of the applicable transfer safeguards by contacting our Data Protection Officer.
9. Cookies and Tracking Technologies
9.1 Cookies We Use
Diver Dash uses a small number of essential cookies only. We do not use advertising cookies, third-party tracking cookies, or analytics cookies.
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| next-auth.session-token | Keeps you signed in (authentication) | Essential, HTTP-only, SameSite=Lax | 30 days |
| next-auth.callback-url | Manages authentication redirects | Essential, SameSite=Lax | Session |
| next-auth.csrf-token | Protects against cross-site request forgery attacks | Essential, HTTP-only, SameSite=Lax | Session |
| theme | Remembers your light/dark theme preference | Functional, SameSite=Strict | 1 year |
9.2 Local Storage
We store your theme preference (theme) in your browser's local storage for a consistent experience across sessions.
9.3 No Third-Party Tracking
We do not use Google Analytics or any analytics tracking service, advertising pixels or retargeting tags, session recording tools (such as Hotjar, FullStory, or LogRocket), error tracking services, or any social media tracking pixels.
9.4 Google Fonts
Our platform loads fonts from Google Fonts, which may cause your browser to make requests to Google's servers. This exposes your IP address to Google. Google's privacy policy applies to this interaction.
9.5 Google reCAPTCHA
On the registration page only, we use Google reCAPTCHA v2 to prevent automated abuse. This service may collect your IP address and behavioral data during the CAPTCHA interaction. Google's privacy policy and terms of service apply to reCAPTCHA.
9.6 Cookie Consent
Our cookies are limited to those strictly necessary for the platform to function (authentication, security, and basic preferences), which generally do not require opt-in consent under most privacy regulations. However, Google reCAPTCHA (on the registration page) and Google Fonts involve data transmission to Google's servers (see Sections 9.4 and 9.5). We disclose all tracking-related interactions here for full transparency.
10. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy, or as required by law. The table below outlines our retention periods by data category.
| Data Category | Retention Period | Reason |
|---|---|---|
| Business user account data | Duration of account + 30 days after account deletion | Service provision; grace period for account recovery |
| Dive center client data | Retained by the dive center (controller) until deleted; removed within 30 days of deletion request or account termination | Processed on behalf of the dive center |
| Medical and health data | Duration of client relationship with the dive center; deleted on request or at account termination | Safety purposes; subject to explicit consent |
| Employment and payroll data | Duration of employment + 7 years | Tax, accounting, and legal record-keeping obligations |
| Financial transaction records | 7 years after transaction date | Tax, accounting, and legal record-keeping obligations |
| Subscription and billing records | Duration of subscription + 7 years | Financial record-keeping; dispute resolution |
| Email verification and password reset tokens | 24 hours (email verification); 1 hour (password reset) | Short-lived by design for security |
| Audit logs and security records | 3 years | Security investigation; regulatory compliance |
| Application server logs | 90 days | Debugging and security monitoring |
| Documents and uploaded files | Duration of account or client record; removed within 30 days of deletion request | Service provision |
| Referral data | Duration of referral program participation + 3 years | Commission reconciliation and disputes |
After the retention period ends, data is securely deleted or anonymized. Anonymized data (from which you cannot be identified) may be retained indefinitely for aggregate analysis and product improvement.
You can request earlier deletion of your data at any time, subject to our legal obligations to retain certain records. See Section 12.
11. Data Security
We implement technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, and destruction. These measures include:
Technical measures:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS
- Password security: Passwords are hashed using bcryptjs (a one-way cryptographic hash) -- we cannot read your password
- Encrypted sensitive fields: Staff bank account details and tax identifiers are encrypted in the database
- Database encryption at rest: Our database provider provides encryption at rest
- Secure cookies: Authentication cookies are HTTP-only (not accessible to JavaScript) and marked Secure in production
- CSRF protection: Cross-site request forgery tokens protect against unauthorized form submissions
- Rate limiting: Registration, login, password reset, and other sensitive endpoints have rate limits to prevent brute-force attacks
Organizational measures:
- Role-based access control (RBAC): Users only access data relevant to their role. A hierarchical role system (Super Admin, Admin, Manager, User) with granular permissions controls access
- Multi-tenant data isolation: Each dive center's data is strictly separated. Users can only access data belonging to their own organization
- Fail-closed security model: If an authorization check fails or encounters an error, access is denied by default
- Session management: Sessions expire after 30 days. Administrators can revoke user sessions immediately when needed
- Audit logging: Security-relevant actions (role changes, permission modifications, session revocations) are logged with timestamps and metadata
No security system is perfect. While we take these measures seriously, no method of transmission or storage is 100% secure. If you discover a vulnerability, please report it to admin@diverdash.com.
12. Your Privacy Rights
Depending on where you are located, you may have specific rights over your personal data. We honor these rights regardless of whether we are acting as a data controller (for business user data) or data processor (for dive center client data).
