Privacy Policy

Effective date: 1 March 2026

This Privacy Policy explains how MCD ("we", "us", or "our"), based in Spain, collects, uses, and protects the personal data of users of NaviShare (navishare.io). As a company established in the European Union, we are subject to the General Data Protection Regulation (GDPR) and Spanish data protection law (LOPDGDD).

1. Data Controller

The data controller is MCD, Spain.
Contact: navishare@navishare.io

2. Data We Collect

Account data

When you register, we collect your first name, last name, and email address. You may optionally add a profile photo.

Boat and operational data

Data you enter about your boats, co-owners, bookings, expenses, maintenance logs, and uploaded documents (e.g. insurance certificates, registration papers). This data is provided entirely by you.

Usage and analytics data

We use PostHog (EU cloud) to collect anonymised analytics about how users interact with the platform. This includes page views, feature usage, and session recordings. PostHog data is stored within the European Union.

Technical data

Standard server logs including IP address, browser type, and timestamps, retained for security and debugging purposes.

3. How We Use Your Data

Purpose	Legal basis (GDPR)
Providing the NaviShare service	Performance of a contract (Art. 6(1)(b))
Sending transactional emails (booking confirmations, expense notifications, document expiry alerts)	Performance of a contract (Art. 6(1)(b))
Analytics and product improvement	Legitimate interests (Art. 6(1)(f))
Security, fraud prevention, and debugging	Legitimate interests (Art. 6(1)(f))
Compliance with legal obligations	Legal obligation (Art. 6(1)(c))

4. Third-Party Processors

We share your data only with trusted processors necessary to operate the service:

Processor	Purpose	Location
Supabase	Database, authentication, and file storage	EU (AWS eu-west-1)
PostHog	Product analytics and error tracking	EU (EU Cloud)
Resend	Transactional email delivery	USA (SCCs in place)

Resend is based in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to legitimise this transfer.

5. Data Retention

We retain your account and operational data for as long as your account is active. If you close your account, we will delete your personal data within 30 days, unless we are required by law to retain it longer. Anonymised analytics data may be retained indefinitely.

6. Your Rights Under GDPR

As a data subject in the EU, you have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — request correction of inaccurate data.
Erasure ("right to be forgotten") — request deletion of your data.
Restriction — request that we limit how we process your data.
Portability — receive your data in a structured, machine-readable format.
Objection — object to processing based on legitimate interests.
Withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email us at navishare@navishare.io. We will respond within 30 days.

You also have the right to lodge a complaint with the Spanish data protection authority, the Agencia Española de Protección de Datos (AEPD): www.aepd.es.

7. Cookies

NaviShare uses only strictly necessary cookies to maintain your session (authentication). We do not use advertising or tracking cookies. PostHog analytics uses a first-party cookie to identify sessions; you can opt out via your browser settings.

8. Children

NaviShare is not directed at children under 18. We do not knowingly collect personal data from minors.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you by email at least 14 days before material changes take effect. The current version is always available at navishare.io/privacy.

10. Contact

Privacy questions or requests: navishare@navishare.io