Privacy Policy
Last Updated: January 29, 2026
Version: 1.2
Bommie ("we," "us," or "our") is committed to
protecting your privacy and ensuring you have control over your personal
data.
This Privacy Policy explains how we collect, use, disclose, and
safeguard your information ("Personal Data") when you use the Bommie
mobile application (the "App") including the website
www.bommie.app (the "Site") and our
related services (collectively, the "Service").
1. Information We Collect
To operate the Service and provide its functionality, including the
interactive map-based interface, real-time weather scoring, and
community-generated content features, we may collect the following
information that constitutes "Personal Data":
- Account Data: When you register, we collect your
  display name, email address and password. You may also provide a user
  avatar and bio to customise your profile. Please note that the display
  name you select does not need to include your real name or any other
  information that identifies you.
- Personal Data Received from Third-Parties: When you
  choose to use your Google account to log into our Service, we may
  receive certain information from Google. This information can include
  your email address, external account name, and any other data you
  allow us to access based on your external account privacy settings,
  such as profile photos. You can revoke our access to this information
  by removing our connection to that external service. For details on
  how Google manages and processes user data, please refer to their
  Privacy Policy.
- User-Generated Content: User-generated content you
  create, including site descriptions, photos, videos, posts and other
  content or information you generate or make available on the Service
  as well as associated metadata. Metadata includes information on who,
  when and what piece of content was collected and how that content has
  been formatted or edited. Metadata also includes information that
  users can choose to include in posts such as keywords, geographical or
  location information, and other similar data.
- Feedback and Support: Information and images you
  provide when contacting us for support or reporting content and
  associated metadata including account ID, display name, date and time.
- Map Services: The Service uses map services provided
  by Google. Google requests device metadata, IP address, crash metrics
  and an Internal Usage Attribution Identifier to maintain and improve
  Google services. This is not used to identify the user or for
  advertising attribution. You can find more information on how
  Google processes and handles user data here:
  Privacy Policy
- Location Data: To provide our map discovery features
  you may choose to share your approximate geolocation by turning on
  location services and granting permission on your mobile device. The
  App will access the device's location data only while the application
  is actively open, visible, and being used on the screen. This data is
  processed by Google as part of their Google Maps service and is not
  stored on our servers. You can disallow collection of geolocation data
  by turning off location services on your mobile device or removing app
  permissions at any time.
- Device and Log Data: In order to secure our services,
  authenticate users, prevent fraud and comply with applicable laws we
  collect information about your mobile device, including unique device
  identifiers, operating system, app usage patterns including date and
  time, IP address and country of origin when you connect with our
  Service.
- Payment Data: If you choose to purchase a Plus
  one-time payment or Pro subscription account, payments are processed
  directly by the applicable app store (Apple App Store or Google Play).
  We do not store your credit card details or full payment information
  on our servers.
- Transaction History: In order to manage accounts
  across devices and platforms our third-party transaction facilitator,
  RevenueCat, stores transaction receipts and account ID. If you have
  questions about how our payment facilitator protects such information,
  please read RevenueCat's
  Terms of Use and
  Privacy Policy.
- Offline Data: To support offline capabilities,
  certain data (such as map regions and site information) is cached
  locally on your device for up to 7 days.
2. How We Use Your Information
We must rely on a specific legal basis for collecting and using Personal
Data, particularly in jurisdictions like the European Economic Area
(EEA) and the United Kingdom, as mandated by applicable law (e.g.,
Art. 6 GDPR Lawfulness of processing).
The most common legal bases for the collection and use of Personal Data
are:
- Contractual Necessity: Processing is required to
  deliver our Service or fulfill our obligations under a contract with
  you.
- User Consent: You have given us explicit, specific
  permission for the collection and processing of your Personal Data for
  a defined purpose.
- Legitimate Interests: Processing is necessary for our
  business interests, provided these interests are not overridden by
  your fundamental rights and interests.
- Legal Compliance: Processing is necessary to meet a
  legal or regulatory obligation that applies to us.
