Privacy Policy
Effective: 6 May 2026
This Privacy Policy explains how Magnor Vessels ("we", "us") collects, uses, and protects personal data when you use our maritime compliance platform ("the Service"). It is written to comply with the EU General Data Protection Regulation (GDPR) and equivalent national laws. If you operate vessels on behalf of an organisation, that organisation is the data controller for the personal data you upload, and we act as the data processor.
1. What we collect
To deliver the Service we collect:
- Account data — name, email, role, and login credentials (handled by our authentication provider, Clerk).
- Vessel and operational records — vessel particulars (name, type, gross tonnage, IMO/MMSI, flag state), ownership records, and the company structure linking users to vessels.
- Crew personal data — names, positions, contract dates, contact details, certifications and their expiry dates, rest-hours logs, and (where uploaded) copies of identity or training documents. This is the most sensitive category we process.
- Compliance and incident records — non-conformities, near-miss reports, accident investigations, drill records, security incidents, expense receipts, and audit-log entries that track who changed what and when.
- Documents — files you upload (certificates, contracts, accident photos, etc.) stored on our infrastructure.
- AI chat conversations — messages you send to the AI compliance assistant and the responses generated. We use these to provide the assistant feature; we do not use them to train third-party models without your consent.
- Technical data — IP address, device/browser, and basic telemetry needed to keep the Service running and to investigate security incidents.
2. Why we process it (legal bases)
- Contract — to provide the Service you contracted us for (compliance tracking, document storage, AI assistant).
- Legitimate interest — to keep the Service secure, prevent fraud, and improve product quality through aggregated analytics.
- Legal obligation — to retain records that maritime authorities and tax authorities may compel (e.g. accident investigations, audit trails).
- Consent — for any optional analytics or marketing communications, which you can withdraw at any time.
3. Who we share data with
We share personal data only with the third parties strictly needed to run the Service:
- Authentication: Clerk (clerk.com) — handles login, MFA, and session management.
- Infrastructure hosting: our managed cloud hosting and database providers under industry-standard data-processing agreements.
- AI assistant: Anthropic — your chat messages are sent to the Anthropic API to generate responses. Anthropic does not train models on your data when accessed via the standard API.
- Email delivery: a transactional email provider (e.g. Resend) used to send compliance alerts, password resets, and notifications you have opted into.
We do not sell or rent personal data, and we do not use it for behavioural advertising.
4. How long we keep it
Account and vessel data is retained while your subscription is active and for a reasonable period afterwards (default 12 months) so you can reinstate service or export records. Audit-log entries and accident records may be retained longer if maritime regulations require it. You can export or request deletion of your personal data at any time under sections 5 and 6 below.
5. Your rights (GDPR)
If you are a data subject under GDPR you have the right to:
- Access the personal data we hold about you (Article 15).
- Correct inaccurate data (Article 16).
- Erase personal data we no longer need (Article 17).
- Restrict or object to certain processing (Articles 18, 21).
- Receive your data in a portable format (Article 20).
- Lodge a complaint with your national data-protection authority (Article 77).
6. Exercising your rights
Logged-in users can export a JSON bundle of their personal data and request account deletion from Account → Privacy (the export and deletion endpoints fulfil GDPR Articles 15 + 17). For other requests, email privacy@magnorvessels.com. We respond within 30 days.
7. Security
Data in transit is encrypted with TLS. Passwords are hashed by our authentication provider — we never see plaintext passwords. Vessel access is gated by company memberships so a captain on company A cannot read company B's data even if they discover a vessel ID. We log every state change to a tamper-evident audit log so we can detect unauthorised access.
8. International transfers
Our infrastructure is currently hosted in the EU and US. When we transfer personal data outside the EEA we rely on Standard Contractual Clauses or equivalent safeguards. Specifics on request.
9. Changes to this policy
We will notify account owners by email and post a prominent notice in the Service when we make material changes. The effective date at the top of this page reflects the latest version.
10. Contact
Privacy questions: privacy@magnorvessels.com. General legal: legal@magnorvessels.com.