Back to home

Privacy Policy

Last updated: {{TODO: last-updated date}}

Template notice: This document is a template provided for scaffolding. It contains {{TODO}} placeholders and must be completed and reviewed by qualified legal counsel before it is relied upon.

1. Data Controller

The controller responsible for your personal data under the EU General Data Protection Regulation (GDPR) is:

  • Company: {{TODO: company legal name}}
  • Address: {{TODO: registered company address}}
  • Contact: {{TODO: privacy contact email}}
  • Data Protection Officer / representative: {{TODO: DPO or EU representative details, if applicable}}

2. Categories of Personal Data We Process

Appoploo is a yacht-fleet management platform used by charter operators. We process the following categories of personal data:

  • Account data — name, email address, password (hashed), company details, phone number, and business address of the operator and any team members they invite.
  • Client & crew personal data — where the operator records it: names and contact details of their charter clients, and names, contact details and role information of their crew. The operator is the controller of this data; we act as a processor on their behalf.
  • Booking & operational data — charter bookings, quotes, invoices, expenses, vessel and maintenance records, and any free-text notes entered by the operator.
  • Technical data — IP address, device/browser information and log data generated when you use the service.

3. Purposes & Lawful Basis

Purpose Lawful basis (Art. 6 GDPR)
Providing and operating the platform Performance of a contract (Art. 6(1)(b))
Billing & subscription management Performance of a contract (Art. 6(1)(b))
Security, fraud prevention, service integrity Legitimate interests (Art. 6(1)(f))
Legal & tax record-keeping Legal obligation (Art. 6(1)(c))
Product/marketing communications (if any) Consent (Art. 6(1)(a)) {{TODO: confirm}}

4. Data Retention

We retain account and operational data for as long as your account is active. When you delete your account, associated tenant data is erased (see Section 7). Records we are legally required to keep — such as invoices for tax purposes — are retained for the statutory period {{TODO: specify retention period, e.g. 5–10 years per jurisdiction}}. Backups are rotated and purged within {{TODO: backup retention window}}.

5. Sub-processors & International Transfers

We rely on the following sub-processors to deliver the service. Where data is transferred outside the EEA, transfers are safeguarded by appropriate mechanisms such as Standard Contractual Clauses {{TODO: confirm transfer mechanism per sub-processor}}.

Sub-processor Purpose
Cloudflare, Inc. Application hosting, edge network, DDoS/security
PocketBase host {{TODO: hosting provider legal name/location}} Primary database & file storage backend
Stripe, Inc. Subscription billing & payment processing
{{TODO: email provider}} Transactional email (account, booking notifications)

6. Your Rights

Under the GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing. You may also withdraw consent at any time and lodge a complaint with your local supervisory authority {{TODO: name the lead supervisory authority for the establishment}}.

7. Account Deletion & Data Subject Requests

You can delete your account and its associated tenant data at any time from Settings → Delete my account. To exercise any other data subject right, contact us at {{TODO: privacy contact email}}. We will respond within the timeframe required by law (generally one month).

8. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated {{TODO: describe notification method}}. The "last updated" date at the top reflects the current version.