Skip to content

Privacy policy

Last updated: 11 May 2026 · Version 1.1

1. Who we are

OQUEA TECHNOLOGIES, S.L. (hereinafter, "OQUEA" or "we") is the entity responsible for processing your personal data when you use the OQUEA Platform (web and mobile app).

Corporate nameOQUEA TECHNOLOGIES, S.L.
NIFB-26904193
Registered addressAvenida Diego Fernández de Mendoza, número 11, 3º B, 29006 Málaga, Spain
Registry entryMálaga Commercial Registry, Sheet MA-197468, entry 1ª
Contact emailsupport@oquea.com

We have entrusted the technical development and maintenance of the Platform to APPXPERT SOLUTIONS, S.L. (NIF B56200264, Alejandro Dumas 17, 29004 Málaga). OQUEA works with technology providers that may process personal data on behalf of OQUEA. When they act as processors, the relationship is governed by the corresponding data-processing agreement under Article 28 of the GDPR.

We are not legally required to appoint a Data Protection Officer at this time (Article 37 GDPR), but you can reach us with any data-related question at support@oquea.com.

2. Roles in data processing

On OQUEA there are three distinct legal relationships you should understand from the start:

  1. OQUEA as controller. OQUEA acts as data controller for the data needed to create and manage your account, let you use the Platform, maintain your profile, record your logbook, ensure security and provide OQUEA's own features.
  2. Centre as independent controller. Centres act as independent controllers for the data they process to organise Activities, deliver diving services, manage their relationship with customers, meet their legal obligations, verify insurance, certifications or safety requirements, and carry out their own communications under their own privacy policy.
  3. OQUEA as processor for the Centre. In certain professional features, OQUEA may act as the Centre's processor when providing technical tools for management, CRM, bookings or communications on behalf of the Centre and under its instructions.

3. What data do we process?

We process different categories of data depending on how you use the Platform. Some data is required to create and maintain the account; other data is optional and is only processed if you decide to provide it to improve your experience, help Centres prepare Activities or complete your profile.

3.1 If you create a User account

Data required to create and maintain the account:

  • Email address.
  • Unique username.
  • Declaration of legal age (and, when legal verification is required, date of birth).
  • Diving level or declared experience necessary for the platform to function correctly (certification, agency).

Optional data you can add from your profile:

  • First name and last name.
  • Profile photo.
  • Biography or presentation.
  • Gender (including a "Prefer not to say" option).
  • Country of residence.
  • Phone number.
  • Language and interests (diving goals).
  • Equipment sizes (boots, wetsuit) so the Centre can prepare your kit.
  • Dive insurance details (provider, policy number, expiry date).
  • Pre-OQUEA experience (years diving, previous dives, max depth, etc.).

Activity data generated by using the Platform:

  • Your dive logbook: date, duration, depth, water temperature, equipment used, gas mix, dive description, photos you upload, subjective experience rating and marine life observed.
  • Photos uploaded to shared Activity albums.
  • Centres you follow.
  • Aggregated activity statistics (total number of dives, etc.).

Technical data:

  • Internal identifier (UID assigned by Firebase Authentication).
  • Authentication method (magic link via email or Google sign-in).
  • Email verification status.
  • Last sign-in date.
  • Unit preferences (metres/feet, bar/psi, Celsius/Fahrenheit) and notification preferences.

3.2 Equipment sizing and prior experience

Equipment sizing and prior experience are optional. They will only be used to help prepare Activities, rent equipment or adapt the experience. They will not be publicly visible and will only be shared with a Centre when you take part in an Activity where that information is needed or you decide to share it.

3.3 Dive insurance data

Dive insurance data is optional and will not be publicly visible. It will only be shared with Centres when necessary to verify participation requirements for an Activity, course or service, or when you expressly authorise it.

3.4 If you register as a dive Centre

We process the Centre's data as an entity —name, address, phone, email, web, social profiles, training agency, languages, operational defaults, photos, logo and, optionally, NIF/CIF—. The Firebase identifiers of people with owner, admin or staff permissions are linked to the Centre to manage access.

If the Centre is run by a natural person (e.g. a self-employed worker), part of that information may qualify as personal data and is processed under this policy.

3.5 If you take part in an Activity by scanning a Centre's QR

When you scan a Centre's QR and confirm your participation in an Activity, OQUEA will process the data needed to:

  1. Record the Activity in your account and, where appropriate, in your logbook.
  2. Associate your participation with the Centre and the corresponding dive site.
  3. Show you in the participants list when that feature is necessary for the Activity.
  4. Allow the Centre to manage the Activity and keep an operational history of the people who have participated in its Activities.

Before confirming the scan, we will show you a clear notice with the data that will be shared with the Centre and the purpose of that communication.

The Centre may process that data as an independent controller to manage the Activity, evidence participation, comply with legal or safety obligations and maintain its operational relationship with you.

Any commercial, promotional or loyalty use by the Centre must be carried out under its own responsibility and with the appropriate legal basis, in accordance with the Centre's own privacy policy.

3.6 Anthropometric and health data (not applicable today)

The Platform has been designed so that, in a future version, you may optionally share anthropometric data (weight, height) and a pre-dive medical questionnaire.

