Privacy policy

Last updated: 10 May 2026 · Version 1.0

1. Who we are

OQUEA TECHNOLOGIES, S.L. (hereinafter, "OQUEA" or "we") is the entity responsible for the processing of your personal data when you use OQUEA: our web and mobile platform for people who practise water sports —starting with scuba diving, freediving and snorkelling— and the centres that organise activities in the water.

Legal name: OQUEA TECHNOLOGIES, S.L.
Tax ID (CIF): B-26904193
Registered office: Avenida Diego Fernández de Mendoza, 11, 3º B, 29006 Málaga, Spain
Registry: Commercial Registry of Málaga, Sheet MA-197468, 1st entry
Contact email: support@oquea.com

The technical development and maintenance of the platform are handled by APPXPERT SOLUTIONS, S.L. (Tax ID B56200264, Calle Alejandro Dumas 17, 29004 Málaga), which acts as a data processor under our instructions and a data-processing agreement compliant with article 28 of the General Data Protection Regulation.

We are not legally required to appoint a Data Protection Officer at this time (article 37 GDPR), but you can reach us with any question related to your data at support@oquea.com.

2. What data we process

We process different categories of data depending on how you use the platform. We explain them in blocks below.

2.1 If you create a user account (diver or water-sports enthusiast)

Data you provide when registering:

  • First and last name.
  • Unique username.
  • Email address.
  • Date of birth.
  • Gender (including the option "Prefer not to say").
  • Country of residence.
  • Declared diving level or experience (qualification, certifications, training agency).

Optional data you can add:

  • Profile photo.
  • Bio or short description.
  • Phone number.
  • Language and interests (diving goals).
  • Equipment sizing (shoe, wetsuit) so the centre can prepare your gear.
  • Diving insurance details (provider, policy number, expiry date).
  • Diving experience prior to OQUEA (years diving, number of previous dives, maximum depth reached, etc.).

Activity data generated when you use the platform:

  • Your dive logbook: date, duration, depth reached, water temperature, equipment used, gas mix, dive description, photos you upload, subjective rating of the experience and marine life observed.
  • Photos you upload to shared activity albums.
  • Centres you follow.
  • Aggregated statistics of your activity (total number of dives, etc.).

Technical data:

  • Internal identifier (UID assigned by Firebase Authentication).
  • Authentication method used (email magic link or sign-in with Google).
  • Email verification status.
  • Date of last sign-in.
  • Unit preferences (metres/feet, bar/psi, Celsius/Fahrenheit) and notification preferences.

2.2 If you register as a dive centre

We process the centre's data as an entity —name, address, phone, email, website, social profiles, training agency, languages, default operational values, photos, logo and, optionally, tax ID—. The Firebase identifiers of people with owner, administrator or staff permissions are linked to the centre to manage access.

If the centre is run by a sole trader, part of that information may be considered personal data and is processed under this policy.

2.3 If you take part in an activity by scanning a centre's QR

When you scan a dive centre's QR code to log a dive:

  • An entry is created in your personal logbook with the dive data and a snapshot of the centre and dive site information at that moment.
  • Your name, last name, username, profile photo and diving level are added to the participants list of that activity, visible to other people registered on OQUEA.
  • The same data is added to the centre's internal CRM so the centre can keep a history of the people who have dived with them.

It is important you understand this clearly: by scanning the QR, you are actively sharing that information with the centre. It is the foundation of how the service works. We also explain it in the QR-flow screen before you confirm.

2.4 Anthropometric and health data (not currently applicable)

We have designed the platform so that, in a future version, you may optionally share anthropometric data (weight, height) and a pre-dive medical questionnaire.

As of today, neither of these features is active. When we activate them:

  • We will ask for an explicit, separate consent distinct from the general account consent, in accordance with article 9.2.a) of the GDPR.
  • We will update this policy with all details before starting to collect that information.
  • You will be able to revoke consent at any time from your profile, which will result in the immediate deletion of the data.

