Privacy Policy

Effective date: March 15, 2026
Last updated: April 25, 2026 — added section on derived sign-up country / connection metadata used for internal spam detection (raw IP not stored)


1. Who We Are

Yachtie is a professional networking platform for the yachting industry. The data controller responsible for your personal data is Sonce Studio d.o.o., registration number (matična številka): 9724575000, tax number (davčna številka): 97200034, registered in Slovenia, with its registered address at Ljubljanska cesta 11, 4220 Škofja Loka, Slovenia, operating the Yachtie product on behalf of its founder and product owner, Jure Kovač. References to "we", "us", and "our" in this policy refer to Sonce Studio d.o.o. in its capacity as data controller for the Yachtie service.

In the event that a dedicated Yachtie entity is established, the data controller role will transfer to that entity and this policy will be updated accordingly.

Contact details:

This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the Yachtie iOS application and the yachtie.co website (collectively, the "Service"). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.


2. What This Policy Covers

This Privacy Policy applies to:

  • The Yachtie iOS app — our mobile application for professional networking in the yachting industry.
  • The yachtie.co website — our marketing website, including early access sign-up forms.
  • Any related services operated by Yachtie.

3. Data We Collect

3.1 Data You Provide Directly

Account information: When you create an account, we collect your email address and name. If you sign in with Apple, we receive your name and email as authorised by you through Apple's sign-in flow.

Profile information: You may provide additional profile details including your username, biography, profile photo, home country, department (e.g., deck, engineering, interior), and role within the yachting industry.

Professional information: You may add certifications (stored as boolean flags indicating you hold a certification — we do not store the certificate documents themselves), vessel assignments (including vessel name, role, and dates), and upload your CV (PDF). Your CV is compressed and stored securely.

Communications: Messages you send to other users through the Yachtie messaging feature, including any media shared within conversations.

Reference contacts: When adding references to vessel assignments, you may provide a reference's name, email address, and phone number. This is third-party personal data, and you must confirm that you have the reference's permission before providing it.

Social links: You may optionally add links to your Instagram, X (formerly Twitter), TikTok, and personal website profiles.

Employer verification data: If you are a captain, head of department, or other employer-side user undergoing verification, we collect your name, role, WhatsApp contact, CV, and a government-issued photo ID (passport, national ID, or driving licence).

Event data: If you create or attend a Hangout (social event), we collect event details and attendance information.

Phone number (optional): If you add a contact phone number in the Work/dockwalking section, we store it securely. When you have dockwalking enabled, your phone number may be visible to employer-side users (captains, heads of department) who view your profile. Your phone number is deleted when you delete your account, and you can remove or update it at any time in the app's Work section.

Interests: You may select interests and activities that help others discover and connect with you.

Early access sign-up (website): If you sign up for early access via our website, we collect your email address, role/department, device preference, and any optional free-text responses you provide through the Tally sign-up form.

3.2 Data Collected Automatically

Location data (with your permission): If you enable location sharing, we collect your device's GPS location. Your location is only shared with other users after being approximated (spoofed to roughly a 1 km radius) — we never display your precise location to other users. Location data is only collected when the app is in use ("When In Use" permission), not in the background. Only your most recent location is stored; we do not maintain a location history.

Device and usage data: We collect usage analytics through PostHog, including feature interactions and app events. When you are signed in, analytics events are linked to your user ID (pseudonymised data under GDPR Art. 4(5)); when you are not signed in, events are not linked to your identity. PostHog is configured to run through our own domain (e.yachtie.co) and we do not use analytics data for advertising, profiling, or cross-app tracking. Analytics are enabled by default under legitimate interest, but you can opt out at any time in Settings.

Push notification tokens: If you enable push notifications, we receive a device token from Apple's Push Notification Service to deliver notifications to your device. Your device token is deleted when you delete your account.

Authentication metadata: We automatically collect technical data necessary for your account to function, including your user ID, account creation date, and last sign-in timestamp.

Sign-up country and connection metadata (derived from IP, raw IP not stored): When you sign up or first sign in to the iOS app, we briefly process the IP address that your request originates from in order to derive: (i) the country and region your sign-up came from, (ii) the name of your internet service provider or hosting org (text label only — no other network details), (iii) whether the IP belongs to a datacenter / hosting provider rather than a residential or mobile network, and (iv) whether you connected through Apple's iCloud Private Relay. We do not store the raw IP address itself — only these derived fields are persisted. We use this signal exclusively for internal spam and abuse detection (administrators may view your country and a per-account "trust score" while triaging suspicious accounts) — we never use it to advertise to you, profile you commercially, or share it externally. The signal is computed once at sign-up and is updated on first sign-in for users whose accounts pre-date this feature.

