Privacy Policy
How Aquarius Diving Club collects, uses and protects your personal data. Compliant with EU GDPR (Regulation 2016/679) and Egyptian Personal Data Protection Law (Law 151/2020).
1. Who we are
Aquarius Diving Club ("we", "us") is a PADI 5-Star IDC Resort operating from four locations on Egypt's Red Sea: Hurghada (since 1996), Sharm El Sheikh (since 1999), Sahl Hasheesh and Makadi Bay. We are the data controller for personal data collected through this website (www.aquariusredsea.com) and our reservation systems.
Contact: reservation@aquariusredsea.com · WhatsApp / phone +20 100 160 0742 · Aquarius Diving Club, Hurghada, Red Sea, Egypt.
2. What personal data we collect
| Category | Examples | Source |
|---|---|---|
| Identity & contact | Name, email, phone, country of residence, preferred language | Booking / enquiry forms |
| Diving profile | Certification level & agency, last dive date, logged dives, dive insurance | Booking / pre-trip form, on-site check-in |
| Health declaration | PADI/RSTC medical questionnaire answers, doctor's clearance if required | On-site medical form (paper or digital) |
| Travel details | Hotel, room number, dive dates, equipment sizes | Booking / on-site |
| Payment | Card last 4 digits, amount, currency — full card data handled by the payment processor, never stored by us | Booking checkout |
| Technical | IP address, browser, device, pages viewed, referrer | Web server logs, cookies (see Cookie Policy) |
| Imagery | Photos & video taken during dive trips (optional — see §6) | Our staff on dive boats / dive sites |
3. Why we process it (legal bases)
- To deliver the service you booked (contract performance, GDPR Art. 6(1)(b)): manage reservations, assign instructors/boats, issue receipts, process payments.
- To protect your health and safety (vital interests, Art. 6(1)(d); special-category data Art. 9(2)(c)/(h)): collect and review the standard PADI/RSTC medical questionnaire before any in-water activity. This is mandatory for diving worldwide.
- To comply with legal obligations (Art. 6(1)(c)): Egyptian tourism licence record-keeping, tax invoicing, customs/insurance reporting for incidents.
- Legitimate interests (Art. 6(1)(f)): site security, fraud prevention, customer support, post-trip feedback, basic anonymised analytics.
- Consent (Art. 6(1)(a)): marketing emails, non-essential cookies (analytics/marketing), use of your photos in our marketing — each with separate opt-in.
4. Who we share data with
- Service providers under written contract (acting as processors): cPanel hosting (Egypt/EU), payment processor (PCI-DSS compliant), email service for reservation confirmations, WhatsApp Business (Meta) for chat support, Google (Tag Manager + Analytics 4 if you consented to analytics cookies).
- Insurance and emergency services: only in case of an in-water incident, we share what's clinically necessary with DAN, the treating hyperbaric chamber, your travel insurer, and Egyptian authorities.
- PADI: for course registration and certification issuance (legal basis: contract performance — you can't get a PADI card otherwise).
- We do not sell personal data, ever. We do not share with advertisers without consent.
5. International transfers
We are based in Egypt. Some of our processors (Google, Meta, Cloudflare) may transfer data to the EU, UK, USA or elsewhere. For EU/UK data subjects we rely on Standard Contractual Clauses (Commission Decision 2021/914) and, where relevant, supplementary measures (encryption in transit and at rest).
6. Photos and video on dive trips
Our staff may take photos / video during dive trips for marketing use (website, social media, brochures). You can opt out at any time, before or after the trip, by emailing us — we will remove your image from current channels and add you to a "do-not-photograph" list for future visits. Photos of identifiable minors are only used with parental consent.
7. How long we keep data
| Data | Retention | Reason |
|---|---|---|
| Booking + payment records | 5 years from trip end | Egyptian tax + tourism law |
| Medical questionnaire | 3 years from last dive | Liability + insurance window |
| PADI course paperwork | Per PADI retention schedule | Certification trace |
| Marketing email list | Until you unsubscribe | Consent (Art. 6(1)(a)) |
| Web analytics (anonymised) | 14 months (GA4 default) | Site improvement |
| Photos & video | Until you opt out | Marketing consent |
8. Your rights
Under GDPR and the Egyptian PDPL you have the right to:
- Access a copy of the data we hold about you
- Rectify inaccurate data
- Erasure ("right to be forgotten") where the lawful basis no longer applies
- Restrict or object to processing
- Data portability (receive your data in a portable format)
- Withdraw consent at any time (for marketing emails, photos, non-essential cookies)
- Lodge a complaint with your local supervisory authority (e.g. ICO in the UK, CNIL in France, BfDI/state DPAs in Germany, the Garante in Italy, or the Egyptian Personal Data Protection Centre under the MCIT)
To exercise any right, email reservation@aquariusredsea.com with the subject line "Privacy request". We respond within 30 days.
9. Security
This site enforces HTTPS sitewide. Reservation pages run on a hardened server with rate-limited login, parameterized database queries, encrypted backups, and a written incident-response procedure. We do not store full payment card numbers — the payment processor handles them under PCI-DSS.
10. Children
Our services are not directed to under-13s. PADI Junior courses (10+) are taken with parent/guardian co-signature and the parent consents on the child's behalf.
11. Cookies
See our dedicated Cookie Policy for the full list and to change your preferences.
12. Changes to this policy
We will publish material changes on this page with a new version number and effective date. If we make a substantial change affecting your consent, we will surface it via the cookie banner so you can re-confirm.