Privacy Policy

1. Data Controller Information

The data controller responsible for your personal information is:

2. Information We Collect

2.1 Account Information

• Registration Data: Name, email address, password (encrypted), phone number, profile photo
• Profile Information: User type (buyer/seller/dealer), business name, location, bio
• Verification Data: Government-issued ID, business registration documents (for dealers)

2.2 Listing Information

• Boat Details: Title, description, category, specifications, condition, price
• Media: Photos, videos of boats and equipment
• Location Data: Address, city, country, GPS coordinates (for map display)
• Contact Information: Phone number, email for buyer inquiries

2.3 Transaction and Payment Information

• Payment Data: Processed securely through Stripe (we do not store full card details)
• Billing Information: Name, address, VAT number (if applicable)
• Transaction History: Listing fees, featured placement purchases, subscription plans

2.4 Communication Data

• Messages: Communications between buyers and sellers through our platform
• Support Inquiries: Customer service correspondence, feedback, complaints
• Reviews: Ratings and reviews you provide or receive

2.5 Technical and Usage Data

• Device Information: IP address, browser type, device type, operating system
• Usage Data: Pages visited, time spent, listings viewed, search queries
• Location Data: GPS location (with your permission) for proximity search
• Cookies: Session cookies, preference cookies, analytics cookies

3. How We Collect Information

3.1 Information You Provide

We collect information directly from you when you register, create listings, communicate with other users, make payments, or contact customer support.

3.2 Automated Collection

We automatically collect certain information through cookies, web beacons, and similar technologies when you use our platform. This includes browsing behavior, search patterns, and device information.

3.3 Third-Party Sources

We may receive information from third-party services such as social media platforms (if you sign in with Google or Facebook), payment processors (Stripe), analytics providers (Google Analytics), and fraud prevention services (Cloudflare Turnstile).

4. How We Use Your Information

We use your personal information for the following purposes:

4.1 Service Provision

• Create and manage your account
• Process and display your boat listings
• Facilitate communication between buyers and sellers
• Process payments and subscriptions
• Provide customer support
• Send transactional emails (confirmations, receipts, notifications)

4.2 Platform Improvement

• Analyze usage patterns to improve user experience
• Develop new features and services
• Conduct research and analytics
• Personalize content and recommendations

4.3 Safety and Security

• Prevent fraud, spam, and abuse
• Verify user identity and listings
• Enforce our Terms of Service
• Protect against security threats
• Resolve disputes

4.4 Marketing and Communication

• Send promotional emails (with your consent)
• Notify you about new features and updates
• Conduct surveys and gather feedback

5. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data based on the following legal grounds:

5.1 Contractual Necessity

Processing is necessary to provide our services to you, including account creation, listing management, and facilitating transactions.

5.2 Legitimate Interests

We process data to improve our services, prevent fraud, ensure platform security, and analyze usage patterns, where such processing does not override your rights and freedoms.

5.3 Legal Obligations

We process data to comply with legal requirements, including tax laws, financial regulations, and law enforcement requests.

5.4 Consent

For marketing communications, cookies (non-essential), and GPS location tracking, we obtain your explicit consent, which you can withdraw at any time.

6. Information Sharing and Disclosure

6.1 Public Information

Information in your public listings (boat details, photos, location, contact information) is visible to all users and may appear in search engines.

6.2 Other Users

When you communicate with other users, they can see your name, profile photo, and any information you choose to share.

6.3 Service Providers

We share information with third-party service providers who perform services on our behalf:

• Payment Processing: Stripe (for secure payment transactions)
• Cloud Hosting: Vercel, Supabase (for data storage and hosting)
• Analytics: Google Analytics, Facebook Pixel (for usage analytics)
• Maps & Geolocation: Mapbox (for address autocomplete and maps)
• Email Services: For transactional and marketing emails
• Security: Cloudflare Turnstile (for bot protection)

6.4 Business Transfers

If BoatSaga is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

6.5 Legal Requirements

We may disclose your information if required by law, including:

• Compliance with legal obligations or court orders
• Protecting the rights, property, or safety of BoatSaga, users, or the public
• Investigating fraud or security issues
• Responding to law enforcement requests

7. International Data Transfers

BoatSaga is a global marketplace. Your data may be transferred to and stored in countries outside the European Economic Area (EEA), including the United States.

7.1 Transfer Safeguards

When we transfer your data internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): EU-approved contracts with data processors
• Privacy Shield (where applicable): For transfers to certified U.S. companies
• Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
• Encryption: All data transfers are encrypted in transit and at rest

7.2 Third-Party Locations

• Stripe: United States (Payment processing)
• Vercel: Global CDN (Hosting)
• Supabase: Europe and United States (Database)
• Google/Facebook: Global (Analytics and authentication)

8. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this policy:

8.1 Retention Periods

• Active Accounts: Data retained while your account is active
• Deleted Accounts: Most data deleted within 30 days; some retained for legal compliance (up to 7 years for tax/financial records)
• Listings: Archived listings retained for 90 days after deletion; sold/expired listings may be kept for analytics (anonymized after 12 months)
• Messages: Deleted 90 days after account closure or upon request
• Transaction Records: Retained for 7 years for tax and accounting purposes (legal requirement)
• Analytics Data: Anonymized after 24 months

9. Data Security

We implement industry-standard security measures to protect your personal information:

9.1 Technical Measures

• Encryption: TLS/SSL encryption for data in transit; AES-256 encryption for data at rest
• Authentication: Secure password hashing (bcrypt), multi-factor authentication options
• Access Controls: Role-based access, principle of least privilege
• Bot Protection: Cloudflare Turnstile to prevent automated attacks
• Regular Security Audits: Penetration testing and vulnerability assessments

9.2 Organizational Measures

• Employee training on data protection and security
• Confidentiality agreements with all staff and contractors
• Incident response plan for data breaches
• Regular backups and disaster recovery procedures

9.3 Data Breach Notification

In the event of a data breach affecting your personal information, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.

