Privacy Policy | Pelagic

Information We Collect

1.1 Information You Provide Directly

When you create an account or use our services, you provide us with:

Account Information: Email address, name, password (encrypted)
Payment Information: Credit card details, billing address (processed securely by Stripe - we do not store full payment card numbers)
Profile Information: Optional profile photo, dive certifications, preferences, and settings
Telegram Username: If you choose to add it, your Telegram username is stored and displayed to other paid members when you are checked in at a dive site, enabling direct contact via Telegram. This is entirely optional — leaving it blank keeps you private. You can add or remove it at any time in Account Settings.
Dive Check-Ins: When you check in at a dive site, your display name, profile photo (if set), check-in type, optional note, and check-in timestamp are visible to other users on the platform for the duration of your check-in.
Dive Log: Dive records you create including date, site, depth, duration, visibility observed, water temperature, and optional notes. Visibility observations from your dive logs may be used to improve our visibility prediction models (see Section 2.5).
Dive Reports: Condition reports you submit including visibility, weather observations, entry/exit assessments, and optional photos
Marine Life Sightings: Species observed, location, date, time, and optional photos
Communications: Support requests, feedback, and correspondence with our team

1.2 Information Collected Automatically

When you use Pelagic, we automatically collect:

Usage Data: Features accessed, dive sites viewed, reports read, time spent on platform, click patterns
Device Information: Device type, operating system, browser type and version, screen resolution
Technical Data: IP address, access times, referring URLs, session IDs
Location Data: Approximate location based on IP address; precise GPS location only when you submit dive reports or sightings (with your permission)
Cookies and Tracking: Essential cookies for platform functionality, analytics cookies (with consent)

1.3 Information from Third Parties

We receive limited information from third-party services:

Payment Processor (Stripe): Payment confirmation, transaction status, billing disputes
Bureau of Meteorology (BOM): Weather, swell, and tide data (publicly available, not personal data)
Authentication Services: If you sign in via third-party services (future feature), we may receive basic profile information

1.4 Information We Do NOT Collect

We do not collect:

Government identifiers (driver's license, passport numbers, tax IDs)
Precise health information or medical records
Racial or ethnic origin
Political opinions or affiliations
Religious or philosophical beliefs
Biometric data (fingerprints, facial recognition)

How We Use Your Information

We use your personal information for the following purposes:

2.1 Provide and Improve Services

Display dive site information, maps, and conditions data
Generate visibility predictions using our forecast model
Process and display user-submitted dive reports and marine life sightings
Display active dive check-ins on site maps and dive site pages
Provide live weather, swell, and tide information
Store and display your dive log entries
Improve prediction accuracy by analysing usage patterns, dive reports, and visibility observations from dive logs (anonymised and aggregated — individual entries are never shared publicly with identifying information)
Fix bugs, improve performance, and develop new features

2.2 Account Management

Create and maintain your account
Authenticate your identity when you log in
Manage subscription tiers (Free, Essential, Pro)
Process payments and send receipts
Handle subscription renewals, upgrades, downgrades, and cancellations
Provide customer support and respond to inquiries

2.3 Communications

Service Communications (required): Account confirmations, payment receipts, subscription renewals, technical updates, security alerts, terms changes
Marketing Communications (optional): Newsletter, new features, special offers, diving tips - only with your explicit consent, easily unsubscribe anytime

2.4 Safety and Security

Detect and prevent fraud, abuse, and terms violations
Monitor for suspicious activity (multiple logins, unusual access patterns)
Enforce our Terms and Conditions
Protect against security threats and unauthorized access
Respond to legal requests and comply with applicable laws

2.5 Analytics and Research

Understand how users interact with the platform (anonymized usage analytics)
Improve our visibility prediction algorithms using aggregated dive reports
Identify popular dive sites and features
Analyze marine life sighting trends (aggregated, anonymized data)
Conduct research to improve dive safety and oceanographic modeling

🔬 Research and Algorithm Improvement

We use aggregated and anonymized dive reports to improve our visibility prediction models. For example, if 10 users report 5m visibility at Shelly Beach when we predicted 8m, we analyze what factors we missed to improve future predictions. Your individual reports are never shared publicly with identifying information.

How We Share Your Information

We do not sell your personal information to anyone. We only share your information in the following limited circumstances:

3.1 Service Providers

We share data with trusted third-party service providers who help us operate Pelagic:

Service Provider	Purpose	Data Shared
Stripe	Payment processing	Email, name, payment card details
Hosting Provider	Platform infrastructure	All platform data (encrypted at rest)
Email Service	Send transactional and marketing emails	Email address, name
Analytics Tools	Usage analytics (if enabled)	Anonymized usage patterns, IP addresses

All service providers are bound by strict confidentiality agreements and may only use your data to provide services to us.

