Privacy Policy

Yacht Charter Contract is a contract generation and document management platform for professional charter brokers. The platform enables brokers to select, populate, generate, review, and execute charter agreements across a range of vessel types, charter models, and jurisdictions.

For the purposes of data protection law, the data controller responsible for personal data collected in connection with broker account registration, subscriptions, and platform communications is Yacht Charter Contract. Our contact details for data protection queries are set out in section 13.

Broker account data. When you register for an account or manage your subscription, we collect personal data that you provide directly, including:

• (a)your full name;
• (b)your email address;
• (c)your company or brokerage name;
• (d)your telephone number;
• (e)billing information collected by our payment processor (we do not store full card numbers on our systems);
• (f)any other information you provide when contacting us for support or making an enquiry.

Charter party data entered during contract generation. When you use the platform to generate charter agreements, you enter personal data relating to the parties to those agreements. This data is entered by you and may include:

• (a)the names, addresses, and contact details of owners, charterers, operators, and other named parties;
• (b)vessel details, including name, flag state, registration number, and IMO number where applicable;
• (c)financial terms, including charter fees, advance provisioning allowances, payment schedules, and applicable tax rates;
• (d)charter particulars, including embarkation and disembarkation details, cruising areas, and charter period dates;
• (e)any additional personal data relating to charter parties that you choose to enter into the platform in the course of generating or managing a contract.

Usage data. We collect information about how you interact with the platform, including the pages you visit, the features you use, the agreements you browse and generate, the actions you take within the review and signing workflow, and the frequency and duration of your sessions.

Technical data. We collect technical information automatically when you access the platform, including your IP address, browser type and version, operating system, device type, screen resolution, referring URLs, and session identifiers. This information is used for platform security, performance monitoring, and aggregate analytics.

We use the personal data we collect for the following purposes:

• (a)Contract generation and management — to enable you to select, populate, generate, review, and execute charter agreements through the platform, and to store and make accessible the contracts you have generated;
• (b)Account administration — to create and maintain your account, process your subscription and billing, manage access to platform features, and communicate with you about your account and subscription;
• (c)Platform improvement — to analyse usage patterns and technical performance, identify and fix errors and bugs, develop and test new features, and improve the overall user experience;
• (d)Security and fraud prevention — to monitor for and respond to suspicious activity, protect the platform and its users from unauthorised access, and maintain the integrity of the contract generation and signing process;
• (e)Service communications — to send you notifications that are necessary for the operation of the service, including subscription renewal reminders, payment confirmations, contract status updates, and material changes to these policies;
• (f)Marketing communications — where you have given your consent or where we have a legitimate interest to do so, to send you information about platform updates, new agreements, and relevant industry content. You may opt out of marketing communications at any time using the unsubscribe link in any such communication or by contacting us at the address in section 13.

We rely on the following legal bases under UK GDPR and EU GDPR to process personal data:

Performance of a contract (Article 6(1)(b)). Processing is necessary to perform our contractual obligations to you under the Terms of Use, or to take steps at your request before entering into a contract. This basis applies to:

• (a)broker account data collected during registration and account management;
• (b)the processing of charter party data entered by you during contract generation, to the extent necessary to deliver the contract generation service you have subscribed to;
• (c)billing and subscription management.

Legitimate interests (Article 6(1)(f)). Processing is necessary for our legitimate interests, or those of a third party, except where those interests are overridden by your interests or fundamental rights. This basis applies to:

• (a)analytics and platform improvement — we have a legitimate interest in understanding how the platform is used in order to improve it;
• (b)security and fraud prevention — we have a legitimate interest in protecting the platform and its users from unauthorised access and fraudulent activity;
• (c)direct marketing to existing subscribers about relevant updates and services, where this is proportionate and you would reasonably expect to receive such communications.

Consent (Article 6(1)(a)). Where we rely on your consent as the legal basis for processing — including in relation to marketing communications to prospective users who are not yet subscribers, or the placement of non-essential cookies — we will make this clear at the point of collection and will only process data for those purposes where you have freely given, specific, informed, and unambiguous consent. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Compliance with a legal obligation (Article 6(1)(c)). Where we are required to process personal data to comply with a legal obligation — for example, to maintain records required by applicable law or to respond to lawful requests from regulatory authorities — we will process personal data to the extent required by that obligation.

The roles of data controller and data processor are distinct under UK GDPR and EU GDPR. The distinction is important in the context of this platform because it handles two categories of personal data with different relationships to the platform operator.

Broker account data — data controller. Yacht Charter Contract acts as a data controller in respect of personal data collected from registered brokers in connection with their account and subscription. This includes name, email address, company details, telephone number, and billing information. As data controller, we determine the purposes and means of processing this data and are directly responsible for its lawful handling in accordance with this policy.

Charter party data — data processor. Yacht Charter Contract acts as a data processor in respect of personal data relating to third parties — including owners, charterers, crew, and other named parties — that is entered by brokers during contract generation and management. In this capacity, we process such data only on the broker's instructions and for the purpose of delivering the contract generation service.

Where Yacht Charter Contract acts as data processor, the registered broker is the data controller and is responsible for:

• (a)ensuring that a lawful basis exists for providing charter party personal data to the platform;
• (b)giving appropriate privacy notices to charter parties whose data is entered into the platform, where required by applicable law;
• (c)complying with their own obligations as data controller in respect of that data.

Where required by applicable data protection law, we will enter into a data processing agreement with brokers governing the terms on which we process charter party data on their behalf. Please contact us at the address in section 13 if you require a data processing agreement.

We do not sell personal data to third parties. We do not share personal data with third parties for their own marketing purposes. We share personal data only with the sub-processors and service providers necessary to operate the platform, as described in this section.

We share personal data with the following categories of third-party processors:

• (a)Database infrastructure and hosting provider — we use a cloud-based database and storage provider to host broker account data, generated contracts, review comments, audit logs, and charter party data entered during contract generation. This provider processes data on our behalf from servers located within the European Union and is subject to appropriate data processing terms;
• (b)Electronic signature provider — our electronic signature service processes the personal data of signatories (including names and email addresses) in connection with the review and signing workflow. Each party's signing ceremony is conducted through a secure link issued by this provider. This provider is compliant with eIDAS (EU) and the Electronic Communications Act 2000 (UK);
• (c)Email service provider — we use a third-party email service to send transactional notifications (including contract status updates, account communications, and subscription notices) and, where applicable, marketing communications. This provider processes email addresses and associated communication metadata on our behalf;
• (d)Payment processor — subscription billing is handled by a third-party payment processor. We do not store full payment card data on our systems. The payment processor is subject to PCI-DSS requirements and its own privacy practices.

We may also disclose personal data where required to do so by law, by a court order, by a regulatory authority, or where we reasonably believe that disclosure is necessary to protect the rights, property, or safety of Yacht Charter Contract, our users, or the public. Any such disclosure will be limited to what is strictly required by the relevant legal obligation or safety consideration.

In the event that Yacht Charter Contract is involved in a merger, acquisition, or sale of all or part of its assets, personal data may be transferred to the successor entity as part of that transaction. We will give reasonable prior notice of any such transfer and ensure that the successor entity is bound by data protection obligations no less protective than those in this policy.

Our primary database infrastructure is hosted within the European Union. We use EU-based data centre regions for the storage of broker account data and charter party data entered during contract generation, in order to maintain data residency within the EEA where practicable.

Some of our sub-processors and service providers may process personal data outside the United Kingdom and the European Economic Area. Where personal data is transferred to a country that does not provide an equivalent level of data protection, we ensure that appropriate safeguards are in place as required by UK GDPR and EU GDPR, including:

• (a)Standard Contractual Clauses (SCCs) approved by the European Commission, or the UK International Data Transfer Agreement (IDTA) or UK Addendum as appropriate;
• (b)transfers to countries that benefit from an adequacy decision made by the European Commission or, in respect of transfers from the United Kingdom, by the Secretary of State;
• (c)other appropriate safeguards permitted under Article 46 of UK GDPR and EU GDPR.

If you would like further information about the safeguards we have in place for any particular international transfer, or to obtain a copy of the relevant transfer mechanism, please contact us using the details in section 13.

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. Our retention periods are as follows:

Broker account data. Personal data associated with your broker account — including your name, email address, company details, and subscription history — is retained for the duration of your active subscription and for a period of 24 months following cancellation or termination of your account. This retention period allows us to respond to any post-cancellation queries, resolve disputes, and comply with applicable legal and accounting obligations. After this period, broker account data is securely deleted or anonymised.

Generated contracts. Charter agreements generated through the platform — including the charter party data entered during generation — are retained in accordance with our standard contract retention schedule for the duration of your subscription and for the same 24-month period following account cancellation. If you request deletion of your account and associated data before the end of this period, we will action that request subject to any overriding legal obligations to retain specific records.

Review comments and audit logs. Comments submitted during the contract review workflow and audit logs recording user actions within that workflow are retained for the same period as the associated Generated Contract. Audit logs relating to e-signature ceremonies are subject to the retention policy of our e-signature provider and may be retained for longer periods where required to support the legal validity of executed contracts.

Usage and technical data. Aggregated analytics and technical log data are typically retained for up to 12 months for platform improvement and security monitoring purposes, after which they are deleted or fully anonymised.

Under UK GDPR and EU GDPR, you have the following rights in respect of your personal data. These rights apply to personal data for which Yacht Charter Contract acts as data controller. In respect of charter party data for which Yacht Charter Contract acts as data processor, rights requests should be directed to the data controller (the registered broker) in the first instance.

Right of access. You have the right to request a copy of the personal data we hold about you, together with information about how and why we process it. We will respond to access requests within one calendar month of receipt.