3.3 Data From Third Parties

Apple Sign-In: If you sign in with Apple, we receive your name and email address as authorised by you. Apple may provide a private relay email address if you choose to hide your email.

Tally (early access forms): If you sign up for early access via our website, your form responses (email, role, device preference, and any free-text answers) are collected through Tally, a third-party form provider based in the EU. Tally transmits this data to us for the purpose of managing our early access programme.


4. How We Use Your Data

We process your personal data for the following purposes and on the following legal bases:

| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Account creation and authentication | Email, name | Contract (Art. 6(1)(b)) — necessary to provide the Service |
| Displaying your profile to other users | Profile information, certifications, social links | Contract (Art. 6(1)(b)) — core app functionality |
| Messaging between users | Messages, media | Contract (Art. 6(1)(b)) — core app functionality |
| CV storage and sharing with employers | CV file, professional history | Contract (Art. 6(1)(b)) — user-requested feature |
| CV access by captains/heads of department | CV file | Consent (Art. 6(1)(a)) — explicit sharing action required |
| Location sharing with friends | GPS location (approximated) | Consent (Art. 6(1)(a)) — optional, explicit opt-in; only visible to friends |
| Dockwalking / daywork availability | Approximate distance, availability status | Consent (Art. 6(1)(a)) — optional, explicit opt-in; visible only to employers |
| Contact phone number (dockwalking) | Phone number | Consent (Art. 6(1)(a)) — optional; shared with employer-side users when dockwalking is enabled |
| Push notifications | Device token | Consent (Art. 6(1)(a)) — iOS requires explicit permission |
| Reference contact storage | Reference name, email, phone | Consent (Art. 6(1)(a)) — you must confirm you have the reference's permission |
| Employer identity verification | Name, role, WhatsApp, CV, ID document | Consent (Art. 6(1)(a)) — explicit consent at submission |
| Hangouts and events | Event details, attendance | Contract (Art. 6(1)(b)) — app functionality |
| Usage analytics (pseudonymised when signed in) | Feature usage, app events (via PostHog) | Legitimate Interest (Art. 6(1)(f)) — service improvement, balanced against your privacy (see Section 4.1) |
| Fraud prevention and platform safety | Account activity, usage patterns | Legitimate Interest (Art. 6(1)(f)) — protecting users and the platform |
| Spam and fake-account detection (admin triage) | Derived sign-up country / region, ISP/org label, datacenter-vs-residential flag, Apple Private Relay flag, profile completeness, friend and message activity, vessel claim, position title — combined into an internal "trust score" visible only to administrators | Legitimate Interest (Art. 6(1)(f)) — protecting the integrity of a small, professional community against bots, scrapers, and impersonation. Country is shown as context only and is never used as an automated rejection criterion. Raw IP is discarded after derivation. |
| Early access sign-up | Email, role, preferences | Consent (Art. 6(1)(a)) — voluntary form submission |
| Marketing emails | Email | Consent (Art. 6(1)(a)) — explicit opt-in only |

4.1 Legitimate Interest Assessment (Analytics)

We use PostHog for usage analytics to understand how the app is used and to improve the Service. When you are signed in, analytics events are linked to your user ID (pseudonymised); when you are not signed in, events are not linked to your identity. We have assessed that this processing is in our legitimate interest because:

  • It is necessary to identify bugs, measure feature adoption, and improve the product.
  • The impact on your privacy is low — analytics are pseudonymised (linked to a user ID when signed in, but not used for advertising, profiling, or targeting).
  • PostHog is proxied through our own domain (e.yachtie.co) to minimise third-party exposure.
  • You can opt out of analytics at any time in the app's Settings, making consent withdrawal as easy as granting it.

5. Who We Share Your Data With

5.1 Other Yachtie Users

Your data is shared with other users based on your privacy settings:

  • Profile information (name, username, bio, photo, certifications, interests, social links): Visible to other users as part of the networking functionality.
  • Location: Only visible to confirmed friends if you have set location sharing to "Friends only." Never shared if set to "Off." Your displayed location is always approximated — we never reveal your precise coordinates.
  • Current vessel: Visible based on your vessel visibility setting: everyone, friends only, or hidden.
  • CV: Accessible only to authorised employer-side users (captains/heads of department) based on your CV sharing settings. Every access is logged, and you can review who has viewed your CV in the CV Access Log.
  • Dockwalking/daywork status: If enabled, your approximate distance and availability are visible to potential employers only — not to other crew members. If you have provided a contact phone number, it may also be visible to employer-side users viewing your profile while dockwalking is enabled.
  • Messages: Visible only to the participants in a conversation.

5.2 Service Providers (Data Processors)

We use the following third-party service providers to operate the Service. Each acts as a data processor on our behalf under appropriate data processing agreements:

| Service provider | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage, real-time features | All app data (profiles, messages, files, auth) | AWS (EU region) |
| Apple | Push notifications, Apple Sign-In | Device tokens, authentication credentials | Global |
| PostHog | Pseudonymised usage analytics (app and website) | Feature usage events, user identification when signed in (opt-out available) | EU / proxied via e.yachtie.co |
| Vercel | Website hosting | Website access logs, IP addresses | Global edge network |
| Tally | Early access sign-up forms | Email, role, device preference, free-text responses | EU |

We maintain an up-to-date list of our sub-processors at yachtie.co/subprocessors. If this page is not yet available, you may request a current list by emailing privacy@yachtie.co.

5.3 Legal Requirements

We may disclose your personal data if required to do so by law, regulation, legal process, or enforceable governmental request, or where we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a lawful request from a public authority.

5.4 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.


6. International Data Transfers

Our primary data infrastructure (Supabase) is hosted in the EU. Some of our service providers operate globally. Where your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We rely on EU-approved Standard Contractual Clauses with service providers that process data outside the EEA.
  • Adequacy decisions: Where the European Commission has determined that a country provides an adequate level of data protection, transfers are made on that basis.

You can request more information about the specific safeguards we apply by contacting us at privacy@yachtie.co.


7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

| Data category | Retention period | What happens after |
|---|---|---|
| Active account data (profile, certifications, social links, interests) | Duration of your account | Deleted or anonymised on account deletion |
| Messages | Duration of your account | Anonymised on account deletion (sender name replaced with "Deleted User"; message content retained for conversation continuity) |
| CV and media files (avatars, hangout images) | Duration of your account | Permanently deleted on account deletion |
| Location data | Most recent location only (overwritten on each update) | Deleted on account deletion or when location sharing is disabled |
| Employer verification ID documents | Maximum 30 days after verification or rejection | Automatically deleted; only a "verified" flag is retained |
| CV access logs | 2 years | Purged after retention period |
| Authentication logs | 90 days | Purged after retention period |
| Derived sign-up country / connection metadata | Duration of your account | Deleted on account deletion. Raw IP is never stored — only the derived country, region, ISP/org label, and the datacenter / Apple-Relay flags. |
| Early access sign-up data | Until product launch + 6 months | Manually purged |
| Support correspondence | 3 years | Manually purged |
| Aggregated analytics | Indefinitely | Not personal data — contains no identifying information |
| Database backups | 30 days (rolling) | Automatically overwritten |

What we retain after account deletion

After you delete your account, we retain only:

  • Anonymised messages — your messages are attributed to "Deleted User" to preserve conversation flow for other participants. No identifying information is linked to these messages.
  • Aggregated analytics data — which contains no personally identifiable information.
  • Legal hold data — only if required by applicable law or legal proceedings.

We also retain a minimal audit record of the deletion event itself (user ID and deletion timestamp) for security and legal compliance purposes; this record does not include any profile or content data.

We permanently delete your profile information, location data, CVs, media files, phone number, push notification tokens, in-app notification history, social links, certifications, vessel assignments, friendships, and consent records.


8. Your Rights

Under the GDPR and applicable data protection laws, you have the following rights regarding your personal data:

Right of access (Art. 15). You have the right to request a copy of the personal data we hold about you. You can request a data export through the app's Settings or by contacting privacy@yachtie.co.

Right to rectification (Art. 16). You can correct inaccurate personal data directly in the app by editing your profile, or by contacting us for data that cannot be self-corrected.

Right to erasure / "right to be forgotten" (Art. 17). You can delete your account at any time through the app's Settings. Deletion is processed immediately and will delete or anonymise your personal data as described in Section 7. You may also request deletion by contacting privacy@yachtie.co.

Right to data portability (Art. 20). You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON). This includes data you provided to us under consent or contract: profile data, messages you sent, events you created, your CV, certifications, friendships, vessel assignments, social links, interests, consent records, notifications, CV access logs, and verification records. You can request a data export through the app or by emailing privacy@yachtie.co.

Right to restrict processing (Art. 18). You can request that we restrict the processing of your personal data in certain circumstances, such as while we verify the accuracy of your data following a dispute.

Right to object (Art. 21). You have the right to object to processing based on legitimate interest (such as analytics). You can opt out of analytics at any time in the app's Settings. For other objections, contact privacy@yachtie.co.