We use your data for a variety of purposes, including to deliver,
improve, and secure our services:
- Service Delivery: To display dive sites on the
  interactive map, to power community-based features that display your
  posts, photos and videos to other users, and to audit the edit history
  of dive site descriptions.
- Personalisation: To share your display name, avatar and
  other profile information with the community.
- Communication and Customer Support: To send you
  service updates or respond to your queries and support requests.
- Security: To enforce our terms, prevent fraud, and
  manage permissions based on your account status and tier.
- Marketing: Posts that you choose to share via the
  Service may be displayed within the App, on our Sites, on third party
  websites, social media and/or third-party apps, including those of our
  business partners.
- Legal Obligations: We may also collect and use your
  Personal Data to comply with requests from government authorities
  and/or enforcement bodies and our obligations under applicable laws
  including the Australian Consumer Law and the Corporations Act 2001
  (Cth).
3. How We Share and Disclose Data
We do not sell your personal data for money or engage in targeted
advertising. We disclose information only in the following
circumstances:
- Service Providers or Vendors: We use third party
  suppliers ("Service Providers") to provision services required to
  support and operate our business. These Service Providers may perform
  services on our behalf or assist us to provide Services to you. We do
  not authorise the use or disclosure of your Personal Data for any
  purpose other than in connection with the provision of their
  services to us. Our Service Providers may need to access your Personal
  Data in connection with providing us with these services:
  - Appwrite: For backend database and file storage,
    authentication and server-side application functions.
  - Google: To provide interactive map services.
  - RevenueCat: To manage payment receipts, account
    subscription status and purchase history across devices and
    platforms.
- Public Information: Certain information you provide
  may be publicly visible through the Service. Your profile (display
  name, avatar) and User-Generated Content (posts, photos, site edits)
  are visible to other users of the Service as part of the community
  features.
- Business Transfers: If we are involved in a merger,
  acquisition, financing due diligence, reorganization, bankruptcy,
  receivership, sale of all or a portion of our assets, or transition of
  our Service to another provider, your Personal Data may be shared in
  the diligence process with counterparties and others assisting with
  the transaction and transferred to a successor or affiliate as part of
  that transaction along with other assets.
- Legal Requirements: We may disclose information if
  required by law or to protect the safety of our users.
4. Data Storage, Security and Safeguards
We are strongly committed to keeping your Personal Data safe. We have
implemented and will maintain technical, administrative, and physical
measures that are reasonably designed to help protect your Personal Data
from unauthorised access and processing. These measures include:
- Secure Servers: We store Personal Data on secure
  servers that adhere to strict, industry-standard regulations,
  including GDPR, CCPA, HIPAA, and SOC 2.
- Encryption in Transit: HTTPS/TLS protects sensitive
  information from interception, tampering, and unauthorized access
  during transit.
- Password Encryption: Passwords are hashed and
  stored using the Argon2 password-hashing algorithm.
- Access Controls: Strict Role-Based Access Control
  (RBAC) limits who has access to data.
- Payment Security: Payments are processed directly by
  the applicable app store (Apple App Store or Google Play). We do not
  store your credit card details or full payment information on our
  servers.
Security risk is inherent in all internet and information technologies
and we cannot guarantee the security of your Personal Data. By using
Bommie you acknowledge that you transmit information to us at your own
risk. Please read this Privacy Policy before using our Service or
submitting any Personal Data to Bommie and contact us if you have any
questions.
5. Data Retention
We retain your personal data on our servers for as long as your account
remains active or for as long as reasonably necessary to fulfill the
purposes outlined in this Privacy Policy, including satisfying any
legal, accounting, tax, or reporting requirements.
Account Deletion: If you delete your account, we will
take all reasonable steps to process this request and delete your
Personal Data as required by applicable law. User-generated content you
created and made available on the Service, such as photos, videos,
posts, and associated metadata, will be removed from our servers.
However, user-generated site descriptions, reports and feedback will be
anonymised and retained as deidentified contributions to the Service.
6. Your Privacy Rights
We grant all users control over their personal data. Depending on where
you reside, you may have specific legal rights regarding the information
we collect.
