Privacy Policy
Effective date: May 16, 2026
Who we are
Reef is a scuba diving logbook app developed by Anton Usov (individual developer, Austria). We are committed to protecting your privacy and being transparent about what data we collect.
Contact: support@reeflogbook.app
What data we collect
Authentication
You can use Reef anonymously (guest account) or create an account using email/password, Apple Sign In, or Google Sign In. Authentication is handled by Supabase Auth. We store only the minimum information needed to authenticate you (email address, auth provider ID).
Dive data
Your dives, gear items, certifications, dive sites, and settings are stored in a Supabase Postgres database and synced to your device via PowerSync (offline-first SQLite). Your data is private and only accessible to you.
Photos
Dive photos are stored locally on your device first. If you have an account, photos are backed up to Supabase Storage (cloud). Photos are private — they are not shared with other users or made public.
Location
Reef only accesses your location when you explicitly choose to add a dive site location. We do not track your location in the background.
Crash reporting
We use Sentry for crash reporting and performance monitoring. Sentry receives anonymous device information and stack traces — no personal data, no dive data, no photos. Crash reporting is disabled in development builds.
Product analytics
We use PostHog (EU-hosted) for product analytics to understand how features are used and where the app can be improved. PostHog collects:
- Action events — e.g., "dive created", "paywall opened", "onboarding completed". We track feature usage, never the content of your dives, names, photos, or any personally identifiable information.
- Device metadata — OS, app version, device model, screen size, and locale. Collected automatically by the SDK for compatibility analysis.
- Pseudonymous profile properties — account type (guest/signed-in), subscription status, and diver experience level (if you selected one during onboarding). These are linked to a random device ID or, if you create an account, to your pseudonymous user ID (not your email).
Additionally, RevenueCat sends subscription lifecycle events (purchase, renewal, cancellation, billing issues) to PostHog server-side using the same pseudonymous user ID. This allows us to understand the full subscription funnel without collecting any payment details ourselves.
Analytics events are queued locally and sent when connectivity is available — they never block the app.
Purchases
Subscription purchases are processed by RevenueCat through Apple's App Store and Google Play. We never see or store your payment information (credit card, billing address). RevenueCat receives a pseudonymous user ID to manage your subscription status.
Marketing measurement
We use AppsFlyer to measure the performance of our marketing campaigns — for example, to understand which ad source or referral brought you to the app. AppsFlyer receives:
- Install identifier — an anonymous AppsFlyer install ID and your device's vendor identifier (IDFV), so we can attribute your install to the campaign that drove it.
- Anonymous device metadata — OS, app version, device model, and IP address (used for country-level geo only).
- Subscription events — purchase, renewal, and refund events forwarded from RevenueCat (product, amount, currency) so we can measure campaign return on investment.
We do not show the App Tracking Transparency (ATT) prompt and do not collect your IDFA (advertising identifier). On iOS, install attribution relies on Apple's privacy-preserving SKAdNetwork (aggregated, anonymous reports). On Android, attribution uses Google Play Install Referrer.
Legal basis (GDPR): we rely on legitimate interest (Art. 6(1)(f) GDPR) for aggregated marketing measurement. AppsFlyer Ltd. acts as our data processor under a Data Processing Agreement.
Your choices: you can object to this processing at any time by emailing support@reeflogbook.app. You can also opt out directly via AppsFlyer's opt-out page, and control device-level advertising preferences in iOS Settings → Privacy & Security → Apple Advertising (or Android Settings → Privacy → Ads). See AppsFlyer's privacy policy for full details.
What we do NOT do
- We do not sell your data to anyone.
- We do not show in-app ads.
- We do not use cross-app advertising tracking — we don't show the App Tracking Transparency prompt and don't collect your IDFA. We use AppsFlyer only to measure which marketing channels drive installs and subscriptions.
- We do not share your data with third parties except the service providers listed above (Supabase, PowerSync, Sentry, PostHog, RevenueCat, AppsFlyer), which are strictly necessary to operate the app.
Legal basis for processing (GDPR)
We process your data under the following legal bases:
- Contract performance (Art. 6(1)(b) GDPR) — for providing the app's core functionality: storing your dives, syncing data, managing your account and subscription.
- Legitimate interest (Art. 6(1)(f) GDPR) — for product analytics (PostHog), crash reporting (Sentry), and marketing campaign measurement (AppsFlyer). Our legitimate interest is to improve app quality, fix bugs, and understand which marketing channels drive installs. We minimize the data collected, never track personal content, and do not use IDFA / cross-app tracking. You can object to any of this processing by emailing support@reeflogbook.app; AppsFlyer also provides a direct opt-out at appsflyer.com/optout.
Service providers
We use the following third-party services, all hosted in the EU or with EU data processing:
| Provider | Purpose | Data received |
|---|---|---|
| Supabase (EU) | Database, auth, file storage | Account credentials, dive data, photos |
| PowerSync (EU) | Offline-first sync | Dive data (encrypted in transit) |
| PostHog (EU) | Product analytics | Anonymous events, device metadata, pseudonymous ID |
| Sentry (EU) | Crash reporting | Stack traces, device info, pseudonymous ID |
| RevenueCat | Subscription management | Pseudonymous user ID, purchase receipts (from App Store/Google Play) |
| AppsFlyer | Marketing campaign measurement | Anonymous install ID, IDFV, IP (country only), subscription events |
Data storage and security
Your dive data is stored in Supabase (hosted on AWS in the EU). Analytics data is stored in PostHog (EU). Crash reports are stored in Sentry (EU). All communication between the app and our servers is encrypted via TLS. Database access is protected by Row Level Security (RLS) — each user can only access their own data.
Data retention
Your dive data is kept for as long as your account exists. When you delete your account, all associated data is permanently removed from our servers.
Analytics data in PostHog is retained for up to 1 year for aggregate insights, after which it is automatically deleted. Crash reports in Sentry are retained for 90 days.
Your rights
You have the right to:
- Export your data — available in Settings > Sync & Data > Export. Downloads all your data as JSON.
- Delete your account — available in Settings > About > Delete Account. This permanently removes your account and all associated data from our servers.
- Contact us — for any privacy-related requests, email support@reeflogbook.app.
Children's privacy
Reef is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us data, please contact us and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. For significant changes, we will notify users within the app.
Contact
Anton Usov
Email: support@reeflogbook.app
Website: reeflogbook.app