Privacy Policy

How MBAR Millibar Technologies UG (haftungsbeschränkt) processes your personal data

Data Controller

MBAR Millibar Technologies UG (haftungsbeschränkt)
Germany
Email: privacy@millibar.io

This policy explains how we collect, use, and protect personal data in connection with the Millibar platform available at millibar.io and its subdomains. We process personal data in compliance with Regulation (EU) 2016/679 (GDPR) and applicable national data protection law.

We treat user data (registered divers and their profiles) and directory data (dive center listings) as separate processing activities, each described in its own section below.


1. Registered Users and Diver Profiles

Data collected

  • Account and contact information: name, email address, username, password (hashed), registration date.
  • Profile details: country, preferred language, diving experience level, preferences.
  • Certifications: agency, level, certification number, date, uploaded certification card images.
  • Documents: signed waivers, declarations, and other documents managed through the platform.
  • Dive logs: dive date, location, depth, duration, equipment notes, and other dive-specific data you choose to record.
  • Insurance information: insurer, policy number, expiry date.
  • Platform activity: check-in and check-out records, requests, bookings, associated dive center.

Purposes and legal bases

Account creation and authentication — to identify you and provide access to the platform. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Diver profile and service delivery — to enable you to manage your certifications, dive logs, documents, and bookings, and to connect you with dive centers. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Platform improvement and security — to monitor and maintain the integrity and performance of the Service. Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
Legal compliance — to meet statutory obligations. Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR).

Retention

Account and profile data is retained for as long as your account is active. Upon account deletion, your profile and associated content are deleted within 30 days, except where retention is required by law or by a legitimate operational need (e.g. records of completed transactions). Dive logs and certification data you have uploaded are deleted on request or upon account deletion.

Account deletion

You may request deletion of your account at any time by contacting privacy@millibar.io. We will process your request within one month.


2. Medical and Special-Category Data

Certain features of the platform — such as dive medical declarations or health-related information required by a dive center as part of a check-in process — may involve the collection of special-category personal data within the meaning of Art. 9 GDPR.

Data collected

Medical declarations, health conditions, or other health-related information you choose to provide or that a dive center requires as part of a safety assessment before a dive activity.

Purpose and legal basis

This data is collected solely for the purpose of facilitating safe diving activity as required by the dive center or applicable safety guidelines. Legal basis: explicit consent (Art. 9(2)(a) GDPR). You will be asked to give explicit consent before any medical or health data is collected.

Consent withdrawal

You may withdraw your consent at any time by contacting privacy@millibar.io. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. However, if you withdraw consent, certain safety-related services offered through dive centers may no longer be available to you.

Access, security, and retention

Medical and health data is stored with access restricted to authorised personnel only and is kept separate from general account data. It is retained only for as long as necessary to fulfil the purpose for which it was collected and is deleted upon account deletion or earlier upon your request.


3. Dive Center Directory

Data in the Directory

Millibar maintains a public directory of dive centers. Each listing may include the business name, address, phone number, email, website, social media profiles, location coordinates, services offered, agency affiliations, and, where applicable, the name or contact details of identifiable owners or representatives.

Sources

Directory information is compiled from publicly available sources, including: official business websites, public registers, map services (such as Google Maps), social media platforms, diving industry directories, information submitted by dive centers themselves, and information provided by registered users.

Purposes and legal basis

The Directory is operated to help divers find and connect with dive operators. Where directory listings include personal data relating to identifiable individuals (such as an owner or representative), the legal basis for processing is legitimate interests (Art. 6(1)(f) GDPR): specifically, the operation of an informational directory that supports the diving community and enables divers to make informed choices.

Article 14 GDPR — information for individuals in the Directory

If your personal data (for example your name as a dive center owner or representative) has been included in the Directory without being provided directly by you, you have the right to receive information about this processing under Art. 14 GDPR. You may contact us at privacy@millibar.io to obtain details of the data held, its source, and the purposes for which it is processed.

Your rights regarding Directory listings

Authorized representatives of a dive center may contact us at privacy@millibar.io to:

  • Claim and take responsibility for their listing.
  • Request access to the personal data held about them in the Directory.
  • Request correction or update of inaccurate or outdated information.
  • Object to the processing of their personal data.
  • Request restriction of processing or removal of their listing from the Directory.

We will respond to such requests within one month. Removal requests are assessed on a case-by-case basis and will be processed where we cannot demonstrate compelling legitimate grounds that override the individual's interests.

Partner listings

Certain dive centers are designated as Millibar Partners based on an active collaboration agreement. Partners may receive increased visibility in the Directory. Partner status does not constitute a quality, safety, or certification mark. Claiming a listing is separate from and does not automatically confer Partner status.


4. Communications

We send different types of email communications, each with a distinct legal basis.

Transactional and service emails

Emails necessary to deliver the Service — including account verification, password reset, security alerts, check-in confirmations, document signing requests, and responses to your enquiries. Legal basis: performance of a contract (Art. 6(1)(b) GDPR). These emails cannot be opted out of while your account is active.

Platform updates and service information

Emails informing you of significant changes to the platform, updates to these policies, and information about new or changed services available through Millibar. Legal basis: legitimate interests (Art. 6(1)(f) GDPR). Data used: name, email address, registration date, associated dive center, platform activity.

