Privacy Policy
Version 1.0 — Effective 2026-05-15
This Privacy Policy explains how [PLATFORM ENTITY NAME] LIMITED ("we", "us", "our") collects, uses, shares, and protects your personal data when you use the Cyprus Boat Rentals website at cyprusboatrental.com, our mobile applications (when released), and related services (the "Platform").
We are committed to protecting your privacy and complying with the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR"), the Cyprus Processing of Personal Data (Protection of Individuals) Law of 2018 (the "Cyprus Data Protection Law"), and the ePrivacy Regulations. If you have questions about this Policy, please contact us at the address in section 12.
1. Who We Are (Data Controller)
The data controller responsible for your personal data is:
[PLATFORM ENTITY NAME] LIMITED
A private company limited by shares, registered in Cyprus.
Company registration number: [HE XXXXXX]
Registered office: [ADDRESS], Cyprus
Email: support@cyprusboatrental.com
Telephone: [+357 XX XXX XXX]
We are registered with the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus where required.
2. What Personal Data We Collect
We collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Identity data | Name, date of birth, nationality, passport or ID number, photograph | You, when registering or booking |
| Contact data | Email, telephone, postal address | You |
| Account data | Username, password (hashed), profile preferences, role (Renter/Host/Admin), agreement acceptance timestamps and versions | You |
| Booking data | Booking history, vessel preferences, dates, parties travelling, special requests | You and Owners |
| Listing data (Owners) | Vessel specifications, photos, availability calendar, pricing, location, marina, third-party calendar (iCal) URLs you choose to sync | You (Owner) |
| Payment data | Payment method type, last 4 digits of card, transaction history (full card details handled by our payment processor only) | You via Stripe |
| Payout & bank data (Owners) | Bank country, account holder name, IBAN, BIC, Stripe Connect account ID | You (Owner) |
| Licence data | Boating licence type, number, issuing authority, scanned copy; signed competency declarations for visitors | You (Renter); Owners retain a copy under the Boat Owner Listing Agreement |
| Communications | Messages between Users, customer support tickets, reviews | You |
| Damage reports | Description, severity, photos of alleged damage submitted after a rental | You and Owners |
| Technical data | IP address, device type, browser, OS, language | Automatic |
| Usage data | Pages visited, search queries, click patterns, session duration | Automatic |
| Location data | Approximate location based on IP, precise location with permission | Automatic / you |
| Marketing data | Marketing preferences, response to marketing communications | You |
| Publicly published data (pre-claim Listings) | Vessel name, photos, specifications, and pricing previously published by the Owner on the Owner's own website or other public sources | Publicly available sources, used to pre-create Unclaimed Listings (see section 4A) |
We do not knowingly collect data from children under 18. If you are under 18, please do not use the Platform.
Special category data: we do not intentionally collect special category data (health, ethnicity, religion, etc.). If incidental special category data is provided (for example, dietary requirements when planning a trip), we process it only with your explicit consent and only for the specific purpose for which you provided it.
3. How We Use Your Personal Data and Legal Basis
Under the GDPR we must have a lawful basis for processing your data. We rely on the following bases:
| Purpose | Data used | Legal basis |
|---|---|---|
| Creating and managing your account | Identity, contact, account data | Performance of contract |
| Processing Bookings | Identity, contact, booking, licence data | Performance of contract |
| Processing payments and payouts (via Stripe and Stripe Connect) | Payment, payout/bank, booking data | Performance of contract; legal obligation (AML, tax) |
| Sharing booking data with the Owner | Identity, contact, booking, licence data | Performance of contract |
| Recording acceptance of the Boat Owner Listing Agreement | Account data (agreement timestamp and version) | Legitimate interests (evidence of consent); legal obligation |
| Pre-creating Unclaimed Listings from publicly available information | Publicly published Vessel data | Legitimate interests (see section 4A) |
| Operating the damage report and Security Deposit process | Damage reports, booking data, payment data | Performance of contract; legitimate interests |
| Synchronising third-party availability (iCal) | iCal URL provided by Owner | Performance of contract |
| Customer support | All categories as needed | Performance of contract; legitimate interests |
| Dispute resolution | All categories as needed | Performance of contract; legitimate interests |
| Fraud prevention and Platform security | Account, technical, usage, payment data | Legitimate interests; legal obligation |
| Improving the Platform | Usage, technical data | Legitimate interests |
| Marketing communications by email | Contact, account, booking history | Consent (withdrawable); legitimate interests for existing customers re similar services |
| Reviews and ratings publication | Identity (first name and initial), review content | Performance of contract; legitimate interests |
| Compliance with legal obligations | Any data as required | Legal obligation |
| Establishing or defending legal claims | Any data as required | Legitimate interests |
"Legitimate interests" means our or a third party's interests in operating, securing, and improving the Platform, defending against fraud, and pursuing legal rights, balanced against your interests and fundamental rights. You may object to processing based on legitimate interests at any time (see section 8).
4. Who We Share Your Data With
We share personal data with the following categories of recipient, only where necessary and subject to appropriate safeguards:
- Owners (where you make a Booking): we share your name, contact details, passport/ID details, licence details, and booking information with the Owner of the Vessel you book, so they can perform the rental, comply with Cyprus maritime law, and handle handover. The Owner becomes a separate data controller for that data.
- Renters (where you are an Owner): we share Renter contact and booking details with you so you can perform the rental.
- Payment processors: Stripe and Stripe Connect (and other regulated payment service providers we may select) process payments and payouts. They handle full payment data in accordance with PCI-DSS and their own privacy policies.
- Hosting and IT providers: cloud hosting, database, email, customer support, and analytics providers acting as data processors on our behalf under written data processing agreements.
- Communications providers: email, SMS, and push notification providers used to send transactional and (with consent) marketing messages.
- Identity verification and fraud prevention services: where used to verify identity, licences, or detect suspicious activity.
- Insurance providers: where required for claims handling under platform-level insurance arrangements.
- Professional advisors: lawyers, auditors, and accountants under duties of confidentiality.
- Public authorities: police, regulators, tax authorities, courts, and other authorities where required by law or to protect our or others' rights.
- Successor entities: in the event of a merger, acquisition, restructuring, or sale of all or part of our business, your data may be transferred to the successor entity, subject to the same protections.
Publicly visible Listing content: information you publish in a Listing (photographs, descriptions, capacity, pricing, location, availability, Owner first name and reviews) is shown publicly on the Platform and may be indexed by search engines. Do not include personal data in Listing content that you do not intend to be public.
We do not sell your personal data to any third party.
4A. Unclaimed Listings
To make the Platform useful at launch and to invite established boat operators to claim a presence on it, we may create draft Listings ("Unclaimed Listings") in advance of an Owner registering on the Platform. We do this on the legal basis of legitimate interests — operating a useful marketplace and giving boat owners the opportunity to claim their listing — balanced against the Owner's privacy interests.
When we create an Unclaimed Listing we:
- Only use information already publicly published by the Owner (typically the Owner's own website), such as Vessel name, specifications, photographs, and pricing.
- Mark the Listing as "unclaimed" in our system and indicate this to visitors where appropriate.
- Do not display contact details for the Owner. Booking enquiries on Unclaimed Listings are routed through the Platform until the Owner claims the Listing.
- Provide a one-time claim link to the Owner at an email address obtained from a publicly published business source.
- Remove or anonymise the Listing on request within seven (7) days of a verified request from the Owner sent to support@cyprusboatrental.com. The right of objection under Article 21 GDPR applies here without limitation.
- Strip third-party brand names from descriptive text before publication, to avoid creating any impression of an endorsement.
Once an Owner claims an Unclaimed Listing, they become a separate data controller for any further content they add and are bound by the Boat Owner Listing Agreement.
5. International Transfers
5.1 We are based in Cyprus and primarily process data within the European Economic Area (EEA). Some of our service providers (for example, certain cloud hosting and analytics providers) may process data outside the EEA, including in the United States and the United Kingdom.
5.2 Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including: (a) transfer to countries the European Commission has determined provide an adequate level of protection (such as the United Kingdom); (b) use of Standard Contractual Clauses approved by the European Commission; or (c) other lawful transfer mechanisms under Articles 44–49 GDPR.
5.3 You may request a copy of the relevant safeguards by contacting us at the address in section 12.
6. Cookies and Similar Technologies
6.1 We use cookies and similar technologies on the Platform. A cookie is a small data file stored on your device. We use the following categories:
- Strictly necessary cookies: required for the Platform to function (e.g., authentication, session management, security). These do not require consent.
- Functional cookies: remember your preferences (e.g., language, currency). Set with your consent.
- Analytics cookies: help us understand how Users use the Platform so we can improve it. Set with your consent.
- Marketing cookies: used to deliver relevant advertising and measure campaign performance, including third-party advertising cookies. Set with your consent.
6.2 When you first visit the Platform, you will see a cookie banner allowing you to accept all, reject non-essential, or customise your preferences. You can change your preferences at any time via the cookie settings link in the Platform footer.
6.3 A full list of cookies used, their purposes, and retention periods is available in our Cookie Policy.
7. How Long We Keep Your Data
We keep personal data only for as long as necessary for the purposes for which it was collected, including legal, accounting, or reporting requirements:
- Account data: while your account is active, plus 12 months after closure to handle late disputes, then deleted or anonymised.
- Booking and rental records: 7 years from rental completion (Cyprus tax and VAT record-keeping requirements).
- Payment and payout records (including bank/IBAN data for paid-out Owners): 7 years from transaction (AML and tax obligations). Where an Owner closes their account without ever receiving a payout, bank details are deleted on closure.
- Listing data: while the Listing is live, plus 12 months after delisting. Unclaimed Listings that are never claimed are reviewed annually and removed where they no longer serve the legitimate-interest purpose under section 4A.
- Damage reports and dispute records: 3 years from closure of the matter (or longer if required for legal claims).
- Licence copies and competency declarations: 2 years from rental, then deleted.
- Communications: 3 years from closure of the relevant matter.
- Reviews: indefinitely while published, but anonymised on account closure (first name and initial only).
- Marketing data: until you withdraw consent or 24 months of inactivity, whichever is sooner.
- Agreement acceptance records: for the lifetime of the account plus 6 years thereafter, as evidence of the basis on which we processed your data.
- Cookies: as set out in our Cookie Policy.
Where we are required to retain data for legal reasons, we restrict its use to those legal purposes only.
8. Your Rights Under the GDPR
You have the following rights in respect of your personal data:
- Right of access: you can request a copy of the personal data we hold about you.
- Right to rectification: you can ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): you can ask us to delete your data where there is no compelling reason for us to keep it. Note: we may retain data where required by law (e.g., booking records for tax purposes).
- Right to restriction of processing: you can ask us to limit how we use your data in certain circumstances.
- Right to data portability: you can ask us to provide your data in a structured, commonly used, machine-readable format, or transmit it directly to another controller.
- Right to object: you can object to processing based on legitimate interests, including direct marketing and the pre-creation of Unclaimed Listings (see section 4A).
- Right to withdraw consent: where we rely on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
- Rights related to automated decision-making: we do not currently use solely automated decision-making with legal or similarly significant effects on you. Where this changes, we will notify you and offer the right to obtain human intervention.
To exercise any of these rights, please contact us at support@cyprusboatrental.com. We will respond within one (1) month, extendable by two further months for complex requests. We may need to verify your identity before acting on your request. Exercising these rights is free in most cases.
9. Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with the law, you have the right to lodge a complaint with the supervisory authority in Cyprus:
Office of the Commissioner for Personal Data Protection
1 Iasonos Street, 1082 Nicosia, Cyprus
Postal address: P.O. Box 23378, 1682 Nicosia
Telephone: +357 22 818 456
Email: commissioner@dataprotection.gov.cy
Website: https://www.dataprotection.gov.cy
If you are resident in another EU member state, you may also complain to the supervisory authority in your country of residence. We would, however, appreciate the chance to address your concerns first — please contact us at support@cyprusboatrental.com.
10. How We Protect Your Data
10.1 We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction. These include:
- Encryption of data in transit (TLS) and at rest where appropriate
- Hashed passwords (we never store plaintext passwords)
- Access controls and authentication for our staff and systems
- Logging, monitoring, and intrusion detection
- Regular security reviews and vulnerability assessments
- Written data processing agreements with all processors
- Staff training on data protection and confidentiality
10.2 Despite our efforts, no system can be guaranteed 100% secure. If we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the supervisory authority within 72 hours and you without undue delay where required.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The current version is always available on the Platform with an effective date. Material changes will be notified to registered Users by email at least thirty (30) days before they take effect.
12. Contact Us
For any questions, requests, or complaints regarding this Privacy Policy or your personal data, please contact:
[PLATFORM ENTITY NAME] LIMITED — Privacy Team
Email: support@cyprusboatrental.com
Postal address: [ADDRESS], Cyprus
If we appoint a Data Protection Officer (DPO), their contact details will be published here. We are not currently required to appoint a DPO under Article 37 GDPR but may do so voluntarily as the Platform grows.