VesselTwin Privacy Policy
Effective 2026-05-24 — v1.1, under legal review
Version 1.1, effective 2026-05-24 — draft pending review
These terms are under licensed legal review and may be updated. Material changes will be announced; the effective date at the top will move. If you have questions, contact legal@vesseltwin.io.
1. Summary
VesselTwin is a digital record-keeping product for boat owners. We collect the data you give us to operate and improve the service for you. We may use and monetize aggregated or de-identified information, derived insights, benchmarking outputs, public contributions, and opt-in community data. We do not currently sell your personal information or share it for cross-context behavioral advertising. If that changes, we will update this Policy before the new practice begins and provide any notices, opt-outs, consents, or other rights required by law. We do not let AI providers use your data to train their models. You can export or delete your account at any time.
Privacy questions: privacy@vesseltwin.io. Security: security@vesseltwin.io.
2. Scope
This Policy covers personal information collected through vesseltwin.io, our iOS app, our Android Capacitor wrapper, and our API. It does not cover third-party sites we link to (each has its own policy) or platforms operated by anyone other than VesselTwin.
3. Who controls your data
3.1 Owner accounts. For owner accounts (the primary VesselTwin user), VesselTwin is the data controller: we decide why and how your personal data is processed.
3.2 Recipients of share links. When you receive a VesselTwin share link as a vendor, broker, or other recipient, we are a separate-purpose controller for the limited interactions we record (your terms acceptance, your IP address, your user agent, the times you opened the link).
3.3 Fleet and enterprise customers. For fleet/enterprise customers under a separate Data Processing Agreement, VesselTwin may act as processor with the customer as controller. Email privacy@vesseltwin.io for our DPA.
4. Data we collect
- 4.1 Account data — email address, name, avatar URL, OAuth identifiers, MFA factors, password hash. Collected via our authentication provider (Clerk).
- 4.2 Vessel data — boat configuration (make, model, year, hull ID, dimensions, capacities), photos, documents (manuals, invoices, receipts), measurements, parts, maintenance history, vessel-specs, vessel zones.
- 4.3 Usage data — IP address, user-agent, request paths, session events, login timestamps, audit-log entries for sensitive actions.
- 4.4 Communications — emails you send to support, in-product feedback submissions.
- 4.5 Optional: phone number for SMS reminders, captured at the time you opt in.
- 4.6 Derived data and insights — classifications, normalizations, benchmark metrics, model-level reliability patterns, maintenance-interval signals, vendor-performance statistics, catalog improvements, and other inferences created from account, vessel, usage, public, or opt-in contribution data.
- 4.7 What we do not collect — payment card data (handled by a future payment processor and never by VesselTwin servers directly), social-graph data, ongoing GPS location, biometric identifiers. Photos you upload may contain GPS coordinates in EXIF metadata; we strip EXIF (including GPS) on upload before storing the image.
5. Sources of data
We collect data: (a) directly from you, when you use the Service; (b) from Clerk, when you sign in or sign up; (c) from share-link recipients, when they accept recipient terms or interact with your shared content; (d) from vendors, when they submit estimates or completion notes via the vendor portal; (e) from public catalog contributions you submit for inclusion in the shared boat catalog.
6. Why we use your data (purposes and legal bases under GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Operating the Service for you (record-keeping, sharing, AI extraction) | Performance of contract — Art. 6(1)(b) |
| Security, abuse detection, audit logging | Legitimate interest — Art. 6(1)(f) |
| Legal compliance (DMCA, tax, lawful requests) | Legal obligation — Art. 6(1)(c) |
| Marketing-adjacent communications | Consent — Art. 6(1)(a). Required at signup; revocable at any time. |
| Defending or pursuing legal claims | Legitimate interest — Art. 6(1)(f) |
| Product analytics, benchmarking, de-identification, and creation of aggregated or de-identified data products | Legitimate interest — Art. 6(1)(f), consent where required by law or by a specific opt-in contribution flow |
7. AI processing
When you upload a document or image to VesselTwin, parts of it may be sent to a foundation-model API (operated by one of our AI subprocessors) to extract structured data — equipment lists, spec values, work performed, parts replaced, invoice line items, dates, costs. We configure these services so they do not use your inputs to train their underlying models. See our subprocessor list, §3, for the per-provider status.
You can save documents to VesselTwin without triggering AI extraction; AI processing is opt-in per action, not a global account setting.
We may use AI-extracted outputs, user corrections, and de-identified or aggregated patterns to test, evaluate, improve, and commercialize VesselTwin's own extraction logic, catalog intelligence, benchmark reports, predictive-maintenance signals, and related data products. This does not permit our AI subprocessors to train their general models on your inputs, and any future use of personal data or non-public Content to train a third-party or general-purpose model will be handled only after we provide the notices, consents, or opt-outs required by law.
8. Cookies and similar storage
VesselTwin uses only strictly-necessary cookies and local browser storage. We do not currently set analytics, advertising, or cross-site tracking cookies. If we add non-essential cookies later, we will update our notice and consent controls where required. Full details are in our Cookie Notice.
9. Sharing with others
- 9.1 Shares you initiate. Share links you create are visible to the people you give the link to. Vendor portal access is visible to the vendor you grant access to.
- 9.2 Subprocessors process data on our behalf strictly to deliver the Service. The full list is at /subprocessors. Each is bound by a DPA or equivalent arrangement.
- 9.3 Legal compulsion. We may disclose data in response to subpoenas, court orders, or other lawful requests. We challenge overbroad requests where reasonable.
- 9.4 Business transfers. If VesselTwin is merged, acquired, or sells substantially all of its assets, your data may be transferred to the successor, who will be bound by this Privacy Policy or a materially similar one.