Right to withdraw consent (Art. 7(3)). Where we rely on your consent as the legal basis for processing, you can withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. You can withdraw consent for:

  • Location sharing — via Settings in the app (toggle off).
  • Push notifications — via Settings in the app or iOS Settings.
  • Analytics — via Settings in the app (toggle off).
  • Marketing emails — via the unsubscribe link in any marketing email, or in Settings.
  • Dockwalking/daywork visibility — via Settings in the app (toggle off).
  • Contact phone number (dockwalking) — remove or update in the app's Work section, or contact us.

Withdrawing consent is always as easy as giving it — the same screen, the same controls.

How to Exercise Your Rights

You can exercise most of these rights directly within the Yachtie app:

  • Download your data: Settings > Privacy > Download My Data (the download link expires after 24 hours for security; you may request one export per 24-hour period)
  • Delete your account: Settings > Privacy > Delete My Account
  • Manage consent: Settings (analytics, location, notifications, marketing toggles)
  • Edit your profile: Your profile screen

For any request you cannot complete in-app, or for complex requests, email us at privacy@yachtie.co. We will verify your identity before processing any request — if you submit a request via email, we may ask you to confirm from the email address associated with your Yachtie account, which typically takes no more than 10 days. Once your identity is verified, we will respond within 30 days. If your request is complex, we may extend this by an additional 60 days, in which case we will notify you of the extension and the reasons for it.


9. Cookies and Tracking

9.1 Yachtie iOS App

The Yachtie app does not use cookies. We use PostHog for usage analytics, which is proxied through our domain (e.yachtie.co). PostHog identifies you for analytics purposes using your user ID when you are signed in. You can disable analytics entirely in the app's Settings. PostHog analytics in the app do not track you across other apps or websites.

9.2 yachtie.co Website

Our website uses PostHog for analytics to understand how visitors interact with our site, including page views, referral sources, and device types. PostHog is configured to respect user privacy and is proxied through e.yachtie.co.

We use only essential cookies that are strictly necessary for the website to function. We do not use advertising cookies or cross-site tracking.

If we change our cookie practices in the future, we will update this section and implement an appropriate consent mechanism.


10. Children's Privacy

Yachtie is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children under 18. The yachting industry is a professional environment, and positions aboard vessels require individuals to be at least 18 years of age.

If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data as quickly as possible. If you believe that a user under 18 has created an account, please contact us at privacy@yachtie.co.


11. Automated Decision-Making

Yachtie does not use automated decision-making or profiling that produces legal effects or similarly significant effects on you. We do not use AI or algorithms to make decisions about your access to features, employment opportunities, or standing on the platform.


12. Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it:

Technical measures:

  • Encryption in transit (HTTPS/TLS) for all data transmitted between your device, our servers, and our service providers.
  • Encryption at rest for all data stored in our database and file storage.
  • Row-Level Security (RLS) policies at the database level, ensuring users can only access data they are authorised to see.
  • Parameterised queries to prevent SQL injection attacks.
  • Signed, time-limited URLs (15-minute expiry) for accessing stored files such as CVs.
  • Location spoofing and approximation to prevent precise location exposure.

Organisational measures:

  • Strict access controls limiting who can access the database and stored files.
  • ID documents for employer verification are only accessible to a small, trained internal team and are automatically deleted within 30 days.
  • CV access logging to maintain an audit trail of who accessed your professional documents.

While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, providing information about the nature of the breach and the steps we are taking.


13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • For significant changes, notify you via email or through an in-app notification.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.


14. How to Contact Us and File a Complaint

Contact us:

For any questions or concerns about this Privacy Policy or our data practices, or to exercise any of your rights:

  • Email: privacy@yachtie.co
  • General inquiries: hello@yachtie.co
  • Data controller: Sonce Studio d.o.o., Ljubljanska cesta 11, 4220 Škofja Loka, Slovenia (matična številka: 9724575000)

Supervisory authority:

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with a data protection supervisory authority in the EU/EEA member state where you reside, work, or where you believe an infringement has occurred.

For users in Slovenia, the relevant authority is:

Informacijski pooblaščenec (Information Commissioner)
Dunajska cesta 22, 1000 Ljubljana, Slovenia
Website: https://www.ip-rs.si
Email: gp.ip@ip-rs.si
Phone: +386 1 230 97 30

A full list of EU/EEA data protection authorities can be found on the European Data Protection Board website at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

You also have the right to seek a judicial remedy if you believe your rights under the GDPR have been infringed.


This Privacy Policy was last updated on March 15, 2026.