12.1 Rights Available to All Users
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Correction | Request that we correct inaccurate or incomplete data |
| Deletion | Request that we delete your personal data (subject to legal retention requirements) |
| Withdraw consent | Where processing is based on consent, withdraw your consent at any time |
12.2 Additional Rights by Jurisdiction
| Right | Available To |
|---|---|
| Data portability (receive your data in a machine-readable format) | EU/EEA, UK, Quebec, Brazil, and other jurisdictions with portability rights |
| Restrict processing | EU/EEA, UK |
| Object to processing (including processing based on legitimate interest) | EU/EEA, UK, South Africa |
| Opt out of sale or sharing of personal information | California and other US states with opt-out rights |
| Limit use of sensitive personal information | California |
| Right not to be subject to automated decision-making | EU/EEA, UK, South Africa |
| Lodge a complaint with a supervisory authority | EU/EEA, UK, Brazil, South Africa, Singapore, Thailand, Australia, and others (see Section 18) |
12.3 How to Exercise Your Rights
You can exercise your rights in any of the following ways:
- Email: admin@diverdash.com
- Mail: 3 Germay Dr, Unit 4 #1324, Wilmington, DE 19804, United States
What to expect: We will verify your identity before processing any request. We will respond within 30 days (or sooner where required by applicable law -- for example, 15 days under Brazil's LGPD, or 45 days under the CCPA). If we need additional time for complex requests, we will let you know within the initial response period. If we cannot fulfill a request (for example, due to a legal retention obligation), we will explain why.
If you are a dive center client: We may need to coordinate with your dive center (the data controller) to fulfill your request. We will not unreasonably delay the process.
No discrimination: We will not treat you differently or penalize you for exercising your privacy rights.
13. Children and Young Divers
Diver Dash is a business platform designed for dive center management. We do not knowingly direct our services to children.
However, we recognize that dive certification agencies issue certifications to individuals as young as 10 years old, which means dive centers may process data about minors through the Diver Dash platform.
13.1 Our Approach to Minor Data
Business user accounts (dive center staff) must be held by individuals who are at least 16 years old (or the minimum age of digital consent in your jurisdiction, whichever is higher).
Dive center client data may include individuals under 16. The dive center (as data controller) is responsible for obtaining appropriate parental or guardian consent before submitting a minor's data, and for ensuring compliance with applicable children's privacy laws (including COPPA in the US for children under 13, and GDPR age-of-consent provisions in the EU).
If we become aware that we have processed data about a child without appropriate consent, we will take steps to delete that data promptly.
13.2 Parental Rights
Parents or guardians of minors whose data has been processed through the platform may contact us at admin@diverdash.com to:
- Request access to their child's data
- Request correction or deletion of their child's data
- Withdraw consent for processing
14. Automated Decision-Making
Diver Dash does not currently use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals.
Some platform features involve automated processing, such as:
- Subscription plan feature limits and usage quotas
- Medical questionnaire logic that flags when a physician evaluation may be required (based on answers provided)
- Payroll calculations based on configured pay rates and hours
These automated processes support dive center operations but do not make decisions about individuals without human involvement. If this changes in the future, we will update this policy and provide appropriate notice and opt-out mechanisms.
15. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within the timeframe required by applicable law (for example, 72 hours under the GDPR, 3 calendar days under Singapore's PDPA)
- Notify affected individuals without undue delay when the breach is likely to result in a high risk to your rights and freedoms
- Document the breach including its nature, the data affected, likely consequences, and measures taken to address it
We maintain incident response procedures and regularly review them to ensure effective and timely breach management.
For a summary of breach notification timelines by jurisdiction, see the table below:
| Jurisdiction | Authority Notification | Individual Notification |
|---|---|---|
| EU/EEA (GDPR) | Within 72 hours | Without undue delay (if high risk) |
| UK | Within 72 hours | Without undue delay (if high risk) |
| United States (CCPA) | As required by state law | Without unreasonable delay |
| Brazil (LGPD) | Within a reasonable time (recommended 2 business days) | Without undue delay |
| South Africa (POPIA) | As soon as reasonably possible | As soon as reasonably possible |
| Singapore (PDPA) | Within 3 calendar days | As soon as practicable |
| Thailand (PDPA) | Within 72 hours | Without delay (if high risk) |
| Australia | Within 72 hours | As soon as practicable |
| Canada (PIPEDA) | As soon as feasible | As soon as feasible |
| Canada (Quebec Law 25) | As soon as possible | As soon as possible |
16. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
How we notify you of changes:
- Material changes: We will notify business users by email and display a prominent notice within the platform at least 30 days before the change takes effect
- Minor changes: We will update the "Last Updated" date at the top of this policy
We encourage you to review this policy periodically. Your continued use of Diver Dash after changes take effect constitutes acceptance of the updated policy, except where applicable law requires explicit re-consent.
17. How to Contact Us
If you have questions, concerns, or requests related to this privacy policy or your personal data, please contact us:
Data Protection Officer:
Data Protection Officer
Email: admin@diverdash.com
Address: 3 Germay Dr, Unit 4 #1324, Wilmington, DE 19804, United States
General Privacy Inquiries:
Email: admin@diverdash.com
Security Concerns:
Email: admin@diverdash.com
Mailing Address:
Genius Creations LLC
3 Germay Dr, Unit 4 #1324, Wilmington, DE 19804, United States
We aim to respond to all inquiries within 14 days.
