
Privacy Policy

Last updated: April 5, 2026 · Marine Compliance Systems

Same draft as the product: The numbered sections below match the Privacy Policy shown in the DiveGuard application (sign-up and Settings). For questions, contact us or open the app at app.dive-guard.com.

Summary: This is a draft for DiveGuard SaaS (multi-tenant orgs, Supabase-hosted data, Stripe billing, transactional email). It is not legal advice — align subprocessors, retention, and regional disclosures with your counsel (e.g. J9) before production.

Last updated: April 18, 2026 · Marine Compliance Systems

1. Who we are

This policy describes how Marine Compliance Systems ("MCS" / "we", "us") processes information in connection with DiveGuard (the "Service"). The Service may be used by your organization ("Customer") and its personnel. For much of the personal data processed in the Service, your Org (typically the Org Owner or Customer entity) is the controller, and we act as a processor on instructions expressed through use of the Service and these terms. Where we determine purposes and means (e.g. account administration for billing, security telemetry at platform level), we may act as a separate controller for those limited activities.

2. What we collect

2.1 Account and authentication

Name, email, authentication identifiers, Org membership, role metadata, and related session or device signals needed to sign in (processed via our authentication provider).

2.2 Operational / Customer Data

Content your Org submits to operate the product: equipment and maintenance records, work orders, templates, comments, uploaded files (e.g. PDFs, images), and configuration or settings.

2.3 Billing, subscriptions, and payment methods

Plan tier, seat counts, asset or usage-related entitlements, subscription status, invoice and transaction metadata, and identifiers that link your Org to Stripe (e.g. customer id). Payment card details are collected and stored by Stripe, not on MCS servers, per Stripe's practices.

If you use the Free plan, we may still ask you to add a payment method through Stripe for verification and future billing if you upgrade. Adding a payment method for Free does not by itself charge a subscription fee while you remain within the Free plan as described in the Terms; charges occur when you start a paid subscription or as otherwise clearly disclosed at checkout.

2.4 Communications

Support correspondence; transactional and invitation email metadata and delivery events relayed through our email infrastructure.

2.5 Technical and security

Server, application, and edge logs (e.g. IP address, user agent, timestamps, error diagnostics) necessary to operate, secure, debug, and comply with law; abuse prevention signals.

3. Purposes and legal bases

We process personal data to:

  • Provide the Service (contract / legitimate interests, depending on role and jurisdiction);
  • Authenticate users, enforce Org isolation, and maintain security;
  • Process subscriptions, trials, invoices, and payment failure handling;
  • Communicate operational notices, invitations, and (where permitted) product updates;
  • Comply with law, respond to lawful requests, and defend legal claims.

Where GDPR/UK GDPR applies, the Org remains responsible for establishing lawful grounds for personnel and third-party data in Customer Data; we assist as processor.

4. Subprocessors

The Service relies on the following categories of infrastructure partners (non-exhaustive):

  • Supabase — hosted PostgreSQL, authentication, and related platform services;
  • Stripe — payments, billing portal, and related financial compliance tooling;
  • Email delivery — transactional and invitation email (provider as configured for your deployment);
  • Application hosting / CDN — edge delivery and hosting (e.g. where the web app is deployed).

Their processing is subject to their documentation and our data protection agreements as applicable. Customer administrators should maintain an accurate subprocessor register for internal compliance.

5. International transfers

Data may be processed in countries where our subprocessors and their failover regions operate (which may include the United States, European Economic Area, United Kingdom, and Australia). Where required, we use appropriate safeguards such as standard contractual clauses or equivalent mechanisms. See also the Terms section on Data Processing (DPA / SCCs) for Org-led requests.

6. Retention

We retain Customer Data while the subscription is active and for periods afterward as described in these policies and the Terms of Service (including post-cancellation export windows, payment-delinquency timelines, inactive Free org handling, backup latency, and batch purge timing).

Paid subscription ending (Schedule A): Operational Customer Data may be deleted or anonymized after the ninety (90) UTC calendar-day export window and scheduled processing described in the Terms, unless the product shows different dates for your Org.

Payment delinquency (Schedule B): While charges fail on a paid subscription, access restrictions and a separate deletion timeline (including a target of approximately 180 UTC calendar days from the first recorded failure anchor) may apply as described in the Terms. Once the paid subscription has ended and Schedule A applies, Schedule A governs operational purge timing.

Free / inactive orgs: Operational Customer Data may be deleted or anonymized after prolonged inactivity as described in the Terms (for example, about 60 calendar days after inactivity, as implemented).

Billing records: Stripe and MCS may retain billing-related records for accounting and legal requirements, commonly up to seven (7) years, separately from equipment and maintenance records. Backup systems may retain redundant copies; deletion is not always immediate across all systems. Deletion may also depend on legal holds and investigations.

7. Security

We implement technical and organizational measures appropriate to a multi-tenant SaaS (including database row-level security for Org isolation). No transmission or storage method is 100% secure; you should protect credentials and follow Org policies.

8. Your rights

Depending on your location, you may have rights to access, rectify, delete, restrict, object, or port personal data, and to lodge a complaint with a supervisory authority. For data processed on behalf of your Org, contact your Org Owner first; we will assist Customer as required by contract and law. For limited processing where MCS is controller (e.g. billing contact at Customer), contact us via the channel published for privacy on dive-guard.com (placeholder until counsel finalizes).

9. Cookies and similar technologies

We use cookies or local storage as needed for session authentication, security, and product functionality. Analytics or marketing cookies, if introduced, will be described in an updated notice and, where required, consent flows.

10. Children

The Service is not directed at children, and we do not knowingly collect personal information from children.

11. U.S. state privacy notices

If you are a resident of U.S. states with comprehensive privacy laws, additional disclosures or rights may apply. Placeholder: your counsel should add state-specific sections (e.g. California) before broad U.S. marketing.

12. Changes

We may update this policy. Material changes will be communicated as required by law or contract, for example via the application, email to Org Owners, or notice on our marketing site.

13. Contact

Marine Compliance Systems
For privacy requests relating to Org-held data, contact your Org Owner. For MCS-controlled processing, use the privacy contact published on dive-guard.com after J9 review — placeholder until published.

For more about security practices, see our Security page.

Questions?

If you have questions about this Privacy Policy or our data practices, we're here to help.
