Privacy Policy

1. Data controller

The controller of personal data collected through BlueAtlas is BlueAtlas ("we", "us"). For any question about this policy or your data, write to privacy@blueatlas.app.

BlueAtlas is a digital dive logbook for recreational scuba divers. We only process the data needed to provide the service.

2. Data we collect

Account data

• Email address (account creation, transactional emails, waitlist).
• Display name and avatar (if you set them).
• Preferences (language, visibility settings, PRO subscription).

Dive data

• Imported dive profile files (.fit, .uddf, .ssrf, .json) and their content (depth, duration, temperature, site geolocation when present).
• Underwater photos and videos attached to each dive.
• Annotations, descriptions, buddy groups, tagged friends.

Technical data

• Server logs (IP address, user-agent, timestamps) for security and error diagnostics.
• Anonymous session id for aggregate audience measurement (Vercel Analytics, Vercel Speed Insights).

3. Purposes and legal bases

• Provide the service (store your logbook, parse your files, social sharing) — legal basis: contract performance (Art. 6.1.b GDPR).
• Send transactional emails (confirmation, password reset, opt-in notifications) — contract performance.
• Waitlist (one email at launch) — explicit consent collected on the landing page (Art. 6.1.a GDPR). Unsubscribe in one click.
• Security and anti-abuse (Cloudflare Turnstile, spam detection, audit logs) — legitimate interest (Art. 6.1.f GDPR).
• Aggregate audience measurement (no cross-site tracking) — legitimate interest.

4. Retention

• Account and dive data: as long as your account is active. After account deletion, full erasure within 30 days (backups included).
• Waitlist email: until public launch, then merged with your account if you sign up, or deleted on request.
• Server logs: 90 days maximum.
• Invoices and accounting (PRO subscription, when applicable): 10 years (legal obligation).

5. Sub-processors

We rely on carefully selected providers. All operate within the European Union or have Standard Contractual Clauses approved by the European Commission in place.

6. Security

• TLS 1.3 encryption for all traffic between your device and our servers.
• AES-256 encryption at rest on the database and the media storage.
• Authentication via signed, expiring session tokens.
• Data access restricted on a least-privilege basis.

7. Your GDPR rights

Under Articles 15–22 GDPR, you have the following rights:

• Right of access: obtain a copy of the data we hold about you.
• Right to rectification: correct inaccurate information.
• Right to erasure ("right to be forgotten"): delete your account and all your data.
• Right to portability: receive your data in a structured, reusable format (JSON / ZIP).
• Right to object: object to processing based on legitimate interest.
• Right to restriction: request the temporary freeze of a processing.

To exercise these rights, write to privacy@blueatlas.app. We respond within one month maximum. If you believe your rights are not respected, you may lodge a complaint with your local data protection authority (e.g. CNIL in France).

8. Cookies and trackers

BlueAtlas uses no advertising cookies nor third-party trackers for profiling. We only set:

• An encrypted session cookie (authentication, expires on logout or inactivity).
• A Turnstile cookie (Cloudflare) on the waitlist signup page, to block bots. No personal data, no tracking.

9. Minors' data

BlueAtlas is not directed at children under 16. We do not knowingly collect data from minors. If you believe we have, contact us at privacy@blueatlas.app for immediate deletion.

10. Changes to this policy

We may update this policy over time (new provider, regulatory evolution). The last-updated date is shown at the top of the page. For substantial changes, we will notify you by email.