Pelagic ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our dive intelligence platform.
This policy applies to all users of Pelagic, regardless of location. We comply with applicable privacy laws including the Australian Privacy Act 1988 and the California Consumer Privacy Act (CCPA).
🔒 Our Privacy Commitment
We do not sell your personal information to third parties. We only collect data necessary to provide and improve our service, and we implement strong security measures to protect your information.
Information We Collect
1.1 Information You Provide Directly
When you create an account or use our services, you provide us with:
- Account Information: Email address, name, password (encrypted)
- Payment Information: Credit card details, billing address (processed securely by Stripe - we do not store full payment card numbers)
- Profile Information: Optional dive certifications, preferences, settings
- Dive Reports: Condition reports you submit including visibility, weather observations, entry/exit assessments, and optional photos
- Marine Life Sightings: Species observed, location, date, time, and optional photos
- Communications: Support requests, feedback, and correspondence with our team
1.2 Information Collected Automatically
When you use Pelagic, we automatically collect:
- Usage Data: Features accessed, dive sites viewed, reports read, time spent on platform, click patterns
- Device Information: Device type, operating system, browser type and version, screen resolution
- Technical Data: IP address, access times, referring URLs, session IDs
- Location Data: Approximate location based on IP address; precise GPS location only when you submit dive reports or sightings (with your permission)
- Cookies and Tracking: Essential cookies for platform functionality, analytics cookies (with consent)
1.3 Information from Third Parties
We receive limited information from third-party services:
- Payment Processor (Stripe): Payment confirmation, transaction status, billing disputes
- Bureau of Meteorology (BOM): Weather, swell, and tide data (publicly available, not personal data)
- Authentication Services: If you sign in via third-party services (future feature), we may receive basic profile information
1.4 Information We Do NOT Collect
We do not collect:
- Government identifiers (driver's license, passport numbers, tax IDs)
- Precise health information or medical records
- Racial or ethnic origin
- Political opinions or affiliations
- Religious or philosophical beliefs
- Biometric data (fingerprints, facial recognition)
How We Use Your Information
We use your personal information for the following purposes:
2.1 Provide and Improve Services
- Display dive site information, maps, and conditions data
- Generate visibility predictions using our Azure algorithm
- Process and display user-submitted dive reports and marine life sightings
- Provide live weather, swell, and tide information
- Improve prediction accuracy by analyzing usage patterns and report data (anonymized)
- Fix bugs, improve performance, and develop new features
2.2 Account Management
- Create and maintain your account
- Authenticate your identity when you log in
- Manage subscription tiers (Free, Essential, Pro)
- Process payments and send receipts
- Handle subscription renewals, upgrades, downgrades, and cancellations
- Provide customer support and respond to inquiries
2.3 Communications
- Service Communications (required): Account confirmations, payment receipts, subscription renewals, technical updates, security alerts, terms changes
- Marketing Communications (optional): Newsletter, new features, special offers, diving tips - only with your explicit consent, easily unsubscribe anytime
2.4 Safety and Security
- Detect and prevent fraud, abuse, and terms violations
- Monitor for suspicious activity (multiple logins, unusual access patterns)
- Enforce our Terms and Conditions
- Protect against security threats and unauthorized access
- Respond to legal requests and comply with applicable laws
2.5 Analytics and Research
- Understand how users interact with the platform (anonymized usage analytics)
- Improve our visibility prediction algorithms using aggregated dive reports
- Identify popular dive sites and features
- Analyze marine life sighting trends (aggregated, anonymized data)
- Conduct research to improve dive safety and oceanographic modeling
🔬 Research and Algorithm Improvement
We use aggregated and anonymized dive reports to improve our visibility prediction models. For example, if 10 users report 5m visibility at Shelly Beach when we predicted 8m, we analyze what factors we missed to improve future predictions. Your individual reports are never shared publicly with identifying information.
How We Share Your Information
We do not sell your personal information to anyone. We only share your information in the following limited circumstances:
3.1 Service Providers
We share data with trusted third-party service providers who help us operate Pelagic:
| Service Provider |
Purpose |
Data Shared |
| Stripe |
Payment processing |
Email, name, payment card details |
| Hosting Provider |
Platform infrastructure |
All platform data (encrypted at rest) |
| Email Service |
Send transactional and marketing emails |
Email address, name |
| Analytics Tools |
Usage analytics (if enabled) |
Anonymized usage patterns, IP addresses |
All service providers are bound by strict confidentiality agreements and may only use your data to provide services to us.
3.2 Public Information
The following information may be visible to other Pelagic users:
- Dive Reports: Your submitted condition reports (visibility, weather, entry conditions) are visible to other users. Reports show date, time, and site but NOT your name or email unless you choose to include it.
- Marine Life Sightings: Species, location, date, time, and photos (if uploaded) are visible to other users. Sightings do NOT include your name or email unless you choose to add it.
- You control visibility: You can choose whether to include your name when submitting reports or make submissions anonymous.