We have reserved section 11 of this policy for this category of data.

2.5 Data we do not collect

  • We do not process payment data. OQUEA does not process financial transactions at the time this policy is written. If we do in the future, it will be done through a specialist provider and this policy will be updated.
  • We do not process biometric identification data. Photos you upload are not processed via facial recognition and are not used to identify individuals.
  • We do not record your real-time location. The geographic coordinates that appear on the platform refer to centres and dive sites, not to your position.

3. What we use your data for and the legal basis

Each processing operation has a specific purpose and a legal basis that legitimises it. We present it as a table:

Why we process the data | Legal basis
Create and maintain your account, authenticate you, manage your profile. | Performance of the contract (the Terms of Use you accept when registering).
Allow you to log your dives and join activities at centres by scanning the QR. | Performance of the contract.
Share your basic data with the centre when you scan its QR (centre CRM and participants list). | Performance of the contract. It is the functionality you request when scanning.
Display your public profile (name, username, photo, bio, level, counters) to other authenticated OQUEA users. | Performance of the contract.
Send you the magic sign-in link, security alerts and other essential operational communications. | Performance of the contract.
Send you commercial or promotional communications (news, flash offers, recommendations). | Your consent, which you can withdraw at any time from your profile.
Improve the platform, detect errors, prevent fraud and abuse, and safeguard information security. | Legitimate interest.
Keep the account during a 30-day grace period after deletion request, in case you decide to recover it. | Legitimate interest and, where applicable, legal obligation.
Comply with legal obligations (respond to authorities' requests, keep consent records, etc.). | Legal obligation.
Equipment-sizing data (equipmentSizing) and prior experience (priorExperience). | Your consent, given when voluntarily filling those fields during onboarding. You can withdraw it by deleting the information from your profile.
Anthropometric data and medical form, when activated. | Explicit consent under article 9.2.a) of the GDPR.

4. How long we keep your data

Information | Retention period
Active account | While the account exists and you do not delete it.
Account deleted by you | 30 calendar days (grace period to recover it). After that, definitive deletion of your personal data from our systems, except for what we are legally obliged to retain.
Your dive logbook, private photos and associated data | Until the definitive deletion of the account.
Shared album of an activity (photos uploaded by participants) | 30 days from the activity date. After that, automatic deletion.
Follow data (centres you follow) | Until the definitive deletion of the account or until you stop following the centre.
Dive centre data in its CRM (when you have dived with them) | For the duration of the relationship with the centre. If you delete your OQUEA account, your data is also removed from the centre CRM within 30 days.
Consent records | For the lifetime of the consent plus the limitation period of any legal actions that could arise, as required by the AEPD to evidence consent.
Documentation with tax or accounting relevance (when it exists) | 6 years, in accordance with the Spanish Commercial Code.
Security and authentication logs | According to the Google/Firebase policy for the underlying services (typically between 90 days and 1 year).

Once the applicable period has elapsed, the data is deleted or irreversibly anonymised.

5. Who we share your data with

5.1 Other OQUEA users

Part of your profile is visible to anyone authenticated on OQUEA:

  • First and last name.
  • Username.
  • Profile photo.
  • Bio.
  • Declared diving level.
  • Counters (total number of dives, followers, following).
  • Certifications you have declared.
  • Your participation in a centre's activity (if you have scanned the QR).
  • Photos you upload to the shared album of an activity (while the album lasts, up to 30 days).

The rest of the information (email, phone, date of birth, dive logbook, insurance, sizing data and, in the future, anthropometric and medical data) is private.

5.2 Dive centres

When you scan a centre's QR, the data described in section 2.3 is transferred to the centre, which then becomes data controller over that information for its own purposes (commercial management, customer follow-up, loyalty). Each centre must have its own privacy policy, which we recommend you consult.

For medical and anthropometric data (when activated), centres will only be able to access them if you expressly consent on a centre-by-centre basis.

