Back to Trips

Privacy Policy

How we collect, use, and protect your data.

1. Who We Are

sharc Travel ("we", "us", "our") is a liveaboard booking platform operated by sharc GmbH. We connect divers and ocean enthusiasts with liveaboard operators worldwide, enabling real-time trip discovery, cabin selection, and secure online booking.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website, booking engine, and related services (collectively, the "Platform"). It applies to all visitors, registered users, and guests who interact with the Platform.

2. Data Controller

The data controller responsible for processing your personal data is:
sharc GmbH
Am Fischerwinkel 10, 82031 Grünwald, Germany
Email: hello@sharc.app

If you have questions about this policy or wish to exercise your data rights, contact us at the address above. We aim to respond within 30 days.

3. What Data We Collect

We collect personal data in the following categories:

3.1 Information You Provide

  • Booking data: Full name, email, phone number, nationality, date of birth, passport details, dietary requirements, and emergency contact information — collected when you book a trip
  • Dive certifications: Certification agency, level, number of logged dives, and equipment preferences — collected for dive liveaboard trips
  • Travel plans: Arrival/departure flights, hotel details, and transfer preferences
  • Payment data: Credit/debit card details are processed by our PCI-DSS compliant payment processor (Stripe). We never store full card numbers on our servers
  • Communications: Messages, support inquiries, and feedback you send us

3.2 Information Collected Automatically

  • Device data: Browser type, operating system, screen resolution, and device identifiers
  • Usage data: Pages visited, time on page, click paths, and search queries
  • Network data: IP address, approximate location (country/region), and referring URL
  • Cookies: Essential session cookies only today; if and when we add analytics cookies they will be opt‑in via the cookie banner (see our Cookie Policy)

4. How We Use Your Data

We use your personal data for the following purposes:

  • Booking fulfilment: Processing your reservation, sending confirmation emails, generating invoices, and sharing necessary guest information with the liveaboard operator for your trip
  • Payment processing: Charging the agreed amount, processing refunds per the applicable cancellation policy, and fraud prevention
  • Guest profile: Pre-populating your guest profile form so you only enter dive certifications, dietary needs, and travel details once
  • Customer support: Responding to inquiries, resolving booking issues, and providing trip-related assistance
  • Platform improvement: Analysing aggregated usage patterns to improve search, filters, and the booking experience
  • Legal compliance: Meeting tax, accounting, and regulatory obligations

5. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing necessary to fulfil your booking and provide the requested services
  • Legitimate interests (Art. 6(1)(f)): Improving the Platform, fraud prevention, and customer analytics using aggregated data
  • Consent (Art. 6(1)(a)): Where you have opted in to marketing communications or non-essential cookies
  • Legal obligation (Art. 6(1)(c)): Tax documentation and regulatory compliance

6. Who We Share Data With

We do not sell your personal data and we do not share it with advertisers or data brokers. We share data only with the service providers and partners listed below, each under a written Data Processing Agreement (DPA) that restricts use to what is necessary to operate the Platform.

6.1 Liveaboard operators

When you confirm a booking, we share the guest profile and trip details that the operator running your trip needs to prepare your cabin, meals, dive gear, transfers, and any required documentation. The operator becomes an independent controller of that data for the purposes of running your trip and complying with local maritime, immigration, and tax law.

6.2 Subprocessors

The following subprocessors process personal data on our behalf. The list reflects the production stack on the date this policy was last updated.

  • Stripe Payments Europe Ltd. (Ireland) — PCI‑DSS compliant card processing, fraud prevention, and refunds. Full card details are handled exclusively by Stripe and are never stored on our servers.
  • Cloudways / DigitalOcean (Frankfurt, DE) — web application hosting for the sharc Travel website and booking engine.
  • Render Services, Inc. (Frankfurt, DE region) — hosting for the public MCP servers that power the ChatGPT and Claude integrations described in section 6.3.
  • Elastic Email s.r.o. (Slovakia, EU) — transactional email delivery (booking confirmations, payment notifications, support replies). Provided through our Cloudways hosting integration.
  • Cloudflare, Inc. — DNS, CDN, and edge security (planned/being rolled out). When active, Cloudflare may process IP addresses and request metadata for routing and DDoS protection only.

A live, public subprocessor list is maintained at sharc.app/travel/subprocessors. We will give existing users reasonable notice before adding or replacing a subprocessor that materially changes how your data is handled.

6.3 AI assistant integrations (ChatGPT, Claude)

sharc Travel is available as an integration inside third‑party AI assistants (currently OpenAI’s ChatGPT and Anthropic’s Claude). When you ask one of those assistants about liveaboard diving trips or boats, the assistant may forward a small set of search criteria you express in conversation — destination, travel dates or month, group size, boat name, and trip or boat identifiers — to our public MCP server, which queries our trip and boat catalogue and returns matching results rendered as an in‑chat widget.

  • We do not receive your conversation history, your account identity in the AI assistant, or your IP address through this channel.
  • We process the forwarded search criteria only to compute the response. They are retained only in standard request logs (see section 8) and are not used for marketing or profiling.
  • Booking, payment, and guest profile flows always happen on sharc.app after you click through from the assistant. Section 6.1, 6.2, and the rest of this policy apply to those flows.
  • OpenAI and Anthropic act as conduits for your prompt and the rendered response. They have their own privacy policies; we do not control how the assistant itself processes your conversation.

The MCP servers expose only read‑only tools (search trips, view trip detail, view boat detail). They cannot create, modify, or cancel a booking, charge a card, or read any guest profile.

7. International Transfers

Your data may be transferred to liveaboard operators located outside the EU/EEA (e.g., Indonesia, Maldives, Egypt) when those operators are listed on sharc Travel, on a connected interface or app, or are using sharcOS to manage your booking. These transfers are necessary to perform your booking contract. Where applicable, we rely on the European Commission’s Standard Contractual Clauses or an adequacy decision for the destination country to ensure appropriate safeguards.

8. Data Retention

We retain your data according to these principles:

  • Booking data: Retained for the duration of your trip plus 3 years for tax and legal purposes
  • Account data: Retained while your account is active. After deletion request, data is removed within 30 days (unless legal retention applies)
  • Usage analytics: Aggregated and anonymised data is retained indefinitely; identifiable usage logs are deleted after 12 months
  • Payment records: Retained for 7 years as required by accounting regulations

9. Your Rights

Under GDPR and applicable data protection law, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Limit how we process your data in certain circumstances
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Revoke previously given consent at any time without affecting prior processing

To exercise any of these rights, email hello@sharc.app. We will respond within 30 days. If you believe we have not handled your data lawfully you may lodge a complaint with the supervisory authority for our place of business — Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany — or with the data protection authority where you live or work.

10. Security Measures

We implement appropriate technical and organisational measures to protect your data:

  • TLS/SSL encryption for all data in transit
  • Encrypted database storage for sensitive fields
  • Role-based access controls — only authorised staff access personal data
  • Regular security audits and vulnerability assessments
  • PCI-DSS compliant payment processing via Stripe

11. Children's Privacy

The Platform is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users or via a prominent notice on the Platform. The "Last updated" date reflects the most recent revision. Continued use of the Platform after changes constitutes acceptance.

13. Contact

For privacy-related questions, data requests, or concerns:
sharc GmbH
Am Fischerwinkel 10, 82031 Grünwald, Germany
Email: hello@sharc.app

Last updated: May 21, 2026