Privacy Policy

Chartrr, Inc. (“Chartrr,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you access or use our mobile application, website located at chartrr.com, and any related services, features, or content (collectively, the “Service”).

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this Privacy Policy. If you do not agree, please do not use the Service.

2.1 Information You Provide Directly

• Account Information: Name, email address, phone number, password, and user type (angler or captain) when you register for an account.
• Profile Information: Profile photo, biography, location preferences, and other optional details you choose to provide.
• Payment Information: Payment card details, billing address, and transaction history. Payment card data is collected and processed directly by our payment processor, Stripe, Inc., and is not stored on our servers.
• Booking Information: Charter selections, trip dates, party size, special requests, and cancellation details.
• Communications: Messages sent between anglers and captains through our in-app messaging system, customer support inquiries, and feedback.
• Reviews and Content: Ratings, reviews, photos, and other content you post on the Service.
• Captain Verification Documents: For captains, we collect USCG captain's license information, state fishing/charter license details, insurance certificates (provider, policy number, coverage amounts, expiration dates), and photographs of vessels.

2.2 Information Collected Automatically

When you use the Service, we automatically collect certain information, including:

• Device Information: Device type, manufacturer, operating system and version, unique device identifiers, app version, and mobile network information.
• Location Data: With your permission, we collect precise geolocation data from your mobile device to show nearby charters, enable trip check-in verification, and provide location-based search results. We also collect coarse location data (such as city or region) derived from your IP address. You may disable location services in your device settings, though this may limit certain features.
• Usage Data: Pages viewed, features used, actions taken, search queries, referring URLs, time spent on pages, crash reports, and performance data.
• Log Data: IP address, browser type, access times, and system activity logs.

2.3 Information from Third Parties

• Authentication Providers: If you sign in using a third-party service (e.g., Apple Sign-In, Google), we receive your name, email address, and profile photo as permitted by that provider.
• Public Databases: We may verify captain credentials against USCG license databases, state licensing databases, and marina directories.
• Payment Processor: Stripe provides us with limited transaction information, such as the last four digits of your card, card brand, and payment status.

We use the information we collect for the following purposes:

3.1 Providing and Improving the Service

• Create and manage your account
• Facilitate charter bookings, payments, and refunds
• Enable in-app messaging between anglers and captains
• Process captain credential verification
• Display search results and personalize recommendations
• Provide customer support
• Analyze usage patterns to improve features and user experience

3.2 Communications

• Send transactional notifications (booking confirmations, reminders, cancellations, payment receipts)
• Send push notifications (trip reminders, weather alerts, safety notifications) via OneSignal
• Send marketing communications (with your consent, where required by applicable law)
• Respond to your inquiries and support requests

3.3 Safety and Security

• Verify captain licenses and insurance credentials
• Detect, investigate, and prevent fraud or abuse
• Enforce our Terms of Service
• Monitor for security incidents and respond to threats

3.4 Legal Compliance

• Comply with applicable laws, regulations, and legal processes
• Respond to subpoenas, court orders, or other legal requirements
• Establish, exercise, or defend legal claims

If you are located in the European Economic Area (EEA) or United Kingdom (UK), we process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to perform our agreement with you (e.g., creating your account, processing bookings and payments).
• Legitimate Interests: Processing necessary for our legitimate business interests (e.g., fraud prevention, platform improvement, security), provided these interests are not overridden by your data protection rights.
• Consent: Where you have given consent (e.g., for marketing communications, precise location data). You may withdraw consent at any time.
• Legal Obligation: Processing necessary to comply with applicable laws (e.g., tax records, regulatory reporting).

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We may share your information in the following circumstances:

5.1 With Other Users

When you book a charter, your name and contact information are shared with the captain to facilitate the trip. Captain profile information, including credential verification status, ratings, reviews, and boat details, is displayed publicly to build trust.

5.2 With Service Providers

We share information with third-party service providers who perform services on our behalf, including:

• Stripe, Inc. — Payment processing, subscription billing, and Connect payouts for captains. Stripe's privacy policy: stripe.com/privacy
• Supabase, Inc. — Backend infrastructure, database hosting, authentication, and file storage. Supabase's privacy policy: supabase.com/privacy
• OneSignal, Inc. — Push notification delivery. OneSignal's privacy policy: onesignal.com/privacy_policy
• Functional Software, Inc. (Sentry) — Error tracking and performance monitoring. Sentry's privacy policy: sentry.io/privacy
• Google LLC — Google Maps for map display and location services. Google's privacy policy: policies.google.com/privacy
• Apple Inc. — In-app purchase processing for iOS subscriptions and Apple Sign-In authentication.

