Privacy Policy
Last updated: 13 May 2026
HarborIQ ("we", "us") is built privacy-first and designed to comply with the EU General Data Protection Regulation (GDPR). This policy explains what personal data we process, on what legal basis, where it is stored, and which sub-processors we rely on.
1. Data controller
The data controller for HarborIQ is the operator of this deployment. For questions or to exercise your rights, contact the address listed on the project's contact page.
2. What we process
- Account data: email address, display name, authentication identifiers, and (for social sign-in) the subject identifier returned by Google or Apple.
- Boat & maintenance data: vessels, maintenance items and logs, spareparts inventory you create.
- Network data: harbors you save and opt-in connections to other sailors.
- Audit & security logs: timestamps, user IDs and event types for security-relevant actions (zero-trust principle).
- Technical data: minimal request metadata (IP, user agent) processed transiently for security and abuse prevention.
We do not collect special-category data, do not run advertising trackers, and do not sell data.
3. Legal basis (Art. 6 GDPR)
- Performance of contract — providing the HarborIQ service to you.
- Legitimate interest — security logging, abuse prevention, service integrity.
- Consent — opt-in sharing with other users in the network feature; revocable at any time.
- Legal obligation — retention of records where required by law.
4. Where your data is stored (EU hosting)
All application data (database, authentication, file storage, audit logs) is hosted in the European Union, in AWS eu-west-1 (Ireland), operated through Supabase as managed backend infrastructure. Data at rest is encrypted (AES-256) and all traffic is TLS-encrypted in transit.
5. Sub-processors
We rely on the following sub-processors. Each is bound by a Data Processing Agreement (DPA) and appropriate transfer safeguards (SCCs / EU-US Data Privacy Framework where applicable).
| Sub-processor | Purpose | Location | Documents |
|---|---|---|---|
| Supabase | Managed Postgres database, authentication, file storage | EU — Ireland | DPA · Privacy Policy · Sub-processors |
| Amazon Web Services | Underlying cloud infrastructure (eu-west-1, Ireland) | EU — Ireland | DPA · Privacy Notice · GDPR Center |
| Lovable | Application hosting & global CDN for static assets | EU + global edge | DPA · Privacy Policy |
| Google LLC | OAuth identity (only if you Sign in with Google) | USA — SCCs / DPF | Processor Terms · Privacy Policy · DPF Certification |
| Apple Inc. | OAuth identity (only if you Sign in with Apple) | USA — SCCs / DPF | Developer Agreement · Privacy Policy · Sign in with Apple |
A consolidated, printable version of all sub-processor documents is available at /legal/sub-processors.
When you sign in with Google or Apple, your browser communicates directly with that provider; we receive only the authentication token and the minimum profile fields (subject identifier, email, optional display name) needed to create your account.
6. International transfers
Application data does not leave the EU. Authentication via Google or Apple involves transfer to the United States; those providers self-certify under the EU-US Data Privacy Framework and we rely on Standard Contractual Clauses as an additional safeguard.
7. Retention
- Account & user-generated data: retained until you delete your account.
- Audit / security logs: retained up to 12 months, then deleted.
- Backups: rolling encrypted backups, automatically purged within 30 days.
8. Your rights (Art. 15–22 GDPR)
You have the right to access, rectify, export (portability), restrict, object to, and erase your personal data. You can:
- Export all your data as JSON from Account settings.
- Delete your account and all associated data from Account settings.
- Revoke network sharing consents at any time.
- Lodge a complaint with your national data-protection authority.
9. Security
HarborIQ is designed with zero-trust principles: row-level security (RLS) is enforced on every database table, secrets are stored in a managed vault, all traffic is TLS, and access to backend infrastructure requires strong authentication. We continuously monitor for vulnerabilities and apply security updates promptly.
10. Breach notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and inform affected users without undue delay, in line with Art. 33–34 GDPR.
11. Changes to this policy
Material changes will be communicated in-app and via email where appropriate.
This policy is provided as a working draft tailored to HarborIQ's actual architecture. Have it reviewed by qualified legal counsel before public launch and add your controller contact details, supervisory authority, and any jurisdiction-specific clauses.