3.3 Legal Requirements
We may disclose your information if required by law or in good faith belief that such disclosure is necessary to:
- Comply with legal obligations, court orders, or government requests
- Enforce our Terms and Conditions and investigate violations
- Protect against legal liability
- Protect the rights, property, or safety of Pelagic, our users, or the public
- Respond to emergency situations involving danger of death or serious injury
3.4 Business Transfers
If Pelagic is involved in a merger, acquisition, asset sale, or bankruptcy, your personal information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our platform before your information becomes subject to a different privacy policy.
3.5 With Your Consent
We may share your information with third parties when you give us explicit permission to do so.
Data Security
We implement industry-standard security measures to protect your personal information:
4.1 Technical Safeguards
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using SSL/TLS (HTTPS)
- Encryption at Rest: Sensitive data stored on our servers is encrypted
- Password Security: Passwords are hashed using industry-standard algorithms (bcrypt) - we never store passwords in plain text
- Payment Security: Payment card data is processed by Stripe (PCI DSS Level 1 certified) - we never store full payment card numbers
- Secure Infrastructure: Regular security updates, firewalls, intrusion detection
4.2 Access Controls
- Strict access controls limiting who can view personal data
- Multi-factor authentication for administrative access
- Regular access audits and reviews
- Principle of least privilege - staff only access data necessary for their role
4.3 Monitoring and Response
- Continuous monitoring for security threats and suspicious activity
- Incident response plan for data breaches
- Regular security assessments and penetration testing
- Prompt notification to affected users in case of data breach
⚠️ No Absolute Security
While we implement strong security measures, no internet transmission or electronic storage is 100% secure. You acknowledge that you transmit information to us at your own risk. We cannot guarantee absolute security but will always notify you promptly if a breach occurs.
Data Retention
We retain your personal information for as long as necessary to provide our services and comply with legal obligations:
| Data Type |
Retention Period |
Reason |
| Account Data |
Duration of account + 30 days after deletion |
Provide services; allow account recovery |
| Payment Records |
7 years |
Tax law requirements (Australia), legal compliance |
| Dive Reports & Sightings |
Indefinitely (anonymized after account deletion) |
Platform value for community; algorithm training |
| Usage Analytics |
Indefinitely (anonymized) |
Platform improvement, algorithm refinement |
| Marketing Data |
Until you unsubscribe or request deletion |
Send newsletters, updates (with consent) |
| Support Communications |
3 years |
Customer service quality, dispute resolution |
5.1 Account Deletion
When you delete your account:
- You will receive 30 days notice before permanent deletion
- During the 30-day period, you may request a copy of your data or reactivate your account
- After 30 days, your personal identifiable information is permanently deleted
- Your dive reports and sightings remain on the platform but are anonymized (no longer linked to you)
- Payment records are retained for 7 years as required by law
- Aggregated, anonymized analytics data may be retained indefinitely
Your Privacy Rights
Your privacy rights vary depending on your location. Below are the rights available to users in different jurisdictions:
6.1 Australian Users (Privacy Act 1988)
Under the Australian Privacy Principles (APPs), you have the right to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate, incomplete, or out-of-date information
- Erasure: Request deletion of your personal information (subject to legal retention requirements)
- Complain: Lodge a complaint with us or the Office of the Australian Information Commissioner (OAIC)
- Anonymity: Where practicable, interact with us anonymously or using a pseudonym
To exercise these rights, contact us through your account settings or email. We will respond within 30 days.
6.2 California Users (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to Know: Request disclosure of:
- Categories of personal information we collect about you
- Sources from which we collect personal information
- Business or commercial purposes for collecting information
- Categories of third parties with whom we share information
- Specific pieces of personal information we hold about you
- Right to Delete: Request deletion of your personal information (with certain exceptions)
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale: We do NOT sell personal information, so this right does not apply
- Right to Limit Use of Sensitive Information: Request limitation of use of sensitive personal information (we collect minimal sensitive data)
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise your CCPA rights: Submit a request through our privacy request form (link in account settings) or email us. We will verify your identity and respond within 45 days.
6.3 Other US State Users
If you reside in Virginia, Colorado, Connecticut, or other states with privacy laws, you may have similar rights including:
- Right to confirm whether we process your personal data
- Right to access your personal data
- Right to correct inaccuracies in your personal data
- Right to delete your personal data
- Right to obtain a copy of your data in a portable format
- Right to opt-out of targeted advertising (we do not engage in targeted advertising)
Contact us to exercise your rights. We will respond in accordance with applicable state law.
6.4 All Users - General Rights
Regardless of location, all users can:
- Update Account Information: Change your email, name, preferences in account settings
- Opt-Out of Marketing: Unsubscribe from newsletters via the link in any marketing email
- Manage Cookies: Control cookie preferences in your browser settings
- Delete Account: Request account deletion through account settings
- Download Data: Request a copy of your data (available in account settings or by contacting us)
Cookies and Tracking Technologies
7.1 What Are Cookies?
Cookies are small text files stored on your device when you visit our platform. We use cookies to provide essential functionality and improve your experience.