6.1. General Rights (All Users)
Regardless of your location, you can exercise the following rights
through your account settings or by contacting us:
- Access and Update: You can access and update your
  profile information, including your avatar and display name, directly
  within the App.
- Account Deletion: You may request the deletion of
  your account and associated data directly within the App.
- Opt-Out of Marketing: You can unsubscribe from
  marketing emails at any time by clicking the "unsubscribe" link in our
  communications.
6.2. Australian Users
Under the Privacy Act 1988 (Cth), Australian residents have the
following rights:
- Access and Correction: You have the right to request
  access to the personal information we hold about you and request
  corrections if it is inaccurate, incomplete, or out of date.
- Anonymity: Where practicable, you have the right to
  interact with us anonymously or using a pseudonym (e.g., when browsing
  public dive sites without an account).
- Complaints: If you believe we have mishandled your
  data, you may lodge a complaint with us. If you are unsatisfied with
  our response, you may contact the Office of the Australian Information
  Commissioner (OAIC).
6.3. European (EEA) and UK Users
If you are located in the European Economic Area (EEA) or the United
Kingdom (UK), you have rights under the GDPR and UK GDPR, including:
- Right to Access: You may request confirmation of
  whether we process your personal data and receive a copy of that data.
- Right to Rectification: You may request correction of
  inaccurate or incomplete personal data.
- Right to Erasure: You may request that we delete your
  personal data ("right to be forgotten") if it is no longer necessary
  for our purposes or if you withdraw your consent.
- Right to Restrict Processing: You may ask us to limit
  how we use your data in certain circumstances, such as while we verify
  the accuracy of data you contest.
- Right to Data Portability: You have the right to
  receive your personal data in a structured, machine-readable format to
  transfer to another service.
- Right to Object: You may object to the processing of
  your data for direct marketing or where we rely on "legitimate
  interests" as our legal basis.
- Withdraw Consent: Where we rely on consent to process
  your data (e.g., for location tracking), you may withdraw it at any
  time.
You have the right to lodge a complaint with your local data protection
authority (e.g., the ICO in the UK) if you believe we have violated your
privacy rights.
6.4. United States Users
Residents of California, Virginia, Colorado, Connecticut, and other
states with consumer privacy laws have specific rights:
- Right to Know: You may request details about the
  categories of personal data we collect, the sources, the business
  purposes for collection, and the third parties with whom we share it.
- Right to Delete: You may request the deletion of your
  personal data, subject to certain legal exceptions.
- Right to Correct: You may request the correction of
  inaccurate personal data we hold about you.
- Right to Opt-Out of "Sale" or "Sharing": Under laws
  like the CCPA, "sharing" data for targeted advertising may be
  considered a sale. You have the right to opt out of this sharing for
  cross-context behavioral advertising. We do not sell your personal
  data for money or engage in targeted advertising.
- Right to Non-Discrimination: We will not deny you
  services, charge you different prices, or provide a different quality
  of service for exercising your privacy rights.
- Right to Appeal: If we decline your privacy request,
  residents of certain states (e.g., Colorado, Virginia) have the right
  to appeal our decision.
6.5. How to Exercise Your Rights
To exercise any of these rights, please contact our Privacy Officer
(details below).
- Verification: To verify your identity, email
  authentication is necessary for processing privacy requests. This is
  done by responding to a verification email sent to the email address
  linked to your Bommie account. If we cannot verify your identity
  through this email authentication, we will be unable to complete your
  request.
- Response Time: We aim to respond to legitimate
  requests within one month (or 45 days for US requests). If we require
  more time, we will inform you of the reason and extension period.
7. Children's Privacy
Bommie is not directed to children under the age of 18. We do not
knowingly collect personal data from children. If we become aware that
we have collected such data without parental consent, we will take steps
to delete it.
8. International Transfers
Bommie is based in Australia but utilises cloud-based services (such as
Appwrite Cloud, RevenueCat and Google Maps) that may store data in
various regions. By using the Service, you acknowledge that your
information may be transferred to and processed in countries other than
your own, which may have different data protection laws.
9. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our technical
architecture or business practices (e.g., new subscription tiers or
partnerships). We will notify you of material changes through the App or
via email.
10. Contact Us