5.3 Data processors (providers that process data on OQUEA's behalf)

Provider | Service | Location
Google Ireland Limited (Firebase services from Google Cloud) | Authentication, database, image and video storage, web hosting, cloud functions and push notifications | Data stored in European multi-region. Administrative access from the United States by Google LLC, covered by the EU-U.S. Data Privacy Framework.
Twilio Inc. / SendGrid | Sending of transactional emails (magic sign-in link, operational notifications) | United States, covered by the EU-U.S. Data Privacy Framework.
APPXPERT SOLUTIONS, S.L. | Development, maintenance and technical support of the platform | Spain

All these providers have a corresponding data-processing agreement signed with OQUEA, in accordance with article 28 of the GDPR.

5.4 Authorities

We will share your data with public authorities, judges and courts only when required by a law of statutory rank or when there is a formal, properly reasoned request.

5.5 What we do NOT do

  • We do not sell your data to third parties. Under no circumstances.
  • We do not transfer your data to advertisers or to ad networks.
  • We do not use your data to train artificial-intelligence models of our own or of third parties.

6. International transfers of data

Your data is stored mainly on servers located in the European Union (Google Cloud's European multi-region configuration).

6.1 If you reside in the European Economic Area

There are two circumstances in which your data may be accessed or processed from the United States:

  1. Administrative access by Google LLC to the Firebase services, on an occasional basis and for technical support and security tasks.
  2. Sending of transactional emails through Twilio/SendGrid.

In both cases, the transfer is covered by the EU-U.S. Data Privacy Framework (Adequacy Decision of the European Commission of 10 July 2023) and, on a subsidiary basis, by the Standard Contractual Clauses approved by the European Commission.

6.2 If you reside outside the European Economic Area (for example, in Latin America)

For you to use OQUEA, your data travels from your country of residence to our servers in the European Union. This international transfer is necessary for the performance of the service you request when registering. The legal basis of this transfer can be found, depending on your country, in:

  • Article 49.1.b) of Regulation (EU) 2016/679 (GDPR), applicable as origin reference.
  • Article 33, II and IX, of the Brazilian General Data Protection Law (LGPD).
  • Article 36 of the Mexican Federal Law on the Protection of Personal Data Held by Private Parties.
  • Article 26 of Colombian Statutory Law 1581/2012.
  • Article 12 of Chilean Law 19.628.
  • Article 15 of Argentine Law 25.326.

We apply the GDPR protection regime to your data regardless of your country of residence. The European Union offers a level of personal data protection equivalent to or higher than that required by most Latin American legislations.

If your country's legislation requires additional safeguards for international transfer (for example, specific informed consent), we understand that your voluntary registration on the platform, after having had access to this Policy, constitutes such consent.

7. Your rights

As a data subject, the GDPR and Spanish Organic Law 3/2018 grant you the following rights:

  • Access: know what data of yours we process and obtain a copy.
  • Rectification: correct inaccurate or incomplete data. You can make many changes directly from your profile.
  • Erasure ("right to be forgotten"): ask us to delete your data. There is a "Delete account" button in the application that triggers this right.
  • Restriction of processing: ask us to freeze the use of your data in certain circumstances.
  • Portability: receive your data in a structured, commonly used and machine-readable format, or have us transmit it directly to another controller when technically possible.
  • Objection: object to processing based on legitimate interest.
  • Withdrawal of consent: if processing is based on your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
  • Not to be subject to individual automated decisions: we currently do not make decisions producing legal effects on you based solely on automated processing.

How to exercise them: send us an email to support@oquea.com indicating which right you want to exercise and, where necessary, attaching a document that proves your identity. We will respond within a maximum of one month from the receipt of the request (extendable by up to two additional months if the request is particularly complex, in which case we will let you know).

