Privacy Policy
Last updated: April 2026
1. Introduction
FreedivingFlow (Aleksei Barulin, OSVČ, Czech Republic) respects your privacy and processes personal data in accordance with the GDPR (EU General Data Protection Regulation).
2. Data We Process
- Contact & identity: name, email, phone; for the student area — magic link and/or Google sign-in (when enabled).
- Bookings & courses: selected course and session, dates, party size, booking notes, contact preferences, optional equipment rental; payment history for accounting.
- Student cabinet: theory and exercise progress, test scores, achievements, personal bests, fin/wetsuit sizes if provided, access to materials and videos, instructor notes on sessions; a concise history of AIDA course runs (including training snapshots when a past session is removed from the schedule — see section 5).
- Electronic waiver & health declaration: health questionnaire answers, signature image, signer name, IP address at signing time, document language; after signing we generate a PDF of the full document and store it in secure object storage (Cloudflare R2), while a database record remains for the website to function.
- Dry Training Pro: session history (box, glottis, program), progression, hold results; optional pulse and SpO₂ after glottis (only if you enter them); subscription billing via Stripe (we do not store full card numbers).
- Payments: processed through Stripe; we do not store full card numbers on our servers.
3. Purposes of Processing
- Contract performance (booking, payment, delivering the course).
- Providing the student area, materials, and progress tracking.
- Legal obligations: accounting and tax records; retention of signed waivers, health declarations, and theory-test archives for at least 7 years from the document date (liability limitation and evidence).
- Communicating with you about the course and safety.
- Service improvement and security (including error logs).
4. Legal Basis
- Contract: bookings, payments, cabinet and course materials.
- Legitimate interests: security, fraud prevention, product improvement.
- Legal obligation: accounting records and retention of waivers/tests as required or reasonably expected for a Czech sole trader.
- Consent: marketing emails (if you opt in separately); optional pulse/SpO₂ in Dry Training; analytics cookies and advertising pixels — only after you accept the cookie banner (see section 8).
5. Retention
Signed waivers (including the health declaration and liability waiver as part of the PDF) and archived theory-exam submissions are kept for at least 7 years from signing / test completion — in the database and in a **dedicated** private Cloudflare R2 bucket for legal records (`R2_LEGAL_BUCKET_NAME`; not mixed with the video bucket). The waiver PDF is uploaded there after signing; a PDF of each exam submission (questions, answers, candidate signature — no grading) is stored on each test submission or retake.
Financial records (including payment history) are kept for the periods required by Czech law for accounting and tax (often several years or more; confirm with your accountant).
Other personal data (contacts, bookings without a separate legal archive) are generally retained for up to 3 years after the last interaction unless a longer period is required by law or overlaps the categories above. Training history in the cabinet (including denormalised course-run snapshots) is kept while the student account exists and is removed when the account is deleted (cascade), except where we must or may retain data longer (for example accounting records and the 7-year waiver/test archive).
Dry Training Pro: safety and subscription rules — dedicated page.
6. Your Rights (GDPR)
- Right of access
- Right to rectification
- Right to erasure — with limits: we cannot erase data we must retain by law (accounting, 7-year waiver and test archives).
- Right to restrict processing
- Right to data portability (where applicable)
- Right to object (where applicable)
7. Processors & Third Parties
Data may be shared (only as needed for the service) with:
- Stripe — payments
- Cloudflare R2 — object storage: a dedicated private bucket for legal archives (waiver PDFs, theory-exam submission PDFs — `R2_LEGAL_BUCKET_NAME`); other buckets are used for course videos/media, mail attachments, etc.
- Vercel — application hosting
- Resend (or another SMTP provider) — transactional and service email
- Google — optional Google sign-in for the student area (OAuth).
- Meta (Facebook) — pixel and server-side conversion events on purchase — only after cookie-banner consent.
- Google Analytics — only after cookie-banner consent.
- Telegram — operational admin alerts (not bulk messaging to customers).
8. Cookies & Analytics
We use strictly necessary cookies for the site to work (student session, language, admin session). Analytics (Google Analytics) and Meta’s measurement/advertising pixel are loaded only if you click “Accept” in the cookie banner; if you decline, those scripts are not loaded.
9. Security
HTTPS, restricted admin access, secrets kept in hosting environment variables. Legal archives in R2 live in a dedicated private bucket (`R2_LEGAL_BUCKET_NAME`) with no public URL; admin PDF download is served through a protected API.
10. Contact
For privacy questions and this policy:
Email: [email protected]
Data controller: Aleksei Barulin