User satisfaction surveys and product research

Occasional invitations to participate in satisfaction surveys or other forms of product research. Participation is entirely optional. Declining has no effect on your access to the Service. Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — improving the quality and relevance of the Service based on user feedback.

Survey responses are retained for a maximum of 24 months from submission, then deleted or permanently anonymised. You may object to receiving survey invitations at any time, free of charge, by contacting privacy@millibar.io or following the opt-out link in any survey email. Objection preferences are retained for the life of your account.

User interview invitations

Occasional invitations to participate in qualitative user interviews to inform product development. Participation requires your explicit, affirmative response. No interview will take place without your agreement. Legal basis: consent (Art. 6(1)(a) GDPR).

Interview preferences are retained for a maximum of 24 months from the date of last contact, then deleted. You may object to receiving interview requests at any time by contacting privacy@millibar.io.

Email delivery and interaction tracking

All emails are delivered via Postmark (Wildbit LLC, a Fastmail company), which acts as a Data Processor. Email interactions — including delivery confirmation, message opens, and link clicks — may be recorded by Postmark and made available to us for the purpose of monitoring deliverability and communication effectiveness. Personal data processed: email address; message metadata (delivery status, open events, link-click events). Postmark Privacy Policy


5. Service Providers and International Transfers

We use the following third-party service providers ("Processors") to operate the platform. Each Processor is bound by a data processing agreement and may only process personal data in accordance with our instructions.

Hetzner Online GmbH — Hosting and infrastructure

Provides servers, cloud infrastructure, and database hosting for the platform. Data categories: all personal data stored on the platform. Location: Germany / EU. No international transfer. Privacy Policy

Postmark (Wildbit LLC / Fastmail) — Email delivery

Transactional and service email delivery. Data categories: email address, message metadata, interaction events. Location: United States. Transfers are covered by Standard Contractual Clauses (SCCs). Privacy Policy

Google — Map services and authentication

Google Maps Platform is used for the dive center map and location data. Google OAuth is available as an optional sign-in method. Data categories: location queries, authentication tokens. Location: United States / global. Transfers are covered by SCCs. Privacy Policy

GitHub — Authentication

GitHub OAuth is available as an optional sign-in method. Data categories: GitHub profile information (username, email) provided at sign-in. Location: United States. Transfers are covered by SCCs. Privacy Policy

Anthropic — AI features

Powers AI-assisted features on the platform. Data submitted to AI features is processed solely to deliver the requested output and is not used to train Anthropic's models under our API agreement. Location: United States. Transfers are covered by SCCs. Privacy Policy

An up-to-date list of Processors may be requested at any time by contacting privacy@millibar.io.


6. Your Rights and How to Exercise Them

Under the GDPR you have the following rights in relation to your personal data:

  • Right of access (Art. 15) — to obtain a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — to have inaccurate data corrected or incomplete data completed.
  • Right to erasure (Art. 17) — to request deletion of your personal data where there is no compelling reason for its continued processing.
  • Right to restriction of processing (Art. 18) — to request that we limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20) — to receive your data in a structured, commonly used, machine-readable format and to have it transferred to another controller where technically feasible.
  • Right to object (Art. 21) — to object to processing based on legitimate interests or carried out for direct marketing purposes. Where you object to direct marketing, we will stop processing your data for that purpose without requiring justification.
  • Right to withdraw consent (Art. 7(3)) — where processing is based on consent, to withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint (Art. 77) — to bring a complaint before the competent supervisory authority. In Germany, the lead supervisory authority is the data protection authority of the state in which our registered office is located.

How to exercise your rights

Submit your request to privacy@millibar.io. All requests are free of charge. We will respond within one month. Where a request is complex or numerous, we may extend this period by a further two months, of which we will inform you.


7. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration, including encrypted data transmission (TLS), hashed password storage, and restricted access controls. However, no method of transmission over the internet or electronic storage is completely secure.


8. Cookies and Trackers

The platform uses cookies and similar tracking technologies necessary for authentication, session management, and security. We do not use third-party advertising or tracking cookies. By using the platform you consent to the use of strictly necessary cookies.


9. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material — particularly where they affect the legal basis for processing or introduce new categories of data — we will notify registered users by email and/or through the platform before the changes take effect, and will obtain renewed consent where legally required.

We recommend checking this page periodically. The date of the most recent update is shown below.


Definitions

Personal Data: Any information relating to an identified or identifiable natural person.
Special-Category Data: Personal data revealing health information, as defined in Art. 9 GDPR.
Data Subject: The natural person to whom Personal Data relates.
Data Controller: The entity that determines the purposes and means of processing Personal Data. In this context: MBAR Millibar Technologies UG (haftungsbeschränkt).
Data Processor: A natural or legal person that processes Personal Data on behalf of the Controller.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
Standard Contractual Clauses (SCCs): Standard data protection clauses adopted by the European Commission for the transfer of personal data to third countries, providing appropriate safeguards under Art. 46(2)(c) GDPR.

Latest update: 21 June 2026

For privacy enquiries and data-subject requests, please contact us at privacy@millibar.io. All requests are free of charge and will be answered within one month.
Note: This policy has been prepared in good faith to reflect current practices. It is recommended that it receives legal review before being treated as final.

2026 © Millibar Technologies - All Rights Reserved