3.2 Public and Member-Visible Information

The following information may be visible to other Pelagic users:

Profile Photo: If you upload a profile photo, a small version is displayed alongside your check-ins, dive site feed posts, and marine life sightings. You can remove your photo at any time in Account Settings.
Dive Check-Ins: When you check in at a dive site, your display name, profile photo, check-in type (Diving Now / Planning a Dive / Looking for a Buddy), and any optional note you add are visible to all users on the platform for the duration of your check-in. Check-ins expire automatically (Diving Now: 12 hours; Planning a Dive: 7 days; Looking for a Buddy: 30 days).
Telegram Username: If you choose to add your Telegram username in Account Settings, it is visible to paid members (Essential and Pro) when you are checked in at a dive site, in the form of a direct contact button. It is not displayed as plain text. You can remove it at any time.
Dive Reports: Your submitted condition reports (visibility, weather, entry conditions) are visible to other users. Reports show date, time, and site but NOT your name or email unless you choose to include it.
Marine Life Sightings: Species, location, date, time, and photos (if uploaded) are visible to other users. Sightings do NOT include your name or email unless you choose to add it.
You control visibility: You can choose whether to include your name when submitting reports, and can manage your profile photo and Telegram username at any time in Account Settings.

3.3 Legal Requirements

We may disclose your information if required by law or in good faith belief that such disclosure is necessary to:

Comply with legal obligations, court orders, or government requests
Enforce our Terms and Conditions and investigate violations
Protect against legal liability
Protect the rights, property, or safety of Pelagic, our users, or the public
Respond to emergency situations involving danger of death or serious injury

3.4 Business Transfers

If Pelagic is involved in a merger, acquisition, asset sale, or bankruptcy, your personal information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our platform before your information becomes subject to a different privacy policy.

3.5 With Your Consent

We may share your information with third parties when you give us explicit permission to do so.

Data Security

We implement industry-standard security measures to protect your personal information:

4.1 Technical Safeguards

Encryption in Transit: All data transmitted between your device and our servers is encrypted using SSL/TLS (HTTPS)
Encryption at Rest: Sensitive data stored on our servers is encrypted
Password Security: Passwords are hashed using industry-standard algorithms (bcrypt) - we never store passwords in plain text
Payment Security: Payment card data is processed by Stripe (PCI DSS Level 1 certified) - we never store full payment card numbers
Secure Infrastructure: Pelagic runs on a dedicated cloud server located in Australia, maintained with current security patches and hardened server configuration. Server access is protected by strong authentication controls and restricted to authorised personnel only.
Hosting Provider: Our cloud hosting provider operates under strict data processing terms and has no right to access, use, or share your data for their own purposes. They provide infrastructure only.

4.2 Access Controls

Strict access controls limiting who can view personal data
Multi-factor authentication for administrative access
Regular access audits and reviews
Principle of least privilege - staff only access data necessary for their role

4.3 Monitoring and Response

Continuous monitoring for security threats and suspicious activity
Incident response plan for data breaches
Regular security assessments and penetration testing
Prompt notification to affected users in case of data breach

⚠️ No Absolute Security

While we implement strong security measures, no internet transmission or electronic storage is 100% secure. You acknowledge that you transmit information to us at your own risk. We cannot guarantee absolute security but will always notify you promptly if a breach occurs.

Data Retention

We retain your personal information for as long as necessary to provide our services and comply with legal obligations:

Data Type	Retention Period	Reason
Account Data	Duration of account + 30 days after deletion	Provide services; allow account recovery
Profile Photo	Until removed by user or account deletion	Display on check-ins, feed posts, sightings
Telegram Username	Until removed by user or account deletion	Enable member-to-member contact via Telegram
Dive Check-Ins	Auto-expire (12 hours to 30 days by type); deleted on account deletion	Display active diver presence at dive sites
Dive Log	Duration of account; deleted on account deletion	Personal dive records; visibility model improvement (anonymised)
Payment Records	7 years	Tax law requirements (Australia), legal compliance
Dive Reports & Sightings	Indefinitely (anonymized after account deletion)	Platform value for community; algorithm training
Usage Analytics	Indefinitely (anonymized)	Platform improvement, algorithm refinement
Marketing Data	Until you unsubscribe or request deletion	Send newsletters, updates (with consent)
Support Communications	3 years	Customer service quality, dispute resolution

5.1 Account Deletion

When you delete your account:

You will receive 30 days notice before permanent deletion
During the 30-day period, you may request a copy of your data or reactivate your account
After 30 days, your personal identifiable information is permanently deleted
Your dive reports and sightings remain on the platform but are anonymized (no longer linked to you)
Payment records are retained for 7 years as required by law
Aggregated, anonymized analytics data may be retained indefinitely

