Legal

Privacy Policy

Last updated: April 1, 2026

The data controller responsible for this platform under the General Data Protection Regulation (GDPR) and applicable data protection law is IT Solid Solutions, the company behind Decktrace. For data protection enquiries, contact hello@decktrace.io.

Decktrace is a platform that converts General Arrangement plans into structured vessel area catalogs with stable identifiers and an embeddable interactive viewer. This Privacy Policy describes what data we collect, how we use it, the legal basis for each processing activity, and the choices you have.

The short version: Your GA plan files and vessel catalog data belong to your organization. We do not sell personal data. We do not store your operational data — inspections, maintenance records, voyage logs, and compliance results live in your own systems. Decktrace provides the visual cataloging layer.

What We Mean by Legal Basis

Under GDPR, every processing activity must have a lawful basis. We rely on the following:

  • Contract (Art. 6(1)(b)) — processing is necessary to deliver the service you have subscribed to or taken steps to subscribe to
  • Legitimate interests (Art. 6(1)(f)) — processing serves a legitimate operational interest that is not overridden by your rights (for example, security logging and fraud prevention)
  • Legal obligation (Art. 6(1)(c)) — processing is required to comply with applicable law (for example, retaining billing records)
  • Consent (Art. 6(1)(a)) — where we rely on consent, you may withdraw it at any time with effect for the future

Who This Policy Applies To

This policy applies to anyone who accesses the Decktrace website (decktrace.io), creates an account, uses the web application, calls our API, or embeds the Decktrace viewer in their own platform. By using the platform you accept the practices described here.

Data We Collect

Account and organization data

When you register or join an organization we collect your name, work email address, organization name, and billing contact. Legal basis: contract (Art. 6(1)(b)) — necessary to create your account and issue invoices.

Uploaded files and catalog content

To use Decktrace you upload General Arrangement plans (PDF or image). We store these to process them into interactive catalogs. You also create vessel area definitions: names, stable identifiers, geometry, deck assignments, and classification tags. All catalog content belongs to your organization. Legal basis: contract (Art. 6(1)(b)) — necessary to provide the core service.

Server access logs

Our servers automatically log IP address, browser type, operating system, referrer URL, and request timestamps when you access the platform. These logs are retained for a maximum of 30 days, after which IP addresses are anonymized. Logs are never used for marketing or profiling. Legal basis: legitimate interests (Art. 6(1)(f)) — technically error-free operation and security of our systems.

Contact and support communications

If you contact us by email or through the contact form, we store your name, email address, IP address at time of submission, and the content of your message. This data is deleted when the conversation is concluded; metadata is deleted within 7 days of the conversation closing. Legal basis: legitimate interests (Art. 6(1)(f)) — responding to your request; or contract (Art. 6(1)(b)) where the purpose is entering into or performing an agreement.

What we do not collect

We do not collect or store your operational maritime data: inspection results, maintenance records, defect logs, voyage data, and compliance reports remain in your own systems unless you explicitly build an integration that sends them to us. We do not collect payment card details — all billing is handled by Stripe.

How We Use Your Data

  • Deliver and operate the Decktrace platform and API — contract
  • Process and render your GA plan files into interactive vessel catalogs — contract
  • Send transactional emails: account verification, invoices, plan change notifications — contract
  • Respond to support requests — legitimate interests
  • Maintain server logs for security and infrastructure diagnostics — legitimate interests
  • Improve the platform using aggregated, anonymized usage patterns — legitimate interests
  • Comply with legal obligations, including tax and invoicing requirements — legal obligation

We do not use your data to train AI models without your explicit consent. We do not send marketing emails without opt-in. We do not sell or rent personal data.

Data Sharing and Sub-processors

We share data only with the sub-processors necessary to operate the platform. All are bound by Data Processing Agreements (DPAs):

  • Cloud infrastructure (EU) — application hosting, database, and file storage
  • Amazon CloudFront (US) — content delivery network; processes IP, browser type, and request timestamp. Transfer basis: SCCs or EU-US Data Protection Framework
  • Stripe (US) — subscription payment processing (PCI DSS Level 1). Transfer basis: SCCs or EU-US Data Protection Framework
  • Transactional email provider — account and billing notifications
  • Plausible Analytics (EU) — cookieless, no personal data processed
  • LinkedIn Ireland Unlimited Company (IE/US) — retargeting and advertising analytics via the LinkedIn Insight Tag. LinkedIn sets cookies to measure campaign performance and enable retargeting of visitors on LinkedIn. Legal basis: legitimate interests (Art. 6(1)(f)) — B2B marketing to relevant professional audiences. Transfer basis: SCCs or EU-US Data Protection Framework. You may opt out at linkedin.com/psettings.
  • Crisp IM S.A.S. (FR) — live chat support widget. Crisp may store your chat session transcript (name, email if provided, messages) to enable us to respond to support inquiries. Data is stored on Crisp's EU-based infrastructure. Legal basis: legitimate interests (Art. 6(1)(f)) — providing timely customer support. You can request deletion of your chat history by contacting hello@decktrace.io.

We may disclose data if required by law, court order, or to protect the rights and safety of our users. We notify account holders of such disclosures where legally permitted.

You may request copies of the Standard Contractual Clauses we have in place with US sub-processors by contacting hello@decktrace.io.

International Transfers

Our primary infrastructure is hosted in the EU. Where data is transferred outside the EU — for example, to Stripe or Amazon CloudFront in the United States — we ensure equivalent protection by relying on Standard Contractual Clauses (SCCs) adopted by the European Commission, or the EU-US Data Protection Framework where the relevant provider participates.

Embeddable Viewer

When you embed the Decktrace viewer in your own application, the viewer does not set third-party cookies on your users' devices. Access control is handled via share tokens passed as URL parameters or HTTP headers. Your end users' interactions with the embedded viewer are not tracked by Decktrace.

Data Retention

  • Server access logs: 30 days, then IP anonymization
  • Contact form and email communications: deleted when the conversation concludes; metadata within 7 days of closing
  • Account and catalog data: retained while your subscription is active, plus a 30-day export window after cancellation, then permanently deleted
  • Encrypted backups: purged within 30 days of active data deletion
  • Billing records: retained for the period required by applicable tax and accounting law

Security

All data in transit is encrypted with TLS 1.2 or higher. Data at rest is encrypted using AES-256. Access is enforced at the database level so organizations cannot access each other's data. See our Security page for a full overview.

Your Rights

Under GDPR you have the following rights regarding your personal data:

  • Right of access (Art. 15) — request confirmation of what data we hold and a copy
  • Right to rectification (Art. 16) — request correction of inaccurate or incomplete data
  • Right to erasure (Art. 17) — request deletion in applicable circumstances
  • Right to restriction of processing (Art. 18) — request that we limit processing in certain circumstances
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interests

To exercise your rights, contact hello@decktrace.io. You can download your vessel catalog at any time from the platform. Account deletion can be requested by email.

If you consider that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority in your EU member state. A list of EU data protection authorities is available at edpb.europa.eu.

No Unsolicited Communications

We do not send unsolicited commercial messages (spam, cold emails, or robocalls). We only contact individuals who have explicitly opted in to receive communications or with whom we have an existing business relationship that permits contact. To report suspected abuse, contact hello@decktrace.io.

Changes to This Policy

We will post updates to this policy on this page with a revised date. For material changes we will notify account holders by email at least 14 days in advance. Continued use of the platform after changes take effect constitutes acceptance.

Contact

General privacy questions: hello@decktrace.io
Data protection and legal matters: hello@decktrace.io

← HomeTerms of ServiceCookie PolicySecurityContact