Legal

Privacy Policy

Last updated 7 July 2026

This Privacy Notice for YachtSync Ltd (“YachtSync”, “we”, “us”, or “our”) describes how and why we collect, store, use, and share (“process”) your personal information when you use the YachtSync mobile application (“App”) or our website at yachtsync.uk (together, the “Services”).

YachtSync helps maritime crew store, track and manage their professional certificates. We take privacy seriously because we know the documents you upload to our App — passports, ENG1 medicals, STCW certificates, visas — are among the most sensitive you own. This notice explains, in plain English, what we do with your data.

Questions or concerns? Contact us at legal@yachtsync.uk. YachtSync Ltd (registered in England & Wales, company number 17152913) is the data controller for your personal information under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Summary of Key Points

This summary gives you the essentials. Full detail is in the sections below.

What we collect. Your name, email and password for your account. Your certificates and the information contained in them (which can include sensitive data like passport numbers, dates of birth, medical fitness from ENG1 certificates, and nationality). Optional profile information (rank, vessel, training location).

How AI is used. When you scan a certificate, the document is sent to Anthropic (our AI provider) to extract dates and details. Anthropic does not store your document or use it to train their models. More on this below.

Where your data lives. Your certificates and account data are stored in the EU (Dublin, Ireland) by our hosting partner Supabase. A copy is also cached on your device so you can access certificates offline.

Who we share with. We don't sell your data. We share it with essential service providers (Supabase for storage, Anthropic for AI scanning, RevenueCat for subscription management, Loops.so for email, Apple/Google for app distribution, Expo for push notifications) — each under strict contractual obligations.

Your rights. Under UK GDPR, you can access, correct, export or delete your data at any time. You can delete your account directly in the App, or email legal@yachtsync.uk.

Table of Contents

  1. What information do we collect?
  2. Sensitive personal information
  3. How do we use your information?
  4. How we use AI (Anthropic)
  5. Legal bases for processing
  6. Who we share your information with
  7. International data transfers
  8. How long we keep your information
  9. How we keep your information safe
  10. Your privacy rights
  11. Children's data
  12. Updates to this notice
  13. Contact us

1. What information do we collect?

In Short: We collect account information, profile information you choose to provide, and your certificates — which may contain personal and sensitive data.

1.1 Account information

When you create an account, we collect:

1.2 Profile information (optional)

To personalise the App, you may choose to provide additional information, including:

All profile information is optional — you can use the core features of the App without providing any of it.

1.3 Certificate information

The core of YachtSync is certificate management. When you upload a certificate, we store:

The PDF document may contain personal information about you, depending on what you upload. This can include but is not limited to: your full name, date of birth, nationality, passport number, medical fitness status (from ENG1 or equivalent), photograph, signature, address, and other identifying details printed on the certificate.

1.4 Technical information

We do not collect device location, contacts, browsing history, or any other data outside what is listed above.

1.5 Subscription and billing data

If you purchase a Pro subscription, we collect:

We do not store full payment card details. All billing is handled by Apple In-App Purchase or Google Play Billing. RevenueCat stores your entitlement data to verify your subscription status across devices and app reinstalls.

1.6 Training directory activity

The App includes a directory of maritime training providers and courses. When you tap a “Book” button or a provider link, we record a referral click so we can measure how the directory is used and, where we have an affiliate arrangement, attribute any commission. The click record contains:

What we send to the training provider. When the link opens, we append only an anonymous referral tag (ref=yachtsync) to the provider’s booking page. We do not pass your name, email, account identifier or any certificate data to the provider. What you do on the provider’s own website is governed by their privacy policy, not ours. See also our Terms on third-party listings.

1.7 Cookies and similar technologies

Our website (yachtsync.uk) uses only strictly necessary cookies required to serve and secure the pages. We do not use advertising or third-party tracking cookies, and we do not run pixels, fingerprinting or cross-site trackers, so no cookie-consent banner is required under the Privacy and Electronic Communications Regulations (PECR). We use Vercel Web Analytics, a privacy-friendly measurement service, to count page views in aggregate: it sets no cookies, stores no personal identifiers, and does not track you across other sites. When you click through to a training provider or to the App Store from our site, we count that click (the page, the destination and the country, never your identity) so we know which pages are useful. The mobile App does not use advertising identifiers and does not track you across other apps or websites. If we ever introduce cookie-based analytics, we will update this notice and, where the law requires it, ask for your consent first.

