Privacy Policy and Data Protection

LAST UPDATE: 21st January 2026 (update this date when you publish changes)

Your privacy is important to us.

This Privacy Policy explains what personal data we collect from Users, how we use it, and under what legal bases we process it. We encourage you to carefully read this document before providing personal data on this Website.

This Privacy Policy complies with current legislation, in particular:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
  • Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
  • Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI-CE).

1. LAWS INCORPORATED INTO THIS PRIVACY POLICY

This Privacy Policy is adapted to Spanish and European regulations on personal data protection on the internet. Specifically, it respects the following legal provisions:

  • Regulation (EU) 2016/679 (GDPR).
  • Organic Law 3/2018 (LOPDGDD).
  • Law 34/2002 (LSSI-CE).

2. IDENTITY OF THE DATA CONTROLLER

The Data Controller for personal data collected through this Website is:

The Ocean Explorers
Responsible person: Alessandra Fiumanò
NIE: Z0782321G
Address: Calle Panama 27, 3H, 35109 El Tablero, Las Palmas (Spain)
Email: info@theoceanexplorers.com
Website: https://theoceanexplorers.com

3. REGISTRATION OF PERSONAL DATA

The personal data collected by The Ocean Explorers, through the forms available on its pages, will be stored and processed in order to facilitate, expedite, and fulfill the commitments established between The Ocean Explorers and the User, or to maintain the relationship that is established in the forms the User completes, or to respond to a request or inquiry.

To ensure transparency, The Ocean Explorers includes a Privacy Policy acceptance checkbox at every data collection point on the Website. The User must check this box to authorize data collection and processing under this Privacy Policy and the Legal Notice.

4. PURPOSES OF PERSONAL DATA PROCESSING 

In addition to what is stated in the section above, The Ocean Explorers processes personal data for the following purposes, depending on how the User interacts with the Website and/or contacts us:

4.1. Handling requests and communications

  • Responding to inquiries sent via forms or other channels (email, WhatsApp, Instagram/Facebook messages).
  • Providing information about trips, experiences, availability, pricing, logistics, requirements (e.g., diving certification), and answering questions.

4.2. “Book your call” / call booking and lead qualification.

When the User submits the call booking form (“Book your call”), we process the submitted data to:

  • Review the application and assess whether the trip is a good fit for the User and whether the User fits the group dynamics described on the Website.
  • Contact the User to arrange a call (usually via WhatsApp, or via the contact method selected by the User).
  • Conduct the call/video call, manage the conversation history, and follow up afterwards.

4.3. Managing reservations, deposits, trip organization, and customer support

If the User decides to proceed, we process personal data to:

  • Manage reservation steps, deposits, confirmations, trip preparation communications, group coordination (including WhatsApp group coordination where applicable), and ongoing customer support before/during/after the trip.

4.4. Marketing and commercial communications (EMAIL, WHATSAPP, PHONE CALLS) — IMPORTANT

The Ocean Explorers may use the contact details provided by the User (email address, phone number, WhatsApp number) to send commercial communications and marketing messages about our trips, experiences and related services, only when legally permitted, specifically:

  • When the User has expressly consented (for example, by ticking a marketing consent checkbox where offered, subscribing to a newsletter, or requesting information and consenting to marketing contact), and/or
  • When there is a prior contractual relationship and the communications refer to services similar to those initially contracted, always providing a simple and free opt-out method in each communication, as required by LSSI-CE.

Marketing communications may be sent by email, WhatsApp messages, phone calls, and equivalent electronic means.

4.5. Website analytics, measurement and improvement (Google Analytics)

We process certain technical and usage data to:

  • Understand how Users interact with the Website, measure performance, improve content and user experience, and detect errors.
    This includes the use of Google Analytics, subject to the User’s cookie/consent choices (see Cookie Policy).

4.6. Advertising measurement and campaign optimisation (Meta / Facebook / Instagram)

We may process certain data to:

  • Measure and improve advertising performance, build audiences, and attribute results to campaigns using Meta technologies (e.g., Meta Pixel), subject to the User’s cookie/consent choices (see Cookie Policy).