Today, neither of these features is active. When we activate them:

  • We will ask for separate explicit consent from the general account consent, under Article 9.2.a) GDPR.
  • OQUEA will carry out a specific risk assessment and, where appropriate, a Data Protection Impact Assessment, alongside reinforced access controls, audit logging and consent-withdrawal mechanisms.
  • We will update this policy with full details before any of this information is collected.
  • You may withdraw consent at any time, which will mean we stop processing that data for the relevant purpose and proceed with its deletion or blocking under applicable law.

3.7 Data we don't collect

  • We don't process payment data. OQUEA does not process financial transactions at the time of writing. If we do in the future, it will be through a specialised provider and this policy will be updated.
  • We don't process biometric identification data. Photos you upload are not run through face recognition or used to identify people.
  • We don't track your real-time location. The coordinates that appear in the Platform belong to Centres and dive sites, not your position.

4. Profile visibility ("privacy by default")

By default, your profile visible to other authenticated Users will show your username, profile photo if you've added one, biography if you've filled it in, general declared level and basic statistics.

Your full first name and last name will only be visible to Centres you interact with, to other participants of an Activity when necessary to identify you, or when you choose to make them publicly visible through the privacy settings available.

All other information (email, phone, date of birth, dive logbook, insurance, sizing data and, in the future, anthropometric and medical data) is private.

5. Privacy settings

You'll be able to configure certain privacy aspects from your profile, including the visibility of certain data, optional profile information, notification preferences and consents granted, when the feature is available.

6. What we use your data for and the legal basis

PurposeMain dataLegal basis
Create and maintain your account email, UID, username, technical credentials Performance of the contract
Verify legal age declaration of legal age or date of birth Performance of the contract / legal obligation or legitimate interest as applicable
Maintain your dive logbook dive data entered by User or Centre Performance of the contract
Take part in an Activity via QR basic profile data, Activity, Centre Performance of the contract
Share data with the Centre for operational management and history name, username, level, participation Performance of the contract / legitimate interest as applicable
Display basic profile elements needed for interaction username, photo, basic stats Performance of the contract
Display optional profile elements (biography, detailed certifications, extended info) biography, certifications, interests User's voluntary configuration
Display participation in Activities participation, divers list Performance of the service when needed for the Activity
Operational communications (login, security alerts) email, preferences Performance of the contract
OQUEA commercial communications email, preferences Your consent (you can withdraw it any time from your profile)
Centre commercial communications contact data shared or collected by the Centre Centre's responsibility / consent or applicable legal basis
Security, abuse prevention and service improvement logs, UID, technical events Legitimate interest
Keep the account for the 30-day grace period after deletion request email, UID Legitimate interest and, where applicable, legal obligation
Comply with legal obligations as required Legal obligation
Sizing and prior experience sizes, years of experience Consent given by filling them in voluntarily. You can withdraw it by deleting them from your profile
Future health / anthropometric data medical questionnaire, weight, height Explicit consent (Article 9.2.a) GDPR)

7. How long do we keep your data?

InformationRetention period
Active account While the account exists and you do not delete it.
Account deleted by you 30 calendar days (grace period to recover). After that period, we will delete or anonymise your personal data from active systems, except for data we must retain for the time necessary to comply with legal obligations, handle claims, prevent abuse, ensure security or evidence compliance with our obligations. Backup copies will be overwritten according to our standard technical cycles.
Your dive logbook, private photos and associated data Until the account is permanently deleted.
Shared album of an Activity (photos uploaded by participants) 30 days from the Activity date. After that, automatic deletion.
Following data (Centres you follow) Until the account is permanently deleted or until you stop following the Centre.
Centre CRM data (where you have dived with them) Under the Centre's own responsibility, in accordance with its privacy policy and the legal bases that apply to it.
Consent records For the lifetime of the consent plus the limitation period of any legal claims that may arise.
Fiscal or accounting documentation (where applicable) 6 years, under the Spanish Commercial Code.
Technical and security logs Retained for the time needed to ensure security, investigate incidents, prevent abuse and maintain Platform integrity. Generally, up to 12 months, unless longer retention is needed because of a specific incident, security investigation, claim or legal obligation.

When the period expires, data is irreversibly deleted or anonymised.

8. Who do we share your data with?

8.1 Other OQUEA Users

As explained in section 4, part of your profile is visible to other authenticated Users, according to the default configuration and the privacy preferences you have activated.

8.2 Dive centres

When you scan a Centre's QR, the data described in section 3.5 is communicated to the Centre, which then processes it as an independent controller under its own privacy policy.

The communication of data to the Centre for managing the Activity and maintaining the operational history is based on the performance of the service requested by the User. Any use of that data by the Centre for commercial, promotional, campaign or loyalty purposes must be carried out under the legal basis applicable in each case, under the Centre's responsibility.

For medical and anthropometric data (when activated), Centres will only be able to access it if you give express and specific consent for each Centre.

