← APRON MaritimeLast updated 2026-05-20
Draft — pending legal review. This document accurately describes how the platform handles data today. The formal legal wording is being finalised with our solicitor and will be signed for clients in its final form.

Privacy Policy

This policy explains how APRON Maritime handles personal data on behalf of our customers (yacht fleets and management companies). It is written in plain English. Where a phrase has a specific legal meaning under UK GDPR or EU GDPR, the meaning is the one given in those regulations.

Who we are

APRON Maritime Ltd., a company registered in England and Wales ([Registered address — pending Companies House filing]). You can reach us about anything in this policy at privacy@apronmaritime.com.

Controller or processor

For most personal data held in the platform on behalf of a customer, our customer is the data controller (UK GDPR Article 4(7)) and APRON Maritime is the data processor (Article 4(8)). The Data Processing Agreement that sits alongside each customer contract documents that relationship in formal terms.

For a small set of data we hold about the people who run our business with us — for example billing contacts, support correspondence, and login data for the people using the platform itself — APRON Maritime is the controller. This policy covers that data too.

What we collect

On behalf of our customers we hold the data needed to run a professionally crewed yacht. Specifically:

  • Crew identity and contract data: name, date of birth, nationality, passport details (number and scan), visas, certifications, contract terms, rotation schedule, address, next-of-kin name and contact.
  • Vessel operating data: voyages, ports of call, deck and engine logbooks, drill records, port-clearance paperwork, fuel and provisions records.
  • Health-related data, where the customer chooses to record it: STCW medical certificates, vaccination records, fitness-to-work declarations, blood type, medications, allergies, dietary requirements, medical history and reimbursable medical claims with attached receipts.
  • Financial data, where the customer chooses to record it: crew payroll and per-diem, expense receipts, bank account name, IBAN and SWIFT for payment, petty cash and CTM card reconciliations, charter financials and supplier payment references.
  • Guest data, where the customer chooses to record it for charter operations: guest preferences and dietary requirements held for the duration of the charter (and retained only as long as a customer chooses).
  • Login data for the people who use the platform itself: email addresses, hashed passwords, session tokens, multi-factor secrets, and audit-log entries of administrative actions taken in the system.
  • Operational telemetry: error reports and basic request logs used to keep the platform working. These are designed not to carry personal data fields — they identify the request, the route, the timing and the status code.

The current platform does not collect live location-tracking data from crew devices, voice recordings, or biometric data.

Why we process it

The platform exists to do four things, and we process data for each:

  • Run the vessel day to day (rotations, voyages, documents, accounts, port operations, interior).
  • Help our customers meet maritime regulatory obligations (MLC 2006, ISM Code, STCW, flag-state requirements). Many of these obligations require keeping specific records for specific durations.
  • Allow each crew member to be represented in TouchBase Maritime, the companion seafarer app run by a separate company (see Data flow with TouchBase Maritime).
  • Operate, maintain and improve the platform itself — error monitoring, performance work and security.

Lawful basis

For each category above we rely on one or more of: performance of a contract (Article 6(1)(b)), compliance with a legal obligation (Article 6(1)(c)), or legitimate interests (Article 6(1)(f)) where the processing is needed to keep the platform secure and reliable. For health-related data we additionally rely on Article 9(2)(b), because the processing is necessary for the employer to meet employment-law obligations relating to crew fitness, fatigue and medical fitness.

Where your data lives

The primary database is a managed PostgreSQL instance hosted by Neon in the European Union (Frankfurt — eu-central-1). Uploaded files (passport scans, certificates, receipts, photos) are stored in Amazon Web Services S3, also in eu-central-1. The platform application runs on Vercel in the European region for our deployments. The yacht’s own onboard server (NAS) holds a local working copy of the data so the vessel can operate without internet connectivity, syncing back when connectivity is available.

We do not move personal data outside the European Economic Area for our own purposes. The exceptions are spelled out in the Subprocessors and International transfers sections below.

Encryption

Connections to the platform are protected with Transport Layer Security (TLS 1.2 or higher). The database and S3 storage are encrypted at rest by the underlying provider using AES-256. On top of that, the following sensitive columns are individually encrypted at the application layer using authenticated encryption (AES-256-GCM) with keys held outside the database content:

  • Crew phone, address, passport number, next-of-kin name and contact details, banking (account name, IBAN, SWIFT).
  • Crew health data: blood type, medications, allergies, dietary requirements, medical history, medical-claim descriptions and diagnoses.
  • Crew review notes (performance, strengths, areas for improvement).
  • Charter financials and payment reference fields.
  • Guest-profile fields used for charter operations.

That means an attacker with read access to the raw database alone cannot see these fields. Operational changes to data are recorded in an immutable audit log so administrative actions can be reviewed.

Subprocessors

We use a small number of third-party processors to actually run the service. Each is bound by a data-processing agreement that meets UK and EU GDPR Article 28 requirements:

  • Neon Inc. — managed PostgreSQL hosting (European region).
  • Amazon Web Services, Inc. — S3 file storage (eu-central-1) and supporting infrastructure.
  • Vercel Inc. — application hosting and CDN edge (European region for our deployments).
  • Stripe, Inc. / Stripe Payments Europe Ltd. — payment processing for customer subscriptions. Stripe is the controller for cardholder data; we never see your full card number.
  • Anthropic PBC — only relevant if the optional AI assistant is switched on for your account. The assistant is off by default; see the AI features section.
  • Google LLC (Gmail) — only relevant if the AI assistant is switched on; Gmail is the inbox the assistant reads. Off by default.
  • Firebase / Google LLC — push-notification delivery for the companion seafarer app (TouchBase Maritime), where a customer’s crew choose to receive operational notifications on their phones. Currently behind a feature flag.

We may engage additional or replacement subprocessors with at least 30 days’ prior written notice (by email to the customer’s administrator and by update to this page). A customer may object on reasonable grounds during that period; if the parties cannot resolve the objection, we will work with the customer in good faith to find an acceptable arrangement, which may include termination of the affected contract with pro-rata refund of pre-paid fees for the unused period. The current list of subprocessors lives at the bottom of this section.

Data flow with TouchBase Maritime

TouchBase Maritime Ltd. is a separate company (separate legal entity, separate contracts) that operates the TouchBase Maritime companion app used by seafarers. When a seafarer is connected to a vessel or fleet that uses APRON Maritime, specific crew data flows between the two platforms so that the seafarer’s record stays consistent across their TouchBase career profile and their employer’s APRON record. Typical data moved: crew identity and certifications, work-and-rest entries, training and document expiry dates, voyage assignments. TouchBase Maritime’s own handling of that data is governed by its own privacy policy at https://touchbasemaritime.com/privacy.

We share with TouchBase Maritime only the data needed for that connected-fleet scenario. We do not sell or otherwise commercialise crew data with TouchBase Maritime or any other party.

International transfers

The subprocessors above that are US-incorporated (Anthropic, Google, Stripe in some flows) only see data when the relevant feature is active for your account. Such transfers rely on the standard contractual clauses adopted by the European Commission, the UK addendum where relevant, and on each processor’s published data-protection practices. The other subprocessors operate within the EU for the regions we use.

Retention

We retain data only as long as we need it for the purpose it was collected, or as required by maritime regulation. As a rule of thumb:

  • Crew employment and certification records: duration of the contract plus five years (MLC and STCW minimum).
  • Voyage and logbook records: five years.
  • Financial records: six years (UK statutory).
  • Audit-log entries: for the lifetime of the account.
  • Active-account login data: for the lifetime of the account; deleted on closure.

A customer ending their contract can request export of all their data and deletion of the rest, subject to the regulatory minimums above. Individual crew members can request export and deletion of their personal record through TouchBase Maritime where they hold it directly.

Your rights

If we hold personal data about you, you have the rights set out in UK GDPR Articles 15–22: access, rectification, erasure, restriction, portability, and objection. Crew members exercise these rights through their employer (our customer) for vessel records, and directly with TouchBase Maritime for the career profile they hold with them.

If you believe we have not handled your data properly you have the right to complain to the UK Information Commissioner’s Office (ICO) or to the data protection authority in your country of residence. Please give us a chance to fix the issue first — write to privacy@apronmaritime.com.

Anonymised and aggregated data

We may collect, use, retain, and publish aggregated and anonymised data derived from the platform for any lawful purpose, including service improvement, fleet-wide benchmarking, statistical analysis, research, security analytics, and reporting on the maritime industry. We will only do this where the result cannot reasonably be used to re-identify a customer, a data subject, a vessel or a charter. Anonymised and aggregated outputs are not personal data and are not subject to the rights in the section above.

AI features

The platform contains an optional AI assistant that can read your operational inbox and triage messages. It is switched off for every account by default. We keep it off because most yachts do not want AI involved in their inbox, and because the cost of the underlying AI calls is not built into our standard pricing. If you want to switch it on for your account, ask us at support@apronmaritime.com and we will explain what it does, what it would cost, and switch it on explicitly.

When the AI assistant is on for your account, the relevant requests are sent to Anthropic’s API; Anthropic’s published terms state that data sent through the API is not used to train their models. The inbox source is read via Gmail with the access scope you have granted.

Cookies and SDKs

The marketing website at apronmaritime.com does not set tracking or advertising cookies. When we add web analytics in the future, this section and a consent banner will be added at the same time.

The platform application sets a small number of strictly necessary cookies — a session cookie for keeping you signed in and a cross-site request forgery token. These are required for the application to work and are not used for any other purpose.

What the platform is and is not

The platform provides the tools and recordkeeping our customers use to manage compliance. It does not perform compliance and we do not certify any audit, inspection, or regulatory outcome. The customer’s qualified personnel — master, DPA, HOD, captain — make every operational and regulatory decision. The platform records their entries, surfaces relevant data, and exports records when asked; it does not authorise vessel movements, sign off training adequacy, certify rest-hours compliance, or grant flag-state approvals. Customers remain responsible for the accuracy of the data they enter and for the regulatory outcomes of their fleet, regardless of the platform’s status. The Terms of Service give the full picture of these allocations.

Security incidents

We test for and monitor security incidents. If a personal data breach happens that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours and (where required) the affected individuals as soon as practicable. Customers will be notified of breaches affecting their data without undue delay so they can meet their own controller obligations. Security-relevant reports can be sent to security@apronmaritime.com.

Changes to this policy

We will update this policy when the platform changes in a way that affects how we handle data. The "last updated" date at the top of the page reflects the most recent material change. Significant changes that affect customers’ obligations will be communicated to active customers separately.

Contact

Privacy questions: privacy@apronmaritime.com.
Security questions: security@apronmaritime.com.
General platform questions: support@apronmaritime.com.

Version 2026-05-20.