Privacy Policy

Last Updated: 2026-03-30 09:00:00

OVERVIEW

SeaCrush SASU ("SeaCrush", "we", "us") attaches great importance to the protection of your personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use our website and applications (the "Service").

This policy may be updated to reflect changes in our practices or legal requirements. We will notify you of significant changes by updating the date at the top of this page.

SeaCrush SASU acts as the data controller for the personal data collected through the Service, in compliance with the EU General Data Protection Regulation (GDPR) and the French Data Protection Act (loi Informatique et Libertés).

1. Data We Collect

1.1 Information you provide directly

Account information: name, email address, username, password, date of birth, gender, nationality, profile photo, cover photo, and biography
Diving information: certification body, certification level, certification location, number of dives
Communication data: messages sent through booking inquiries, contact forms, SMS (via Twilio), and WhatsApp
Reviews and ratings: trip reviews (scores for marine life, value, sustainability, professionalism) and diver ratings
Preferences: trip interests, language preference, currency preference, marketing opt-in status
Terms and privacy acceptance: timestamp of your agreement to our Terms of Use and Privacy Policy

1.2 Information collected automatically

Device and usage data: browser type, operating system, IP address, pages visited, and session information
Analytics data: page views and performance metrics collected by Vercel Analytics and Vercel Speed Insights
Cookies and similar technologies: see Section 5 below

1.3 Information from third-party authentication providers

When you sign in using a social media account, we receive profile information from that provider:

Google: name, email address, profile photo
Facebook: name, email address, profile photo, friends list, location, hometown, gender, birthday
Twitter/X: name, email address, profile photo

2. How We Use Your Data

We process your personal data for the following purposes:

Account management: creating and managing your account, authenticating you for access to restricted areas
Service delivery: processing booking inquiries, connecting you with dive operators, facilitating trip planning
Communication: sending booking confirmations, account notifications, and customer support responses via email, SMS, or WhatsApp
Reviews and ratings: displaying your reviews and ratings on the platform to help other users
Analytics and improvement: analyzing usage patterns to improve the Service and user experience (using anonymized or aggregated data where possible)
Marketing: sending newsletters and promotional content if you have opted in (you can opt out at any time in your settings)
Legal compliance: fulfilling our legal obligations, including responding to lawful requests from authorities
Safety and security: detecting and preventing fraud, abuse, and security incidents

3. Third-Party Services and Data Sharing

We share your data with the following categories of recipients:

3.1 Service providers

Firebase (Google Cloud): authentication, database storage (Firestore), file storage (Firebase Storage). Data may be processed in the United States and other countries where Google operates.
Google Cloud Storage: image hosting and delivery
Sanity CMS: content management for trip and destination data
Vercel: hosting, analytics (Vercel Analytics), and performance monitoring (Vercel Speed Insights)
Twilio: SMS messaging (phone numbers and message content)
Slack: customer support messaging (SMS messages are forwarded to our Slack workspace)
WhatsApp (Meta): customer support chat via the floating WhatsApp widget

3.2 Social media platforms

Facebook (Meta): Facebook SDK enables Facebook login. Facebook's data processing is governed by Facebook's Data Policy.
Google: Google OAuth for authentication
Twitter/X: Twitter/X OAuth for authentication

3.3 Dive operators

When you submit a booking inquiry, we share the information necessary to process your reservation with the relevant dive operator, including your name, diving certification, and contact details.

3.4 Legal disclosures

We may disclose your data if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

4. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our service providers (Firebase/Google, Vercel, Twilio, Slack) operate. When we transfer data internationally, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission
The EU-U.S. Data Privacy Framework where applicable
Contractual obligations requiring equivalent data protection standards

5. Cookies

5.1 What are cookies?

Cookies are small files stored on your device by your browser. They help the Service function properly, remember your preferences, and collect usage statistics. Cookies do not contain viruses.

5.2 Types of cookies we use

Strictly necessary cookies: required for authentication and core site functionality. These include session cookies (active only during your visit, deleted when you close your browser) and authentication cookies (keep you signed in).
Preference cookies: remember your language and currency selections. These are persistent cookies stored for up to 180 days.
Analytics cookies: Vercel Analytics uses cookies to measure site performance, page views, and user interactions. These help us improve the Service.
Social media cookies: when you log in with Facebook, Google, or Twitter/X, or use social sharing features, those services may place cookies on your device.

5.3 Managing cookies

You can control cookies through your browser settings. Note that disabling certain cookies may affect site functionality.

Chrome: Settings > Privacy and security > Cookies and other site data
Firefox: Settings > Privacy & Security > Cookies and Site Data
Safari: Preferences > Privacy > Manage Website Data
Edge: Settings > Cookies and site permissions

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:

Account data: retained until you request deletion or your account is terminated
Booking inquiries: retained for the duration necessary to process the inquiry and for legal compliance
Reviews and ratings: retained as long as they remain published on the platform (you may request removal)
SMS and chat logs: retained for customer support purposes and deleted after 12 months
Analytics data: retained in anonymized or aggregated form indefinitely

After account deletion, we may retain certain data where required by law (e.g., tax records) or for legitimate business purposes (e.g., fraud prevention), for a maximum period of 5 years.

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:

Right of access: request a copy of the personal data we hold about you
Right to rectification: request correction of inaccurate or incomplete data
Right to erasure ("right to be forgotten"): request deletion of your personal data
Right to restriction: request that we limit how we process your data
Right to data portability: request your data in a structured, machine-readable format
Right to object: object to processing based on legitimate interest, including direct marketing
Right to withdraw consent: withdraw consent at any time where processing is based on consent
Right to lodge a complaint: file a complaint with your local supervisory authority (in France: CNIL)

To exercise any of these rights, contact us at hello@seacrush.com with the subject line "Personal Data". We will respond within 30 days. We may ask you to verify your identity before processing your request.

8. Facebook Data Deletion

If you have signed in using Facebook and wish to request deletion of data obtained through Facebook:

You can request deletion directly through Facebook's app settings under "Apps and Websites"
You can also contact us at hello@seacrush.com with the subject "Facebook Data Deletion" and we will process your request
We provide a callback URL for Facebook's data deletion and deauthorization requests to ensure compliance with Facebook's platform policies

9. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

Encryption of data in transit (TLS/SSL)
Firebase Authentication security rules
Access controls limiting employee access to personal data
Regular security reviews of our infrastructure

However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

10. Children's Privacy

The Service is not intended for anyone under the age of 18. We do not knowingly collect personal data from individuals under 18. If we become aware that we have collected data from a minor, we will take steps to delete it promptly.