Privacy Policy — Odysseic

01Introduction

This Privacy Policy explains how Odysseic Ventures Pte. Ltd. (UEN 202604236H) ("Odysseic", "we", "us") collects, uses, discloses, and protects personal data in connection with the Odysseic software-as-a-service platform, websites, applications, embed widgets, hosted booking pages, and APIs (the "Service").

Odysseic is established in Singapore. We comply with the Singapore Personal Data Protection Act 2012 (the "PDPA"), and, where applicable, the EU General Data Protection Regulation (the "GDPR") and the UK GDPR. This policy uses "personal data" to mean any information that identifies or could reasonably be used to identify an individual.

Short version. If you are a dive operator using Odysseic, we collect what we need to provide the software and bill you. If you are a diver booking through an Odysseic-powered surface, the dive operator is the controller of your data — Odysseic processes it on their behalf. We never sell personal data.

02Controller vs processor

Our role under data-protection law depends on whose data is in play.

2.1 Odysseic as controller

We act as data controller for personal data we collect directly when you (a) operate a dive business that subscribes to Odysseic, (b) visit our marketing site, or (c) contact us. This includes the personal data of operator owners, staff, signup leads, and anyone who emails us.

2.2 Odysseic as processor

We act as data processor on behalf of our operator Customers when those Customers use the Service to take bookings from divers. That includes diver names, contact details, certification info, booking history, and any messages or notes the Customer stores in the Service about a diver.

In that processor capacity, the operator decides what to collect and why; Odysseic stores, transmits, and acts on that data only on the operator's instructions and as needed to run the Service. Divers with questions about their data should contact the dive operator they booked with first. We will assist the operator in responding.

If you booked through an Odysseic embed widget or hosted booking page, the operator's identity is visible to you at the time of booking and is repeated in every confirmation email.

03What we collect

What we never collect: Odysseic does not receive or store full card numbers, CVVs, or bank account credentials. All payment instruments are tokenised by the relevant Payment Provider (Stripe, Xendit, or Doku) and the card or bank data is held by them, not by us. We see only transaction metadata — Provider transaction IDs, status, amounts, and the last four digits of a card — which is what we need to reconcile bookings and invoices.

3.1 From operators and operator staff

Account & profile: name, work email, business name, role, password (hashed), profile photo if provided.
Business data: dive centre details, addresses, country, tax info (UEN/VAT/etc.), bank/Payment Provider account identifiers as needed for integration.
Billing: billing contact, plan, payment method tokens, invoice history.
Communications: support tickets, emails, demo requests, contact form submissions.
Usage & device data: IP address, browser, OS, device identifiers, pages viewed, actions taken in the Service, timestamps. Used to operate the Service, debug, and secure accounts.

3.2 From divers (processed on operators' behalf)

Identity & contact: name, email, phone, country, emergency contact where collected.
Booking details: dive site, date, time, party size, add-ons, special requests, price paid.
Certification & dive history: agency, level, card number, last-dive date, logged-dives count — only where the operator enables the relevant pre-requisite checks.
Medical declarations: only where the operator collects them via a Service-provided form, and only because the operator's regulator or insurer requires it.
Payment metadata: Stripe / Xendit / Doku transaction IDs, status, amount, and last four digits of card.

3.3 From visitors to the marketing site

Pages viewed, referrer, country (from IP — used to default the currency on the pricing page), and any details you provide in contact, demo, or signup forms.
Strictly-necessary preference cookies (e.g., currency choice).

04How we use it

We use personal data to:

Provide, secure, and improve the Service — including authentication, booking processing, sending booking confirmations, calendar management, and reporting.
Bill operators for their Subscription and Per-Booking Fees.
Send service-related communications (e.g., outage notices, policy updates, security alerts).
Respond to questions and provide support.
Detect and prevent fraud, abuse, and security incidents.
Comply with legal obligations (tax records, court orders, regulatory requests).
With your consent, send marketing about Odysseic features, plans, or industry news. You can opt out at any time using the unsubscribe link or by emailing us.
Produce de-identified aggregate analytics about the Service to understand usage and improve the product. These aggregates cannot reasonably identify any individual.

05Legal bases (PDPA / GDPR)

Under the PDPA we collect personal data with the consent of the individual or where another exception (e.g., business contact, legal compliance) applies. Under the GDPR, where it applies, we rely on:

Performance of a contract — to provide the Service you (or your operator) signed up for.
Legitimate interests — to secure the Service, prevent fraud, communicate operationally with Customers, and improve our product. We balance these interests against your rights.
Consent — for non-essential cookies, optional marketing emails, and any sensitive categories of data we may process on an operator's behalf.
Legal obligation — to keep tax and accounting records, respond to lawful requests, and comply with anti-money- laundering rules.

