Privacy Policy
Effective date: April 4, 2026
Who we are
Reef is a scuba diving logbook app developed by Anton Usov (individual developer, Austria). We are committed to protecting your privacy and being transparent about what data we collect.
Contact: [email protected]
What data we collect
Authentication
You can use Reef anonymously (guest account) or create an account using email/password, Apple Sign In, or Google Sign In. Authentication is handled by Supabase Auth. We store only the minimum information needed to authenticate you (email address, auth provider ID).
Dive data
Your dives, gear items, certifications, dive sites, and settings are stored in a Supabase Postgres database and synced to your device via PowerSync (offline-first SQLite). Your data is private and only accessible to you.
Photos
Dive photos are stored locally on your device first. If you have an account, photos are backed up to Supabase Storage (cloud). Photos are private — they are not shared with other users or made public.
Location
Reef only accesses your location when you explicitly choose to add a dive site location. We do not track your location in the background.
Crash reporting
We use Sentry for crash reporting and performance monitoring. Sentry receives anonymous device information and stack traces — no personal data, no dive data, no photos. Crash reporting is disabled in development builds.
Product analytics
We use PostHog (EU-hosted) for product analytics to understand how features are used and where the app can be improved. PostHog collects:
- Action events — e.g., "dive created", "paywall opened", "onboarding completed". We track feature usage, never the content of your dives, names, photos, or any personally identifiable information.
- Device metadata — OS, app version, device model, screen size, and locale. Collected automatically by the SDK for compatibility analysis.
- Pseudonymous profile properties — account type (guest/signed-in), subscription status, and diver experience level (if you selected one during onboarding). These are linked to a random device ID or, if you create an account, to your pseudonymous user ID (not your email).
Additionally, RevenueCat sends subscription lifecycle events (purchase, renewal, cancellation, billing issues) to PostHog server-side using the same pseudonymous user ID. This allows us to understand the full subscription funnel without collecting any payment details ourselves.
Analytics events are queued locally and sent when connectivity is available — they never block the app.
Purchases
Subscription purchases are processed by RevenueCat through Apple's App Store and Google Play. We never see or store your payment information (credit card, billing address). RevenueCat receives a pseudonymous user ID to manage your subscription status.
What we do NOT do
- We do not sell your data to anyone.
- We do not use advertising or ad trackers.
- We do not use advertising analytics (no Google Analytics, no Facebook Pixel).
- We do not share your data with third parties except the service providers listed above (Supabase, PowerSync, Sentry, PostHog, RevenueCat), which are strictly necessary to operate the app.
Legal basis for processing (GDPR)
We process your data under the following legal bases:
- Contract performance (Art. 6(1)(b) GDPR) — for providing the app's core functionality: storing your dives, syncing data, managing your account and subscription.
- Legitimate interest (Art. 6(1)(f) GDPR) — for product analytics (PostHog) and crash reporting (Sentry). Our legitimate interest is to improve app quality and fix bugs. We minimize the data collected and never track personal content. You can contact us to object to analytics processing.
Service providers
We use the following third-party services, all hosted in the EU or with EU data processing:
| Provider | Purpose | Data received |
|---|---|---|
| Supabase (EU) | Database, auth, file storage | Account credentials, dive data, photos |
| PowerSync (EU) | Offline-first sync | Dive data (encrypted in transit) |
| PostHog (EU) | Product analytics | Anonymous events, device metadata, pseudonymous ID |
| Sentry (EU) | Crash reporting | Stack traces, device info, pseudonymous ID |
| RevenueCat | Subscription management | Pseudonymous user ID, purchase receipts (from App Store/Google Play) |
Data storage and security
Your dive data is stored in Supabase (hosted on AWS in the EU). Analytics data is stored in PostHog (EU). Crash reports are stored in Sentry (EU). All communication between the app and our servers is encrypted via TLS. Database access is protected by Row Level Security (RLS) — each user can only access their own data.
Data retention
Your dive data is kept for as long as your account exists. When you delete your account, all associated data is permanently removed from our servers.
Analytics data in PostHog is retained for up to 1 year for aggregate insights, after which it is automatically deleted. Crash reports in Sentry are retained for 90 days.
Your rights
You have the right to:
- Export your data — available in Settings > Sync & Data > Export. Downloads all your data as JSON.
- Delete your account — available in Settings > About > Delete Account. This permanently removes your account and all associated data from our servers.
- Contact us — for any privacy-related requests, email [email protected].
Children's privacy
Reef is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us data, please contact us and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. For significant changes, we will notify users within the app.
Contact
Anton Usov
Email: [email protected]
Website: reeflogbook.app