Legal
Privacy policy
Last updated 2026-05-16. Subject to legal review before public launch.
Who we are
MyDiveTag is an Australian-built platform for diver identity, bookings, waivers, gear-service, cylinder-testing, and marketing, operated for the recreational and technical diving industry. This policy describes how MyDiveTag handles personal information under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Privacy contact: privacy@mydivetag.com
What we collect
- Diver profile: name, email, phone, emergency contact, certifications, agency cert numbers, medical declaration responses, dive log entries, profile photo.
- Bookings + waivers: booking history, signed waivers, payment confirmations (Stripe handles card data; we never see it).
- Gear + cylinders: gear inventory, service history, cylinder serials, test records.
- Account security: password (hashed with bcryptjs), TOTP 2FA secret, login timestamps, hashed source IP.
- Communications: messages you send us via the contact form and any support tickets.
- Marketing: only with your explicit consent given to a specific dive shop. Per-business, not platform-wide.
How we collect it
Directly from you (signing up, signing a waiver, booking), from the dive shop you transact with (cert verification, dive log entries from completed bookings), and from Stripe (booking payment confirmations; payment data stays at Stripe).
Why we collect it (APP 6)
To operate the platform, to fulfil a booking or service request, to satisfy cylinder-testing and cert-verification legal/operational requirements, to comply with Australian law, and, where you have explicitly consented, to send marketing from a specific dive shop.
Where it is stored
All sensitive data (medical declarations, waiver signatures, identity documents, account credentials) is stored in PostgreSQL hosted in Sydney, Australia. Backups are encrypted and retained for 30 days. We do not store data outside Australia in the ordinary course of operations.
Security (APP 11)
- TLS 1.3 on every public endpoint, HSTS preloaded.
- Postgres Row-Level Security policies enforce strict tenant isolation. One dive shop cannot see another's customers, bookings, or marketing lists.
- Application-layer encryption (AES-256-GCM) for medical declarations, certification scans, signature images, and identity documents.
- Passwords hashed with bcryptjs. TOTP two-factor authentication available to all users, mandatory for business owner accounts.
- API keys hashed with argon2id at rest, scoped permissions, instant revocation, per-key rate limiting.
- Audit log on every privileged action with hashed source IP. Logs retained at least 12 months.
- Annual third-party penetration test.
Who can see your data (APP 6, APP 7)
- You: your full profile, your bookings, your dive log, the certifications you have uploaded.
- A dive shop: only the diver data relevant to its relationship with you (verified certs, current medical status flag, waivers you signed at that shop, bookings made with that shop). A dive shop does not see your activity at other shops.
- Marketing: a dive shop sends marketing only with your explicit consent given to that specific shop. Consent is revocable at any time with one click.
- Service providers: Stripe (payments), Resend (transactional and marketing email delivery), Twilio (SMS, when in use), Sentry (error monitoring with PII scrubbing), Google Analytics 4 + Google Tag Manager (web analytics, consent-gated). Each provider is bound by data-processing terms.
Diver data ownership
You own your diver profile. Each dive shop owns its relationship with you (its bookings, its waivers, its marketing consent record). Neither owns the other's. You can revoke a marketing consent without affecting your ability to keep diving with that shop.
Access, correction, deletion (APP 12, APP 13)
You can request a copy of your profile data, correct any of it, or delete the account. Deletion anonymises personally identifying information; transactional records (waivers signed, payments made) are retained for the legal evidence period and audit log obligations. Marketing consents are revoked immediately.
Email privacy@mydivetag.com to make a request. We respond within 30 days.
Marketing (Spam Act 2003)
Marketing email is sent only with your explicit consent, given per dive shop. Every marketing email has a clear sender, a one-click unsubscribe link (no login required), and identifies the business that obtained your consent. Consent records retain the timestamp, IP, user agent, and exact consent text.
Data breach response
MyDiveTag complies with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988. In the event of an eligible breach, we will notify affected individuals and the Office of the Australian Information Commissioner without unreasonable delay.
Cookies and tracking
We use first-party cookies for authentication only on the application surface (app.mydivetag.com). The marketing website (mydivetag.com) loads Google Tag Manager, which we use to configure Google Analytics 4 with IP anonymisation enabled. Consent is gated: analytics and advertising storage are denied by default and only granted when you explicitly opt in. We do not run a Facebook pixel or any other third-party advertising tracker.
Changes to this policy
We will update this policy when our practices change. Material changes are communicated by email to registered users at least 14 days before they take effect.
Complaints
If you believe MyDiveTag has handled your personal information in breach of the APPs, contact privacy@mydivetag.com. If you are dissatisfied with our response, you may complain to the Office of the Australian Information Commissioner at oaic.gov.au.