06Who we share with

We share personal data only with the parties below, only for the purposes described:

Recipient	Purpose
Supabase	Database hosting, authentication, edge functions, and object storage. Data is hosted in regional Supabase projects we operate.
Vercel	Web application hosting and content delivery.
Stripe	Subscription billing for operators. For some operators, Stripe is also the connected Booking Payment Provider — in that case Stripe is acting as the operator's payment processor, not ours, in respect of the booking.
Xendit, Doku	Booking Payment Provider integrations, where the operator has connected one. The operator is the merchant.
Postmark / Resend	Delivery of transactional emails (booking confirmations, receipts, password resets). The diver and the operator are CC'd on booking emails, with a real reply-to set so they correspond directly.
Sentry, error & log monitoring	Crash reporting, error tracing, and operational logs. Personal data is minimised; identifiers are scrubbed where practical.
Analytics provider	Privacy-respecting product analytics about how the Service is used. Where used, we configure the tool to not collect IP addresses in clear and to honour Do Not Track / Global Privacy Control signals.
Country/IP geolocation API	On the marketing pricing page, we look up the visitor's country once to default the displayed currency. No persistent profile is created.
Professional advisors	Lawyers, auditors, and accountants, under confidentiality obligations.
Authorities	Where legally required (court orders, regulatory requests, fraud-prevention or to protect rights and safety).
A successor	If Odysseic is involved in a merger, acquisition, or sale of assets, personal data may be transferred to the successor under equivalent protections.

We do not sell personal data, and we do not share it with advertising networks for cross-context behavioural advertising.

07International transfers

Odysseic is based in Singapore. Our sub-processors operate in Singapore, the European Economic Area, the United Kingdom, and the United States, among other locations. When we transfer personal data across borders, we rely on appropriate safeguards: for transfers out of the EEA/UK, the European Commission's Standard Contractual Clauses (or the UK equivalent) and supplementary measures where required; for transfers out of Singapore, we contractually require recipients to provide a comparable standard of protection as required under the PDPA.

08Cookies & tracking

We use a small number of cookies and similar storage technologies:

Strictly necessary: authentication, session management, security (CSRF), and saving preferences such as your chosen pricing currency.
Functional / performance: remembering UI choices and measuring page-load times to keep the Service fast.
Analytics (where used): aggregated product analytics configured to respect privacy signals. We do not use third-party advertising cookies.

You can manage cookies through your browser. Blocking strictly- necessary cookies may prevent parts of the Service from working.

09Data retention

We keep personal data only for as long as needed for the purposes described in this policy, to comply with our legal obligations, or to resolve disputes and enforce our agreements.

Operator accounts: for the life of the Subscription, plus a reasonable wind-down period (typically 30 days) for data export.
Customer Data after termination: deleted, anonymised, or returned within 90 days of termination, except as required by law (tax records, audit logs, fraud-prevention logs).
Diver records: retained for as long as the operator requires, subject to their own retention policy.
Billing & tax records: retained for at least 5 years, as required under Singapore tax law.
Marketing leads: until you unsubscribe or 24 months of inactivity, whichever comes first.

10Your rights

Depending on where you are, you may have rights to:

Access the personal data we hold about you.
Correct inaccurate or incomplete personal data.
Request deletion of personal data, subject to legal-retention obligations.
Object to or restrict certain processing.
Withdraw consent for processing based on consent.
Receive a portable copy of personal data you provided to us.
Lodge a complaint with a data-protection authority.

Send rights requests to privacy@odysseic.com. If you are a diver, your dive operator is the controller — please contact them first; we will help them respond. We will respond to verified requests within 30 days (or sooner where required by law) and may ask for information to confirm your identity.

In Singapore you may contact the Personal Data Protection Commission (PDPC). In the EU you may contact your local supervisory authority. In the UK you may contact the Information Commissioner's Office (ICO).

11Security

We protect personal data with measures that include:

Encryption in transit (TLS) and at rest for data stores we control.
Row-level security on our database, with access scoped to the authenticated user's role and operator.
Hashed passwords and short-lived session tokens.
Audit logging, error monitoring, regular dependency updates, and backups with retention.
Before adopting a new sub-processor, we check for a data-processing agreement, a known hosting region, and an appropriate security posture for their role.

No system is perfectly secure. If we become aware of a data breach affecting personal data, we will notify affected Customers without undue delay and, where applicable, the relevant supervisory authority, in line with PDPA / GDPR obligations.

12Children's data

The Service is sold to dive operators, who are businesses, and is not directed at children. We do not knowingly collect data directly from children under 16. Some operators offer dives suitable for minors; in those cases the operator is responsible for obtaining the necessary parental consents and only the minimum data required (typically a guardian's contact details and a signed liability waiver) should be stored in the Service.

13Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will give reasonable notice through the Service or by email before they take effect. The "Last updated" date at the top of this page always reflects the current version.

14Contact

For privacy questions, complaints, or rights requests, contact us at privacy@odysseic.com. For general legal correspondence, write to legal@odysseic.com. For product or account support, write to support@odysseic.com.

Odysseic Ventures Pte. Ltd.
UEN 202604236H
160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914