Privacy Policy - OcusDiver
Last updated: April 25, 2026
Version: 2.1
This Privacy Policy describes how OcusDiver (ocusdiver.com) collects, uses, shares, stores, and protects personal data in connection with the Platform.
The Service is operated by IOHANNA WIELEWSKI DE SOUZA VIGINESKI - ME, registered under Brazilian Tax ID (CNPJ) No. 65.934.149/0001-93, with registered office in Sao Paulo/SP, Brazil ("OcusDiver," "we," "us," "our").
This Policy is incorporated into the Terms of Use.
1. Scope and Controller
OcusDiver acts, in general, as the controller of the personal data processed in connection with the Platform.
Controller: IOHANNA WIELEWSKI DE SOUZA VIGINESKI - ME - CNPJ No. 65.934.149/0001-93 - Sao Paulo/SP, Brazil
Privacy and data subject contact channel: [email protected]
This Policy was prepared taking into account, where applicable:
- the LGPD (Brazilian General Data Protection Law, Law No. 13,709/2018);
- the GDPR (EU Regulation 2016/679);
- consumer protection and other applicable legal rules.
2. Personal Data We Collect
2.1 Data provided directly by you
We may collect:
- name;
- email;
- OcTag or username;
- avatar, cover photo, bio, and other profile information;
- country, city, website, and social links;
- self-declared diving certifications;
- text, reviews, dive logs, uploads, photos, reports, corrections, and other content you submit;
- communications you send to us.
2.2 Data received from authentication providers
When you use third-party sign-in, we may receive, depending on the provider and the permissions granted:
- name;
- email;
- profile photo;
- unique provider identifier;
- basic authentication and session data.
This may include providers such as Google, Apple, Microsoft, and equivalent services. We do not receive your provider password.
2.3 Data collected automatically
We may automatically collect:
- IP address;
- access date and time;
- user agent;
- browser or device identifiers;
- operating system and language;
- pages viewed and interactions performed;
- security, error, performance, and audit events;
- cookies and similar technologies.
2.4 Photos, files, and metadata
When you upload photos or other files, we may process:
- the file itself;
- thumbnails and resized versions;
- technical metadata embedded in the file, including EXIF, such as date, time, and, where present, geographic coordinates.
We use this data to operate the feature, moderate content, improve the experience, detect inconsistencies, and associate media with relevant records. Where technically feasible and compatible with the product, we may reduce or remove metadata in public files delivered to third parties.
2.5 Data we do not usually intend to collect
OcusDiver is not designed for the deliberate collection of:
- bank or card payment data, unless and until a native payment feature is introduced;
- biometric data;
- structured medical data;
- continuous real-time location data.
If sensitive data is improperly submitted by you in free-text fields or uploads, it may still be processed to the extent necessary for moderation, security, defense of rights, and legal compliance.
3. Public Nature of Some Content
OcusDiver includes public-facing functionality. Depending on how the feature is offered:
- profiles;
- reviews;
- photos;
- public dive logs;
- dive site contributions;
- biodiversity data and community interactions
may be visible to other users, non-logged-in visitors, and search engines.
This means public content:
- may be indexed;
- may appear in search results;
- may be shared by third parties;
- may remain accessible through caches, screenshots, or republications outside our control.
4. Purposes of Processing and Legal Bases
We process personal data for the following purposes:
| Purpose | Examples of data | Main legal basis |
|---|---|---|
| Create and manage your account | name, email, login identifiers | contract performance |
| Authenticate access and maintain sessions | login data, tokens, technical logs | contract performance / legitimate interest |
| Display profile and public content | OcTag, bio, reviews, photos, public dive logs | contract performance |
| Operate social and community features | follows, reports, interactions, complaints | contract performance / legitimate interest |
| Moderate content and prevent fraud or abuse | IP, logs, submitted content, reports | legitimate interest / exercise of legal rights |
| Organize and enrich information about dive sites and biodiversity | technical data, text, relevant metadata | contract performance / legitimate interest |
| Use automation and AI tools for operational support | descriptions, classification, search, assisted moderation | legitimate interest |
| Send transactional and operational communications | email, account records | contract performance |
| Comply with legal duties and respond to authorities | logs, registrations, acceptance records | legal obligation / regulatory compliance |
| Defend rights in judicial or administrative proceedings | account records, logs, communications | exercise of legal rights |
| Carry out aggregated analysis, metrics, and security | technical and statistical event data | legitimate interest |
Where processing depends on consent, consent will be requested specifically, freely, clearly, and prominently when required by law.
