DT
DeckTrust

DRAFT — NOT LEGAL ADVICE. This is a starting template that requires review by a qualified attorney before customer use.

DeckTrust Privacy Policy

Effective Date: [EFFECTIVE DATE — e.g., 2026-05-15]

[LEGAL ENTITY NAME] ("DeckTrust", "we", "us", or "our") operates the DeckTrust maritime cybersecurity compliance platform at decktrust.dev (the "Service"). This Privacy Policy explains how we collect, use, share, and protect personal information.

DeckTrust is a business-to-business service. Our Customers are MTSA-regulated commercial vessel operators and other maritime entities. When personal information about a Customer's personnel, contractors, or third parties is processed through the Service, the Customer is the data controller (or "business" under California law) and DeckTrust acts as the service provider / processor. Personnel-level data handling for Customer accounts is governed by the Customer's agreement with DeckTrust, not by this policy alone.

This policy covers:

  • Information we collect directly from website visitors and Customers.
  • How we handle personal information processed on behalf of Customers.
  • Rights available to California residents under the CCPA / CPRA.

Defined Terms

In this policy:

  • "Customer" means the business entity (typically an MTSA-regulated operator) that contracts with DeckTrust for the Service, and any individual administrator or other authorized user acting on its behalf.
  • "End User" means an individual whose personal information is processed in the Service on behalf of a Customer — typically the Customer's personnel, contractors, or other third parties enrolled in training or compliance workflows.
  • "Subprocessors" means the third-party vendors disclosed through the process described on our Subprocessors page that process personal information on DeckTrust's behalf.

Capitalized terms not defined in this policy have the meanings given in the Terms of Service (or in a Customer's signed Customer Agreement, where one exists).

1. Information We Collect

1.1 Information you provide directly

  • Account information: name, business email, role, organization name, phone number (optional).
  • Authentication information: hashed password, one-time passcodes, session tokens.
  • Billing information: name, billing email, billing address, last four digits of payment card, transaction history. Full card numbers are handled by our payment processor (see Subprocessors).
  • Support communications: contents of email or in-app messages you send us.

1.2 Information processed on behalf of Customers

When a Customer uses the Service, the Customer may upload or generate the following information about its End Users:

  • Personnel records: names, business email addresses, job role, hire date, system-access date, training assignments, and quiz results for End Users subject to 33 CFR Part 101 Subpart F training.
  • Vessel and facility data: vessel/facility identifiers, ownership, operational areas, security plan documents.
  • Compliance evidence: incident reports, drill records, assessment findings, attestations, signed acknowledgements.
  • Uploaded documents: PDFs, images, and other files attached to compliance records.

DeckTrust processes this data only as instructed by the Customer to provide the Service. Customers should consult their own privacy notice for End User disclosures.

1.3 Information collected automatically

  • Usage information: pages viewed, features used, training time-on-task, timestamps.
  • Device information: IP address, browser type, operating system, device type.
  • Cookies and similar technologies: session cookies for authentication and security; we do not use third-party advertising cookies.
  • Error and performance telemetry: stack traces and event metadata routed through our error-monitoring Subprocessor. See Subprocessors for our subprocessor disclosure and the process for requesting the current vendor list.

2. How We Use Information

We use information to:

  • Provide, operate, and maintain the Service.
  • Authenticate users and enforce role-based access.
  • Generate compliance reports, training records, and inspection-ready PDFs requested by the customer.
  • Send transactional emails (account confirmations, password resets, training reminders, compliance notifications).
  • Respond to support requests.
  • Detect, investigate, and prevent fraud, abuse, or security incidents.
  • Bill for paid services and collect payment.
  • Comply with legal obligations and enforce our agreements.
  • Improve the Service through aggregated, de-identified usage analysis.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

3. Legal Bases (Where Applicable)

For website visitors and Customers, we rely on:

  • Performance of a contract — to deliver services you have signed up for.
  • Legitimate interests — to operate, secure, and improve the Service, prevent fraud, and communicate with customers.
  • Consent — where required by law (e.g., certain marketing emails).
  • Legal obligation — to comply with tax, accounting, and regulatory requirements.

For data processed on behalf of customers, we act under the customer's instructions and the data-processing terms of the applicable customer agreement.

