Privacy Policy
Last updated: June 9, 2026
Data Controller: Btm International Inc (“Nautic Garage”, “we”, “us”)
- Registered address: 17321 SW 149TH Ct, Miami, FL 33187, United States
- Data Protection Officer: privacy@nauticgarage.io
- Company ID: EIN: 36-5093778
- Trade register: Florida Corporation — Document No: P24000001864
1. Scope & applicable frameworks
This Privacy Policy applies globally to all users of Nautic Garage, regardless of their country of residence. We process personal data in compliance with the highest applicable standard among the following frameworks, depending on your location:
| Jurisdiction | Applicable regulation |
|---|---|
| European Union / European Economic Area | General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) |
| United Kingdom | UK GDPR + Data Protection Act 2018 |
| United States (California) | California Consumer Privacy Act (CCPA/CPRA) |
| United States (other states) | Applicable state privacy laws (e.g. VCDPA, CPA, CTDPA, OCPA) where thresholds are met |
| United Arab Emirates (incl. Dubai) | UAE Federal Decree-Law No. 45 of 2021 (PDPL), DIFC Data Protection Law (if applicable) |
| Rest of world | We apply GDPR-equivalent standards as our baseline |
By creating an account and using Nautic Garage, you acknowledge this Privacy Policy. If you do not agree, you must not create an account or use the Service.
2. Data we collect
2.1 Data you provide directly
| Category | Examples | Purpose |
|---|---|---|
| Identity | First name, last name | Account identification |
| Contact | Email address, phone number | Communication, account verification, password recovery |
| Authentication | Email, hashed password, OAuth tokens (Google) | Secure account access |
| Vessel data | Boat name, registration number, HIN/VIN, brand, model, year, length, beam, draft, flag state, location, passenger capacity | Core nautical management |
| Equipment | Brand, model, serial number, year, usage hours, photos | Equipment inventory & maintenance tracking |
| Engines | Brand, model, serial number, power (HP), fuel type, current hours, photos | Engine management & maintenance |
| Documents | Type, document number, issuing country, expiry date, uploaded files | Document management |
| Insurance | Policy number, insurer, coverage type, contact person, annual premium, policy files | Insurance management |
| Maintenance | Workshop/vendor, cost, parts replaced, completion date, attached files | Maintenance history |
| Financial | Expenses, amounts, currency | Vessel expense tracking |
| Preferences | Language, timezone, currency, notification preferences | Experience personalization |
2.2 Data collected automatically
| Category | Data | Purpose |
|---|---|---|
| Session | IP address, approximate location (derived from IP), device type, browser | Security, fraud prevention, access audit |
| Usage | Access timestamps, features used, in-app actions | Service improvement, aggregated analytics |
| Device | OS version, app version, device language | Compatibility, error debugging |
| Diagnostics | Crash reports, performance data, error logs (if you opt in via your device settings) | App stability & bug fixing |
Note on diagnostics: Nautic Garage does not bundle a third-party crash reporting SDK. Crash reports are received solely through Apple (App Store) and Google (Play Console) built-in diagnostics, subject to your device-level privacy settings. You control this via: iOS → Settings → Privacy & Security → Analytics & Improvements; Android → Settings → Google → Usage & Diagnostics.
2.3 Payment data
Nautic Garage does not store full credit/debit card numbers. Payments are processed by certified third-party providers (Stripe, Apple App Store, Google Play Store), all PCI-DSS Level 1 compliant. We retain only transaction references (payment IDs) and subscription status.
2.4 Data from third-party authentication
When you link your Google account via OAuth, Google provides: first name, last name, email, avatar URL, and a unique Google identifier. We do not access your contacts, calendar, or other Google account data.
3. Purposes & lawful bases for processing
We process your data only for specified, explicit, and legitimate purposes. The lawful basis varies by jurisdiction:
| Purpose | GDPR / UK GDPR basis | CCPA / US basis | UAE PDPL basis |
|---|---|---|---|
| Create and manage your account | Contract performance (Art. 6.1.b) | Reasonable business purpose | Contract performance |
| Provide nautical management service | Contract performance (Art. 6.1.b) | Reasonable business purpose | Contract performance |
| Manage subscriptions & billing | Contract performance (Art. 6.1.b) | Reasonable business purpose | Contract performance |
| Send transactional emails (verification, password reset, email change) | Contract performance (Art. 6.1.b) | Reasonable business purpose | Contract performance |
| Send push notification alerts (maintenance, expiries, engine hours) | Legitimate interest (Art. 6.1.f) | Reasonable business purpose | Legitimate interest |
| Send commercial communications about new features or plans | Explicit consent (Art. 6.1.a) | Right to opt out at any time | Explicit consent (Art. 8) |
| Product improvement & aggregated analytics | Legitimate interest (Art. 6.1.f) | Reasonable business purpose | Legitimate interest |
| Fraud prevention & abuse detection | Legitimate interest (Art. 6.1.f) | Reasonable business purpose | Legitimate interest |
| Compliance with legal obligations (tax, accounting, law enforcement requests) | Legal obligation (Art. 6.1.c) | Legal obligation | Legal obligation |
You may withdraw consent for commercial communications at any time from Settings → Preferences, or by emailing privacy@nauticgarage.io.
4. Data sharing & disclosure
4.1 Service providers (data processors)
We share only the minimum necessary data with the following processors. All are contractually bound to process data solely per our documented instructions:
| Provider | Function | Data shared | Location & safeguards |
|---|---|---|---|
| Supabase | PostgreSQL database & authentication | All application data | EU region (Ireland); SOC 2 Type II, ISO 27001 |
| Stripe | Payment processing (web) | Email, customer ID, subscription history | US; PCI-DSS Level 1, DPF certified |
| Apple (App Store) | Payment processing (iOS) | Transaction ID only | Global; PCI-DSS certified |
| Google (Play Store) | Payment processing (Android) | Transaction ID only | Global; PCI-DSS certified |
| OneSignal | Push notifications | Internal user ID (external_id), language preference | US; DPF certified |
| SMTP provider | Transactional email delivery | Email, first name, email content | EU region |
4.2 We do NOT sell your data
Nautic Garage does not sell, rent, trade, or share personal data with third parties for their own commercial purposes, including under the CCPA definition of “sale” or “sharing” for cross-context behavioral advertising. Nautic Garage operates a subscription-based business model — our revenue comes from our users, not from advertisers or data brokers.
4.3 International data transfers
Your data is stored on servers located in the European Union (via Supabase, Ireland region). When we use processors in other jurisdictions (e.g., US-based OneSignal), we ensure adequate safeguards through:
- EU-US Data Privacy Framework (DPF) certification.
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data Processing Agreements (DPAs) with all processors, including supplementary measures (encryption, access controls, audit rights).
For UAE users: data transferred outside the UAE is only sent to jurisdictions deemed to have an adequate level of protection, or where appropriate contractual and technical safeguards are in place per UAE PDPL.
5. Data retention
| Category | Retention period |
|---|---|
| Active account data | For as long as the account remains active |
| Deleted account data | 30-day grace period (recovery window), then permanently erased from live systems |
| Financial records (invoices, payment history) | Minimum period required by applicable tax law in your jurisdiction (typically 5–10 years) |
| Security & audit logs | 12 months |
| Backups | 30-day rotation (automatic) |
All vessel data, equipment records, documents, insurance details, and maintenance history are deleted alongside the account at the end of the retention period. Copies held in backups are removed when the 30-day backup rotation above expires.
6. Security
We implement appropriate technical and organizational measures:
- Encryption in transit: TLS 1.3 across all communications.
- Encryption at rest: AES-256 (managed by Supabase).
- Authentication: bcrypt-hashed passwords, signed JWT tokens, dual-token session model (access + refresh).
- Data isolation: Row-Level Security (RLS) at the database layer — every user can only access their own data, enforced at the query level.
- Access control: Production data is accessible only to authorized personnel with a legitimate need, under audit logging.
- Secure development: Dependency monitoring, manual code reviews, no unvetted third-party scripts.
- Incident response: In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours of becoming aware of it (GDPR Art. 33) and affected users without undue delay where the breach is likely to result in a high risk to them (GDPR Art. 34), or within the timeframe required by other applicable law.
7. App Store & Google Play compliance
Nautic Garage is distributed through the Apple App Store and Google Play Store. This Privacy Policy has been drafted to satisfy the disclosure requirements of both platforms, including:
7.1 App Privacy labels (Apple) & Data safety section (Google)
The data types declared in our App Store privacy labels and Google Play Data safety section correspond to the categories described in §2 of this policy. Specifically:
| Data category | App Store label | Google Play safety | Collected? | Purpose |
|---|---|---|---|---|
| Contact Info (name, email, phone) | Linked to identity | ✅ Collected | Yes | Account & communications |
| User Content (photos, files, documents) | Linked to identity | ✅ Collected | Yes | Core service functionality |
| Identifiers (User ID) | Linked to identity | ✅ Collected | Yes | Account management |
| Purchases (subscription status) | Linked to identity | ✅ Collected | Yes | Subscription management |
| Usage Data (feature analytics) | Linked to identity | ✅ Collected | Yes | Product improvement |
| Diagnostics (crash logs) | Not linked to identity | ✅ Collected (optional) | Opt-in only | App stability |
| Approximate Location (derived from IP) | Not linked to identity | ✅ Collected | Yes | Security & fraud prevention |
| Payment Info (full card numbers) | — | ❌ Not collected | No | N/A |
7.2 Account deletion (in-app)
Both Apple App Store and Google Play Store require apps that support account creation to also offer account deletion from within the app. Nautic Garage provides this via:
Settings → Security → Delete my account and data
This flow permanently erases all personal data after a 30-day grace period, satisfying both Apple’s App Store Review Guidelines (§5.1.1(v)) and Google’s User Data policy.
7.3 No tracking (App Tracking Transparency)
Nautic Garage does not track users across apps and websites owned by other companies for advertising or measurement purposes. We do not use advertising identifiers (IDFA, AAID) for any purpose. Accordingly, we do not display the App Tracking Transparency (ATT) prompt. Any data collection is limited to what is necessary for the core functionality of the Service.
7.4 No third-party advertising or data brokering
We do not display advertisements from third-party ad networks, nor do we sell, share, or trade user data with data brokers, advertisers, or analytics firms. Our revenue model is subscription-based. OneSignal is used exclusively for push notification delivery (transactional alerts and maintenance reminders), not for advertising or user profiling.
8. Your data rights by jurisdiction
We honor data subject rights regardless of your location. Below are the specific rights available under each framework:
8.1 GDPR (EU/EEA) & UK GDPR
| Right | Description |
|---|---|
| Access (Art. 15) | Know what data we hold and how we process it |
| Rectification (Art. 16) | Correct inaccurate or incomplete data |
| Erasure (Art. 17) | Request deletion of your data (“right to be forgotten”) |
| Restriction (Art. 18) | Temporarily limit processing of your data |
| Data portability (Art. 20) | Receive your data in structured format (JSON/CSV) and transfer it to another controller |
| Objection (Art. 21) | Object to processing based on legitimate interest, including profiling |
| Automated decision-making (Art. 22) | Not to be subject to solely automated decisions with legal or significant effects |
8.2 CCPA/CPRA (California)
| Right | Description |
|---|---|
| Right to know | Request disclosure of categories and specific pieces of personal data collected |
| Right to delete | Request deletion of personal data |
| Right to correct | Correct inaccurate personal data |
| Right to opt out | Opt out of the “sale” or “sharing” of personal data (Nautic Garage does not sell or share data — see §4.2) |
| Right to limit use of sensitive data | Limit use of sensitive personal information (Nautic Garage does not collect sensitive data as defined by CCPA) |
| Non-discrimination | Exercise your rights without discrimination |
California residents may designate an authorized agent to submit requests on their behalf.
8.3 UAE PDPL
| Right | Description |
|---|---|
| Right to access | Obtain a copy of your personal data and processing details |
| Right to rectification | Correct inaccurate or incomplete data |
| Right to erasure | Request deletion where processing is no longer necessary or consent is withdrawn |
| Right to restriction | Restrict processing in certain circumstances |
| Right to data portability | Receive your data in a structured, machine-readable format |
| Right to object | Object to processing based on legitimate interest or for direct marketing |
8.4 How to exercise your rights
To exercise any of the above rights, email privacy@nauticgarage.io from the email address associated with your account. We will:
- Verify your identity (via email confirmation or, if necessary, additional verification to prevent unauthorized access).
- Respond within the legally required timeframe:
- GDPR / UK GDPR: one month from receipt (Art. 12(3)), extendable by up to two further months where requests are complex or numerous; we will inform you of any extension, with reasons, within the first month.
- UAE PDPL: 30 calendar days, extendable for complex requests with prior notice.
- CCPA: 45 calendar days (extendable to 90 with prior notice).
You may also delete your account and all associated data directly from the app: Settings → Security → Delete my account and data.
8.5 Right to lodge a complaint
If you believe we have not adequately addressed your rights, you may file a complaint with the competent supervisory authority in your jurisdiction:
- EU: Your local Data Protection Authority (list: https://edpb.europa.eu/about-edpb/about-edpb/members_en)
- UK: Information Commissioner’s Office (ICO) — https://ico.org.uk
- California: California Privacy Protection Agency (CPPA) — https://cppa.ca.gov
- UAE: UAE Data Office — https://u.ae/en/about-the-uae/digital-uae/data/data-protection-in-the-uae
9. Children’s data
Nautic Garage is not directed at individuals under the age of digital consent applicable in their jurisdiction:
- EU/EEA: 16 years (member states may set a lower age, no lower than 13)
- UK: 13 years
- United States: 13 years (under COPPA)
- UAE: 18 years (or 21 under certain interpretations of PDPL)
We do not knowingly collect data from individuals below the applicable age threshold. If a parent or guardian becomes aware that their child has created an account without consent, contact privacy@nauticgarage.io for immediate deletion.
10. Push notifications
Nautic Garage sends push notifications for maintenance alerts, document/insurance expiries, engine hour thresholds, and custom reminders. You may disable push notifications at any time:
- In-app: Settings → Notifications.
- iOS: Device Settings → Notifications → Nautic Garage.
- Android: Device Settings → Apps → Nautic Garage → Notifications.
11. Email communications
We send the following types of email:
- Transactional (mandatory): Email verification, password reset, email change confirmation, subscription receipts, invoices. You cannot opt out of these while your account is active.
- Alert notifications: Maintenance reminders, document/insurance expiry warnings. Configurable in-app (Settings → Preferences).
- Commercial communications: New features, plan upgrades, offers. Sent only with your explicit opt-in consent, revocable at any time from Settings → Preferences.
12. Changes to this Privacy Policy
We will notify you of material changes via:
- Email to your registered address, at least 15 days before the change takes effect.
- An in-app notice displayed on next login.
Minor changes (typographical fixes, clarifications) will be published without prior notice. The “Last updated” date at the top reflects the current version.
13. Contact
Data Protection Officer / Privacy team:
- Email: privacy@nauticgarage.io
- Postal address: 17321 SW 149TH Ct, Miami, FL 33187, United States
For any questions about this policy or how we handle your data, please contact us. We aim to acknowledge all privacy inquiries within 5 business days.
14. Governing law & jurisdiction
This Privacy Policy is governed by the data protection laws applicable to your place of habitual residence. Specifically:
- For users in the EU/EEA: GDPR as implemented in your member state of residence.
- For users in the United Kingdom: UK GDPR and the Data Protection Act 2018.
- For users in the United States: applicable federal and state privacy laws of your state of residence.
- For users in the UAE: Federal Decree-Law No. 45 of 2021 (PDPL).
Any dispute relating to the processing of your personal data shall be brought before the courts of your place of habitual residence, or — at your election — before the competent data protection supervisory authority in your jurisdiction.
Annex A — Key definitions across jurisdictions
| Term | GDPR definition | CCPA/CPRA equivalent | UAE PDPL equivalent |
|---|---|---|---|
| Personal data / personal information | Any information relating to an identified or identifiable natural person | Information that identifies, relates to, describes, or could reasonably be linked to a consumer or household | Any data relating to an identified or identifiable natural person |
| Processing | Any operation performed on personal data | Collecting, using, storing, disclosing, etc. | Any operation on personal data (collection, storage, use, disclosure, etc.) |
| Data controller / business | Entity determining purposes and means of processing (Btm International Inc) | Entity that determines purposes and means of processing personal information | Entity that determines the method, criteria, and purpose of processing |
| Data processor / service provider | Entity processing data on behalf of the controller (Supabase, Stripe, OneSignal) | Entity processing personal information on behalf of a business | Entity processing personal data on behalf of the controller |
| Consent | Freely given, specific, informed, and unambiguous indication of the data subject’s wishes | N/A under CCPA (opt-out model); consent required for sensitive data | Clear, specific, and unambiguous expression of will |
| Sensitive data | Racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic/biometric data, health, sex life/orientation | Government ID, financial account details (full), precise geolocation, race, religion, union membership, health, biometric data, contents of communications | Ethnic origin, political opinions, religious beliefs, health data, biometric data, criminal records |
Nautic Garage is a product of Btm International Inc.