CharterKit

Draft -- This document is a placeholder and has not been reviewed by legal counsel. It does not constitute a binding privacy policy until formally published.

Privacy Policy

Last updated: March 2026

1. Data Controller

CharterKit acts as a data processor on behalf of boat owners who use the platform. Each boat owner is the data controller for the personal data of their guests and crew members.

For data relating to boat owner accounts (registration, billing, usage), CharterKit acts as the data controller.

Controller contact: privacy@charterkit.com

2. Data We Collect

2.1 Boat Owner Data

  • Name, email address, phone number
  • Business name and registration details
  • Billing and payment information (processed via Stripe)
  • Boat registration and specification details

2.2 Guest and Crew Data

  • Full name, date of birth, nationality
  • Passport or identity document numbers
  • Passport scans and photo identification
  • Sailing license details
  • Contact information (email, phone)
  • Crew list information as required by Greek port authority regulations

2.3 Usage Data

  • Log data (IP address, browser type, pages visited, timestamps)
  • Feature usage and interaction patterns (anonymized)

3. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we process personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing booking data, generating contracts, managing payments, and delivering the Service to boat owners and their guests.
  • Legal obligation (Art. 6(1)(c)): Generating crew lists for submission to Greek port authorities as required by maritime law. Retaining financial records as required by Greek tax regulations.
  • Legitimate interest (Art. 6(1)(f)): Improving the Service, preventing fraud, and ensuring platform security.
  • Consent (Art. 6(1)(a)): Where required, such as for optional marketing communications. Consent can be withdrawn at any time.

4. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:

  • Right of access (Art. 15): You may request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): You may request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): You may request deletion of your data, subject to legal retention obligations.
  • Right to data portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format.
  • Right to restriction (Art. 18): You may request that we limit the processing of your data in certain circumstances.
  • Right to object (Art. 21): You may object to processing based on legitimate interest or for direct marketing purposes.

To exercise any of these rights, contact us at privacy@charterkit.com. We will respond within 30 days. You also have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) or your local supervisory authority.

5. Data Retention

  • Account data: Retained for the duration of your account plus 30 days after deletion to allow for recovery.
  • Booking and contract data: Retained for 7 years after the charter date as required by Greek tax law.
  • Crew list data: Retained for 5 years in accordance with Greek maritime authority requirements.
  • Guest documents (passport scans, photos): Retained for 90 days after the charter ends, then automatically deleted unless required for ongoing disputes or legal proceedings.
  • Usage logs: Retained for 12 months, then anonymized or deleted.

6. Third-Party Data Processors

We share personal data with the following third-party processors, each operating under a Data Processing Agreement (DPA):

Processor | Purpose | Data Location
Supabase | Database hosting, file storage, authentication | EU (Frankfurt)
Vercel | Application hosting, edge delivery | EU / Global CDN
Resend | Transactional email delivery | US (EU SCCs in place)
Stripe | Payment processing | EU / US (EU SCCs in place)

We do not sell personal data to third parties. We do not share data with advertising networks or data brokers.

7. Cookie Policy

CharterKit uses only strictly necessary cookies for authentication and session management. We do not use:

  • Analytics or tracking cookies
  • Advertising or retargeting cookies
  • Third-party social media cookies

Because we use only essential cookies required for the Service to function, no cookie consent banner is required under the ePrivacy Directive. If we introduce non-essential cookies in the future, we will implement a consent mechanism before doing so.

8. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption in transit (TLS) and at rest
  • Row-level security policies on all database tables, ensuring owners can only access their own data
  • Regular security reviews and dependency updates
  • Minimal data collection -- we only collect what is necessary for the Service

9. International Data Transfers

Where personal data is transferred outside the EEA, we ensure adequate safeguards are in place, including EU Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.

10. Data Protection Officer

For questions regarding our data protection practices, or to exercise your rights, contact our Data Protection Officer:

Email: dpo@charterkit.com

[DPO contact details to be confirmed]

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.