10. Your Rights (GDPR & Global)

Under GDPR and other privacy laws, you have the following rights regarding your personal data:

10.1 Right to Access

You can request a copy of all personal data we hold about you. We will provide this in a structured, commonly used, machine-readable format.

10.2 Right to Rectification

You can update inaccurate or incomplete personal information through your account settings or by contacting us.

10.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data. We will comply unless we have a legal obligation to retain it (e.g., financial records, legal disputes).

10.4 Right to Restriction

You can request that we restrict processing of your data in certain circumstances, such as while we verify the accuracy of data you've contested.

10.5 Right to Data Portability

You can request your data in a portable format and have it transferred to another service provider.

10.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.

10.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.

10.8 How to Exercise Your Rights

To exercise any of these rights, please contact us at info@boatsaga.com. We will respond within 30 days.

11. Cookies and Tracking Technologies

11.1 Types of Cookies We Use

Essential Cookies (Always Active)

• Authentication: Keep you logged in
• Security: Prevent CSRF attacks, bot detection
• Session Management: Remember your preferences during a visit

Analytics Cookies (Consent Required)

• Google Analytics: Track page views, user behavior, conversion rates
• Facebook Pixel: Measure ad performance and user engagement

Functional Cookies (Consent Required)

• Language Preference: Remember your language selection
• Map Settings: Remember map zoom and view preferences
• Filters: Save your search filter preferences

Marketing Cookies (Consent Required)

• Advertising: Show relevant ads based on your interests
• Retargeting: Display BoatSaga ads on other websites

11.2 Managing Cookies

You can manage cookie preferences through our cookie banner or your browser settings. Disabling certain cookies may limit functionality. Essential cookies cannot be disabled as they are necessary for the platform to function.

11.3 Cookie Duration

• Session Cookies: Deleted when you close your browser
• Persistent Cookies: Stored for up to 24 months
• Third-Party Cookies: Duration set by the third party (see their privacy policies)

12. Third-Party Services

Our platform integrates with the following third-party services. Each has its own privacy policy:

12.1 Payment Processing

• Stripe: stripe.com/privacy

12.2 Authentication

• Google OAuth: policies.google.com/privacy
• Facebook Login: facebook.com/privacy

12.3 Analytics and Advertising

• Google Analytics: policies.google.com/privacy
• Facebook Pixel: facebook.com/privacy

12.4 Maps and Geolocation

• Mapbox: mapbox.com/privacy

12.5 Security

• Cloudflare: cloudflare.com/privacypolicy

13. Children's Privacy

BoatSaga is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If you are under 18, please do not use our services or provide any information to us.

If we learn that we have collected personal information from a child under 18, we will delete that information immediately. If you believe we have collected information from a child, please contact us at info@boatsaga.com.

14. Marketing Communications

14.1 Opt-In

We only send marketing communications if you have opted in. You can manage your communication preferences in your account settings.

14.2 Opt-Out

You can unsubscribe from marketing emails at any time by:

• Clicking the "Unsubscribe" link in any marketing email
• Updating your preferences in account settings
• Contacting us at info@boatsaga.com

14.3 Transactional Emails

You cannot opt out of transactional emails (order confirmations, security alerts, account notifications) as they are necessary for the service.

15. Do Not Track Signals

Some browsers have a "Do Not Track" feature. Currently, there is no industry standard for how to respond to these signals. We do not currently respond to Do Not Track signals, but you can control tracking through our cookie settings and browser preferences.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

16.1 Notification of Changes

• We will update the "Last updated" date at the top of this policy
• For material changes, we will notify you by email or prominent notice on our platform
• Continued use of our services after changes constitutes acceptance of the updated policy

16.2 Your Options

If you do not agree with the updated policy, you can delete your account. We will process the deletion in accordance with our data retention policy.

17. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

17.1 Response Time

We aim to respond to all privacy-related inquiries within 30 days. For urgent matters (such as data breach concerns), contact us immediately by phone.

18. Supervisory Authority

If you are located in the European Economic Area (EEA) or Norway, you have the right to lodge a complaint with your local data protection authority.

18.1 Norway

18.2 Other Countries

For users in other countries, contact your local data protection authority. A list of EU data protection authorities can be found at: edpb.europa.eu

Additional Information for Specific Regions

California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information held by businesses
• Right to opt-out of the sale of personal information (Note: We do not sell personal information)
• Right to non-discrimination for exercising your CCPA rights

UK Residents (UK GDPR)

If you are in the United Kingdom, your rights are protected under UK GDPR, which mirrors EU GDPR with similar protections and rights.

Rest of World

We respect privacy rights globally and strive to provide the same level of protection to all users, regardless of location.