Your Privacy Rights

Your privacy rights vary depending on your location. Below are the rights available to users in different jurisdictions:

6.1 Australian Users (Privacy Act 1988)

Under the Australian Privacy Principles (APPs), you have the right to:

Access: Request a copy of the personal information we hold about you
Correction: Request correction of inaccurate, incomplete, or out-of-date information
Erasure: Request deletion of your personal information (subject to legal retention requirements)
Complain: Lodge a complaint with us or the Office of the Australian Information Commissioner (OAIC)
Anonymity: Where practicable, interact with us anonymously or using a pseudonym

To exercise these rights, contact us through your account settings or email. We will respond within 30 days.

6.2 California Users (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

Right to Know: Request disclosure of:
- Categories of personal information we collect about you
- Sources from which we collect personal information
- Business or commercial purposes for collecting information
- Categories of third parties with whom we share information
- Specific pieces of personal information we hold about you
Right to Delete: Request deletion of your personal information (with certain exceptions)
Right to Correct: Request correction of inaccurate personal information
Right to Opt-Out of Sale: We do NOT sell personal information, so this right does not apply
Right to Limit Use of Sensitive Information: Request limitation of use of sensitive personal information (we collect minimal sensitive data)
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise your CCPA rights: Submit a request through our privacy request form (link in account settings) or email us. We will verify your identity and respond within 45 days.

6.3 Other US State Users

If you reside in Virginia, Colorado, Connecticut, or other states with privacy laws, you may have similar rights including:

Right to confirm whether we process your personal data
Right to access your personal data
Right to correct inaccuracies in your personal data
Right to delete your personal data
Right to obtain a copy of your data in a portable format
Right to opt-out of targeted advertising (we do not engage in targeted advertising)

Contact us to exercise your rights. We will respond in accordance with applicable state law.

6.4 All Users - General Rights

Regardless of location, all users can:

Update Account Information: Change your email, name, preferences in account settings
Opt-Out of Marketing: Unsubscribe from newsletters via the link in any marketing email
Manage Cookies: Control cookie preferences in your browser settings
Delete Account: Request account deletion through account settings
Download Data: Request a copy of your data (available in account settings or by contacting us)

Cookies and Tracking Technologies

7.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our platform. We use cookies to provide essential functionality and improve your experience.

7.2 Types of Cookies We Use

Essential Cookies (Required):

Authentication - Keep you logged in
Security - Protect against fraud and unauthorized access
Session management - Remember your preferences during your visit
These cookies are necessary for the platform to function and cannot be disabled

Analytics Cookies (Optional - With Your Consent):

Understand how users interact with Pelagic
Identify popular features and dive sites
Improve platform performance and user experience
We use anonymized analytics that do not identify you personally

7.3 Managing Cookies

You can control cookies through:

Browser Settings: Most browsers allow you to refuse cookies or delete existing cookies. Note that disabling essential cookies will prevent you from using Pelagic.
Cookie Preferences: Manage analytics cookie preferences in your account settings

7.4 Do Not Track

Some browsers support "Do Not Track" (DNT) signals. Currently, there is no universal standard for DNT. We do not currently respond to DNT signals, but we minimize tracking and do not engage in behavioral advertising.

Children's Privacy

Pelagic is intended for use by certified divers, typically aged 10+ for junior certifications and 15+ for open water certifications. We recognize that some users may be minors.

8.1 Age Requirements

Users under 13 years old (US) or under 16 years old (Australia) must have parental consent to create an account
We do not knowingly collect personal information from children under these ages without parental consent
Parents/guardians can create accounts for junior divers and manage their settings

8.2 Parental Rights

Parents or guardians of users under 18 have the right to:

Review personal information collected from their child
Request deletion of their child's personal information
Refuse further collection or use of their child's information
Manage privacy settings on behalf of their child

8.3 If We Learn of Unauthorized Collection

If we become aware that we have collected personal information from a child under the applicable age without parental consent, we will take steps to delete that information promptly.

International Data Transfers

9.1 Current Data Location

All primary user data is stored on cloud servers located in Australia. Our hosting infrastructure is based in an Australian data centre, and we do not transfer your core account or personal data outside of Australia. Some third-party service providers (Stripe, AWS S3, OpenAI) may process limited data internationally as described in Section 9.3.