- 9.5 Aggregated or de-identified data. We may use aggregated and de-identified data for analytics, product improvement, benchmarking, market research, commercial data products, predictive-maintenance signals, catalog intelligence, valuation signals, vendor-performance statistics, and other derived insights. These outputs must not reasonably identify, relate to, describe, or be capable of being associated with a particular person, household, account, or non-public vessel.
- 9.6 De-identification commitments. When we treat information as de-identified, we maintain and use it only in de-identified form, take reasonable measures to prevent re-identification, do not attempt to re-identify it except to test and improve our privacy safeguards, and require recipients to protect it on similar terms.
- 9.7 Public and opt-in contributions. If you submit content to a public catalog, community feature, benchmark program, or other contribution flow, we may publish, distribute, license, or commercialize that submitted content and related derived insights according to the notice shown in that flow and any controls available there.
We do not currently sell your personal information. We do not currently share your personal information for cross-context behavioral advertising. If we introduce either practice, we will update this Policy before it begins and provide legally required opt-out, consent, Global Privacy Control, or equivalent mechanisms. Aggregated or de-identified data and public or opt-in contributions may be used commercially as described above.
10. International transfers
Some of our subprocessors are based in the United States. When personal data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a U.S. subprocessor, the transfer is covered by Standard Contractual Clauses (SCCs) within the subprocessor's DPA, supplemented by additional safeguards where required. Enterprise customers may request configuration that keeps processing within a specific region.
11. Retention
- Vessel and account data: retained while your account is active.
- After a deletion request: 30-day grace period during which you can cancel via a one-shot email link; then full account cascade (see /account-deletion).
- Audit logs: retained identity-stripped after account deletion, under the legitimate-interest carve-out of GDPR Art. 17(3)(b).
- Backups: 30-day rolling — full purge of deleted data typically completes by approximately 60 days after the deletion request.
- DMCA notices and counter-notices: retained as required by the U.S. Copyright Office.
- Vendor business records: vendor estimates and completion notes are also the vendor's business records and may be retained on the vendor's side.
12. Your rights (GDPR and UK GDPR)
- 12.1 Access (Art. 15) — request a copy of the personal data we hold about you.
- 12.2 Rectification (Art. 16) — correct inaccurate or incomplete personal data.
- 12.3 Erasure (Art. 17) — delete your account. Self-service via /account-deletion. Subject to the retention carve-outs in §11.
- 12.4 Restriction (Art. 18) — limit processing while a dispute is pending.
- 12.5 Portability (Art. 20) — receive your personal data in a structured, machine-readable format. An in-app export endpoint is forthcoming. In the interim, request portability via privacy@vesseltwin.io.
- 12.6 Object (Art. 21) — object to legitimate-interest processing.
- 12.7 Withdraw consent — for consent-based processing (marketing-adjacent emails, optional SMS). Withdrawal does not affect prior lawful processing.
- 12.8 Lodge a complaint with your local data-protection supervisory authority.
13. Your rights (CCPA and CPRA — California)
- 13.1 Right to know — categories of personal information collected, sources, purposes, and recipients.
- 13.2 Right to delete — request deletion (subject to legal retention obligations).
- 13.3 Right to correct — request correction of inaccurate personal information.
- 13.4 Right to opt out of sale or sharing — VesselTwin does not currently sell personal information and does not currently share it for cross-context behavioral advertising. If we introduce a practice that counts as a sale or sharing under California law, we will provide a clear opt-out method, honor legally required preference signals such as Global Privacy Control where applicable, and make the required disclosures before the practice begins. You may still contact privacy@vesseltwin.io to exercise or confirm this right.
- 13.5 Right to non-discrimination — we will not deny you the Service or charge differently for exercising privacy rights.
- 13.6 Shine the Light — California residents may request the categories of personal information disclosed to third parties for direct marketing during the prior calendar year. We do not disclose personal information for third-party direct marketing.
- 13.7 How to exercise. Email privacy@vesseltwin.io. We may verify your identity before processing.
14. Other jurisdictions
We do our best to honor data-subject rights wherever you live. If you are covered by the Brazilian LGPD, Quebec Law 25, the Australian Privacy Act / APPs, the UK Data Protection Act, or any other framework granting equivalent rights, contact privacy@vesseltwin.io and we will help you exercise them. Before launching monetization that requires a local consent, opt-out, assessment, representative, or notice mechanism, we will localize that mechanism for affected users.
15. Children
The Service is intended for adults. You must be at least 18 years old to create an account. We do not knowingly collect personal data from anyone under 18. If you believe we have collected data from a minor, contact privacy@vesseltwin.io and we will delete it.
16. Security
We protect your data with encryption in transit (TLS) and at rest (provider-side encryption on storage and database services), authenticated access controls, audit logging on sensitive actions, periodic review of our subprocessors' security posture, and operational controls on our own engineering practices. No system is perfectly secure. In the event of a breach affecting your personal data, we will notify you and applicable regulators where required (e.g., within 72 hours under GDPR Art. 33).
17. Changes to this Policy
We may update this Policy. Material changes will be notified by email to your account address and by an in-app banner. The "Effective" date at the top of this page will move. If a change materially expands how we use personal information, we will apply it only going forward unless applicable law allows otherwise or you give any required consent. Prior versions are available on request.
18. Contact
Privacy questions, data-subject rights requests, and DPA inquiries: privacy@vesseltwin.io
Security incidents: security@vesseltwin.io
Mailing address: [VESSELTWIN_POSTAL_ADDRESS]
Data Protection Officer designation: under review (interim DPO contact: privacy@vesseltwin.io)