7.2 Types of Cookies We Use
Essential Cookies (Required):
- Authentication - Keep you logged in
- Security - Protect against fraud and unauthorized access
- Session management - Remember your preferences during your visit
- These cookies are necessary for the platform to function and cannot be disabled
Analytics Cookies (Optional - With Your Consent):
- Understand how users interact with Pelagic
- Identify popular features and dive sites
- Improve platform performance and user experience
- We use anonymized analytics that do not identify you personally
7.3 Managing Cookies
You can control cookies through:
- Browser Settings: Most browsers allow you to refuse cookies or delete existing cookies. Note that disabling essential cookies will prevent you from using Pelagic.
- Cookie Preferences: Manage analytics cookie preferences in your account settings
7.4 Do Not Track
Some browsers support "Do Not Track" (DNT) signals. Currently, there is no universal standard for DNT. We do not currently respond to DNT signals, but we minimize tracking and do not engage in behavioral advertising.
Children's Privacy
Pelagic is intended for use by certified divers, typically aged 10+ for junior certifications and 15+ for open water certifications. We recognize that some users may be minors.
8.1 Age Requirements
- Users under 13 years old (US) or under 16 years old (Australia) must have parental consent to create an account
- We do not knowingly collect personal information from children under these ages without parental consent
- Parents/guardians can create accounts for junior divers and manage their settings
8.2 Parental Rights
Parents or guardians of users under 18 have the right to:
- Review personal information collected from their child
- Request deletion of their child's personal information
- Refuse further collection or use of their child's information
- Manage privacy settings on behalf of their child
8.3 If We Learn of Unauthorized Collection
If we become aware that we have collected personal information from a child under the applicable age without parental consent, we will take steps to delete that information promptly.
International Data Transfers
9.1 Current Data Location
All user data is currently stored on servers located in Australia. We do not transfer your data outside of Australia.
9.2 Future Expansion
If we expand our operations to include servers or service providers in other countries (such as the United States), we will:
- Update this Privacy Policy and notify affected users at least 30 days in advance
- Ensure appropriate safeguards are in place for international data transfers
- Comply with cross-border data transfer requirements under Australian and applicable foreign privacy laws
- Use standard contractual clauses or other approved transfer mechanisms
9.3 Third-Party Services
Some of our service providers (like Stripe for payment processing) may process data internationally. These providers are contractually required to implement appropriate safeguards and comply with applicable data protection laws.
Data Breach Notification
In the event of a data breach that compromises your personal information:
10.1 Our Response
- Immediate Action: We will immediately investigate and take steps to contain the breach
- Assessment: We will assess the scope, severity, and type of information affected
- Remediation: We will implement measures to prevent future breaches
- Documentation: We will maintain detailed records of the breach and our response
10.2 User Notification
- Australian Users: We will notify affected users and the Office of the Australian Information Commissioner (OAIC) as required by the Privacy Act if the breach is likely to result in serious harm
- US Users: We will notify affected users and relevant state authorities as required by applicable state data breach notification laws (typically within 72 hours for California)
- All Users: Notification will include:
- Description of the breach and data affected
- When the breach occurred
- Steps we're taking to address it
- Recommendations for protecting yourself
- Contact information for questions
10.3 Your Actions
If you are notified of a data breach:
- Change your password immediately
- Monitor your financial accounts for suspicious activity
- Be alert for phishing attempts or scam communications
- Follow the specific recommendations in our breach notification
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
11.1 How We Notify You
- Material Changes: We will notify you via email and/or prominent notice on our platform at least 30 days before material changes take effect
- Non-Material Changes: We will update the "Last Updated" date at the top of this policy
- Your Options: If you disagree with changes, you may delete your account before they take effect
11.2 Continued Use
Your continued use of Pelagic after changes to this Privacy Policy constitutes acceptance of the updated policy. We encourage you to review this policy periodically.
Contact Us About Privacy
12.1 Privacy Questions and Requests
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us:
- Through your account settings privacy request form
- Via email: [privacy contact - available on platform]
- We will respond within 30 days (or as required by applicable law)
12.2 Privacy Complaints
Australian Users:
- Step 1: Contact us directly - we will investigate and respond within 30 days
- Step 2: If unsatisfied, contact the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
California Users:
- Use our CCPA request form (link in account settings)
- California Attorney General's Office: oag.ca.gov
Other US State Users:
- Contact your state Attorney General's consumer protection division
- Federal Trade Commission (FTC): ftc.gov/complaint
📧 We're Here to Help
Privacy is important to us. If you have any questions, concerns, or requests regarding your personal information, please don't hesitate to contact us. We're committed to addressing your privacy concerns promptly and transparently.
Privacy Policy Summary
This summary provides a quick overview of our privacy practices. Please read the full policy above for complete details.
🔐 Key Privacy Points
What we collect: Email, name, payment info, dive reports, sightings, usage data, device info
How we use it: Provide services, process payments, improve predictions, customer support
Who we share with: Stripe (payments), hosting providers, email services - we do NOT sell your data
Your rights: Access, correct, delete your data; opt-out of marketing; manage cookies
Security: Encryption, secure passwords, PCI-compliant payments, regular audits
Data location: Currently stored in Australia; will notify if this changes
Contact: Questions? Use account settings or email us - we respond within 30 days