Legal

Privacy Policy

Last updated: April 24, 2026  ·  Applies to the Into The Blue mobile app and website.

Plain-English summary: We collect only what we need to run the app. We don't sell your data. You can delete your account and all associated data at any time from the app Settings screen.

1 Who we are

Into The Blue ("we", "us", "our") is a scuba diving logbook application developed by Stefano and Jardi. Our registered contact address is contact@intotheblue.app.

This Privacy Policy explains how we collect, use, disclose and protect information when you use our mobile applications for Android and iOS, and our website at intotheblue.app (collectively the "Service").

2 Data we collect

We collect the following categories of personal data:

  • Account data — email address and password (hashed) when you register. If you sign in with Google or Apple, we receive only the email address and display name they provide.
  • Profile data — display name, certification level, and optional profile photo you choose to upload.
  • Dive log data — dive entries you create, including depth, bottom time, water temperature, visibility, notes, photos and GPS location of dive sites (only when you explicitly grant location permission).
  • Device data — device type, operating system version, app version, and crash/error reports (anonymised) to help us fix bugs.
  • Usage data — pages and features visited, session duration, and feature interactions, collected in aggregate and never linked to individual identities.
  • Beta sign-up data — email address submitted through our website waiting-list form.

We do not collect payment data (the app is free during beta), precise real-time location outside of what you voluntarily attach to a dive log entry, or any biometric data.

3 How we use your data

We use collected data solely to:

  • Create and maintain your account and provide the core features of the Service.
  • Sync your dive log across your devices (Android and iOS).
  • Send transactional emails — account confirmation, password reset, and important service notices.
  • Contact beta testers with app updates and feedback requests (you can opt out at any time).
  • Diagnose crashes and performance issues to improve the app.
  • Comply with applicable legal obligations.

We do not use your data for advertising, profiling, or any automated decision-making that produces legal or similarly significant effects.

4 Data sharing

We share data only with the following sub-processors, each bound by contractual data-processing agreements:

  • Supabase (database, authentication, storage) — hosted in the EU (Frankfurt, AWS eu-central-1).
  • IONOS / Resend (transactional email delivery) — used only to send emails you explicitly trigger.
  • Google (Firebase Crashlytics) — anonymised, non-identifiable crash reports only.

We will never sell, rent or trade your personal data to third parties for marketing purposes.

We may disclose data if required by law, court order or government authority, and only to the minimum extent legally required.

5 Data retention

We retain your account data for as long as your account is active. Dive log data is retained until you delete individual entries or your entire account.

When you delete your account, all personal data is permanently erased from our systems within 30 days. Anonymised, aggregated statistics may be retained indefinitely.

Beta waiting-list emails are deleted upon your request or when the beta programme closes, whichever comes first.

6 Your rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — request deletion of your account and all associated data (also available in-app via Settings → Delete Account).
  • Portability — receive your dive log data in a machine-readable format (JSON export available in the app).
  • Restriction / Objection — restrict certain processing or object to it.
  • Withdraw consent — where processing is based on consent, you may withdraw at any time without affecting prior processing.

To exercise your rights, email us at privacy@intotheblue.app. We will respond within 30 days.

If you are in the EU/EEA, you have the right to lodge a complaint with your local supervisory authority.

7 Security

We apply industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest, bcrypt-hashed passwords, and row-level security policies on our database. Access to production data is restricted to authorised team members only.

No method of transmission over the internet is 100% secure. We encourage you to use a strong, unique password and enable two-factor authentication when available.

8 Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will delete it promptly. If you believe this has occurred, please contact us at privacy@intotheblue.app.

9 Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice in the app at least 14 days before the change takes effect. The "Last updated" date at the top of this page will always reflect the most recent revision.

Continued use of the Service after the effective date constitutes acceptance of the revised policy.

10 Contact

For privacy-related questions or to exercise your rights, please contact:

Into The Blue – Privacy
Email: privacy@intotheblue.app
Website: intotheblue.app