~ cat privacy_policy.md
Privacy Policy
Last updated: 28 June 2026
1. Introduction
Sealogical ("We"; "Us"; the "Company") is a trading name of MXMG Ltd (Company No. 12253099; ICO registration ZA932873), a company registered in the United Kingdom. We are committed to protecting your personal information. This Privacy Policy explains how we collect, store and use personal data, the lawful bases on which we rely, and how we keep it safe.
Our two roles.
Sealogical provides a software-as-a-service platform for yacht and maritime management. The way data protection law applies to us depends on whose data it is:
Where we act as a processor: When our clients (for example, a yacht owner or management company) use our platform and add personal data to it — including crew identity, payroll and health/medical records — the client is the data controller and Sealogical acts as data processor, processing that data only on the client's documented instructions. The client decides what data is added, why, the lawful basis for it, and how long it is kept. Section A of this Policy applies to this data.
Where we act as a controller: For personal data we collect and use for our own business purposes — such as enquiries about our services, business contacts, account and billing data, newsletter subscribers, website visitors, and people who apply to work with Sealogical directly — Sealogical is the data controller. Section B of this Policy applies to this data.
We process all personal data in line with the UK GDPR and the Data Protection Act 2018. Information is held in a secure environment with access restricted on a "need to know" basis, supported by appropriate physical, electronic and managerial safeguards.
2. Definitions
- "consent"
- means a freely given, specific, informed and unambiguous indication of the data subject's wishes, by a statement or clear affirmative action, signifying agreement to the processing of their personal data.
- "controller"
- means the person or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- "processor"
- means the person or organisation which processes personal data on behalf of a controller.
- "data subject" / "subject"
- means a living, identified or identifiable natural person about whom personal data is held.
- "EEA"
- means the European Economic Area (all EU Member States, Iceland, Liechtenstein and Norway).
- "personal data"
- means any information relating to an identified or identifiable natural person.
- "personal data breach"
- means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- "processing"
- means any operation performed on personal data, whether or not by automated means.
- "special category personal data"
- means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, sexual orientation, or biometric or genetic data.
- "UK GDPR"
- means the retained EU General Data Protection Regulation as it forms part of UK law under the Data Protection Act 2018.
- "lawful basis"
- means a legal ground under Article 6 (and, for special category data, Article 9) of the UK GDPR on which processing is permitted.
Our details:
Organisation: MXMG Ltd (trading as Sealogical)
Company No.: 12253099 | ICO registration: ZA932873
Address: c/o Hunts Accountants, Oborne Road, Sherborne, Dorset, DT9 3RX, United Kingdom
Email: info@mxmg.com
3. The Rights of Data Subjects
The following rights apply under the UK GDPR: (3.1) the right to be informed; (3.2) the right of access; (3.3) the right to rectification; (3.4) the right to erasure; (3.5) the right to restrict processing; (3.6) the right to data portability; (3.7) the right to object; (3.8) rights in relation to automated decision-making and profiling; (3.9) the right to withdraw consent at any time where processing is based on consent (withdrawal does not affect prior lawful processing); and (3.10) the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.
How to exercise your rights. If your personal data was added to our platform by a client (for example, your employer or a yacht management company), that client is the controller and you should direct your request to them; we will assist them in responding. For personal data we hold as controller (Section B), contact us at info@mxmg.com. We would appreciate the chance to address any concerns before you approach the ICO.
Section A — Where Sealogical acts as a processor
(client and crew data on the platform)
A1. Our role
When a client uses the Sealogical platform, the client determines what personal data is entered, the purposes for which it is processed, the lawful basis, and the applicable retention period. The client is the controller and Sealogical is the processor. We process this data only on the client's documented instructions and in accordance with our Data Processing Agreement (DPA) with that client, which governs this relationship and prevails over this Policy in respect of such data.
A2. Categories of data processed on the platform
Depending on how each client configures the service, this may include: name, address and country; telephone number and email; passport, visa and seaman's book details; date of birth and nationality; role and work experience; payroll information; next-of-kin details; and health information (for example medical certificates / ENG1s), which is special category data.
A3. Lawful basis
For data processed on the platform, the client (controller) is responsible for determining and documenting the lawful basis under Article 6 — and, for special category data such as health records, the condition under Article 9 — UK GDPR. Sealogical does not determine the purposes of this processing and does not rely on its own lawful basis for it; it processes the data solely as the client's processor.
A4. Source of data
We receive this data directly from the client (for example, an owner or management company adding crew records) and, where the client enables it, from crew members entering their own details. The categories are as listed in A2.
A5. Retention
Retention of platform data is determined by the client as controller. We retain and delete such data in accordance with the client's instructions and the terms of our DPA, and on termination of the service we return or securely delete it as the client directs.
A6. AI features and safeguards
Certain platform features use artificial intelligence (for example, document scanning and search). All AI processing of personal data is routed through the Vercel AI Gateway, on which zero data retention and no model-training are enforced. Source data is held at rest in the United Kingdom. Any decisions with legal or similarly significant effect remain subject to human review (see Section 6).
Section B — Where Sealogical acts as a controller
(our own business data)
B1. Personal data we collect as controller
- Information you provide when enquiring about our services;
- Information you provide when entering into a contract with us (account and billing data);
- Information you provide when subscribing to our e-newsletter;
- Information you provide if you apply to work with Sealogical directly;
- Business contact details (including business cards); and
- Information about your device and visits to this website, including online identifiers such as IP addresses.
B2. Lawful bases (Article 6)
- Performance of a contract — to provide our services to, and administer our relationship with, our direct customers and contacts.
- Legal obligation — to comply with our own tax, accounting and corporate record-keeping requirements.
- Legitimate interests — for managing business contacts and enquiries, direct recruitment for Sealogical, securing our systems, and the day-to-day running of our business. We have assessed that these interests are not overridden by your rights; you may object at any time (Section 3.7).
- Consent — for sending our e-newsletter and for setting non-essential cookies. You may withdraw consent at any time.
Where, in this controller capacity, we process special category data of our own staff or applicants, we rely on Article 9(2)(b) UK GDPR (employment, social security and social protection law) as supported by Schedule 1 of the Data Protection Act 2018, and collect such data only where relevant.
B3. Retention (controller data)
| Data category | Retention period |
|---|---|
| Account, billing and contract records | 6 years after the end of the contract (tax/accounting obligations) |
| Direct (Sealogical) recruitment applicants — unsuccessful | 12 months after the decision |
| Newsletter subscribers | Until you unsubscribe, then deleted promptly |
| Enquiry / business contact data | 24 months after last meaningful contact |
When data is no longer required, we take reasonable steps to erase or dispose of it securely.
General Provisions
(apply to both roles)
4. Who We Share Data With
We do not sell personal data. We share it only with:
(a) Technology and infrastructure providers who host and operate our platform on our behalf:
- Supabase — database, authentication and storage (UK – London);
- Vercel — application hosting, deployment and AI Gateway (US compute region);
- Postmark (AC PM LLC / ActiveCampaign) — transactional email and e-newsletter (US);
- Sentry (Functional Software, Inc.) — error monitoring and diagnostics (EU – Frankfurt);
- Anthropic, PBC — AI features, as Vercel's sub-processor (US);
- OpenAI, L.L.C. — AI features (embeddings), as Vercel's sub-processor (US);
- Upstash, Inc. — workflow queue / rate-limiting (US);
- Liquid Web — hosting for our legacy platform.
These providers act under written data processing agreements requiring them to process personal data only on instructions and to apply appropriate security measures. For data processed on the platform, these providers act as the client's sub-processors through us.
(b) Our clients, who act as controllers for the data they enter into the platform and to whom we provide the service as processor.
(c) Professional advisers, regulators or authorities where we are legally required to disclose data.
5. International Transfers
Our platform is cloud-based and used by clients and crew worldwide, so personal data may be stored on, or accessed from, locations outside the United Kingdom. Data is held primarily in the United Kingdom (our database and document storage, at rest). A limited subset is held by certain providers in their own regions: transactional email/newsletter (United States); error monitoring (European Union); and AI feature providers (United States).
Where we transfer personal data outside the UK, we ensure an appropriate safeguard is in place, namely either:
- a transfer to a country covered by UK "adequacy" regulations; or
- the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914) together with the UK International Data Transfer Addendum (version B1.0, in force 21 March 2022).
We do not rely on the standalone UK International Data Transfer Agreement (IDTA), nor on the EU-US Data Privacy Framework, as our transfer mechanism. You may request details of the safeguards we use by contacting info@mxmg.com.
6. Automated Decision-Making
We do not carry out solely automated decision-making, including profiling, that produces legal or similarly significant effects on you. Where we use artificial-intelligence features to assist the service (for example, document scanning or search), any decision with a legal or similarly significant effect remains subject to human review.
7. Whether You Must Provide Data
Where your data is processed on the platform (Section A), any requirement to provide data — for crew engagement, payroll or maritime compliance — is determined by the relevant client (controller); if you do not provide it, that client may be unable to engage you, pay you, or meet its regulatory obligations. Where we process data as controller (Section B), providing certain data may be necessary to enter into or perform a contract with us, or to respond to your enquiry.
8. Data Subject Access and Other Requests
You may make a request to exercise any of the rights in Section 3 at any time. If your data was added to the platform by a client, that client is the controller and you should direct your request to them; we will assist them as their processor. For data we hold as controller (Section B), contact info@mxmg.com and we will respond within one month (extendable by up to two further months for complex or numerous requests, in which case we will tell you within the first month).
9. Accuracy and Keeping Data Up to Date
For data we hold as controller, we take all reasonable steps to keep personal data accurate and up to date, and to amend or erase inaccurate or out-of-date data without delay once notified. For data processed on the platform, accuracy and correction are managed by the client (controller) on whose instructions we act.
10. Cookies
We use cookies on this website. Strictly necessary cookies are set automatically; non-essential cookies (for example analytics) are set only after you give consent through our cookie banner. You can change your choice at any time using the "Cookie settings" link in the footer. For full details of the categories, the specific cookies, their purposes and durations, please see our Cookie Policy.
11. Security
We hold personal data in a secure environment and apply appropriate technical and organisational measures — including access controls, row-level data isolation between customers, encryption in transit, zero-data-retention and no-training controls on AI processing, and supplier due diligence — to protect against unauthorised access, loss or disclosure.
12. Complaints
If you have any concern about how your personal data is handled, please contact us at info@mxmg.com so we can try to resolve it. You also have the right to lodge a complaint with the ICO at ico.org.uk or 0303 123 1113.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top shows when it was last revised.