Privacy Policy
Last updated: {{TODO: last-updated date}}
{{TODO}}
placeholders and must be completed and reviewed by qualified
legal counsel before it is relied upon.
1. Data Controller
The controller responsible for your personal data under the EU General Data Protection Regulation (GDPR) is:
- Company: {{TODO: company legal name}}
- Address: {{TODO: registered company address}}
- Contact: {{TODO: privacy contact email}}
- Data Protection Officer / representative: {{TODO: DPO or EU representative details, if applicable}}
2. Categories of Personal Data We Process
Appoploo is a yacht-fleet management platform used by charter operators. We process the following categories of personal data:
- Account data — name, email address, password (hashed), company details, phone number, and business address of the operator and any team members they invite.
- Client & crew personal data — where the operator records it: names and contact details of their charter clients, and names, contact details and role information of their crew. The operator is the controller of this data; we act as a processor on their behalf.
- Booking & operational data — charter bookings, quotes, invoices, expenses, vessel and maintenance records, and any free-text notes entered by the operator.
- Technical data — IP address, device/browser information and log data generated when you use the service.
3. Purposes & Lawful Basis
| Purpose | Lawful basis (Art. 6 GDPR) |
|---|---|
| Providing and operating the platform | Performance of a contract (Art. 6(1)(b)) |
| Billing & subscription management | Performance of a contract (Art. 6(1)(b)) |
| Security, fraud prevention, service integrity | Legitimate interests (Art. 6(1)(f)) |
| Legal & tax record-keeping | Legal obligation (Art. 6(1)(c)) |
| Product/marketing communications (if any) | Consent (Art. 6(1)(a)) {{TODO: confirm}} |
4. Data Retention
We retain account and operational data for as long as your account is active. When you delete your account, associated tenant data is erased (see Section 7). Records we are legally required to keep — such as invoices for tax purposes — are retained for the statutory period {{TODO: specify retention period, e.g. 5–10 years per jurisdiction}}. Backups are rotated and purged within {{TODO: backup retention window}}.
5. Sub-processors & International Transfers
We rely on the following sub-processors to deliver the service. Where data is transferred outside the EEA, transfers are safeguarded by appropriate mechanisms such as Standard Contractual Clauses {{TODO: confirm transfer mechanism per sub-processor}}.
| Sub-processor | Purpose |
|---|---|
| Cloudflare, Inc. | Application hosting, edge network, DDoS/security |
| PocketBase host {{TODO: hosting provider legal name/location}} | Primary database & file storage backend |
| Stripe, Inc. | Subscription billing & payment processing |
| {{TODO: email provider}} | Transactional email (account, booking notifications) |
6. Your Rights
Under the GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing. You may also withdraw consent at any time and lodge a complaint with your local supervisory authority {{TODO: name the lead supervisory authority for the establishment}}.
7. Account Deletion & Data Subject Requests
You can delete your account and its associated tenant data at any time from Settings → Delete my account. To exercise any other data subject right, contact us at {{TODO: privacy contact email}}. We will respond within the timeframe required by law (generally one month).
8. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated {{TODO: describe notification method}}. The "last updated" date at the top reflects the current version.