Privacy Policy

1. Data Controller

Celesta Liveaboards (“we”, “us”, “our”) is the data controller for personal data collected through this website.

Business name: Celesta Liveaboards
Location: Hurghada, Egypt
Email: bookings@celestaliveaboards.com

2. What Data We Collect

Booking and contact forms

When you submit a booking request or contact form, we collect the information you provide: name, email address, phone number (optional), message content, and inquiry type.

Guest profile data

To prepare for your expedition, we collect additional information necessary for safe and compliant operations:

Travel logistics: flight details, transfer preferences, hotel accommodation before/after the trip
Diving profile: certification level, certifying agency, logged dives, last dive date
Health and safety: medical notes relevant to diving, allergies, dietary requirements
Identity documents: passport number and expiry date (required by Egyptian maritime authorities)
Emergency contacts: name, phone number, email, and relationship
Insurance: dive insurance provider and policy number (mandatory for all guests)

Payment information

We collect payment-related data including bank transfer references, receipt uploads, and invoice records. We do not store full card numbers — only the last 4 digits for reference if applicable.

If you subscribe to our newsletter, we collect your email address.

Analytics

With your consent, we use Google Analytics 4 to collect anonymised usage data such as pages visited, time on site, device type, and approximate geographic location. No personally identifiable information is collected through analytics.

Customer and agency portals

If you use our customer or agency portal, we process the data necessary to manage your bookings: name, email, booking details, payment records, cabin assignments, and communication history.

Support tickets

When you submit a support request via the portal or email, we collect the subject, messages, and any attachments you provide.

Post-trip surveys

After your expedition, we may invite you to complete a feedback survey. We collect your ratings, written feedback, and whether you consent to being quoted as a testimonial.

3. Cookies and Google Analytics

We use Google Analytics 4 with Consent Mode v2. By default, no analytics cookies are set until you explicitly consent via our cookie banner. If you decline, no analytics cookies are placed and no usage data is collected.

Essential cookies required for the website to function (such as session cookies) may be set without consent as they are strictly necessary.

You can change your cookie preferences at any time by clearing your browser’s local storage for this site.

4. Legal Basis for Processing

Consent — Analytics data collection (you can withdraw consent at any time via the cookie banner)
Contract performance — Processing booking requests, managing reservations, and communicating about your trip
Legitimate interest — Operating the customer and agency portals, responding to inquiries, and improving our services
Legal obligation — Tax record retention (7 years as required by law), maritime safety compliance, and regulatory reporting
Vital interests — Processing emergency contact information and medical notes for trip safety

5. Third-Party Services

We use the following third-party services that may process your data:

Google Analytics (Google LLC, USA) — Website usage analytics. Data is processed in accordance with Google’s privacy policy.
Google Workspace / Gmail API (Google LLC, USA) — Read-only email monitoring for booking management and customer communication. We access emails sent to our business addresses to ensure timely responses. No third-party access is granted.
Resend (Resend Inc., USA) — Transactional email delivery for booking confirmations, invoices, and portal access.
Cloudflare (Cloudflare Inc., USA) — CDN, DNS, and DDoS protection for our website. Cloudflare R2 is used for secure file storage of customer documents (passports, dive certifications, invoices) and website assets. File storage is configured in the EU jurisdiction.
Hetzner (Hetzner Online GmbH, Germany) — Server infrastructure hosting our application and database within the EU.
Sentry (Functional Software Inc., EU — Frankfurt, Germany) — Error monitoring and session replay to diagnose technical issues, processed on the basis of legitimate interests (operating a reliable service). Sentry may collect IP addresses, user identifiers, and browser information. Session interactions are recorded but text content and media are masked by default. Data is stored within the EU.

6. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy:

Booking data: Retained for the duration of your booking and up to 7 years after for tax and accounting purposes
Contact form submissions: Retained for up to 2 years
Newsletter subscriptions: Until you unsubscribe
Analytics data: Automatically deleted after 14 months (Google Analytics default retention)
Error monitoring data (Sentry): 90 days
Support tickets: Retained for 2 years after resolution
Customer documents (passport copies, dive certifications): Retained for the duration of the booking plus 1 year, then deleted
Audit logs: Retained permanently for compliance and security purposes
Session data: Automatically expires within 24–48 hours

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:

Right of access — Request a copy of the personal data we hold about you
Right to rectification — Request correction of inaccurate data
Right to erasure — Request deletion of your personal data
Right to data portability — Receive your data in a structured, machine-readable format
Right to restrict processing — Request that we limit how we use your data
Right to object — Object to processing based on legitimate interest
Right to withdraw consent — Withdraw consent for analytics at any time
Right to lodge a complaint — File a complaint with your local data protection authority

To exercise any of these rights, please email us at bookings@celestaliveaboards.com. We will respond within 30 days.

8. International Data Transfers

Our primary application and database are hosted on EU-based servers (Hetzner Online GmbH, Germany). Your data may also be transferred to and processed in countries outside the EEA:

Egypt — Where we are based and operate our business
United States — Where some service providers are located (Google, Resend, Cloudflare)

For transfers to the United States, we rely on Standard Contractual Clauses and applicable adequacy mechanisms. All transfers are subject to appropriate safeguards to ensure your data is protected.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data:

Encryption in transit (TLS/HTTPS) for all data transmitted between your browser and our servers
Role-based access control — Staff access is restricted to data relevant to their role
Audit logging — All data access and changes are logged for accountability
Rate limiting — API and form submission rate limiting to prevent abuse
Secure authentication — Google OAuth for staff, magic link authentication for customers (no passwords stored)

10. Children’s Privacy

Our services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated “last updated” date. We encourage you to review this page periodically.

12. Contact Us

For any questions about this privacy policy or to exercise your data protection rights, please contact us:

Email: bookings@celestaliveaboards.com
Location: Hurghada, Egypt