This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have over it. It applies to the BoatRoute web platform at boatroute.com and the BoatRoute mobile application. We are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Romanian data protection law.
The data controller responsible for your personal data is:
Manolescu Sebastian
Operating as: BoatRoute
Country: Romania
Email: contact@boatroute.com
Website: boatroute.com
As a data controller, we determine the purposes and means of processing personal data collected through BoatRoute. We do not have a formally appointed Data Protection Officer (DPO), as we are not required to designate one under Article 37 GDPR at our current scale. All data protection enquiries should be directed to the contact address above.
This Policy distinguishes between two categories of people whose data we process:
When you register and use BoatRoute as an Operator, we collect the following personal and business data:
| Data | Why we collect it |
|---|---|
| Email address | Account registration, login authentication, email verification, password reset, and service communications |
| Password (hashed) | Securing your account. We never store your password in plain text — it is stored as a one-way cryptographic hash |
| Company name, phone number, website | Displayed to your End Users within the mobile application as your company contact information |
| Company logo | Displayed to your End Users within the mobile application |
| Map content (routes, danger zones, place markers) | Core service functionality — displayed to End Users in the mobile application |
| App access code | Used to authenticate End Users into the mobile application |
| Subscription status and plan | Managing your account access and billing |
| Registration and confirmation timestamps | Account management and security |
| IP address | Collected automatically by our server on login and key actions for security and fraud prevention. Stored in server logs |
| Notification settings (enable/disable, redirect URL, scheduled time) | Delivering push notifications to your End Users as configured by you |
We do not collect or store payment card details. All payment information is handled exclusively by PayPal — see Section 5.
End Users access BoatRoute through the mobile application using an access code provided by an Operator. The data collected from End Users is minimal:
| Data | Details |
|---|---|
| GPS location | Never sent to our servers. GPS positioning is processed entirely on the End User's device and is used solely to display their position on the map within the app. Location data is not transmitted to, or stored by, BoatRoute |
| Device identifiers & usage events | Collected by Google Firebase Analytics within the app to help us understand how the app is used (e.g. which screens are visited, feature usage). This data is anonymised and aggregated where possible |
| Crash reports | Collected by Firebase Crashlytics when the app encounters an error. May include device model, OS version, and the state of the app at the time of the crash. No personally identifiable information is intentionally included |
| Access code entered | Used to authenticate the End User and load the correct Operator's map. Stored temporarily during the session |
Important: BoatRoute does not require End Users to create an account, provide an email address, or submit any personally identifiable information to use the mobile application. The only identifying action is entering the Operator's access code.
We do not collect, and have no interest in collecting: biometric data, financial data beyond subscription status, sensitive personal data as defined under Article 9 GDPR, or any data relating to children.
Under GDPR, we must have a valid legal basis for every type of personal data processing we carry out. The following bases apply:
| Processing activity | Legal basis |
|---|---|
| Creating and managing your account, delivering the core Service | Contract (Article 6(1)(b)) — processing is necessary to perform our agreement with you |
| Sending transactional emails (account activation, password reset, billing) | Contract (Article 6(1)(b)) — necessary for account management |
| Sending product updates, new features, and occasional offers | Legitimate interest (Article 6(1)(f)) — keeping existing Operators informed about the Service they have chosen to use. You may opt out at any time by contacting us |
| Server logs and IP address collection | Legitimate interest (Article 6(1)(f)) — security, fraud prevention, and service integrity |
| Firebase Analytics and Crashlytics (mobile app) | Legitimate interest (Article 6(1)(f)) — improving the stability and performance of the mobile application |
| Retaining records for legal or tax compliance | Legal obligation (Article 6(1)(c)) — Romanian and EU law may require us to retain certain records |
Where we rely on legitimate interest, we have balanced our interests against your rights and freedoms and concluded that our interests do not override yours. You have the right to object to processing based on legitimate interest — see Section 9.
We use the personal data we collect only for the following purposes:
We will never sell your personal data to third parties. We will never use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
We share your data with the following third-party data processors only to the extent necessary to provide the Service. Each processor is bound by data processing agreements or equivalent safeguards:
We do not share your personal data with any other third party beyond those listed above.
Some of our third-party processors (Google/Firebase, PayPal) are based in the United States, which means your data may be transferred outside the European Economic Area (EEA).
Where such transfers occur, we rely on appropriate safeguards to ensure your data remains protected to the standard required by GDPR. These safeguards include:
Your core account data and Map Content are stored on BoostedHost servers located within the EU and are not subject to international transfer.
You may request a copy of the relevant transfer safeguards by contacting us at contact@boatroute.com.
We retain your personal data only for as long as necessary for the purposes described in this Policy, or as required by law. The following retention periods apply:
| Data | Retention period |
|---|---|
| Account data (email, password hash, subscription status) | For the duration of your account, plus 30 days following account deletion to allow for recovery requests, then permanently deleted |
| Company information and Map Content | For the duration of your account. Upon cancellation or termination, retained for 30 days then permanently and irreversibly deleted |
| Unconfirmed accounts (email not verified) | Periodically purged. Unconfirmed accounts are deleted along with all associated data on a regular basis |
| Server logs (IP addresses, access timestamps) | Up to 90 days, then deleted or anonymised |
| Firebase Analytics and Crashlytics data | Governed by Google's retention settings — typically up to 14 months for analytics data. See Google's privacy policy for details |
| Email communications sent to you | May be retained in our email system for up to 12 months for record-keeping, then deleted |
When data is deleted, it is removed from our live database. Residual copies may exist in encrypted server backups for a short additional period, after which they are also purged as part of the normal backup rotation cycle.
BoatRoute uses only one cookie. We do not use advertising cookies, tracking cookies, analytics cookies, or any third-party cookies on boatroute.com.
The single cookie we use is a session cookie, which is strictly necessary for the functioning of the website. It is used to keep you logged into your account during a browsing session. This cookie:
Because we use only strictly necessary cookies, we are not required under the ePrivacy Directive to obtain your consent before setting this cookie. No cookie consent banner is required.
The mobile application does not use cookies. Firebase may use device-level identifiers which serve an analogous purpose — see Section 5.
If you are an Operator based in the European Economic Area, you have the following rights regarding your personal data. To exercise any of these rights, contact us at contact@boatroute.com. We will respond within 30 days.
You can request a copy of all personal data we hold about you and information about how we process it.
You can ask us to correct any inaccurate or incomplete personal data we hold about you. Most data can be updated directly in your account settings.
You can request deletion of your personal data. We will action this within 30 days. Some data may be retained where we have a legal obligation to do so.
You can ask us to restrict processing of your data in certain circumstances, for example while you contest the accuracy of data we hold.
You can request your personal data in a structured, commonly used, machine-readable format so you can transfer it to another service.
You can object to processing based on legitimate interest — including product update emails. To opt out of marketing emails, contact us and we will stop immediately.
End Users who wish to exercise their GDPR rights regarding data collected through the mobile application may contact us directly at contact@boatroute.com, or through the Operator (rental company) whose access code they used. We will work with both parties to fulfil any valid request. Because End Users do not register an account with us, the data we hold relating to them is minimal — primarily anonymised usage and crash data via Firebase, governed by Google's own data practices.
BoatRoute is intended for use by businesses and adults aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18.
If you believe that a child under 18 has provided us with personal data, please contact us immediately at contact@boatroute.com and we will take steps to delete that information as quickly as possible.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These measures include:
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.
Data breach notification. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (ANSPDCP) within 72 hours of becoming aware of the breach, as required by Article 33 GDPR. If the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay.
We may update this Privacy Policy from time to time to reflect changes in the Service, applicable law, or our data practices. When we make material changes, we will notify you by email to the address associated with your account at least 14 days before the changes take effect.
The current version of this Policy is always available at boatroute.com/privacy_policy. The "Last updated" date at the top of this page indicates when the most recent changes were made. We encourage you to review this Policy periodically.
Your continued use of the Service after the effective date of any revised Policy constitutes your acceptance of the changes.
For any questions, requests, or concerns relating to this Privacy Policy or our handling of your personal data, please contact us:
We aim to respond to all data-related requests within 30 days of receipt. In complex cases we may extend this period by a further two months, in which case we will notify you of the extension and the reason for it within the initial 30-day period.
If you believe we have processed your personal data in breach of GDPR and we have not adequately resolved your concern, you have the right to lodge a complaint with the relevant supervisory authority. In Romania, this is:
If you are based in another EU member state, you also have the right to lodge a complaint with the supervisory authority in your country of residence or place of work.
