This Privacy Notice for YachtSync Ltd (“YachtSync”, “we”, “us”, or “our”) describes how and why we collect, store, use, and share (“process”) your personal information when you use the YachtSync mobile application (“App”) or our website at yachtsync.uk (together, the “Services”).
YachtSync helps maritime crew store, track and manage their professional certificates. We take privacy seriously because we know the documents you upload to our App — passports, ENG1 medicals, STCW certificates, visas — are among the most sensitive you own. This notice explains, in plain English, what we do with your data.
Questions or concerns? Contact us at legal@yachtsync.uk. We are the data controller for your personal information under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Summary of Key Points
This summary gives you the essentials. Full detail is in the sections below.
What we collect. Your name, email and password for your account. Your certificates and the information contained in them (which can include sensitive data like passport numbers, dates of birth, medical fitness from ENG1 certificates, and nationality). Optional profile information (rank, vessel, training location).
How AI is used. When you scan a certificate, the document is sent to Anthropic (our AI provider) to extract dates and details. Anthropic does not store your document or use it to train their models. More on this below.
Where your data lives. Your certificates and account data are stored in the EU (Dublin, Ireland) by our hosting partner Supabase. A copy is also cached on your device so you can access certificates offline.
Who we share with. We don't sell your data. We share it with essential service providers (Supabase for storage, Anthropic for AI scanning, RevenueCat for subscription management, Loops.so for email, Apple/Google for app distribution, Expo for push notifications) — each under strict contractual obligations.
Your rights. Under UK GDPR, you can access, correct, export or delete your data at any time. You can delete your account directly in the App, or email legal@yachtsync.uk.
Table of Contents
- What information do we collect?
- Sensitive personal information
- How do we use your information?
- How we use AI (Anthropic)
- Legal bases for processing
- Who we share your information with
- International data transfers
- How long we keep your information
- How we keep your information safe
- Your privacy rights
- Children's data
- Updates to this notice
- Contact us
1. What information do we collect?
In Short: We collect account information, profile information you choose to provide, and your certificates — which may contain personal and sensitive data.
1.1 Account information
When you create an account, we collect:
- First and last name
- Email address
- Password (stored in hashed, encrypted form — we never see your plaintext password)
1.2 Profile information (optional)
To personalise the App, you may choose to provide additional information, including:
- Your rank (e.g. Deckhand, Chief Officer, Captain)
- Your career goal (e.g. working towards OOW 3000GT)
- Vessel details you are currently working on (name, flag state, tonnage, size, type)
- Preferred training location (city and country)
- Notification preferences (which reminder intervals you want, times of day)
- File naming preferences
All profile information is optional — you can use the core features of the App without providing any of it.
1.3 Certificate information
The core of YachtSync is certificate management. When you upload a certificate, we store:
- The PDF document itself
- Metadata you provide or that is extracted by AI: certificate title, type, issue date, expiry date, issuing authority
- File size and upload timestamp
The PDF document may contain personal information about you, depending on what you upload. This can include but is not limited to: your full name, date of birth, nationality, passport number, medical fitness status (from ENG1 or equivalent), photograph, signature, address, and other identifying details printed on the certificate.
1.4 Technical information
- Push notification tokens (if you enable notifications) — used to send expiry reminders
- App usage records (audit log of actions you take within your account, such as uploading or deleting a certificate) — used for security, troubleshooting and your own activity history
- Last active timestamp — used to identify inactive accounts
We do not collect device location, contacts, browsing history, or any other data outside what is listed above.
1.5 Subscription and billing data
If you purchase a Pro subscription, we collect:
- Purchase history and entitlement status (free, Pro Monthly, Pro Annual, or Pro Lifetime) — managed via RevenueCat
- App store transaction identifiers provided by Apple or Google to verify your purchase
We do not store full payment card details. All billing is handled by Apple In-App Purchase or Google Play Billing. RevenueCat stores your entitlement data to verify your subscription status across devices and app reinstalls.
2. Sensitive personal information
In Short: Yes, because of the nature of maritime certificates, some data we process is classified as sensitive under UK GDPR. We handle it accordingly.
Under UK GDPR, certain categories of personal data are given extra protection, including data revealing health, racial or ethnic origin, and biometric data.
The certificates you upload may include such sensitive data — for example:
- Your ENG1 medical certificate is health data (Article 9 UK GDPR)
- A passport or national ID contains data revealing nationality and your photograph
- Visas may reveal nationality and immigration status
Our legal basis for processing sensitive data. We rely on your explicit consent (Article 9(2)(a) UK GDPR), which you provide when you accept this Privacy Notice during signup, and on the processing being necessary for the purposes of carrying out obligations in the field of employment (Article 9(2)(b)), given that the very purpose of YachtSync is to help you maintain employment-critical certificates.
You can withdraw consent at any time by deleting the relevant certificate or your entire account.
3. How do we use your information?
In Short: To run the App, remind you about expiries, keep your data secure, and improve the Service. We do not use your data for advertising or sell it to anyone.
- To provide the Service. Create and manage your account, store your certificates, show them to you across your devices.
- To send expiry reminders. Push notifications at intervals you configure (default: 180, 90, 60, 30, 14, 7 and 1 day before expiry).
- To extract certificate data using AI. When you scan a document, we send it to our AI provider (Anthropic) to extract the title, dates and type — see Section 4 for full detail.
- To enable offline access. Caching your certificates on your device so you can show them to Port State Control or employers without signal.
- To send email communications. We use Loops.so to send transactional emails (account confirmations, important notices) and, where you have opted in, product updates. You can unsubscribe from marketing emails at any time using the unsubscribe link in any email we send.
- To manage your subscription. We use RevenueCat to verify your entitlement (Free or Pro), process subscription status changes, and restore purchases across devices.
- To keep your account secure. Authentication, detecting suspicious activity, maintaining the integrity of our systems.
- To comply with legal obligations. Responding to lawful requests from regulators, courts or law enforcement.
- To improve the Service. Aggregated, non-identifying analytics about which features are used (e.g. how many scans succeeded) help us fix bugs and improve the App. Individual certificate content is never used for this.
We do not use your data for advertising, profiling, automated decision-making with legal effect, or training AI models.
4. How we use AI (Anthropic)
In Short: When you scan a certificate, the document is sent to Anthropic's Claude AI to read the dates and type. Anthropic does not store your document or use it for training.
One of YachtSync's key features is AI-assisted document scanning. Here is exactly what happens:
- You take a photo or upload a PDF of a certificate in the App.
- We send the document, along with a prompt asking it to extract the certificate title, issue date, expiry date and type, to Anthropic PBC via their API (servers located in the United States).
- Anthropic's Claude model returns the extracted information.
- We store the extracted information (and the document itself) in your account.
Anthropic's data handling. Under Anthropic's Commercial Terms of Service, data sent via their API is not used to train their models and is retained only as long as necessary to provide the service — typically 30 days for abuse monitoring, after which it is deleted. Full details are in Anthropic's Privacy Policy and Commercial Terms.
Your right to opt out of AI processing. AI scanning is not mandatory. You can add certificates manually without any AI involvement — simply skip the scan step and type the details yourself.
International transfer. Because Anthropic's API infrastructure is located in the United States, sending a document for scanning is an international transfer. We rely on Standard Contractual Clauses (the UK International Data Transfer Addendum) as the legal mechanism for this transfer.
5. Legal bases for processing
In Short: We only process your data when we have a valid lawful basis under UK GDPR.
| Processing activity | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Creating and managing your account, storing certificates, enabling offline access | Contract (Art. 6(1)(b)) — necessary to provide the Service you signed up for |
| Sending expiry reminders | Contract (Art. 6(1)(b)) and consent (Art. 6(1)(a)) for push notifications |
| AI document scanning | Consent (Art. 6(1)(a)) — you choose when to scan |
| Processing sensitive data in your certificates | Explicit consent (Art. 9(2)(a)) and employment obligations (Art. 9(2)(b)) |
| Security, fraud prevention, audit logging | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
You can withdraw any consent at any time. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
6. Who we share your information with
In Short: A small, specific list of service providers. No advertisers. No data brokers. No selling.
We use the following sub-processors to operate the Service. Each has signed a Data Processing Agreement with us and is bound by UK GDPR-equivalent obligations.
| Provider | Purpose | Location |
|---|---|---|
| Supabase (Supabase Inc.) | Database hosting, file storage, authentication | EU (Dublin, Ireland — AWS) |
| Anthropic (Anthropic PBC) | AI document scanning (Claude API) | United States |
| Apple (Apple Inc. / Apple Distribution International) | App Store distribution, push notifications (APNs), TestFlight beta | United States / Ireland |
| Google (Google LLC) | Play Store distribution, push notifications (FCM) — Android only | United States |
| Expo (650 Industries, Inc.) | Mobile app build and push notification infrastructure | United States |
| RevenueCat (RevenueCat Inc.) | Subscription management, entitlement verification, purchase history | United States |
| Loops.so (Loops Software Inc.) | Transactional and marketing email | United States |
| Vercel (Vercel Inc.) | Hosting of our website yachtsync.uk | United States / Global CDN |
Other circumstances in which we may share data:
- Legal requirements. If required by law, court order, or to protect our rights or safety.