4.7. Security, fraud prevention, and legal compliance

  • Maintain Website security, prevent abuse, and ensure the integrity of our systems.
  • Comply with legal obligations, respond to lawful requests, and protect our legal rights.

5. COMMERCIAL COMMUNICATIONS AND OPT-OUT

Where marketing communications are permitted by law, The Ocean Explorers guarantees:

  • We will not send marketing emails/WhatsApp/electronic messages that have not been requested or expressly authorised except where legally permitted due to a prior contractual relationship and similar services, always with an easy opt-out.
  • The User may object to marketing at any time, free of charge, using one of the following methods:
    • By clicking the unsubscribe link in marketing emails (when included).
    • By replying “STOP” / “UNSUBSCRIBE” via the same channel (e.g., WhatsApp/email).
    • By writing to info@theoceanexplorers.com requesting to stop receiving commercial communications.

Opt-out will be applied as quickly as reasonably possible.

6. PRINCIPLES APPLICABLE TO PERSONAL DATA PROCESSING

The processing of Users’ personal data shall adhere to the principles established in Article 5 of the GDPR and Article 4 and following of the LOPD:

  • Lawfulness, fairness, and transparency: User consent is required for data processing for one or more specific purposes, with full transparency.
  • Purpose limitation: Personal data is collected for specific, explicit, and legitimate purposes.
  • Data minimization: The data collected is strictly necessary for the intended purposes.
  • Accuracy: Data must be accurate and kept up to date.
  • Storage limitation: Data is stored only as long as necessary for processing purposes.
  • Integrity and confidentiality: Personal data is processed securely, ensuring confidentiality.
  • Accountability: The Controller is responsible for ensuring compliance with these principles.

7. CATEGORIES OF PERSONAL DATA

The only data categories processed by The Ocean Explorers are identification data. Special categories of personal data, as defined in Article 9 of the GDPR, are not processed.

In practice, depending on the User’s interaction, we may process the following non-special categories of personal data:

  • Identification and contact data: full name, email address, phone number, WhatsApp number, country/city of departure.
  • Trip/application data (Maldives form): selected trip, diving certification level, approximate number of dives, motivations, preferences, free-text answers, preferred contact channel, and any other information the User voluntarily provides.
  • Communications data: messages exchanged by email, WhatsApp, Instagram/Facebook, and call scheduling notes.
  • Technical/usage data (subject to consent where required): IP address, device/browser data, pages visited, interactions, and related analytics/ad measurement data collected via cookies or similar technologies.

Important: Please do not send health data or other sensitive data through open form fields. If the User voluntarily includes health-related or other sensitive information, we will treat it with enhanced confidentiality and only use it to handle the User’s request. Where required, we will request explicit consent or recommend using a safer channel.

8. LEGAL BASIS FOR PROCESSING PERSONAL DATA

The legal basis for processing personal data is consent. The Ocean Explorers commits to obtaining the User’s explicit and verifiable consent for processing their personal data for one or more specific purposes.

The User has the right to withdraw their consent at any time. Withdrawing consent shall be as easy as granting it. As a general rule, withdrawing consent shall not affect the use of the Website.

Whenever the User is required or allowed to provide their data through forms for inquiries, requests for information, or for any reason related to the content of the Website, they will be informed whether completing the form is mandatory, as some fields may be essential for the correct execution of the requested operation.


Depending on the specific processing activity, the legal basis may also include:

  • Pre-contractual steps / contractual necessity (GDPR Art. 6(1)(b)): processing necessary to manage the call booking, evaluate a request, and take steps prior to entering a contract, and/or to provide services requested by the User.
  • Legal obligation (GDPR Art. 6(1)(c)): processing necessary to comply with applicable legal obligations (e.g., accounting/tax obligations where applicable).
  • Legitimate interest (GDPR Art. 6(1)(f)): limited processing necessary for network and information security, fraud prevention, and internal administration, provided that such interests are not overridden by the User’s rights and freedoms.
  • Marketing communications under LSSI-CE: marketing by electronic means will be sent only with consent or under the existing customer / similar services exception, always with opt-out.