5. AI, Automation, and Support Tools
We may use automation tools and artificial intelligence systems to:
- enrich dive site and species descriptions from public sources (web, scientific databases, diving agencies);
- classify content;
- support spam, fraud, or abuse detection;
- improve search, organization, and contextualization of content;
- support operational triage.
Important — scope of AI in OcusDiver: the enrichment of dive sites and species operates on public destination metadata (name, coordinates, typical depth, observed fauna, season). We do not send your logbook, your reviews, your photos, your identity, or any user-generated content to AI for enrichment purposes. For this reason, this specific use of AI does not process your personal data and does not require separate granular consent.
When automated tools need to process personal data for another purpose (for example, assisted moderation or abuse detection), we do so based on legitimate interest or another applicable legal basis, with safeguards proportional to the risk and using strictly the data necessary for the contracted function.
The use of such tools does not mean that relevant decisions are made exclusively by automated means. Where human review is appropriate or necessary, we may use it.
6. Data Sharing
We may share personal data in the following cases:
6.1 Infrastructure and technology providers
We operate with the following vendors, strictly to the extent necessary to deliver the Service:
- Amazon Web Services (AWS) — hosting (RDS PostgreSQL, ECS Fargate), storage (S3), transactional email (SES), media delivery (CloudFront). Personal data at rest is stored in the sa-east-1 (São Paulo, Brazil) region. CDN edge is global, but API personal data does not transit through edge locations.
- Google Maps Platform — map rendering on the front-end. When viewing maps, your IP and viewport are sent to Google in the US to serve tiles.
6.2 Authentication providers
We use Google, Microsoft, and Apple as OAuth login providers. When you click "Sign in with [provider]", you are redirected to the provider, which returns to OcusDiver only the minimal data (email, name, unique identifier, profile picture). OcusDiver does not store the provider's access tokens.
6.3 AI and automation vendors
- Anthropic (USA) — Claude model (Haiku 4.5) used for semantic search and enrichment of species and dive site descriptions. Prompts may be retained in ephemeral cache for up to 5 minutes on the vendor's servers. We limit content sent to query data and public content to the best of our ability, avoiding identifiable personal data.
The recipients listed in 6.1 to 6.3 act as processors (LGPD Art. 5, VII) under OcusDiver's instructions; this sharing is safeguarded by specific agreements (data processing agreements / commercial service terms) and by Standard Contractual Clauses (SCCs) where applicable to international transfers.
6.4 Other users and the general public
Your public content and data associated with your public profile may be viewed by:
- other users;
- visitors who are not logged in;
- search engines;
- third parties accessing public pages of the Platform.
6.5 Authorities and legal compliance
We may share data when necessary to:
- comply with a legal obligation;
- respond to a valid court order or formal demand;
- prevent fraud or imminent risk;
- exercise or defend rights.
6.6 Corporate transactions
In the event of a reorganization, merger, acquisition, incorporation, asset sale, or similar transaction, data may be shared or transferred to the successor, subject to applicable safeguards.
OcusDiver does not sell personal data as its core business model.
7. International Data Transfers
Data at rest stays in the AWS sa-east-1 (São Paulo, Brazil) region. Limited international transfers occur to the following destinations and for the following purposes:
| Recipient | Country | Purpose | Safeguard |
|---|---|---|---|
| Google (OAuth, Maps) | USA | Authentication, map rendering | Standard Contractual Clauses (SCC) via Google Cloud Terms |
| Microsoft (OAuth) | USA | Authentication | SCC via Microsoft Online Services Terms |
| Apple (OAuth) | USA | Authentication | Apple Developer Program Agreement |
| Anthropic (Claude) | USA | AI enrichment, semantic search | Commercial Terms + SCC, ephemeral cache retention (≤ 5 min) |
Additional safeguards applied:
- limiting the content sent to the minimum necessary for the purpose;
- in-transit encryption (TLS 1.2+) for all transfers;
- periodic necessity and proportionality reviews;
- preference for vendors with public and auditable DPA/SCC.
