How MBAR Millibar Technologies UG (haftungsbeschränkt) processes your personal data
MBAR Millibar Technologies UG (haftungsbeschränkt)
Germany
Email: privacy@millibar.io
This policy explains how we collect, use, and protect personal data in connection with the Millibar platform available at millibar.io and its subdomains. We process personal data in compliance with Regulation (EU) 2016/679 (GDPR) and applicable national data protection law.
We treat user data (registered divers and their profiles) and directory data (dive center listings) as separate processing activities, each described in its own section below.
Account and profile data is retained for as long as your account is active. Upon account deletion, your profile and associated content are deleted within 30 days, except where retention is required by law or by a legitimate operational need (e.g. records of completed transactions). Dive logs and certification data you have uploaded are deleted on request or upon account deletion.
You may request deletion of your account at any time by contacting privacy@millibar.io. We will process your request within one month.
Certain features of the platform — such as dive medical declarations or health-related information required by a dive center as part of a check-in process — may involve the collection of special-category personal data within the meaning of Art. 9 GDPR.
Medical declarations, health conditions, or other health-related information you choose to provide or that a dive center requires as part of a safety assessment before a dive activity.
This data is collected solely for the purpose of facilitating safe diving activity as required by the dive center or applicable safety guidelines. Legal basis: explicit consent (Art. 9(2)(a) GDPR). You will be asked to give explicit consent before any medical or health data is collected.
You may withdraw your consent at any time by contacting privacy@millibar.io. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. However, if you withdraw consent, certain safety-related services offered through dive centers may no longer be available to you.
Medical and health data is stored with access restricted to authorised personnel only and is kept separate from general account data. It is retained only for as long as necessary to fulfil the purpose for which it was collected and is deleted upon account deletion or earlier upon your request.
Millibar maintains a public directory of dive centers. Each listing may include the business name, address, phone number, email, website, social media profiles, location coordinates, services offered, agency affiliations, and, where applicable, the name or contact details of identifiable owners or representatives.
Directory information is compiled from publicly available sources, including: official business websites, public registers, map services (such as Google Maps), social media platforms, diving industry directories, information submitted by dive centers themselves, and information provided by registered users.
The Directory is operated to help divers find and connect with dive operators. Where directory listings include personal data relating to identifiable individuals (such as an owner or representative), the legal basis for processing is legitimate interests (Art. 6(1)(f) GDPR): specifically, the operation of an informational directory that supports the diving community and enables divers to make informed choices.
If your personal data (for example your name as a dive center owner or representative) has been included in the Directory without being provided directly by you, you have the right to receive information about this processing under Art. 14 GDPR. You may contact us at privacy@millibar.io to obtain details of the data held, its source, and the purposes for which it is processed.
Authorized representatives of a dive center may contact us at privacy@millibar.io to:
We will respond to such requests within one month. Removal requests are assessed on a case-by-case basis and will be processed where we cannot demonstrate compelling legitimate grounds that override the individual's interests.
Certain dive centers are designated as Millibar Partners based on an active collaboration agreement. Partners may receive increased visibility in the Directory. Partner status does not constitute a quality, safety, or certification mark. Claiming a listing is separate from and does not automatically confer Partner status.
We send different types of email communications, each with a distinct legal basis.
Emails necessary to deliver the Service — including account verification, password reset, security alerts, check-in confirmations, document signing requests, and responses to your enquiries. Legal basis: performance of a contract (Art. 6(1)(b) GDPR). These emails cannot be opted out of while your account is active.
Emails informing you of significant changes to the platform, updates to these policies, and information about new or changed services available through Millibar. Legal basis: legitimate interests (Art. 6(1)(f) GDPR). Data used: name, email address, registration date, associated dive center, platform activity.
Occasional invitations to participate in satisfaction surveys or other forms of product research. Participation is entirely optional. Declining has no effect on your access to the Service. Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — improving the quality and relevance of the Service based on user feedback.
Survey responses are retained for a maximum of 24 months from submission, then deleted or permanently anonymised. You may object to receiving survey invitations at any time, free of charge, by contacting privacy@millibar.io or following the opt-out link in any survey email. Objection preferences are retained for the life of your account.
Occasional invitations to participate in qualitative user interviews to inform product development. Participation requires your explicit, affirmative response. No interview will take place without your agreement. Legal basis: consent (Art. 6(1)(a) GDPR).
Interview preferences are retained for a maximum of 24 months from the date of last contact, then deleted. You may object to receiving interview requests at any time by contacting privacy@millibar.io.
All emails are delivered via Postmark (Wildbit LLC, a Fastmail company), which acts as a Data Processor. Email interactions — including delivery confirmation, message opens, and link clicks — may be recorded by Postmark and made available to us for the purpose of monitoring deliverability and communication effectiveness. Personal data processed: email address; message metadata (delivery status, open events, link-click events). Postmark Privacy Policy
We use the following third-party service providers ("Processors") to operate the platform. Each Processor is bound by a data processing agreement and may only process personal data in accordance with our instructions.
Hetzner Online GmbH — Hosting and infrastructure
Provides servers, cloud infrastructure, and database hosting for the platform. Data categories: all personal data stored on the platform. Location: Germany / EU. No international transfer. Privacy Policy
Postmark (Wildbit LLC / Fastmail) — Email delivery
Transactional and service email delivery. Data categories: email address, message metadata, interaction events. Location: United States. Transfers are covered by Standard Contractual Clauses (SCCs). Privacy Policy
Google — Map services and authentication
Google Maps Platform is used for the dive center map and location data. Google OAuth is available as an optional sign-in method. Data categories: location queries, authentication tokens. Location: United States / global. Transfers are covered by SCCs. Privacy Policy
GitHub — Authentication
GitHub OAuth is available as an optional sign-in method. Data categories: GitHub profile information (username, email) provided at sign-in. Location: United States. Transfers are covered by SCCs. Privacy Policy
Anthropic — AI features
Powers AI-assisted features on the platform. Data submitted to AI features is processed solely to deliver the requested output and is not used to train Anthropic's models under our API agreement. Location: United States. Transfers are covered by SCCs. Privacy Policy
An up-to-date list of Processors may be requested at any time by contacting privacy@millibar.io.
Under the GDPR you have the following rights in relation to your personal data:
Submit your request to privacy@millibar.io. All requests are free of charge. We will respond within one month. Where a request is complex or numerous, we may extend this period by a further two months, of which we will inform you.
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration, including encrypted data transmission (TLS), hashed password storage, and restricted access controls. However, no method of transmission over the internet or electronic storage is completely secure.
The platform uses cookies and similar tracking technologies necessary for authentication, session management, and security. We do not use third-party advertising or tracking cookies. By using the platform you consent to the use of strictly necessary cookies.
We may update this Privacy Policy from time to time. Where changes are material — particularly where they affect the legal basis for processing or introduce new categories of data — we will notify registered users by email and/or through the platform before the changes take effect, and will obtain renewed consent where legally required.
We recommend checking this page periodically. The date of the most recent update is shown below.
Latest update: 21 June 2026
For privacy enquiries and data-subject requests, please contact us at
privacy@millibar.io.
All requests are free of charge and will be answered within one month.
Note: This policy has been prepared in good faith to reflect current practices. It is recommended
that it receives legal review before being treated as final.
2026 © Millibar Technologies - All Rights Reserved