9. RETENTION PERIOD OF PERSONAL DATA

Personal data will only be retained for the minimum time necessary for the purposes of its processing, and in any case, until the User requests its deletion.

In addition to the general rule above, we apply the following retention criteria:

  • Leads / call bookings (no contract): data will generally be kept for up to 12 months from the last meaningful interaction, unless the User requests deletion earlier.
  • Customers / trip management: data will be retained for the duration of the relationship and thereafter for the periods required by applicable laws (e.g., accounting/tax retention where applicable).
  • Marketing lists: data will be retained until the User withdraws consent or objects, or until the data is no longer necessary for the purpose collected.
  • Security logs / technical records: retained for the minimum period necessary to ensure security and investigate incidents.

Where legally required, data may be blocked (restricted) and only made available to competent authorities or courts during limitation periods.

10. RECIPIENTS OF PERSONAL DATA

The User’s personal data will be shared with the following recipients or categories of recipients:

  • Hostinger: A platform that processes data for providing hosting services for the Website. [https://www.hostinger.com/]
  • WordPress: The Ocean Explorers uses WordPress for content management and hosting services, owned by Automattic, Inc. [https://automattic.com/]

If the Data Controller intends to transfer personal data to a third country or international organization, the User will be informed at the time of data collection regarding the country or organization to which their data will be transferred.


In addition to the above, depending on the User’s interaction and consent choices, personal data may also be shared with:

  • Brevo (Sendinblue): email marketing / CRM / newsletter delivery and related communications management (processor).
  • Google Analytics (Google): website analytics and measurement (may involve cookies/identifiers; requires consent where applicable).
  • Meta Platforms technologies (Facebook/Instagram / Meta Pixel): advertising measurement, audience building, and campaign optimisation (may involve cookies/identifiers; requires consent where applicable).
  • WhatsApp (Meta Platforms): communications with Users when the User chooses WhatsApp as a contact channel (note: WhatsApp is a third-party service; metadata and communications handling may be subject to their terms).
  • Facebook / Instagram: when the User contacts us through these platforms, or interacts with our pages, communications are processed through those services under their terms.

Service providers may act as data processors under a data processing agreement (where required), and may only process the data under our instructions, unless acting as independent controllers under their own terms (e.g., certain platform services).

11. PERSONAL DATA OF MINORS

In compliance with the GDPR (Article 8) and LOPD (Article 7), only individuals aged fourteen (14) years or older may lawfully consent to the processing of their personal data by The Ocean Explorers. If the User is under fourteen (14) years of age, parental or guardian consent will be required for data processing, and this shall only be deemed lawful if such consent is explicitly granted.


Our services, trips, and call booking forms are intended for adults (18+). We do not knowingly collect personal data from minors.

  • If we detect that a person under 14 has provided personal data, we will delete it as soon as reasonably possible unless verifiable consent from a parent/legal guardian is provided.
  • If a person is between 14 and 17, they may be able to consent under Spanish law for certain processing; however, because our services are intended for adults, we may refuse or cancel the request and delete the data where appropriate.

12. CONFIDENTIALITY AND SECURITY OF PERSONAL DATA

The Ocean Explorers is committed to implementing the necessary technical and organizational measures to ensure the security of personal data and prevent its accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

The Website has an SSL Certificate (Secure Socket Layer), ensuring that personal data is securely and confidentially transmitted between the server and the User, fully encrypted.

However, since The Ocean Explorers cannot guarantee the absolute security of the internet or the complete absence of cyberattacks, the Data Controller commits to notifying the User without undue delay in the event of a data breach that may pose a high risk to the rights and freedoms of natural persons. According to Article 4 of the GDPR, a personal data breach is defined as any security violation leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access to personal data.