8.3 Processors (providers that process data on OQUEA's behalf)

ProviderServiceLocation
Google Ireland Limited (Firebase / Google Cloud) Authentication, database, image and video storage, web hosting, cloud functions and push notifications Data stored in EU multi-region. Administrative access from the United States by Google LLC.
Twilio Inc. / SendGrid Transactional email (magic link, operational notifications) United States
APPXPERT SOLUTIONS, S.L. Development, maintenance and technical support of the Platform Spain

8.4 Authorities

We will share your data with public authorities, judges and courts only when a legal rule requires us to do so or in response to a formal and properly motivated request.

8.5 What we don't do

  • We don't sell your data to third parties. Under any circumstances.
  • We don't share your data with advertisers or ad networks.
  • We don't use your data to train our own or third-party AI models.

9. International data transfers

Your data is primarily stored on servers located in the European Union (EU multi-region setting on Google Cloud).

When our providers process data from the United States, the transfer will be covered by the mechanisms valid at the relevant time, including adequacy decisions, adherence to the EU-US Data Privacy Framework when the provider is certified, Standard Contractual Clauses or other applicable safeguards.

If you access OQUEA from outside the European Economic Area, your data may be processed in the European Union, where our main systems are located. This transfer is necessary to provide you with the service you request when registering and using the Platform.

When applicable law requires additional safeguards, OQUEA will adopt the necessary measures depending on the country, type of processing and feature used, including, where appropriate, obtaining specific consent or applying adequate contractual safeguards.

10. What rights do you have?

As the data subject, the GDPR and Organic Law 3/2018 grant you the following rights:

  • Access: to know what data of yours we process and to obtain a copy.
  • Rectification: to correct inaccurate or incomplete data. Many changes can be made directly from your profile.
  • Erasure ("right to be forgotten"): to ask us to delete your data. The "Delete account" button in the app activates this right.
  • Restriction of processing: to ask us to freeze the use of your data in certain circumstances.
  • Portability: to receive your data in a structured, commonly used, machine-readable format, or to have us transmit it directly to another controller where technically feasible.
  • Objection: to object to processing based on legitimate interest.
  • Withdrawal of consent: if processing is based on your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.

When your request affects data processed by a Centre as an independent controller, OQUEA may give you the information needed to contact that Centre or, where appropriate, forward your request to it. However, each Centre is responsible for handling the rights that apply to the processing it performs under its own responsibility.

How to exercise them: send an email to support@oquea.com stating the right you wish to exercise and, where necessary, attaching a document evidencing your identity. We will reply within a maximum of one month from receipt of the request (extendable by up to two additional months for particularly complex requests, in which case we will let you know).

Complaints: if you consider that the processing of your data does not comply with applicable law, you may lodge a complaint with the competent supervisory authority:

  • In Spain, before the Spanish Data Protection Agency (AEPD): www.aepd.es.
  • If you reside in another EEA Member State, before your country's supervisory authority.
  • If you reside in another jurisdiction with its own data-protection authority, you may also reach out to it.

Before filing a complaint, we would appreciate it if you raised the matter with us first (support@oquea.com) so we can try to resolve it directly.

11. Automated decisions and artificial intelligence

Currently we do not make decisions based solely on automated processing that produce legal effects on you or similarly significantly affect you. If we incorporate recommendation systems, scoring, AI or automation with relevant effects in the future, we will update this policy and inform you specifically.

If we introduce features based on artificial intelligence, conversational assistants or personalised recommendation systems in the future, we will update this policy before activating them and explain what data is processed, for what purpose, under what legal basis and what control options the User will have.

12. Minors

OQUEA is exclusively for adults.

  • If you are a minor under applicable law, you must not register with OQUEA.
  • At registration we verify legal age.
  • If we detect that an account belongs to a minor, we will delete it.
  • If you are a parent or guardian of a minor who has registered without proper authorisation, write to support@oquea.com and we will delete the account immediately.

If we enable features for minors in the future, we will update this policy and put in place the parental authorisation, security and verification mechanisms that apply.

13. Data security

We apply reasonable technical and organisational measures to protect your information, in particular:

  • Encryption in transit (HTTPS/TLS) on all communications between your device and our servers.
  • Encryption at rest for data stored on Firebase.
  • Firestore and Storage security rules that limit, at server level, what each user can read or write.
  • Robust authentication with email magic links or federated sign-in with Google.
  • Internal access controls based on the principle of least privilege.
  • Backups managed by our infrastructure provider.

If a security breach affects personal data, OQUEA will assess its scope and risk. When it is likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority as required by the GDPR. When the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay.

14. Cookies and similar technologies

You can find the full detail in our cookies and similar technologies policy. OQUEA currently only uses strictly necessary technologies for Platform operation and user-chosen preferences, with no analytics, advertising or tracking.

15. Changes to this policy

The current version of this Policy will be the one published at this URL at each time. When we introduce substantial changes, we will inform you prominently (for example, by email or in-app message).

If a change requires your consent, we will not apply that processing until you have validly given it.

16. How to contact us

  • Email: support@oquea.com
  • Postal address: OQUEA TECHNOLOGIES, S.L., Avenida Diego Fernández de Mendoza 11, 3º B, 29006 Málaga, Spain.