5.3 For Legal Reasons

We may disclose your information if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms of Service; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Chartrr, our users, or the public.

5.4 Business Transfers

If Chartrr is involved in a merger, acquisition, bankruptcy, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service of any change in ownership or uses of your personal information.

5.5 Aggregated or De-Identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you for business analytics, research, or marketing purposes.

Our website uses essential cookies necessary for the Service to function (e.g., authentication session cookies). We do not use advertising cookies or third-party tracking pixels for targeted advertising.

Our mobile application does not use cookies but may use local storage and device identifiers for authentication and push notification delivery.

Do Not Track: We currently do not respond to “Do Not Track” browser signals, as there is no uniform standard for interpreting them. However, we do not engage in cross-site tracking for advertising purposes.

We retain your personal information for as long as your account is active or as needed to provide the Service. Specific retention periods include:

• Account data: Retained while your account is active and for 30 days after account deletion to allow for reactivation.
• Booking and payment records: Retained for a minimum of 7 years for tax, legal, and regulatory compliance.
• Captain credential documents: Retained for the duration of the captain's active listing and for 1 year after account closure or credential expiration.
• Messages: Retained for 3 years after the associated booking is completed.
• Error logs and analytics: Retained for up to 90 days.

When personal information is no longer needed, we securely delete or anonymize it. Some information may be retained longer if required by applicable law or for the establishment, exercise, or defense of legal claims.

We implement industry-standard technical and organizational security measures to protect your personal information, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Secure authentication with hashed passwords and optional biometric login
• Row-level security (RLS) policies on all database tables to ensure users can only access their own data
• Regular security assessments and dependency vulnerability scanning
• Captain documents stored in private, access-controlled storage buckets
• Payment card data handled exclusively by PCI DSS Level 1 compliant processor (Stripe)

Despite these measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, and you use the Service at your own risk. If we become aware of a security breach affecting your personal information, we will notify you in accordance with applicable law.

Chartrr is based in the United States. Your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from your country of residence.

If you are located in the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place for international data transfers, including Standard Contractual Clauses approved by the European Commission or reliance on service providers' certifications under applicable data transfer frameworks.

10.1 All Users

• Account Information: You may update your profile information at any time through the app settings.
• Account Deletion: You may delete your account through the app settings or by contacting us. Upon deletion, we will remove your personal data subject to the retention periods described above and any legal obligations.
• Push Notifications: You can opt out of push notifications through your device settings.
• Marketing Communications: You can unsubscribe from marketing emails using the “unsubscribe” link in any marketing email. Transactional communications (booking confirmations, safety alerts) cannot be opted out of while you maintain an active account.
• Location Data: You can disable location permissions through your device settings. Note that this may affect the ability to search for nearby charters and use check-in features.

10.2 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
• Right to Delete: You may request that we delete your personal information, subject to certain exceptions.
• Right to Correct: You may request that we correct inaccurate personal information.
• Right to Opt Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
• Right to Limit Use of Sensitive Personal Information: We only use sensitive personal information (such as precise geolocation) for purposes permitted under the CPRA.

To exercise these rights, contact us at privacy@chartrr.com. We will verify your identity before processing your request. You may also designate an authorized agent to make requests on your behalf.

Categories of personal information collected in the preceding 12 months: Identifiers; financial information; geolocation data; internet or electronic network activity information; professional information (captains); audio, visual, or similar information (photos); and inferences drawn from the above.

10.3 EEA, UK, and Swiss Residents (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

• Right of Access: Obtain confirmation of whether we process your data and request a copy.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure: Request deletion of your data in certain circumstances.
• Right to Restriction: Request restriction of processing in certain circumstances.
• Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
• Right to Object: Object to processing based on legitimate interests, including profiling.
• Right to Withdraw Consent: Where processing is based on consent, withdraw at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint: File a complaint with your local data protection authority.

10.4 Other U.S. State Privacy Rights

Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws may have similar rights to access, correct, delete, and port their personal data, and to opt out of targeted advertising, profiling, and sale of personal data. We do not sell personal data or engage in targeted advertising as defined by these laws. To exercise your rights, contact us at privacy@chartrr.com.

The Service is not directed to children under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will promptly delete that information. If you believe we have collected information from a child under 16, please contact us at privacy@chartrr.com.

The Service may contain links to third-party websites, applications, or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information to them.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by: (a) updating the “Last Updated” date at the top of this page; (b) sending you an email notification; or (c) posting a prominent notice in the app. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.