1.8 Calendar access (optional)

If you choose to add a certificate expiry to your device calendar (Apple, Google or Outlook), the App asks your device for permission to do so. We only create the specific events you request; we never read, store or modify your existing calendar entries, and your calendar data is not transmitted to us.

2. Sensitive personal information

In Short: Yes, because of the nature of maritime certificates, some data we process is classified as sensitive under UK GDPR. We handle it accordingly.

Under UK GDPR, certain categories of personal data are given extra protection, including data revealing health, racial or ethnic origin, and biometric data.

The certificates you upload may include such sensitive data — for example:

Our legal basis for processing sensitive data. We rely on your explicit consent (Article 9(2)(a) UK GDPR), which you provide when you accept this Privacy Notice during signup, and on the processing being necessary for the purposes of carrying out obligations in the field of employment (Article 9(2)(b)), given that the very purpose of YachtSync is to help you maintain employment-critical certificates.

You can withdraw consent at any time by deleting the relevant certificate or your entire account.

3. How do we use your information?

In Short: To run the App, remind you about expiries, keep your data secure, and improve the Service. We do not use your data for advertising or sell it to anyone.

We do not use your data for advertising, profiling, automated decision-making with legal effect, or training AI models.

4. How we use AI (Anthropic)

In Short: When you scan a certificate, the document is sent to Anthropic's Claude AI to read the dates and type. Anthropic does not store your document or use it for training.

One of YachtSync's key features is AI-assisted document scanning. Here is exactly what happens:

  1. You take a photo or upload a PDF of a certificate in the App.
  2. We send the document, along with a prompt asking it to extract the certificate title, issue date, expiry date and type, to Anthropic PBC via their API (servers located in the United States).
  3. Anthropic's Claude model returns the extracted information.
  4. We store the extracted information (and the document itself) in your account.

Anthropic's data handling. Under Anthropic's Commercial Terms of Service, data sent via their API is not used to train their models and is retained only as long as necessary to provide the service — typically 30 days for abuse monitoring, after which it is deleted. Full details are in Anthropic's Privacy Policy and Commercial Terms.

Improving accuracy from corrections. When you correct a detail the AI got wrong, we keep that correction to help the model do better on future scans — for you and for other users. Before any correction is reused, personal identifiers (names, document numbers, passport numbers, dates of birth) are stripped out, so only the anonymised pattern remains (for example, “this was a Passport, not a generic travel document”). We rely on our legitimate interest in improving the Service for this, and no individual user’s document content is ever shown to another user. Full detail is on our AI Use page.

Your right to opt out of AI processing. AI scanning is not mandatory. You can add certificates manually without any AI involvement — simply skip the scan step and type the details yourself.

International transfer. Because Anthropic's API infrastructure is located in the United States, sending a document for scanning is an international transfer. We rely on Standard Contractual Clauses (the UK International Data Transfer Addendum) as the legal mechanism for this transfer.

5. Legal bases for processing

In Short: We only process your data when we have a valid lawful basis under UK GDPR.

Processing activityLawful basis (UK GDPR Art. 6)
Creating and managing your account, storing certificates, enabling offline accessContract (Art. 6(1)(b)) — necessary to provide the Service you signed up for
Sending expiry remindersContract (Art. 6(1)(b)) and consent (Art. 6(1)(a)) for push notifications
AI document scanningConsent (Art. 6(1)(a)) — you choose when to scan
Processing sensitive data in your certificatesExplicit consent (Art. 9(2)(a)) and employment obligations (Art. 9(2)(b))
Training directory referral clicks and affiliate attributionLegitimate interests (Art. 6(1)(f)) — operating and funding the Service
Improving AI accuracy from anonymised correctionsLegitimate interests (Art. 6(1)(f))
Marketing emails (product updates)Consent (Art. 6(1)(a)) — opt-in, withdrawable at any time
Security, fraud prevention, audit loggingLegitimate interests (Art. 6(1)(f))
Complying with legal obligationsLegal obligation (Art. 6(1)(c))

You can withdraw any consent at any time. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

6. Who we share your information with

In Short: A small, specific list of service providers. No advertisers. No data brokers. No selling.

We use the following sub-processors to operate the Service. Each has signed a Data Processing Agreement with us and is bound by UK GDPR-equivalent obligations.

ProviderPurposeLocation
Supabase (Supabase Inc.)Database hosting, file storage, authenticationEU (Dublin, Ireland — AWS)
Anthropic (Anthropic PBC)AI document scanning (Claude API)United States
Apple (Apple Inc. / Apple Distribution International)App Store distribution, push notifications (APNs), TestFlight betaUnited States / Ireland
Google (Google LLC)Play Store distribution, push notifications (FCM) — Android onlyUnited States
Expo (650 Industries, Inc.)Mobile app build and push notification infrastructureUnited States
RevenueCat (RevenueCat Inc.)Subscription management, entitlement verification, purchase historyUnited States
Loops.so (Loops Software Inc.)Transactional and marketing emailUnited States
Vercel (Vercel Inc.)Hosting of our website yachtsync.uk and cookieless, aggregate web analyticsUnited States / Global CDN

Training providers in our directory. The providers and courses listed in the App are independent third parties, not sub-processors. When you tap through to book, we share no personal data with them — only an anonymous referral tag (ref=yachtsync). If you go on to book or enquire on a provider’s own website, any information you give them there is handled under their privacy policy. We may earn a commission on bookings made through these links; this never changes what you pay or affects which providers we list.

Other circumstances in which we may share data:

We do not: sell your data, share it with advertisers, share it with data brokers, or transfer it to employers, agencies or any third party for marketing purposes.

7. International data transfers

In Short: Your data is primarily stored in the EU. Some processing happens in the US under approved safeguards.

Your certificate files and account data are stored by Supabase in Dublin, Ireland (EU). Because the UK is recognised by the European Commission as offering adequate data protection, and because we operate under UK GDPR which mirrors EU GDPR, data stored in the EU is considered adequately protected for UK users.

Some of our sub-processors (Anthropic, Expo, Vercel) operate from the United States. For transfers of personal data to these providers, we rely on:

Copies of the relevant transfer mechanisms are available on request from legal@yachtsync.uk.

8. How long we keep your information

In Short: Your data is kept for as long as you have an account. Deleted certificates are recoverable for 30 days before permanent deletion.

9. How we keep your information safe

In Short: Encryption in transit and at rest. Row-level access controls. Audit logging. Locked-down admin access.

No system is 100% secure. While we take reasonable steps to protect your data, we cannot guarantee absolute security. If we ever become aware of a data breach affecting your personal information, we will notify you and, where required, the UK Information Commissioner's Office (ICO) within 72 hours.

10. Your privacy rights

In Short: Under UK GDPR you have extensive rights over your personal data — all of which we will honour.

You have the right to:

To exercise any of these rights, email legal@yachtsync.uk. We will respond within one calendar month. There is no fee unless requests are manifestly unfounded or excessive.

11. Children's data

In Short: YachtSync is not intended for anyone under 18 and we do not knowingly collect data from minors.

The Service is intended for professional maritime crew, who are required to be at least 16 for most STCW qualifications and commonly 18 or older in practice. Our Terms require users to be at least 18. We do not knowingly collect personal data from children under 18.

If you believe a minor has provided us with personal information, please contact legal@yachtsync.uk and we will take steps to delete it.

12. Updates to this notice

We may update this Privacy Notice from time to time. When we do, we will update the “Last updated” date at the top. If the changes are material, we will notify you via the App or by email before they take effect. Your continued use of the Service after an update constitutes acceptance of the updated notice.

13. Contact us

For any privacy-related question, request, or complaint:

Email: legal@yachtsync.uk
Post:
YachtSync Ltd (company no. 17152913)
66 Paul Street
London EC2A 4NA
United Kingdom

You also have the right to lodge a complaint with the UK data protection authority:

Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113