1. Information We Collect
- Account information (name, email, phone)
- Professional information (employment history, certifications)
- Content you create (endorsements, bio, profile data)
- Usage data (page views, feature usage via PostHog analytics)
- Technical data (IP address, browser type, device identifiers, operating system) collected automatically when you use the Service
- Payment information (processed by Stripe — we do not store card details)
2. How We Use Your Information
We process your personal data for the following purposes and on the following legal bases:
- To provide and improve the YachtieLink service — contract performance (Article 6(1)(b) GDPR)
- To display your public profile to other users and recruiters — contract performance (Article 6(1)(b) GDPR)
- To send transactional emails (endorsement requests, cert expiry alerts, billing) — contract performance (Article 6(1)(b) GDPR)
- To improve the service using anonymised analytics — legitimate interests (Article 6(1)(f) GDPR): understanding how users interact with the Service to improve it
3. Information Sharing
- Your public profile is visible to anyone with the link (contact info visibility is controlled by your settings).
- We do not sell your data.
- We share payment data with Stripe for billing purposes.
- We use PostHog for analytics (stored in their EU infrastructure).
- We use Sentry for error tracking (anonymised error data only). Sentry may process data outside the EU/EEA; where this occurs, transfers are governed by Standard Contractual Clauses.
- We may disclose your information where required by applicable law or in response to valid legal process (such as a court order or regulatory request).
4. Data Storage
- Data is stored in the EU (Supabase EU region).
- Files (photos, documents, CVs) are stored securely with access controls.
- Passwords are managed by Supabase Auth (bcrypt hashed; we never see them).
- Data in transit is encrypted using TLS.
5. Your Rights (GDPR)
If you are located in the EU/EEA or UK, you have the following rights regarding your personal data:
- Access: View your data in your profile at any time.
- Export: Download all your data as JSON from account settings.
- Deletion: Delete your account and all personal data from account settings.
- Correction: Edit your profile at any time.
- Portability: Export your data and take it elsewhere.
- Object: You have the right to object to processing based on our legitimate interests. We will cease processing unless we have compelling legitimate grounds that override your interests.
- Restrict: You may request that we restrict processing of your personal data in certain circumstances (e.g., while a correction is disputed).
- Complain: You have the right to lodge a complaint with your national data protection authority (e.g., the Data Protection Authority in your EU country of residence) if you believe we have not handled your data in accordance with applicable law.
We will respond to all rights requests within one month of receipt (extendable to three months for complex requests). To exercise any right not available directly in your account settings, contact us at hello@yachtie.link.
6. Cookies & Local Storage
- We use essential cookies only (authentication session management).
- No tracking cookies are set.
- PostHog analytics uses localStorage rather than cookies. Depending on your jurisdiction, use of localStorage for analytics purposes may require your consent under applicable ePrivacy rules. We will update this section as our consent management practices are finalised.
7. Data Retention
- Active accounts: data retained while account is active.
- Deleted accounts: personal data removed within 30 days of deletion request.
- Financial and billing records: retained for up to 7 years as required by applicable tax and accounting laws, even after account deletion. Such records are retained solely to comply with legal obligations and will not be used for any other purpose.
- Anonymised analytics data may be retained indefinitely.
8. Children
YachtieLink is for professional use by adults only. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, please contact us.
9. Automated Decision-Making
We do not make any decisions about you based solely on automated processing that produce legal or similarly significant effects.
10. Changes to This Policy
We will notify users of material changes to this policy via email before they take effect.