Personal data will be treated as confidential, and the Data Controller commits to ensuring, through legal or contractual obligations, that confidentiality is respected by employees, associates, and any individuals with access to the information.

13. RIGHTS DERIVED FROM PERSONAL DATA PROCESSING

The User may exercise the following rights recognized under the GDPR and LOPD regarding The Ocean Explorers:

  • Right of Access: The User has the right to obtain confirmation on whether The Ocean Explorers is processing their personal data and, if so, to access the details of such data and how it is processed.
  • Right to Rectification: The User has the right to request the modification of their personal data if it is inaccurate or incomplete, taking into account the purposes of the processing.
  • Right to Erasure (Right to be Forgotten): The User has the right (unless otherwise stipulated by applicable law) to request the deletion of their personal data when: the data is no longer necessary for the purposes for which it was collected or processed; the User withdraws their consent, and there is no other legal basis for processing; the User objects to the processing, and there is no overriding legitimate reason to continue the processing; the data has been processed unlawfully; the data must be deleted to comply with a legal obligation; the data was obtained through a direct offer of information society services to a minor under fourteen (14) years of age. In addition to deleting the data, the Data Controller, considering available technology and the cost of implementation, must take reasonable steps to inform any controllers processing the data of the User’s request to delete any links to such data.
  • Right to Restriction of Processing: The User has the right to request the limitation of the processing of their personal data in the following cases: when the accuracy of the personal data is contested; when the processing is unlawful; when the Data Controller no longer needs the data, but the User requires it for legal claims; when the User has objected to the processing.
  • Right to Object: The User has the right to object to the processing of their personal data, and in such cases, The Ocean Explorers must cease processing the data unless there are compelling legitimate grounds to continue or if it is necessary for legal claims.
  • Right to Data Portability: If processing is carried out by automated means, the User has the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller. Whenever technically feasible, the Data Controller shall directly transfer the data to the new controller.
  • Right Not to Be Subject to Automated Decision-Making, including Profiling: The right not to be subject to decisions based solely on automated processing, including profiling, unless otherwise stipulated by law.

The User may exercise these rights by submitting a written request to the Data Controller with the reference “GDPR – The Ocean Explorers”, including:

  1. Full name of the User and a copy of their ID. If representation is allowed, the ID of the representative must also be provided.
  2. A detailed request specifying the specific right they wish to exercise and the information they wish to access.
  3. Address for notification purposes.
  4. Date and signature of the request.
  5. Any supporting documents related to the request.

This request, along with any accompanying documents, may be sent to the following address and/or email:

  • Postal Address: Calle Panama 27, 3H, 35109 El Tablero, Las Palmas
  • Email: info@theoceanexplorers.com


If the User considers that their rights have not been properly addressed, they have the right to lodge a complaint with a supervisory authority. In Spain, the competent authority is the:

Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6, 28001 Madrid (Spain)
Website: https://www.aepd.es/

14. LINKS TO THIRD-PARTY WEBSITES

The Website may include hyperlinks or links that allow access to third-party websites not operated by The Ocean Explorers. The owners of such websites have their own privacy policies, and they are responsible for their own data files and privacy practices.

15. INTERNATIONAL TRANSFERS 

Some of the providers mentioned in this Privacy Policy (for example, Google and Meta/WhatsApp) may process data in, or have access from, countries outside the European Economic Area (EEA), such as the United States.

Where international transfers occur, The Ocean Explorers will ensure that appropriate safeguards are applied in accordance with GDPR requirements, such as:

  • the use of Standard Contractual Clauses (SCCs) approved by the European Commission, and/or
  • other legally recognised transfer mechanisms, as applicable.

Users may request more information about the safeguards applied by writing to info@theoceanexplorers.com.

16. CHANGES TO THIS PRIVACY POLICY 

The Ocean Explorers reserves the right to modify this Privacy Policy to adapt it to legislative or jurisprudential developments, as well as to industry practices. Any updated version will be published on this page and will apply from the date of publication.