Privacy Policy

1. Information We Collect

We collect the following categories of information:

• Account data — your email address when you register or sign in via magic link.
• Organisation data — your dive center name, sender name, and sender email address that you provide during onboarding.
• Contact data — diver records you import (first name, email, certification level, last dive date, location). You own this data; we process it only on your behalf.
• Usage data — pages visited, features used, and campaign performance metrics (open rates, click rates).
• Communications data — messages submitted through our Contact page.

2. How We Use Your Information

• Provide, operate, and improve the Rushback platform.
• Send automated re-engagement emails to your divers on your behalf.
• Track email engagement events (opens, clicks, bounces, unsubscribes) so you can measure campaign performance.
• Respond to support and contact enquiries.
• Send product updates and important service notices to account holders.
• Comply with legal obligations.

We do not sell your data or your customers' data to third parties.

3. Data Sharing

We share data only with the sub-processors needed to run the service:

• Supabase — database and authentication infrastructure (EU/US data centres).
• Resend — transactional email delivery.
• Inngest — background job orchestration for email scheduling.
• Vercel — hosting and edge infrastructure.

All sub-processors are bound by data processing agreements and are prohibited from using your data for their own purposes.

4. Cookies & Tracking

Rushback uses a minimal number of cookies strictly necessary for authentication (session tokens) and locale preference. We do not use advertising or third-party tracking cookies.

Email open and click tracking is performed via a pixel and redirect links embedded in emails sent on your behalf. Your diver contacts can opt out at any time by clicking the unsubscribe link included in every email.

5. Data Retention

We retain your account and campaign data for as long as your account is active. If you close your account, we will delete your data within 30 days, except where retention is required by law.

Diver contact records you import are retained until you delete them or close your account.

6. Security

All data is encrypted in transit (TLS) and at rest. Access to production databases is restricted to authorised personnel only. We use row-level security policies to ensure each organisation can only access its own data.

Despite our safeguards, no system is 100% secure. If you become aware of a security issue, please contact us immediately at hello@rushback.org.

7. Your Rights

Depending on your location, you may have the right to:

• Access a copy of the personal data we hold about you.
• Correct inaccurate data.
• Request deletion of your data ("right to be forgotten").
• Object to or restrict certain processing activities.
• Port your data to another service.

To exercise any of these rights, email us at hello@rushback.org. We will respond within 30 days.

8. Children's Privacy

Rushback is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify account holders of material changes by email. The effective date at the top of this page will always reflect the most recent version.

10. Contact Us

Questions or concerns about this Privacy Policy? Reach us at: