Privacy Policy

How FRANCISCO GARRIDO PAULO - UNIPESSOAL LDA (“MYACHT”) collects, uses, shares, and protects personal information in connection with the MYACHT yacht operations and maintenance platform.

Last updated: 9 May 2026 · Effective date: 9 May 2026

We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR), the Portuguese Lei n.º 58/2019 (Lei de Proteção de Dados Pessoais), and other applicable data protection laws.

1. Data controller

The data controller for personal information processed through MYACHT is:

FRANCISCO GARRIDO PAULO - UNIPESSOAL LDA
NIPC: 519391845
Avenida da República, nº 13, Apt. CB
2775-273 Parede, Portugal
Email: privacy@myachtsystems.com

For all privacy-related requests, contact privacy@myachtsystems.com.

2. Information we collect

2.1 Account information

• Name
• Email address
• Role (e.g., captain, engineer, deckhand, technical manager)
• Authentication credentials (passwords are stored hashed and salted; we do not have access to plaintext passwords)
• Vessel and management company association

2.2 Vessel and maintenance data

Operational data uploaded or generated through your use of the Service, including:

• Vessel identification and configuration data
• Equipment registers and technical specifications
• Planned maintenance schedules and completion records
• Defect reports and resolution records
• Inventory and spare parts records
• Technical documentation, manuals, and reference materials
• Photographs and file attachments (e.g., maintenance evidence, equipment photos)

2.3 Crew personal information

Where authorized by your employer, vessel operator, or yacht management company, the Service may store:

• Crew member contact details (name, email, phone)
• Professional qualifications and certifications (e.g., STCW certificates, endorsements, flag-state documentation)
• Certificate validity dates and renewal reminders
• Where required for vessel operational compliance, references to medical fitness certificates (e.g., certificate number and validity dates; we do not store full medical records)

Where this information includes special categories of personal data under GDPR Article 9 (such as data revealing health status), we process it only under a specific lawful basis (see Section 4) and apply additional safeguards including access controls and minimum-necessary retention.

2.4 Technical information

• Device information (model, operating system version)
• App version and feature usage logs (when transmitted)
• Crash reports and error diagnostics
• IP address (recorded by our backend infrastructure for security and reliability; not used to track end-user location)

2.5 Subscription and billing information

For B2B subscribers via myachtsystems.com:

• Company name, billing address, NIF/VAT number
• Authorized representative contact details
• Payment information (processed by our payment processor; we do not store full card numbers)

3. How we use personal information

We use personal information for the following purposes:

• Service operation — providing, maintaining, and improving the MYACHT Service, including offline-first data storage, synchronization, and backup
• Account management — creating and authenticating user accounts, managing permissions, and providing access to your vessel's data
• Compliance and safety — supporting vessel operational compliance, certification tracking, and safety-critical maintenance management
• Communication — sending service-related notifications, security alerts, and responding to your inquiries
• Billing — processing B2B subscription payments and issuing invoices in compliance with Portuguese tax law
• Diagnostics — identifying and fixing bugs, monitoring service reliability, and improving performance
• Legal compliance — complying with applicable laws, responding to legal requests, and enforcing our Terms of Service

4. Lawful basis for processing (GDPR)

We process personal data under the following lawful bases:

• Contract performance (Article 6(1)(b)) — processing necessary to provide the MYACHT Service to you under a subscription agreement
• Legal obligation (Article 6(1)(c)) — compliance with maritime regulations, tax law, and other legal requirements
• Legitimate interests (Article 6(1)(f)) — improving our Service, securing our infrastructure, and preventing fraud, balanced against your privacy rights and freedoms
• Consent (Article 6(1)(a)) — for optional features such as marketing communications, where applicable

For special category data (e.g., medical fitness certificate references), we rely on:

• Article 9(2)(b) — processing necessary for carrying out obligations and exercising specific rights in the field of employment law and maritime safety
• Article 9(2)(g) — processing necessary for reasons of substantial public interest related to maritime safety, on the basis of EU and Portuguese law

5. Sharing of personal information

We share personal information only with the following categories of recipients, and only as necessary:

5.1 Service providers (sub-processors)

We rely on the following sub-processors to operate the Service. A current list of sub-processors is available on request to privacy@myachtsystems.com.

