Privacy Policy

Last updated: February 3, 2026

1. Introduction

This Privacy Policy applies to all products, services, and websites operated by MarSoft AI ("we", "us", "our"), including but not limited to: CrewRef, Voyage Stories, Explorers Hub, CrewPost, Dust Free Film, and Seafarer Capital (collectively, "the Services").

We are committed to protecting your privacy and handling your personal data in accordance with the General Data Protection Regulation (GDPR), applicable Greek and EU data protection laws, and international privacy standards.

2. Data Controller

MarSoft AI is the data controller for all personal data processed through our Services.

3. Data We Collect

3.1 Account Data

  • Full name and email address
  • Professional title, rank, or position
  • Profile photo (if provided via Google OAuth or upload)
  • Phone number, vessel name, company name (where applicable, optional)
  • Authentication data (hashed passwords, OAuth tokens)

3.2 Service-Specific Data

Depending on which Services you use, we may collect:

  • CrewRef: Reference letter content, crew member details, vessel information, service dates, professional assessments, referee information, verification records
  • Voyage Stories: KML/GPX voyage data, route coordinates, waypoint names, photos, captions, voyage narratives, guest book entries
  • Explorers Hub: Expedition logs, community posts, user interactions
  • CrewPost: Job postings, crew profiles, application data
  • Dust Free Film: Customer information, vehicle details, service records, appointment data
  • Seafarer Capital: Financial preferences, portfolio data

3.3 Technical Data

  • IP address and approximate geolocation
  • Browser type, version, and device information
  • Usage patterns and page interactions (via analytics)
  • Error reports and performance data (via Sentry)
  • Cookies and session identifiers

3.4 Payment Data

Where Services involve payments (e.g., premium features), payment processing is handled entirely by our payment provider (Polar). We never store your full credit card number, CVV, or banking details. We receive only: transaction ID, amount, currency, and payment status.

4. How We Use Your Data

  • Service delivery: Providing, maintaining, and improving the Services you use — including creating content, sending verifications, processing transactions, and enabling collaboration.
  • Account management: Authentication (including Google OAuth), profile management, and dashboard functionality.
  • Communication: Transactional emails (verification, notifications, confirmations) via our email service providers. We will never send unsolicited marketing emails without explicit consent.
  • Security: Fraud prevention, abuse detection, and maintaining platform integrity.
  • Analytics: Understanding usage patterns to improve user experience and fix issues.
  • Legal compliance: Meeting obligations under applicable laws and regulations.

5. Legal Basis for Processing (GDPR)

We process your data under the following legal bases (Article 6 GDPR):

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Services you requested.
  • Legitimate interests (Art. 6(1)(f)): Platform security, fraud prevention, analytics, service improvement, and direct business communications.
  • Consent (Art. 6(1)(a)): Where explicitly obtained — for example, optional marketing communications or non-essential cookies.
  • Legal obligation (Art. 6(1)(c)): Where required by EU, Greek, or other applicable law.

6. Data Sharing & Sub-Processors

We share your data only as necessary to operate the Services:

  • Supabase (database & authentication) — EU-hosted infrastructure
  • Neon (database) — for select Services
  • Vercel (hosting & deployment) — serves and processes requests
  • Resend (email delivery) — transactional emails only
  • Polar (payment processing)
  • Google Analytics (analytics) — anonymized usage data
  • Sentry (error monitoring) — error reports for platform stability
  • Google OAuth (authentication) — when you choose to sign in with Google

We do not sell, rent, or trade your personal data. We do not share data for advertising or third-party marketing purposes.

7. Public Content

Some Services allow you to publish content that becomes publicly accessible:

  • CrewRef: Published references are accessible via unique verification links. Both referee and crew member participate in the publication process through email confirmation.
  • Voyage Stories: Published voyages are accessible via shareable links. Guest book entries on public voyages are visible to all visitors.
  • Explorers Hub: Public expedition logs and community posts.

You can revoke or unpublish your content at any time from your dashboard, which removes public access.

8. Data Retention

  • Account data: Retained until you request account deletion.
  • Service content: Retained until you delete it or request account deletion.
  • Technical/analytics data: Up to 12 months for analytics; up to 90 days for error reports.
  • Payment records: Retained as required by tax and accounting regulations (typically 7 years).

Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

9. Your Rights (GDPR)

You have the following rights under the GDPR:

  • Access: Request a copy of your personal data.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your personal data ("right to be forgotten").
  • Restriction: Request limitation of processing.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, withdraw at any time without affecting prior processing.

To exercise any right, email privacy@marsoft.ai. We will respond within 30 days.

10. Data Security

We implement appropriate technical and organizational measures including:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Row-level security (RLS) policies on all database tables
  • Secure authentication with hashed passwords and OAuth 2.0
  • Regular security reviews and dependency audits
  • Principle of least privilege for all system access

No system is 100% secure. We cannot guarantee absolute security, but we take all reasonable measures to protect your data.

11. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), adequacy decisions by the European Commission, or other legally recognized mechanisms.

12. Cookies & Tracking

  • Essential cookies: Required for authentication, session management, and core functionality. Cannot be disabled.
  • Analytics cookies: Used to understand how the Services are used. You may opt out via browser settings, cookie preferences, or browser extensions.

We do not use advertising cookies or trackers.

13. Children's Privacy

Our Services are not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it promptly. If you believe a child has provided us data, contact us immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or prominent notice on our Services. Your continued use after changes are posted constitutes acceptance. We encourage you to review this page periodically.

15. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection authority. In Greece, this is the Hellenic Data Protection Authority (HDPA): www.dpa.gr

16. Contact

For any privacy-related inquiries:

← Back to Home