Privacy Policy

Last updated: March 2026

1. Data controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection laws is:

Bora Bey Sarikaya
10789 Berlin
Germany
Email: privacy@deeplink-freediving.com

2. General information on data processing

DEEPLINK is a coordination platform for freedivers. We process personal data only to the extent necessary to provide a functional platform and our services. Personal data is processed only with the user's consent or where processing is permitted by law.

3. Legal bases for processing

  • Consent (Art. 6(1)(a) GDPR) — Where we obtain consent for processing operations. Consent may be withdrawn at any time.
  • Performance of a contract (Art. 6(1)(b) GDPR) — For the performance of the user agreement (e.g. account creation, session planning, buddy matching, payment processing).
  • Legitimate interest (Art. 6(1)(f) GDPR) — For platform security, abuse prevention, analysis and improvement of our services.
  • Legal obligation (Art. 6(1)(c) GDPR) — Where we are legally required to process data (e.g. tax-related retention obligations).

4. Data we collect

a) Registration and account

Upon registration, we collect: name, email address, and password (stored as a cryptographic hash — we never have access to your plain-text password). Optionally: profile picture, bio, location.

b) Dive profile

Voluntary information about your diving profile: certification level, maximum depth, preferred disciplines, experience level, equipment. This data is used for buddy matching and session planning and is visible to other users according to your privacy settings.

c) Sessions and activities

Data about dive sessions you create or participate in: date, time, location, participants, roles (diver / safety). Dive log entries: depth, duration, discipline, personal notes.

d) Messages

Content you send and receive through the platform's chat function. Messages are stored encrypted and are only visible to the respective conversation participants.

e) Payment data

When using paid features (safety diver bookings, event tickets, marketplace), payment data is processed exclusively through our payment service provider Stripe. We do not store complete credit card numbers or bank details. We only receive a transaction ID and payment status.

f) Technical data (server logs)

Each time you access our platform, technical data is automatically collected: IP address (anonymized), browser type and version, operating system, referrer URL, date and time of access. This data is not merged with other data sources and is automatically deleted after 30 days.

5. Hosting

Our platform is hosted on servers operated by Supabase Inc. The databases relevant to operation are located on servers within the European Union. Supabase employs state-of-the-art technical and organizational measures to protect your data (encryption in transit and at rest, access controls, backup procedures).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure and efficient provision of the platform).

6. Cookies and local storage

DEEPLINK uses only technically necessary cookies and local storage entries:

  • Authentication — Session token for login (Supabase Auth)
  • Theme preference — Your chosen color scheme (local storage)
  • Mode preference — Your chosen navigation mode (local storage)

We do not use tracking cookies, advertising cookies, or third-party analytics tools. A cookie consent banner is therefore not required, as only technically necessary cookies are used (§ 25(2) TDDDG — German Telecommunications Digital Services Data Protection Act).

7. Third-party services

a) Google Fonts

We use fonts provided by Google LLC ("Google Fonts"). When you visit our pages, a connection to Google servers is established to load the fonts "Montserrat" and "Source Serif 4". Your IP address may be transmitted to Google in this process.

Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: policies.google.com/privacy. Legal basis: Art. 6(1)(f) GDPR. Data transfer to the USA is based on the EU-U.S. Data Privacy Framework.

b) Stripe (payment processing)

We use Stripe Inc. for payment processing. During a payment transaction, the required payment data is transmitted directly to Stripe and processed there. We do not receive complete payment data.

Provider: Stripe Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA. Privacy policy: stripe.com/privacy. Legal basis: Art. 6(1)(b) GDPR (performance of contract). Data transfer to the USA is based on the EU-U.S. Data Privacy Framework.

c) OpenAI (AI coach)

For AI-powered training analysis and recommendations, we use the OpenAI API. Only anonymized training data (depth, duration, discipline) is transmitted to OpenAI. No personally identifiable information such as name or email is shared with OpenAI.

Provider: OpenAI LLC, San Francisco, CA, USA. Privacy policy: openai.com/privacy. Legal basis: Art. 6(1)(a) GDPR (consent — the AI coach feature is optional and only activated at the user's explicit request).

8. Data transfers to third countries

Personal data is transferred to third countries (countries outside the EU/EEA) only in the context of the third-party services described in section 7. Transfers to the USA are based on the EU-U.S. Data Privacy Framework (adequacy decision by the European Commission pursuant to Art. 45 GDPR). The listed providers are certified under the Data Privacy Framework and are thus obligated to comply with EU data protection standards.

9. Storage duration

Personal data is stored only as long as necessary for the respective processing purpose:

  • Account data — Until the account is deleted by the user
  • Dive log — Until the account or individual entries are deleted by the user
  • Messages — Until the account is deleted
  • Server logs — 30 days
  • Payment data — In accordance with statutory retention periods (up to 10 years under § 147 AO — German Fiscal Code)

After deletion of your account, all personal data is completely removed from our systems within 30 days, unless statutory retention obligations require otherwise.

10. Your rights as a data subject

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) — You may request information about the personal data we store about you.
  • Right to rectification (Art. 16 GDPR) — You may request the correction of inaccurate data.
  • Right to erasure / "right to be forgotten" (Art. 17 GDPR) — You may request the deletion of your data, provided no statutory retention obligations exist.
  • Right to restriction of processing (Art. 18 GDPR) — You may request the restriction of the processing of your data.
  • Right to data portability (Art. 20 GDPR) — You may receive your data in a structured, commonly used, machine-readable format. The data export function is available in your account settings.
  • Right to object (Art. 21 GDPR) — You may object to the processing of your data at any time where the processing is based on legitimate interest.

To exercise your rights, send an email to privacy@deeplink-freediving.com. Alternatively, you can delete your account and all associated data directly in your account settings.

11. Withdrawal of consent

Where the processing of your data is based on consent, you have the right to withdraw this consent at any time. Withdrawal does not affect the lawfulness of processing carried out on the basis of the consent before the withdrawal. You may withdraw consent by email to privacy@deeplink-freediving.com or through your account settings.

12. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes the GDPR.

The competent supervisory authority for us is:
Berlin Commissioner for Data Protection and Freedom of Information
(Berliner Beauftragte für Datenschutz und Informationsfreiheit)
Friedrichstr. 219
10969 Berlin, Germany
www.datenschutz-berlin.de

13. SSL/TLS encryption

This site uses SSL/TLS encryption for security purposes and to protect the transmission of confidential content. You can recognize an encrypted connection by the address in your browser's address bar changing from "http://" to "https://" and by the lock icon in your browser bar. When SSL/TLS encryption is activated, the data you transmit to us cannot be read by third parties.

14. Minors

Our service is generally intended for persons aged 16 and over. Persons under 16 may only use DEEPLINK with the consent of a legal guardian. We do not knowingly collect data from children under 16 without parental consent.

15. Changes to this privacy policy

We reserve the right to update this privacy policy to ensure it always complies with current legal requirements or to reflect changes to our services. The updated privacy policy applies to your subsequent visits. We recommend reviewing this privacy policy regularly.