Complaints: if you consider that the processing of your data is not in accordance with applicable regulations, you can lodge a complaint with the competent supervisory authority:

  • In Spain, and primarily because OQUEA is established on Spanish territory, with the Spanish Data Protection Agency (AEPD): www.aepd.es.
  • If you reside in another Member State of the European Economic Area, with the supervisory authority of your country.
  • If you reside in Latin America or another jurisdiction with its own data-protection authority, you can also approach it. As a guideline: ANPD (Brazil), AAIP (Argentina), INAI (Mexico), Superintendence of Industry and Commerce (Colombia), Council for Transparency (Chile), National Authority for Personal Data Protection (Peru).

Before lodging a complaint, we would appreciate you raising it with us (support@oquea.com) so we can try to resolve it directly.

8. Minors

OQUEA is exclusively aimed at people who have reached the age of majority according to the legislation of their country of residence (generally, 18 years old).

  • If you are a minor under the legislation that applies to you, you should not register on OQUEA.
  • At registration we validate the age of majority based on the date of birth you provide.
  • If we detect that an account corresponds to a minor, we will proceed with its deletion.
  • If you are a parent or guardian of a minor who has registered on OQUEA without due authorisation, write to us at support@oquea.com and we will delete the account immediately.

This policy allows us to offer a homogeneous service in all jurisdictions where OQUEA operates and to avoid the complexities —and the risks for the minors themselves— of managing parental consents in very diverse legal frameworks.

9. Security of your data

We apply reasonable technical and organisational measures to protect your information, in particular:

  • Encryption in transit (HTTPS/TLS) for all communications between your device and our servers.
  • Encryption at rest for data stored in Firebase.
  • Firestore and Storage security rules that limit, at server level, what data each user can read or write.
  • Robust authentication with email magic links or federated sign-in with Google.
  • Internal access control following the principle of least privilege.
  • Backups managed by our infrastructure provider.

No system is invulnerable. If a security incident occurs that compromises your personal data and entails a high risk to your rights, we will notify you without undue delay and notify the AEPD as required by articles 33 and 34 of the GDPR.

10. Cookies and similar technologies

OQUEA only uses strictly necessary technical local storage for the operation of the platform:

  • Firebase Authentication session storage (IndexedDB and, depending on the browser, cookies) to keep you signed in while connected.
  • Local storage of preferences (language, units) so you do not have to set them every visit.

These technologies are exempt from the duty to obtain your consent in accordance with article 22.2 of Spanish Law 34/2002 (LSSI) and the AEPD Cookie Guide, as they are technical and necessary for the provision of the service you request.

We do not use analytics, advertising or third-party tracking cookies. If we decide in the future to add measurement or analytics tools (for example, Firebase Analytics), we will update this policy, show an informational banner and, where appropriate, obtain your prior consent. You can find the details in our cookie policy.

11. Health and anthropometric data (reserved section — not applicable to this version)

This section is deliberately empty in version 1.0 of the policy because, as of today, OQUEA does not collect or process anthropometric data (weight, height) or medical data (pre-dive health questionnaire).

When these features are activated, this section will include, at a minimum:

  • Specific categories of data processed.
  • Legal basis: explicit consent under article 9.2.a) of the GDPR.
  • Separate consent mechanism, distinct from the general account consent.
  • How to revoke the consent and the consequences of revocation.
  • Specific retention period.
  • Centres with access (only those you have expressly authorised).
  • Audit log of every access by the centre.

We will inform you of the change before it comes into force and no data of this category will be collected until you give consent.

12. Changes to this policy

We may update this Privacy Policy when services, providers, regulations or our practices change. When we do:

  • We will publish the new version at this same URL, indicating the update date at the top.
  • We will keep a version history available on request.
  • If the changes are substantial (for example, a new processing purpose, a new provider with international transfer, or the activation of medical data), we will notify you by email or via a prominent message in the application.

Your continued use of OQUEA after a modification implies that you accept the new version, except for changes that require renewed express consent, in which case we will request it before they come into force.

13. How to contact us

For any query, suggestion or exercise of rights related to this policy:

  • Email: support@oquea.com
  • Postal address: OQUEA TECHNOLOGIES, S.L., Avenida Diego Fernández de Mendoza 11, 3º B, 29006 Málaga, Spain.