- Business transfers. If YachtSync Ltd is involved in a merger, acquisition or asset sale, your data may be transferred. You will be notified and given options before any such transfer takes effect.
We do not: sell your data, share it with advertisers, share it with data brokers, or transfer it to employers, agencies or any third party for marketing purposes.
7. International data transfers
In Short: Your data is primarily stored in the EU. Some processing happens in the US under approved safeguards.
Your certificate files and account data are stored by Supabase in Dublin, Ireland (EU). Because the UK is recognised by the European Commission as offering adequate data protection, and because we operate under UK GDPR which mirrors EU GDPR, data stored in the EU is considered adequately protected for UK users.
Some of our sub-processors (Anthropic, Expo, Vercel) operate from the United States. For transfers of personal data to these providers, we rely on:
- The UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, or
- The provider's certification under the EU-US Data Privacy Framework and the UK extension, where applicable.
Copies of the relevant transfer mechanisms are available on request from legal@yachtsync.uk.
8. How long we keep your information
In Short: Your data is kept for as long as you have an account. Deleted certificates are recoverable for 30 days before permanent deletion.
- Active account. Your account and certificates are retained for as long as you have an account with us.
- Certificates you delete from the App. We use “soft delete” — deleted certificates are recoverable for 30 days, after which they are permanently erased from our systems.
- Account deletion. When you delete your account, your profile and all certificate data are permanently deleted within 30 days. Encrypted backups that include historical data are retained for up to 90 days before being overwritten.
- Legal obligations. We may retain certain information longer if required by law (e.g. tax, accounting) — but this does not include your certificate documents.
- Aggregated, anonymised data. Data that has been fully anonymised (so it cannot be linked back to you) may be retained indefinitely.
9. How we keep your information safe
In Short: Encryption in transit and at rest. Row-level access controls. Audit logging. Locked-down admin access.
- Encryption in transit: all data exchanged between your device, our App and Supabase is encrypted via TLS 1.2+.
- Encryption at rest: Supabase encrypts all stored data and files at rest using AES-256.
- Row-level security: our database is configured so that each user can only access their own records — enforced at the database layer, not just the App.
- Access control: only authorised YachtSync personnel have access to administrative systems, and only where necessary for support, maintenance or security.
- Audit logging: significant account actions are logged so we can investigate any suspicious activity.
- Secure authentication: passwords are hashed using bcrypt. Email verification is required on signup.
No system is 100% secure. While we take reasonable steps to protect your data, we cannot guarantee absolute security. If we ever become aware of a data breach affecting your personal information, we will notify you and, where required, the UK Information Commissioner's Office (ICO) within 72 hours.
10. Your privacy rights
In Short: Under UK GDPR you have extensive rights over your personal data — all of which we will honour.
You have the right to:
- Be informed about how your data is processed (this notice).
- Access the data we hold about you and receive a copy.
- Rectify inaccurate data — most information can be edited directly within the App.
- Erase your data (“right to be forgotten”) — you can delete certificates and your entire account from within the App.
- Restrict processing of your data in certain circumstances.
- Data portability — request a copy of your data in a structured, machine-readable format.
- Object to processing based on legitimate interests.
- Withdraw consent at any time for processing based on consent (e.g. disable push notifications in your device settings, or stop using AI scanning).
- Not be subject to decisions based solely on automated processing with legal or similarly significant effect. We don't do this — AI scanning is an aid, not a decision.
- Complain to the Information Commissioner's Office if you believe we have mishandled your data.
To exercise any of these rights, email legal@yachtsync.uk. We will respond within one calendar month. There is no fee unless requests are manifestly unfounded or excessive.
11. Children's data
In Short: YachtSync is not intended for anyone under 18 and we do not knowingly collect data from minors.
The Service is intended for professional maritime crew, who are required to be at least 16 for most STCW qualifications and commonly 18 or older in practice. Our Terms require users to be at least 18. We do not knowingly collect personal data from children under 18.
If you believe a minor has provided us with personal information, please contact legal@yachtsync.uk and we will take steps to delete it.
12. Updates to this notice
We may update this Privacy Notice from time to time. When we do, we will update the “Last updated” date at the top. If the changes are material, we will notify you via the App or by email before they take effect. Your continued use of the Service after an update constitutes acceptance of the updated notice.
13. Contact us
For any privacy-related question, request, or complaint:
Email: legal@yachtsync.uk
Post:
YachtSync Ltd
66 Paul Street
London EC2A 4NA
United Kingdom
You also have the right to lodge a complaint with the UK data protection authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113