Privacy Policy

1. What We Collect

We collect only the information necessary to provide the emergency ID service:

Account information:

• Email address (used for login and notifications)
• Account creation date and authentication metadata (managed by Supabase Auth)

Profile data (only what you choose to enter):

• Personal: name, date of birth, gender, nationality, height, weight, photo
• Medical: blood type, organ donor status, allergies, medications, medical conditions, notes
• Sensitive: passport number, national ID (encrypted before storage)
• Emergency contacts: name, relationship, phone, email
• Certifications: dive agency, cert name, cert number, issue date
• Insurance: provider, policy number, expiry date, DAN region

Scan logs (when your QR code is scanned):

• Timestamp of the scan
• Access tier accessed (public or extended)
• Device type and browser (from user-agent string)
• IP address — SHA-256 hashed before storage. We never store raw IP addresses.

2. How We Use Your Data

• Displaying your emergency profile — when someone scans your QR code, we serve the fields you have set as public or PIN-protected
• Scan notifications — if you enable scan alerts, we send you an email each time your QR is accessed
• Account management — login, password reset, and session management via Supabase Auth
• Service improvement & commercial insights — anonymised, aggregate analytics may be used to improve the platform and to generate commercial insights (e.g. scan trends, geographic patterns, certification distribution). We do not analyse individual profiles.
• Legal compliance — where required by law or regulation

We do not sell personally identifiable data. We do not share your individual medical data with any third party except as required to operate the service (e.g. hosting infrastructure).

3. What We Share

ScubaID is a you-control-what-you-share platform. We only make your profile data available to third parties as follows:

• QR scan visitors — anyone who scans your QR code can see fields you have marked as Public. Extended fields require your PIN. Private fields are never shared.
• Infrastructure providers — our hosting and database providers (see Third Parties below) process data in order to run the service. They act as data processors under GDPR.
• Legal requirements — we may disclose data if required by a valid court order, subpoena, or applicable law.
• Aggregate insights — anonymised, aggregate analytics (never containing personally identifiable information) may be shared with partners, dive operators, tourism boards, or insurance providers for commercial purposes.

We do not sell personally identifiable data. We may share anonymised aggregate insights with partners and third parties. These insights never contain personally identifiable information.

4. Child Data

Child profiles receive enhanced protections:

• A child's full first name is not displayed on public emergency pages — only initials and surname
• Medical details are PIN-protected by default for child profiles
• Parent/guardian contact details are shown prominently on the child's public emergency page
• Child profiles may only be created by the parent or legal guardian

We do not knowingly collect data about children directly. Child profile data is entered and controlled exclusively by the adult account holder. If you believe a child profile has been created without proper authorisation, please contact us at privacy@scubaid.co.

5. Data Storage

Your data is stored on Supabase infrastructure hosted in the EU (AWS eu-west-1, Ireland). We apply the following security measures at the storage level:

• Row-level security (RLS) policies ensure users can only access their own data
• Highly sensitive fields (passport number, national ID) are encrypted at the application layer before being written to the database
• Database backups are encrypted at rest
• All data in transit is encrypted via TLS 1.2+

Emergency PIN hashes are stored using a one-way hashing function — we cannot recover your PIN if you forget it.

ScubaID shares infrastructure with Nautiq (divenautiq.com). Your data is stored in the same secured Supabase instance but is logically separated by row-level security policies. No data is shared between ScubaID and Nautiq without your explicit consent.

6. Data Retention

• Profile data — retained until you delete your account or the specific profile
• Scan logs — retained for 12 months, then automatically purged. Hashed IPs are not linked to any identifiable person.
• Auth data — managed by Supabase Auth; deleted when you delete your account
• Account data — permanently deleted within 30 days of account closure

We may retain anonymised, aggregated usage statistics after deletion (e.g. total scan counts with no linkage to individuals).

7. Your Rights (GDPR)

If you are located in the UK or EU, you have the following rights under GDPR / UK GDPR:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — correct inaccurate or incomplete data. You can edit your profile at any time.
• Right to erasure — request deletion of your data. You can delete your account directly in the app.
• Right to restriction — request we restrict processing while a dispute is resolved
• Right to portability — receive your data in a portable format (data export feature coming soon)
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at privacy@scubaid.co. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

8. Cookies & Tracking

ScubaID uses the minimum necessary cookies to operate:

• Session cookie — a secure, HttpOnly session cookie issued by Supabase Auth. Required for login to function. Expires when you log out or after a set period.
• PostHog analytics cookie — we use PostHog for anonymous product analytics. This places a cookie to help us understand how users interact with the platform. No personal data is included. PostHog processes data in accordance with their privacy policy.

We do not use:

• Advertising or tracking cookies
• Third-party marketing trackers
• Cookies on public emergency pages — visitors who scan a QR code are not cookied

You can manage cookie preferences via the cookie banner (coming soon). Declining analytics cookies will not affect core functionality.

9. Third-Party Services

ScubaID uses the following third-party services to operate. Each acts as a data processor under a data processing agreement:

We do not use any advertising networks, social media tracking pixels, or data brokers.

10. Security

We take reasonable and appropriate technical and organisational measures to protect your data:

• All connections encrypted with TLS (HTTPS only)
• Row-level security (RLS) in the database — users can only read and modify their own records
• Sensitive field encryption at the application layer (passport, national ID)
• IP addresses hashed before storage (SHA-256)
• Emergency PINs stored as one-way hashes
• Admin API routes restricted to admin-flagged accounts

No system is perfectly secure. If you discover a security vulnerability, please report it responsibly to privacy@scubaid.co. We will acknowledge all reports within 48 hours.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or display a notice within the app at least 14 days before the changes take effect.

Your continued use of ScubaID after changes take effect constitutes acceptance of the revised policy. If you disagree with any changes, you may close your account before they become effective.

12. Children's Privacy

ScubaID allows parents and legal guardians to create emergency profiles for children under 18.

Data Collection for Children

We collect the following data for child profiles when provided by the parent or guardian: name (displayed in obfuscated form only), date of birth (used to calculate age range — exact date is never displayed publicly), medical information, emergency contact details, and special needs information.

Enhanced Privacy Protections

Child profiles automatically receive enhanced privacy protections:

• Full names are never displayed on public emergency pages
• Photos are never displayed on public emergency pages
• Gender is not displayed on public emergency pages
• The Holiday profile type provides minimal information only

Parental Consent

By creating a child profile, the account holder confirms they are the child's parent or legal guardian, or have authorisation to create the profile.

Data Deletion

Parents can delete a child's profile at any time from their account. This permanently removes all data associated with that profile, including emergency contacts, medical information, and QR codes.

Contact

For child safety concerns or data requests relating to a child's profile, contact us at support@scubaid.co.

13. Contact

For privacy questions, data subject requests, or to report a concern: