Privacy Policy

01 Who we are

VesselFront IKE is a private capital company (Ιδιωτική Κεφαλαιουχική Εταιρεία) established under the laws of the Hellenic Republic, with its registered office in Piraeus, Greece. We act as the data controller for personal data processed in connection with our website and Services, unless this Policy or a separate agreement says otherwise.

If you have any question about how we handle your personal data, the simplest way to reach us is by email at support@vesselfront.com.

02 Scope of this policy

This Policy applies to:

• Our marketing and product websites, including vesselfront.com, vesselfront.ai and any subdomain such as developers.vesselfront.com;
• Our beta programme, including waitlist sign-ups, evaluation accounts, and pilot deployments;
• Our SaaS platform and associated applications, including the weather-routing and voyage planning services, AIS-integrated services, vessel particulars databases, and related distribution channels (AI-services, iOS/Android/Windows/Mac apps, WhatsApp and others);
• Our communications with you, including email, in-product messaging, support channels, events, and demonstrations.

Where we provide our Services to a shipping company, vessel operator, or other business customer (each a "Customer"), the Customer is typically the data controller for personal data that its users, crew, or representatives input into or generate through the Services. In those cases, VesselFront acts as a data processor on the Customer's behalf, and a separate data processing agreement governs that processing. This Policy still describes our general practices and applies to data we process as a controller (for example, account administrators, billing contacts, and website visitors).

03 Personal data we collect

3.1 Information you give us

• Contact and identification data: name, business email address, telephone number, job title, employer or company name, country, and similar information you submit through forms, the beta waitlist, demo requests, support tickets, or events.
• Account data: credentials, role, permissions, language, time zone, profile preferences, and security information (such as multi-factor authentication settings) when you register for or are provisioned with an account.
• Commercial and contractual data: information exchanged during sales, onboarding, contracting, billing, and support, including signatories, vessel particulars, historical voyage data, commercial agreements, purchase orders, invoices, and tax identifiers.
• Communications: the content of messages you send us, including email, chat, support requests, survey responses, and recordings of demonstrations or meetings where you have been informed and, where required, have consented.

3.2 Information we collect automatically

• Device and connection data: IP address, approximate location derived from IP, browser type and version, operating system, device identifiers, time-zone, language, and referring URLs.
• Usage data: pages and features viewed, actions taken, session duration, click and navigation patterns, performance and error logs, and other diagnostic information generated by your interaction with our websites and Services.
• Cookies and similar technologies: see Section 5.

3.3 Information we receive from others

• Customers and colleagues: where you are invited to use the Services by your employer or a colleague, we receive your contact details and role from that party.
• Public and commercial sources: where relevant, we obtain or enrich business contact information from public sources (such as company registries, professional networks, and industry databases) and commercial data providers, to support our sales, marketing, and customer-management activities.
• Service providers: we receive information from analytics, security, fraud-prevention, payment, and identity-verification providers acting on our behalf.

We do not deliberately collect special categories of personal data (such as data on health, political opinions, or biometric data used to uniquely identify a person), and we ask that you do not submit such information through the Services unless we have specifically requested it and provided a separate legal basis.

04 How we use personal data and our legal bases

We process personal data only where we have a legal basis to do so under Article 6 GDPR. The principal purposes and corresponding legal bases are summarised below.

Where we rely on legitimate interests, we have considered whether those interests are overridden by your rights and freedoms. You can object to this processing under Section 11, and we will give your objection due consideration.

05 Cookies and similar technologies

We and our service providers use cookies, local storage, pixels, and similar technologies on our websites and in parts of our Services. We use these technologies to:

• Keep you signed in and remember your preferences (strictly necessary and functional);
• Measure and improve the performance of our websites and Services (analytics);
• Understand how prospective customers find us and engage with our content (marketing).

Cookies that are not strictly necessary are set only with your consent, which you can give, refuse, or withdraw at any time using the cookie banner or the preference centre on our website. Strictly necessary cookies do not require consent under the ePrivacy framework.

06 Maritime and operational data

Our Services process significant volumes of operational and maritime data, most of which is not personal data. This section describes how we treat that data and where personal data may be involved.

6.1 AIS and publicly broadcast vessel data

The Automatic Identification System (AIS) is a maritime safety system that broadcasts vessel identification, position, course, and similar information over public radio frequencies and satellite networks. AIS data relating to vessels and their movements is publicly available and is generally not personal data. We ingest AIS data from licensed providers and from our own integrations, and we use it to deliver routing, monitoring, and analytics features within the Services.

6.2 Vessel particulars and reference data

We maintain a database of vessel particulars (such as IMO numbers, vessel names, flags, classification, dimensions, and ownership structures) compiled from public and commercial sources, including IMO GISIS, classification societies, EU MRV/THETIS, and our licensed data providers. This information relates to vessels and corporate entities rather than to individuals.

6.3 Customer-provided operational data

Customers upload or transmit operational data through the Services, including noon reports, voyage data, weather observations, fuel and performance data, route plans, and outputs from onboard sensors (including visual sensors compliant with applicable export-control requirements such as the U.S. NDAA). Where this data contains personal data (for example, the name of a master or watch officer in a noon report, or images captured by an onboard camera), VesselFront acts as a processor on behalf of the Customer and processes that data in accordance with the Customer's instructions and the applicable data processing agreement.

6.4 Crew and seafarer data

We do not collect crew or seafarer data directly. To the extent the Services receive such data from a Customer, the Customer is responsible for providing appropriate notices to and obtaining any necessary consents from the data subjects concerned, and for ensuring the lawful basis of any onward transfer to VesselFront.

07 Artificial intelligence and machine learning

Our Services are built around artificial intelligence and machine-learning models, including weather-routing models and vessel-dynamics models. To develop, train, evaluate, and continuously improve these models, we process data generated through the Services.

Where we use data to train or improve our models, we do so on the following basis:

• Aggregated and de-identified data: wherever possible, we aggregate, anonymise, or de-identify data so that it no longer relates to an identified or identifiable natural person. We may use such data for any purpose, including model training, benchmarking, research, and the development of new products and features, and we may retain it indefinitely.
• Operational maritime data: data relating to vessel performance, routing, weather conditions, and similar operational signals is generally not personal data, and we may use it to train and improve our models, subject to applicable agreements with Customers and data providers.
• Personal data: we do not use the content of Customer communications, support tickets, or personal data submitted by individual users to train models that are made available to other Customers, unless we have a specific legal basis to do so or have obtained appropriate consent.

Automated decision-making. Our Services produce recommendations (for example, suggested routes) that are intended to support, not replace, human judgement by qualified mariners and shore-side decision-makers. We do not use the Services to make decisions producing legal or similarly significant effects on individuals on a solely automated basis within the meaning of Article 22 GDPR.

08 How we share personal data

We share personal data only as described in this Policy. The principal categories of recipients are:

• Service providers and sub-processors acting on our instructions, including cloud-hosting and infrastructure providers (such as Amazon Web Services), database providers, communications and email-delivery providers, analytics and product-telemetry providers, customer-support and CRM providers, identity and authentication providers, payment processors, and professional advisers (lawyers, accountants, auditors, certification bodies, and consultants). We require these providers to protect personal data and to use it only for the purposes for which we engage them.
• Customers and their representatives, where you are a user, contact, or counterpart of one of our Customers.
• Other VesselFront group entities and affiliates, including any future subsidiary or affiliated company, where this is necessary for the operation of our business and the provision of the Services.
• Public authorities and regulators, where we are legally required to do so, including tax authorities, data-protection authorities, courts, law-enforcement agencies, and maritime regulators.
• Parties to corporate transactions, including potential investors, acquirers, lenders, and their advisers, in the context of a fundraising, financing, merger, acquisition, restructuring, sale of assets, or similar transaction. We require these parties to keep personal data confidential and to use it only for the relevant transaction.
• Other parties with your consent or at your direction.

We do not sell personal data.

09 International data transfers

Our primary infrastructure is hosted in the European Union (Amazon Web Services, eu-central-1 region). Some of our service providers, sub-processors, or affiliates may be located outside the European Economic Area ("EEA"), including in countries that have not received an adequacy decision from the European Commission.

When we transfer personal data outside the EEA, we put in place appropriate safeguards as required by Articles 44 to 49 GDPR, including:

• The European Commission's Standard Contractual Clauses (and, where applicable, the UK International Data Transfer Addendum or Swiss equivalent);
• Adequacy decisions issued by the European Commission, where the destination country benefits from one;
• Supplementary technical and organisational measures, where required, following a transfer impact assessment.

You can request a copy of the safeguards we apply by contacting us at support@vesselfront.com.

10 How long we keep personal data

We keep personal data only for as long as is necessary for the purposes set out in this Policy, taking into account the nature of the data, the purpose of processing, our legal and contractual obligations, and applicable limitation periods. In general:

• Account and Service data is kept for the duration of the contract with the Customer and for a reasonable period thereafter (typically up to seven (7) years) to allow us to comply with Greek tax, accounting, and commercial-law retention requirements and to handle disputes.
• Beta waitlist and prospect data is kept until you ask us to delete it or until we conclude that you are no longer interested in the Services (typically up to three (3) years after the last meaningful interaction), whichever is sooner.
• Marketing data is kept until you unsubscribe or object, and for a reasonable period thereafter to honour your preference.
• Logs and security data are kept for the periods necessary to detect and investigate incidents and to meet our compliance obligations (typically up to two (2) years).
• Aggregated and de-identified data may be kept indefinitely.

Where we are required by law to retain personal data for longer, we will do so.

11 Your rights

Subject to applicable law, you have the following rights in relation to your personal data:

• Access: to obtain confirmation of whether we process personal data about you and a copy of that data;
• Rectification: to ask us to correct inaccurate or incomplete personal data;
• Erasure: to ask us to delete personal data in certain circumstances;
• Restriction: to ask us to restrict the processing of your personal data in certain circumstances;
• Portability: to receive personal data you have provided to us in a structured, commonly used, and machine-readable format, and to ask us to transmit it to another controller, where technically feasible;
• Objection: to object, on grounds relating to your particular situation, to processing based on our legitimate interests, including profiling, and to object at any time to processing for direct marketing;
• Withdrawal of consent: where we rely on your consent, to withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at support@vesselfront.com. We may ask you to verify your identity before responding. We will respond within the timeframes required by law (generally within one month, extendable by a further two months for complex requests).

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with a data-protection supervisory authority. In Greece, the competent authority is the Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα), Kifissias 1-3, 11523 Athens, Greece — www.dpa.gr.

12 Security

We apply appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, alteration, disclosure, or access. These include encryption in transit and at rest where appropriate, access controls and least-privilege principles, network segmentation, logging and monitoring, vulnerability management, secure development practices, and staff training. No system can be guaranteed to be completely secure, and you remain responsible for keeping your account credentials confidential.

13 Children

Our Services are intended for use by business users and are not directed to children. We do not knowingly collect personal data from children under the age of 16. If you believe that we have inadvertently collected such data, please contact us so that we can take appropriate action.

14 Changes to this policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. Where changes are material, we will notify you by email or through the Services in advance of the changes taking effect. The "Effective date" at the top of this Policy indicates when it was last updated. The most current version is always available at vesselfront.com/privacy.

15 Contact us

If you have any questions, concerns, or requests in relation to this Policy or your personal data, please contact: