GDPR Compliance & Your Rights
Last Updated: November 14, 2024
SeaDays is committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws. This page explains your rights and how we comply with GDPR requirements.
🇪🇺 EU/EEA Users: If you're located in the European Union, European Economic Area, or Switzerland, you have additional privacy rights under GDPR. We're here to help you exercise those rights.
Your GDPR Rights
Under GDPR, you have the following rights regarding your personal data:
1. Right to Access
You can request a copy of all personal data we hold about you, including:
- Account information
- Cruise history and data
- Community posts and photos
- Usage analytics
- Communication history
2. Right to Rectification
You can update or correct inaccurate or incomplete personal data at any time through:
- In-app profile settings
- Editing your posts and content
- Contacting our support team
3. Right to Erasure
You can request deletion of your personal data ("right to be forgotten") when:
- Data is no longer necessary
- You withdraw consent
- You object to processing
- Data was unlawfully processed
4. Right to Restriction
You can request we restrict processing of your data while we:
- Verify data accuracy
- Assess objections to processing
- Retain data for legal claims
5. Right to Portability
You can receive your data in a structured, machine-readable format (JSON, CSV) and transfer it to another service.
6. Right to Object
You can object to:
- Processing for direct marketing
- Processing based on legitimate interests
- Automated decision-making
How to Exercise Your Rights
In-App Tools
Access most privacy controls directly in the app:
- Settings > Privacy > Download My Data - Export all your data
- Settings > Account > Delete Account - Permanent account deletion
- Settings > Privacy > Manage Consent - Update privacy preferences
- Settings > Data & Privacy - View and manage collected data
Contact Our Data Protection Team
For requests that require manual processing:
📧 Email: gdpr@seadays.app
Subject Line: "GDPR Request - [Your Request Type]"
Response Timeline
We will respond to your GDPR requests:
- Within 30 days of receiving your request
- Extended to 60 days for complex requests (we'll notify you)
- Free of charge for the first request per year
Legal Basis for Processing
We process your personal data based on:
1. Contract Performance
To provide SeaDays services as outlined in our Terms of Service
2. Consent
When you explicitly agree to:
- Marketing communications
- Non-essential cookies
- Location tracking
- Personalized recommendations
3. Legitimate Interests
For purposes such as:
- Fraud prevention and security
- App improvement and analytics
- Customer support
- Business development
4. Legal Obligations
When required by law for:
- Tax and accounting requirements
- Compliance with court orders
- Regulatory requirements
Data We Collect
Personal Data
- Email address, username, password (encrypted)
- Profile information (name, photo, bio)
- Cruise booking details you provide
- User-generated content (posts, photos, reviews)
Usage Data
- App usage statistics and feature interactions
- Device information (model, OS version, unique identifiers)
- IP address and approximate location
- Performance and error logs
Optional Data
- Precise location (only with permission)
- Camera and photo library access (for uploads)
- Social media profile data (for social login)
- Contact list (for friend finding, with permission)
How We Protect Your Data
Security Measures
- Encryption: All data encrypted in transit (TLS/SSL) and at rest (AES-256)
- Access Control: Role-based access with multi-factor authentication
- Regular Audits: Security assessments and penetration testing
- Data Minimization: We only collect necessary data
- Anonymization: Analytics data is anonymized when possible
Data Storage
- Provider: Supabase (GDPR-compliant cloud infrastructure)
- Location: EU-based servers for EU users
- Backups: Regular encrypted backups with 30-day retention
- Redundancy: Multiple geographic regions for reliability
International Data Transfers
If we transfer your data outside the EEA, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
- Adequacy Decisions: Transfers only to countries with adequate protection
- Privacy Shield Alternatives: Additional safeguards for US transfers
- Your Consent: Explicit consent when required
Data Retention
We retain your data for different periods:
- Active Account Data: While your account is active plus 30 days
- Deleted Account Data: Securely deleted within 90 days
- Backup Data: Removed from backups within 30 days of deletion
- Legal Requirements: Some data kept longer for compliance (tax, legal)
- Anonymized Data: Analytics may be retained indefinitely (non-identifiable)
Children's Privacy
SeaDays is not intended for children under 16 (or applicable age in your country). We:
- Do not knowingly collect data from children
- Require parental consent for users under 16
- Delete data if we learn it's from a child
- Comply with COPPA and other child protection laws
Automated Decision-Making
We use limited automated processing for:
- Fraud Detection: Automated systems flag suspicious activity
- Content Moderation: AI helps identify inappropriate content
- Recommendations: Algorithms suggest cruises and content
You have the right to:
- Request human review of automated decisions
- Contest the decision
- Opt out of profiling for marketing
Third-Party Processors
We work with GDPR-compliant processors:
- Supabase: Database and authentication
- Cloudflare: CDN and DDoS protection
- SendGrid: Transactional emails
- Google Analytics: Usage analytics (anonymized)
- Stripe: Payment processing (premium subscriptions)
All processors sign Data Processing Agreements (DPAs) with us.
Data Breach Notification
In the unlikely event of a data breach:
- We'll notify supervisory authorities within 72 hours
- Affected users will be notified without undue delay
- We'll describe the breach, potential consequences, and mitigation steps
- We'll provide support and guidance to affected users
Supervisory Authority
You have the right to lodge a complaint with your local data protection authority:
- EU Users: Find your authority at EDPB.europa.eu
- UK Users: Information Commissioner's Office (ICO) - ico.org.uk
- Other Countries: Contact your national privacy regulator
Updates to This Policy
We may update our GDPR practices. You'll be notified of material changes via:
- Email notification (at least 30 days before changes)
- In-app notification
- Notice on this page
Continued use after notification indicates acceptance.
Contact Information
Data Protection Officer (DPO):
📧 Email: dpo@seadays.app
📧 GDPR Requests: gdpr@seadays.app
📬 Address: SeaDays Inc., [Your EU Address Here]
Questions about GDPR? Our data protection team is here to help. Email us at gdpr@seadays.app or use the contact buttons above.