• Apple Inc. (United States) — App Store distribution, TestFlight beta testing
• Google LLC / Google Ireland Limited (Ireland / United States) — Google Play Store distribution
• Sentry (United States; EU region used where available) — application crash reporting and error monitoring
• Fly.io (EU region used; parent company in United States) — backend hosting and infrastructure

5.2 Within the vessel organization

Personal data within your vessel's MYACHT account is shared among authorized users (other crew members, technical managers, owners' representatives) according to permissions configured by the vessel's account administrator.

5.3 Legal and safety

We may disclose personal information if required by law, court order, or to protect the vital interests of any person (e.g., maritime safety emergencies).

5.4 Business transfers

If we are involved in a merger, acquisition, or asset sale, your personal information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

We do not sell personal information to third parties. We do not use personal information for cross-context behavioral advertising.

6. International data transfers

Some of our sub-processors are located outside the European Economic Area (EEA), primarily in the United States. Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable (e.g., the EU-US Data Privacy Framework)
• Sub-processor commitments under their own GDPR/DPA terms

7. Data retention

We retain personal information for as long as necessary to provide the Service and comply with legal obligations:

• Account data — retained while your account is active and for up to 24 months after account closure (for legal/audit purposes)
• Vessel and maintenance records — retained for the duration of your subscription and for the period required by maritime regulations (typically up to 5 years for safety-related records)
• Crew certifications — retained while the crew member is associated with a vessel using MYACHT, plus a reasonable archival period to demonstrate historical compliance
• Crash reports and diagnostics — retained for up to 90 days
• Billing records — retained for the period required by Portuguese tax law (typically 10 years)

After the retention period, personal data is securely deleted or anonymized.

8. Offline-first data storage

MYACHT is designed as an offline-first application. Data created on a vessel is stored locally on the device and on the on-vessel server, and synchronized with our cloud backend when an internet connection is available. This means:

• Personal data may be stored on multiple devices (phone, tablet, on-vessel server, cloud)
• Synchronization occurs in the background when connectivity is available
• You retain control over which devices have access to vessel data via our user permissions system
• Local data is subject to the same security measures as cloud data, but local device security (e.g., device passcode, encryption) is the responsibility of the user

9. Your rights under GDPR

If you are in the EEA, you have the following rights regarding your personal data:

• Right of access (Article 15) — obtain a copy of the personal data we hold about you
• Right to rectification (Article 16) — correct inaccurate or incomplete data
• Right to erasure (Article 17) — request deletion of your data (“right to be forgotten”)
• Right to restriction of processing (Article 18) — limit how we use your data
• Right to data portability (Article 20) — receive your data in a structured, machine-readable format
• Right to object (Article 21) — object to processing based on legitimate interests
• Right not to be subject to automated decision-making (Article 22) — including profiling
• Right to withdraw consent (Article 7) — where processing is based on consent

To exercise any of these rights, contact us at privacy@myachtsystems.com. We will respond within 30 days as required by GDPR.

If your data is held within a vessel account managed by your employer or yacht management company, certain requests may need to be coordinated with the vessel's account administrator.

You also have the right to lodge a complaint with the Comissão Nacional de Proteção de Dados (CNPD), the Portuguese supervisory authority:

• Website: www.cnpd.pt
• Address: Av. D. Carlos I, 134, 1.º, 1200-651 Lisboa, Portugal

10. Security

We implement technical and organizational measures to protect personal data, including:

• Encryption in transit (TLS 1.2+) and at rest
• Hashed and salted password storage
• Role-based access control within vessel accounts
• Regular security audits and dependency updates
• Sub-processor due diligence

No system is 100% secure. If we become aware of a personal data breach affecting your data, we will notify you and the CNPD as required by GDPR Articles 33 and 34.

11. Children's privacy

MYACHT is intended for professional maritime users (crew, captains, technical managers, yacht management companies) and is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, contact us at privacy@myachtsystems.com and we will delete it.

12. Cookies and similar technologies

Our website (myachtsystems.com) may use cookies and similar tracking technologies for essential functionality (e.g., session management) and, with your consent, for analytics. Detailed information is provided in our Cookie Notice when you visit the site.

The MYACHT mobile application does not use third-party advertising cookies.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify users via email and/or an in-app notice and update the “Last updated” date above. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

14. Contact

For questions or requests regarding this Privacy Policy or our processing of your personal data:

FRANCISCO GARRIDO PAULO - UNIPESSOAL LDA
Email: privacy@myachtsystems.com
Postal: Avenida da República, nº 13, Apt. CB, 2775-273 Parede, Portugal
NIPC: 519391845

Read the Terms of Service →