4. How We Share Information

We share information only as described below:

  • Subprocessors. We use third-party vendors to host the platform, send transactional email, process payments, and provide error monitoring. See Subprocessors for our subprocessor disclosure and how to request the current vendor list.
  • Customer's organization. Information submitted to a Customer's account is visible to that Customer's authorized administrators within their tenant.
  • Legal compliance. We may disclose information when legally required (subpoena, court order, regulatory request) or to protect our rights, property, or safety, or that of our Customers and End Users.
  • Business transfers. If DeckTrust is involved in a merger, acquisition, or asset sale, information may be transferred subject to this policy or a successor policy.
  • With your consent. For any other purpose disclosed at the time of collection.

We do not sell personal information and we do not share personal information for cross-context behavioral advertising under California law.

5. Data Retention

We retain personal information for as long as needed to provide the Service and to comply with legal, accounting, or reporting obligations.

  • Training records are retained for at least 2 years from the date of completion to satisfy 33 CFR Part 101.535(b) recordkeeping requirements. Customers may instruct us to retain training records for longer.
  • Customer account information is retained for the life of the account and for a reasonable period afterward to handle wind-down activities and legal claims.
  • Backups are retained for up to 30 days and then overwritten.
  • Billing records are retained for the period required by tax and accounting law.

When information is no longer needed, we delete or de-identify it.

6. Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including:

  • TLS encryption in transit.
  • Encryption at rest for the database and file storage at the Subprocessor layer.
  • Tenant isolation enforced through Supabase Row-Level Security (RLS).
  • Role-based access controls aligned to the principle of least privilege.
  • Email one-time-passcode (OTP) or password authentication for primary login. Multi-factor authentication is not currently offered for Customer or End User logins; we plan to add it in a future release (see "Roadmap" below).
  • Dependency, configuration, and access reviews performed from time to time.
  • Internal audit logging for sensitive actions.

No system can be guaranteed to be 100% secure. If you suspect a security issue, contact security@decktrust.dev.

Roadmap. Security controls we are evaluating but have not yet shipped — including multi-factor authentication for Customer and End User logins — are not in scope of the safeguards above. We will update this section when those controls are in production.

7. Breach Notification

If we become aware of a confirmed unauthorized acquisition of personal information that we host on behalf of a Customer, we will notify the affected Customer without undue delay and provide information reasonably needed for the Customer to satisfy its own breach-notification obligations under 33 CFR Part 101.620, state law, and any other applicable law.

For Customers, we will notify you of incidents affecting your information consistent with applicable law.

8. Your Rights

Depending on where you reside, you may have rights regarding your personal information.

8.1 California residents (CCPA / CPRA)

The categories of personal information we collect, and the purposes for collecting them, are described in Section 1 ("Information We Collect") and Section 2 ("How We Use Information"). Information about Subprocessors that may receive personal information is available on our Subprocessors page.

You have the right to:

  • Know what personal information we collect, use, and share.
  • Access a copy of your personal information.
  • Delete your personal information, subject to legal exceptions.
  • Correct inaccurate personal information.
  • Limit use of sensitive personal information (we do not use it for purposes that would trigger this right).
  • Opt out of "sale" or "sharing" — we do not sell or share personal information for cross-context behavioral advertising.
  • Non-discrimination for exercising your rights.

To exercise these rights, contact privacy@decktrust.dev. We will verify your identity before fulfilling the request. If we cannot verify, or if an exception applies, we will explain why.

You may also designate an authorized agent to make a request on your behalf. The agent must provide signed written permission, and we may require you to verify your own identity.

8.2 If you are an End User (e.g., a mariner enrolled by your employer)

If your employer or service provider uses DeckTrust to track your training, they are the data controller for that data. Direct access, deletion, and correction requests to them. We will support the Customer's response.

9. Children

The Service is not directed to individuals under 16. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact privacy@decktrust.dev and we will delete it.

10. International Users

The Service is operated from the United States and all of our current Subprocessors are located in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States, which may have data-protection laws different from your country.

11. Changes to This Policy

We may update this policy from time to time. We will post the new effective date at the top of this page and, for material changes, provide notice through the Service or by email to Customers.

12. Contact

[LEGAL ENTITY NAME] [REGISTERED AGENT ADDRESS] Email: privacy@decktrust.dev Security issues: security@decktrust.dev