8. Retention and Deletion
We retain personal data for as long as necessary to fulfill the purposes described in this Policy, including Service operation, security, fraud prevention, legal obligations, and defense of rights.
Examples of retention:
- active account data: while the account remains active;
- access logs: for the minimum period required by applicable law, including the Brazilian Marco Civil da Internet where applicable;
- backups: for a limited operational period;
- public content after account deletion: it may be retained in de-identified or aggregated form when necessary for Platform integrity, public history, fraud prevention, metric consistency, and exercise of legal rights;
- reports, compliance, and security documentation: for as long as needed for investigation and evidence preservation.
Deleting an account does not mean immediate and absolute erasure of every record in every environment, especially where legal obligations, backups, disputes, legal defense, or preservation of de-identified history and aggregates apply.
9. Your Rights
Subject to applicable law, you may request, where appropriate:
- confirmation that processing exists;
- access to your data;
- correction of incomplete, inaccurate, or outdated data;
- anonymization, blocking, or deletion of unnecessary or unlawfully processed data;
- portability;
- deletion of data processed based on consent, subject to legal exceptions;
- information about data sharing;
- withdrawal of consent;
- objection to processing based on legitimate interest, where applicable;
- review of relevant automated decisions, where provided by law.
To exercise your rights, contact [email protected] and provide, to the extent possible:
- name;
- registered email;
- OcTag;
- the request you are making;
- sufficient context to identify the account or content involved.
We may ask for additional identity verification before fulfilling requests involving personal data.
10. Cookies and Similar Technologies
We use cookies and similar technologies for:
- authentication and session maintenance;
- security;
- preferences and essential functionality;
- metrics, analytics, and performance improvements;
- technical stability and abuse prevention.
You may manage cookies through your browser or device settings, but blocking essential technologies may impair the operation of the Service.
11. Information Security
We adopt reasonable technical and administrative measures to protect personal data, including, where applicable:
- access control;
- encryption in transit;
- environment segregation;
- security monitoring;
- backup routines;
- logging of critical events.
No system is completely invulnerable. You should also follow good security practices, including protecting your device and not sharing credentials.
11.1 Security incident notification (LGPD Art. 48)
Should we identify a security incident that may cause relevant risk or damage to data subjects:
- we will notify the Brazilian Data Protection Authority (ANPD) within a reasonable timeframe, observing then-current guidance (generally up to 2 (two) business days);
- we will notify affected data subjects, where applicable, by email or a notice on the Platform, indicating the nature of the affected data, the extent of the incident, the risks involved, and the measures adopted for containment and mitigation;
- we maintain an internal incident response playbook covering detection, containment, evidence preservation, investigation, eradication, and communication.
12. Minors
OcusDiver is intended for people 18 years of age or older. We do not knowingly intend to collect minors' data for regular use of the Platform.
If we identify an account that violates this rule, we may restrict or terminate access and process the related data as necessary and permitted by law.
13. Links and Third-Party Services
The Platform may contain links, integrations, or redirects to third-party sites, apps, and services. This Policy does not apply to the practices of those third parties, which are governed by their own terms and privacy policies.
We recommend reading the policies of services used together with OcusDiver, especially authentication, booking, payment, messaging, and social media tools.
14. Changes to this Policy
We may update this Policy from time to time. Material changes may be communicated through a Platform notice, renewed acceptance flow, email, or another reasonable method.
The most current version will remain available through OcusDiver's official channels.
15. Contact and Complaints
For questions, personal data requests, or privacy complaints:
- Email: [email protected]
- Controller: IOHANNA WIELEWSKI DE SOUZA VIGINESKI - ME - CNPJ No. 65.934.149/0001-93 - Sao Paulo/SP, Brazil
- Formal LGPD channel (Art. 18): web form at ocusdiver.com/privacy-request, with a response SLA of up to 15 (fifteen) calendar days.
If you believe your rights were not adequately addressed, you may also contact the competent authority applicable to your case, without prejudice to first attempting to resolve the matter with us.
16. Data Protection Officer (DPO)
Pursuant to Art. 41 of the LGPD, the designated contact is:
- DPO: Juan Marcus Lopes Fernandes (interim, pending designation of a dedicated professional)
- Contact: [email protected]
By using OcusDiver, you acknowledge that you have read and understood this Privacy Policy.