9.2 Future Expansion

If we expand our operations to include servers or service providers in other countries (such as the United States), we will:

Update this Privacy Policy and notify affected users at least 30 days in advance
Ensure appropriate safeguards are in place for international data transfers
Comply with cross-border data transfer requirements under Australian and applicable foreign privacy laws
Use standard contractual clauses or other approved transfer mechanisms

9.3 Third-Party Services

Some of our service providers may process data internationally. These providers are contractually required to implement appropriate safeguards and comply with applicable data protection laws:

Stripe — Payment processing. Handles all subscription billing. May process data in the United States. No full card numbers are stored by Pelagic.
MapTiler — Provides map fonts and tile assets used to render the dive site map. When you load the map, your device makes requests to MapTiler's servers, which may log your IP address as part of standard web server logging. No personal account information is transmitted. See MapTiler's Privacy Policy.
Esri (ArcGIS) — Provides satellite and basemap imagery used in the dive site map. When you view the map, your device requests map tiles from Esri's servers, which may log your IP address as part of standard web server logging. No personal account information is transmitted. See Esri's Privacy Policy.
OpenAI — Used to generate audio forecast briefs (text-to-speech). Only forecast text (non-personal conditions data such as swell height, wind, and visibility predictions) is sent to OpenAI's API. No personal user data, account information, or identifying information is transmitted.
Telegram — If you add your Telegram username, paid members can initiate contact via Telegram's platform directly. Pelagic only stores your username and generates a link — we do not participate in, store, or have access to any conversations that take place on Telegram. Telegram's own Privacy Policy applies to any interactions on their platform.
Bureau of Meteorology (BOM) — Weather, swell, and tide data (publicly available government data, not personal data).

9.4 Business Partnerships

Pelagic works with dive shops and brand ambassadors as platform partners. No user data, personal information, or account details are shared with any partner organisation. Partnerships are commercial arrangements only and have no access to Pelagic's user database.

Data Breach Notification

In the event of a data breach that compromises your personal information:

10.1 Our Response

Immediate Action: We will immediately investigate and take steps to contain the breach
Assessment: We will assess the scope, severity, and type of information affected
Remediation: We will implement measures to prevent future breaches
Documentation: We will maintain detailed records of the breach and our response

10.2 User Notification

Australian Users: We will notify affected users and the Office of the Australian Information Commissioner (OAIC) as required by the Privacy Act if the breach is likely to result in serious harm
US Users: We will notify affected users and relevant state authorities as required by applicable state data breach notification laws (typically within 72 hours for California)
All Users: Notification will include:
- Description of the breach and data affected
- When the breach occurred
- Steps we're taking to address it
- Recommendations for protecting yourself
- Contact information for questions

10.3 Your Actions

If you are notified of a data breach:

Change your password immediately
Monitor your financial accounts for suspicious activity
Be alert for phishing attempts or scam communications
Follow the specific recommendations in our breach notification

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

11.1 How We Notify You

Material Changes: We will notify you via email and/or prominent notice on our platform at least 30 days before material changes take effect
Non-Material Changes: We will update the "Last Updated" date at the top of this policy
Your Options: If you disagree with changes, you may delete your account before they take effect

11.2 Continued Use

Your continued use of Pelagic after changes to this Privacy Policy constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

Contact Us About Privacy

12.1 Privacy Questions and Requests

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us:

Through your account settings privacy request form
Via email: [privacy contact - available on platform]
We will respond within 30 days (or as required by applicable law)

12.2 Privacy Complaints

Australian Users:

Step 1: Contact us directly - we will investigate and respond within 30 days
Step 2: If unsatisfied, contact the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au

California Users:

Use our CCPA request form (link in account settings)
California Attorney General's Office: oag.ca.gov

Other US State Users:

Contact your state Attorney General's consumer protection division
Federal Trade Commission (FTC): ftc.gov/complaint

📧 We're Here to Help

Privacy is important to us. If you have any questions, concerns, or requests regarding your personal information, please don't hesitate to contact us. We're committed to addressing your privacy concerns promptly and transparently.

Privacy Policy Summary

This summary provides a quick overview of our privacy practices. Please read the full policy above for complete details.

🔐 Key Privacy Points

What we collect: Email, name, payment info, profile photo, Telegram username (optional), dive check-ins, dive log, dive reports, sightings, usage data, device info

How we use it: Provide services, process payments, display check-ins and profiles, improve visibility predictions, customer support

Who we share with: Stripe (payments), MapTiler and Esri (map tiles — IP only), OpenAI (audio forecasts, non-personal data only), hosting provider — we do NOT sell your data

Telegram: Your username is optional, shown only to paid members when you're checked in, and Pelagic has no access to Telegram conversations

Partnerships: Dive shop and ambassador partners have no access to user data whatsoever

Your rights: Access, correct, delete your data; remove profile photo and Telegram username anytime; opt-out of marketing; manage cookies

Security: Encryption, secure passwords, hardened Australian server, PCI-compliant payments

Data location: Stored in Australia; Stripe and MapTiler may process limited data internationally

Contact: Questions? Use account settings or email us — we respond within 30 days