Privacy Notice & Data Protection Policy (UK GDPR + EU GDPR)

LUFF YACHTING LIMITED · Version: 1.0

Applies to: website, app, platform services, customer support, vendor onboarding, bookings, payments, marketing

1) Who we are (Controller)

Luff Yachting Limited ("Luff", "we", "us", "our") is the data controller for the personal data described in this Privacy Notice, except where stated otherwise.

Contact email: privacy@luffyachting.com (recommended)
Support email: podrska@luffyachting.com

2) What this notice covers

This notice explains how we collect, use, store, share, and protect personal data when:

  • you browse our website or use our platform;
  • you create an account;
  • you make or manage a booking;
  • you are a Vendor (boat owner/charter company) listing a vessel;
  • you are a guest/crew member whose details are submitted for a booking;
  • you contact support or make a complaint; or
  • we carry out fraud prevention, compliance checks, or legal obligations.

This policy is designed to meet UK GDPR requirements and is compatible with EU GDPR for EU/EEA users.

3) Marketplace roles

3.1 Luff's role

Luff typically acts as Controller for:

  • platform accounts and user management;
  • booking administration and communications;
  • customer support and complaints;
  • fraud prevention and security monitoring;
  • payment operations (at a metadata level, not full card details);
  • compliance recordkeeping and audit trails.

3.2 Vendor's role

Vendors (boat owners/charter companies) usually act as independent Controllers for certain data required to deliver the charter service, including:

  • operational delivery (marina check-in, port authority requirements);
  • crew/guest lists and identity verification where legally required;
  • service delivery communications and incident handling.

Vendors must maintain their own privacy compliance and only use personal data for the booking/service purposes.

3.3 Stripe / payment providers' role

Card payments and connected account onboarding are handled by our payment service providers such as Stripe. Stripe processes personal data to:

  • execute payments;
  • manage fraud and risk;
  • meet financial services/compliance requirements (including verification of vendors/connected accounts).

We do not store full card numbers. Stripe receives the payment details needed to process transactions. We receive payment identifiers, status, and metadata for reconciliation, refunds and disputes.

4) Personal data we collect

4.1 Data you give us (customers & users)

  • Full name
  • Email address (required for account/booking)
  • Phone number (often required for booking/security; otherwise optional)
  • Account credentials and verification signals
  • Messages to support / vendor communications via the platform

4.2 Booking and trip data

  • Booking details (dates, location, vessel chosen, pricing, add-ons)
  • Service preferences and special requests (avoid sensitive data where possible)

4.3 Crew / guest list data (high-risk category operationally)

Depending on destination and marina/port requirements, we (or the Vendor) may process:

  • guest/crew full names
  • contact details (email/phone if required)
  • passport/ID number (only if required for lawful service delivery or port/marina rules)

Strict rule: we only collect the minimum required, restrict access, and apply short retention (see Section 10).

4.4 Vendor data (boat owners/charter companies)

  • Business name, trading address, contact person(s)
  • Tax/VAT details (where relevant)
  • Bank details for payouts (via Stripe onboarding)
  • Verification information (KYC/KYB) required by payment providers and compliance
  • Vessel details (vessel name, model, year, location, availability)

4.5 Payments and transaction data

  • Transaction amount, currency, date/time, status
  • Payment identifiers (e.g., payment intent IDs), refunds, chargebacks, dispute data
  • Customer billing details as provided to Stripe (we typically see limited metadata)

4.6 Technical / usage data

  • IP address
  • device and browser information
  • log data, timestamps, session activity
  • cookie identifiers and analytics data (see Cookies section)

5) Why we use your data (purposes)

We use personal data to:

  • create and manage accounts
  • enable bookings and manage booking lifecycle
  • communicate with customers and vendors (service messages, confirmations, changes)
  • process payments, refunds, chargebacks, and accounting
  • prevent fraud, abuse, and keep the platform secure
  • meet legal obligations (tax, accounting, regulatory requests)
  • resolve disputes and enforce our Terms
  • improve platform performance and user experience
  • send marketing communications only where permitted (usually consent)

6) Legal bases (UK GDPR Article 6)

We rely on one or more of the following legal bases:

  • Contract: to provide platform services and manage bookings and vendor onboarding.
  • Legal obligation: tax, accounting, responding to lawful authority requests.
  • Legitimate interests: fraud prevention, platform security, dispute defence, service improvement, risk management, balanced against your rights.
  • Consent: marketing communications and non-essential cookies where required.

If we rely on legitimate interests, we maintain internal notes describing the interest and balancing assessment.

7) Who we share data with (recipients)

We share personal data only as necessary with:

  • Vendors to deliver the booking and service
  • Payment service providers (e.g., Stripe) to process payments, refunds, chargebacks, and verification
  • Hosting, cloud, email, and IT providers that run our platform
  • Support tools/CRM providers for customer support and ticketing
  • Professional advisers (lawyers, accountants, auditors) under confidentiality
  • Authorities where required by law or lawful request

We do not sell personal data and do not share it for third-party advertising without valid consent.

8) International transfers (UK/EU "must have" section)

Our vendors, users, and service providers may be located outside the UK. If personal data is transferred internationally, we use appropriate safeguards such as:

  • UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
  • EU Standard Contractual Clauses (SCCs) where EU GDPR applies
  • transfers to countries recognised as providing adequate protection (where applicable)

We also apply security controls and minimisation when transferring data.

9) Data minimisation (especially for identity / crew list)

We apply strict minimisation:

  • We do not request passport/ID information unless required for service delivery/legal rules.
  • Where possible, the Vendor should collect ID details directly for marina/authority compliance.
  • If Luff must handle such data, access is restricted (need-to-know), encrypted where feasible, and retained briefly (see below).

10) Retention

We keep data only as long as needed for the purposes above:

  • Payments / accounting / disputes: up to 7 years (UK tax/accounting norms)
  • Booking records + support communications: typically 2 years after trip completion (longer if dispute ongoing)
  • Vendor onboarding / KYB evidence: duration of vendor relationship + 5 years after offboarding (or longer if legally required)
  • Crew list / passport/ID numbers: 30–90 days after trip (unless the law requires longer or a dispute is active)
  • Security logs: typically 6–12 months depending on system need
  • Marketing consent logs: while you remain subscribed + 2 years after unsubscribe (for proof of consent)

After expiry, data is deleted or anonymised.

11) Your rights (UK GDPR + EU GDPR)

You may have the right to:

  • access your personal data
  • correct inaccurate data
  • request deletion
  • restrict processing
  • object (especially to legitimate interest processing)
  • data portability (where applicable)
  • withdraw consent (for consent-based processing)
  • complain to a supervisory authority

UK users: you can complain to the UK Information Commissioner's Office (ICO).

EU/EEA users: you can complain to your local data protection authority.

12) How to make a DSAR request (audit-ready procedure)

To request access/deletion/correction, email privacy@luffyachting.com (recommended) or podrska@luffyachting.com.

We will:

  • acknowledge within 7 days
  • verify identity (to prevent fraud)
  • respond within 30 days (may extend for complex requests; we will explain why)

We may refuse or limit requests only where the law allows (e.g., to protect others' rights, legal privilege, fraud prevention).

13) Security measures (minimum set)

We use appropriate technical and organisational measures such as:

  • TLS/HTTPS encryption in transit
  • access controls and role-based permissions
  • MFA for admin and finance tools
  • logging of high-risk admin actions (refunds, payout changes, vendor status changes)
  • staff training and internal procedures
  • vendor/service provider due diligence
  • incident response procedures (see next section)

No system is risk-free; we continuously improve security.

14) Data breaches & incident response

If we suspect a personal data breach, we will:

  • contain and assess impact promptly
  • preserve relevant logs and evidence
  • notify affected parties and regulators when required by law
  • coordinate with Stripe/payment providers where payment data or disputes are involved
  • document actions taken and lessons learned

15) Cookies and tracking

We use cookies and similar technologies for:

  • essential functionality (login, security)
  • performance analytics
  • marketing (only where consent is required and obtained)

We provide a Cookie Policy and cookie controls where required.

16) Children

Our services are not intended for children. If we learn we have collected personal data from a child unlawfully, we will delete it.

17) Changes to this notice

We may update this notice for legal or operational changes. The latest version will be published on our platform, and we may provide additional notice where required.

18) Contact

Privacy: privacy@luffyachting.com
Support: podrska@luffyachting.com

Don't think alone - we're here to help you.