18. Supervisory Authorities
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the data protection authority in your jurisdiction. Below are some of the relevant authorities:
| Jurisdiction | Authority | Contact |
|---|---|---|
| EU/EEA | Your national Data Protection Authority (see EDPB list) | Varies by country |
| United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk |
| United States (California) | California Privacy Protection Agency (CPPA) | cppa.ca.gov |
| Brazil | Autoridade Nacional de Proteção de Dados (ANPD) | gov.br/anpd |
| South Africa | Information Regulator | inforegulator.org.za |
| Singapore | Personal Data Protection Commission (PDPC) | pdpc.gov.sg |
| Thailand | Personal Data Protection Committee (PDPC) | pdpc.or.th |
| Japan | Personal Information Protection Commission (PPC) | ppc.go.jp |
| Australia | Office of the Australian Information Commissioner (OAIC) | oaic.gov.au |
| Canada | Office of the Privacy Commissioner of Canada (OPC) | priv.gc.ca |
| New Zealand | Office of the Privacy Commissioner | privacy.org.nz |
19. Jurisdiction-Specific Disclosures
19.1 European Economic Area (EEA) and United Kingdom
If you are in the EEA or UK, the following additional information applies:
- Data Controller: Genius Creations LLC, as identified in Section 1
- Legal bases: As set out in Section 5. Where we rely on legitimate interest, you have the right to object (see Section 12)
- Right to lodge a complaint: You may lodge a complaint with your national data protection authority at any time
- Data transfers: We transfer data to the United States under Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. See Section 8
- UK Data (Use and Access) Act 2025: We comply with the updated UK data protection framework, including the new complaints mechanism requiring acknowledgment within 30 days
19.2 California, United States
If you are a California resident, the following additional information applies under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Categories of personal information collected in the preceding 12 months:
| CCPA Category | Examples from Diver Dash | Sold? | Shared? |
|---|---|---|---|
| Identifiers | Name, email, phone, IP address | No | No |
| Customer records | Address, phone, financial information | No | No |
| Protected classifications | Age/date of birth, gender, nationality | No | No |
| Commercial information | Subscription records, transaction history | No | No |
| Internet/network activity | Audit logs, session data | No | No |
| Geolocation data | Address information (no GPS tracking) | No | No |
| Sensory data | Profile pictures | No | No |
| Professional/employment information | Job title, department, employment type | No | No |
| Education information | Dive certifications | No | No |
| Sensitive personal information | Health data, passport number, tax ID, financial account details | No | No |
We do not sell or share your personal information as those terms are defined by the CCPA.
Your California rights include:
- Right to know what personal information we collect, use, disclose, and sell
- Right to delete your personal information
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information
- Right to limit the use and disclosure of sensitive personal information
- Right to non-discrimination for exercising your rights
To exercise your rights: See Section 12. We will verify your identity using reasonable methods before fulfilling requests.
Global Privacy Control (GPC): We honor GPC opt-out preference signals received from your browser.
19.3 Other US States
Residents of Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and other states with comprehensive privacy laws have similar rights to access, correct, delete, and port their data, and to opt out of targeted advertising and profiling. Please see Section 12 to exercise these rights or contact us for state-specific information.
19.4 Brazil
If you are in Brazil, we process your personal data in accordance with the Lei Geral de Proteção de Dados (LGPD). You have the right to confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing, and withdrawal of consent. We will respond to your requests within 15 days as required by the LGPD.
19.5 South Africa
If you are in South Africa, your personal information is processed in accordance with the Protection of Personal Information Act (POPIA). Contact admin@diverdash.com for Information Officer inquiries. You have the right to access, correction, deletion, and to object to processing.
19.6 Canada
If you are in Canada, your personal information is processed in accordance with PIPEDA and, where applicable, Quebec Law 25. Quebec residents have a right to data portability and benefit from confidentiality-by-default protections. We process personal information based on meaningful consent and will respond to your rights requests within 30 days.
19.7 Japan
If you are in Japan, personal data is handled in accordance with the Act on the Protection of Personal Information (APPI). Where we transfer your data outside Japan, we ensure adequate safeguards through contractual arrangements. Special Care-Required Information (including medical data) is handled with specific consent as required.
19.8 Australia
If you are in Australia, we handle your personal information in accordance with the Australian Privacy Principles under the Privacy Act 1988. You have the right to access and correct your personal information. If you believe we have breached the APPs, you may lodge a complaint with us and, if unsatisfied, with the Office of the Australian Information Commissioner.
19.9 Singapore
If you are in Singapore, your personal data is processed in accordance with the Personal Data Protection Act (PDPA). You may withdraw consent at any time by contacting us. We will inform you of the consequences of withdrawal.
19.10 New Zealand
If you are in New Zealand, your personal information is handled in accordance with the Privacy Act 2020. You have the right to access and request correction of your personal information. Cross-border transfers are subject to comparable safeguards.
This privacy policy is provided for informational purposes and is based on applicable data protection laws as of the date shown above. We recommend consulting with qualified legal counsel for specific compliance advice. This policy does not constitute legal advice.