For the data your shop and its customers enter ("Customer Data"), your shop is the data controller and ScubaDR is a data processor acting on your instructions. For your own account and billing data, ScubaDR is the controller.
We use data to provide, secure, support and improve the service, process billing, and communicate with you. We do not sell your data, and we do not use Customer Data for advertising.
We share data only with service providers needed to run ScubaDR: Stripe (payments), Supabase (database & storage), Netlify/Cloudflare (hosting & delivery), and email delivery providers. These act under contract and only as needed.
Each shop's data is logically isolated with row-level security so that one shop cannot access another's records. Uploaded documents are stored in a private bucket accessible only to your shop. We use encryption in transit and reasonable safeguards, but no system is perfectly secure.
We retain Customer Data while your account is active and for up to 30 days after cancellation to allow export, after which it may be deleted. You may request earlier deletion.
You may access, correct, export or delete your account data by contacting us. Your customers' rights requests should be directed to your shop as the controller; we will assist you as processor.
If you upload identity documents, medical information, or waivers, you are responsible for having a lawful basis and any required consents. Only upload what you need.
The service is for businesses, not for use by children. Where your customers are minors, you are responsible for obtaining guardian consent as required.
Data may be processed in jurisdictions where our providers operate. By using the service you acknowledge this transfer.
We may update this policy; changes are posted here with a new date. Contact: support@scubadr.com.