Privacy & data protection
How PortiSub collects, uses and protects your personal data under the EU GDPR and the Portuguese RGPD (Lei n.º 58/2019).
Last updated: 2026-05-31
1. Who is responsible for your data
Q32, LLC, the operator of the PortiSub platform, is the data controller for the personal data processed through this website. For any privacy question, or to exercise your rights, contact us at privacy@portisub.com.
PortiSub is a local scuba-diving discovery platform: it lists dive operators and dive sites, routes enquiries to operators, and hosts member accounts, reviews and a regional community board.
PortiSub serves divers and operators in Portugal and the wider EU and carries out its activities in that context, so the EU General Data Protection Regulation (GDPR) and the Portuguese RGPD (Lei n.º 58/2019) apply to this processing.
2. What data we collect
We only collect what we need to provide these features:
- Enquiries — your name, email, phone (optional), the activity and preferred date, your message, the page you wrote from, and whether you consented to be contacted.
- Account & sign-in — your email address, a temporary single-use sign-in link (stored only as a hashed token, valid 20 minutes), a session identifier, your display name and your role (member or operator).
- Reviews & community — the rating and text you submit, your display name, and whether a review is public or private feedback to the operator. Forum threads and replies are public.
- Operator listings — business contact details provided by, or on behalf of, operators (these are intended to be public).
- Security signals — Cloudflare Turnstile performs bot checks on our forms, and we keep a limited audit log of administrative actions.
We do not use advertising or analytics cookies, and we do not track you across other sites.
3. Why we use it (lawful basis)
- To answer and route your enquiry — your consent (Art. 6(1)(a) GDPR) and steps taken at your request before a possible contract (Art. 6(1)(b)).
- To run your account and sign you in — performance of the service you asked for (Art. 6(1)(b)).
- To publish reviews and community posts — your consent and our legitimate interest in a useful local community (Art. 6(1)(f)).
- To keep the service secure (bot protection, audit logs) — our legitimate interest in preventing abuse (Art. 6(1)(f)).
- To meet legal obligations where they apply (Art. 6(1)(c)).
Where we rely on consent, you can withdraw it at any time without affecting processing already carried out.
4. Who we share it with
We never sell your personal data. We share it only with:
- Dive operators — this is the core purpose of the site. When you send an enquiry to a specific operator, or ask for a recommendation, your enquiry (name, contact details and message) is forwarded by email to the relevant operator(s) so they can reply to you directly.
- Amazon Web Services (AWS SES) — delivers our transactional email (sign-in links and enquiry notifications).
- Cloudflare — hosts the site and stores our database and uploaded files, and provides the Turnstile bot-protection and AI gateway.
- AI translation — operator business descriptions may be processed by a machine-translation model via Cloudflare to produce translated listings. This concerns operator content, not your enquiry data.
- Google (Places API) — we retrieve operators' public Google ratings; we do not send your personal data to Google.
- Open-Meteo — supplies dive-site weather; no personal data is sent.
5. International transfers
Some of our processors (notably AWS SES, which we operate in the US region us-east-1, as well as Cloudflare and Google) process data outside the European Economic Area. Where personal data is transferred outside the EEA, the transfer is covered by appropriate safeguards — the European Commission's Standard Contractual Clauses and/or an adequacy decision — so your data keeps an equivalent level of protection.
6. How long we keep it
- Sign-in links: 20 minutes; sessions: up to 30 days.
- Enquiries: kept while we handle them and for up to 24 months afterwards, then deleted, unless a longer period is required to defend a legal claim.
- Account, reviews and community posts: kept until you delete your account or ask us to remove them.
- Security audit logs: kept for a limited period for security purposes.
7. Your rights
Under the GDPR/RGPD you have the right to access your data, to have it corrected or erased, to restrict or object to processing, to data portability, and to withdraw consent at any time.
To exercise any of these, email privacy@portisub.com. We will respond within one month.
If you believe we have mishandled your data, you can lodge a complaint with the Portuguese supervisory authority, the Comissão Nacional de Proteção de Dados (CNPD).
8. Cookies
We use only strictly necessary and functional cookies: a session cookie to keep you signed in, and a small cookie to remember your language choice. Cloudflare Turnstile may set a short-lived token to verify form submissions. Because we set no analytics or advertising cookies, no cookie-consent banner is required.
9. Children
PortiSub is not directed at children under 16 and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.
10. Changes to this policy
We may update this policy as the service evolves. Material changes will be reflected by the “last updated” date above.