Right to rectification. You have the right to request correction of any inaccurate or incomplete personal data we hold about you. Where correction is straightforward — for example, updating your name or email address — you can make these changes directly through your account settings.

Right to erasure. You have the right to request deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purpose for which it was collected, where you withdraw consent (where consent was the legal basis for processing), or where you object to processing and there are no overriding legitimate grounds. We will consider all erasure requests and respond within one calendar month. We may decline to erase data where we are required to retain it to comply with a legal obligation or to establish, exercise, or defend legal claims.

Right to data portability. Where we process your personal data on the basis of your consent or the performance of a contract, and that processing is carried out by automated means, you have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format, and to request that we transmit it directly to another controller where this is technically feasible.

Right to object. You have the right to object to processing of your personal data where that processing is based on our legitimate interests. Where you object, we will cease processing unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, or where the processing is necessary for the establishment, exercise, or defence of legal claims. You have an absolute right to object to processing of your personal data for direct marketing purposes, and we will always comply with such an objection.

Right to restriction of processing. You have the right to request that we restrict the processing of your personal data in certain circumstances — for example, where you contest the accuracy of the data, where processing is unlawful and you prefer restriction to erasure, or where we no longer need the data but you require it for legal claims.

How to exercise your rights. To exercise any of the rights set out in this section, please contact us by email at privacy@yachtchartercontract.com. We will acknowledge your request within five business days and respond in full within one calendar month. We may ask you to verify your identity before processing your request in order to protect the security of personal data.

Right to complain. If you are not satisfied with our response to a data protection query or concern, or if you believe we are processing your personal data in a manner that is inconsistent with applicable data protection law, you have the right to lodge a complaint with the relevant supervisory authority. In the United Kingdom, this is the Information Commissioner's Office (ICO) at ico.org.uk. For data subjects within the European Economic Area, the relevant supervisory authority is the data protection authority of your country of residence or place of work.

We use cookies and similar tracking technologies on the platform. A cookie is a small text file placed on your device by a website. Cookies allow the platform to remember your preferences, maintain your session, and understand how you interact with the platform.

We use the following categories of cookies:

• (a)Strictly necessary cookies — these are essential for the platform to function and cannot be switched off. They are used to maintain your authenticated session, enable core navigation, and support the security of the platform. These cookies do not require your consent;
• (b)Functional cookies — these allow the platform to remember choices you have made (such as your display preferences) and provide enhanced, personalised features. These cookies are set on the basis of your consent or our legitimate interest where they are integral to service delivery;
• (c)Analytics cookies — these help us understand how brokers use the platform by collecting and reporting information about site traffic, feature usage, and session behaviour in aggregate. Analytics cookies are set only with your consent.

We do not use advertising or third-party tracking cookies for the purposes of behavioural profiling or cross-site advertising.

You can manage your cookie preferences at any time through your browser settings. Most browsers allow you to refuse new cookies, delete existing cookies, and set preferences for certain websites. Please note that disabling strictly necessary cookies will affect the platform's core functionality and may prevent you from accessing certain features. Instructions for managing cookies in common browsers are available at www.aboutcookies.org.

We take the security of personal data seriously and implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. Our security measures include:

• (a)Encryption in transit — all data transmitted between your browser and the platform is encrypted using TLS (Transport Layer Security);
• (b)Encryption at rest — personal data stored in our database infrastructure is encrypted at rest;
• (c)Access controls — access to personal data within our systems is restricted to personnel and automated processes that require it to perform their function, on a least-privilege basis;
• (d)Authentication — account access is protected by secure authentication mechanisms. We recommend that you use a strong, unique password for your account;
• (e)Audit logging — actions taken within the platform — including contract generation, review, and signing events — are logged to support audit and accountability;
• (f)Sub-processor security — we require our sub-processors to maintain appropriate security standards commensurate with the sensitivity of the data they process on our behalf.

While we implement these measures, no system is completely immune from security risks. You are responsible for maintaining the security of your account credentials and for notifying us immediately if you become aware of any unauthorised access to or use of your account.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority without undue delay and, where required, the affected individuals, in accordance with our obligations under UK GDPR and EU GDPR.

We may update this Privacy Policy from time to time to reflect changes in how we process personal data, changes in applicable data protection law, or changes in the platform and its features. The effective date at the top of this policy indicates when it was last revised.

Where changes are material — for example, where we introduce a new purpose for processing, a new category of data, or a new sharing arrangement — we will notify registered brokers by email to the address associated with their account before the revised policy takes effect. We will give at least 14 days' prior notice of material changes, except where changes are required by law or to address a security risk, in which case they may take effect immediately.

Your continued use of the platform following the effective date of any revised policy constitutes your acknowledgement of those changes. If you have any questions about a change to this policy, please contact us using the details in section 13.

If you have any questions about this Privacy Policy, wish to exercise any of your data subject rights, have a concern about our data protection practices, or wish to request a data processing agreement, please contact our data protection team: