guest@sealogical:~

~ cat privacy_policy.md

Privacy Policy

Last updated: 17 June 2026

1. Introduction

Sealogical ("We"; "Us") a trading name of MXMG LTD, a registered data controller in the UK (registration ZA932873), is committed to protecting your personal information. This Privacy Policy tells you how we collect your personal data, how we store it, how we use it, the lawful bases on which we rely, and how we keep it safe.

We shall only use your information in line with all applicable data protection laws, including the UK GDPR and the Data Protection Act 2018. We are committed to ensuring your information is secure, so it will be held in a secure environment and access will be restricted on a "need to know" principle. To prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard the information we collect.

2. Definitions

"consent"
means the consent of the data subject, which must be a freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or clear affirmative action, signify their agreement to the processing of personal data relating to them.
"controller"
means the natural or legal person or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this Policy, the Company is the data controller of all personal data relating to data subjects (e.g. staff, customers, business contacts) used in our business for our commercial purposes.
"processor"
means the natural or legal person or organisation which processes personal data on behalf of a data controller.
"subject"
means a living, identified or identifiable natural person about whom the Company holds personal data.
"EEA"
means the European Economic Area, consisting of all EU Member States, Iceland, Liechtenstein and Norway.
"personal data"
means any information relating to a data subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that data subject.
"personal data breach"
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
"processing"
means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"special category personal data"
means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life, sexual orientation, biometric or genetic data.
"UK GDPR"
means the retained EU General Data Protection Regulation as it forms part of UK law under the Data Protection Act 2018.
"lawful basis"
means one of the legal grounds under Article 6 (and, for special category data, Article 9) of the UK GDPR on which processing is permitted.

Controller details:

Organisation name: MXMG Ltd

Reference: ZA932873

Address: c/o Hunts Accountants, Oborne Road, Sherborne, Dorset, DT9 3RX, United Kingdom

Email: info@mxmg.com

3. The Rights of Data Subjects

The following rights apply to data subjects under the UK GDPR:

  • 3.1 The right to be informed;
  • 3.2 The right of access;
  • 3.3 The right to rectification;
  • 3.4 The right to erasure ("right to be forgotten");
  • 3.5 The right to restrict processing;
  • 3.6 The right to data portability;
  • 3.7 The right to object;
  • 3.8 Rights in relation to automated decision-making and profiling;
  • 3.9 The right to withdraw consent at any time, where our processing is based on your consent. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal;
  • 3.10 The right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority, at ico.org.uk or 0303 123 1113. We would, however, appreciate the chance to address your concerns before you approach the ICO.

To exercise any of these rights, please contact our Data Protection contact at info@mxmg.com.

4. Lawful Bases for Processing

We rely on the following lawful bases under Article 6 of the UK GDPR for each category of processing:

  • Performance of a contract — to deliver our yacht management, crew management and compliance services, and to administer crew records and payroll.
  • Legal obligation — to comply with employment, tax, payroll and maritime regulatory requirements (e.g. SOLAS, MLC, STCW, MARPOL record-keeping).
  • Legitimate interests — for recruitment and crew placement, managing business contacts and enquiries, securing our systems, and the day-to-day running of our business. Where we rely on legitimate interests, we have assessed that these are not overridden by your rights and freedoms; you may object at any time (see Section 3.7).
  • Consent — for sending our e-newsletter and for setting non-essential cookies. You may withdraw consent at any time.

Special category data. Some data we process (for example health information) is special category data. Where we process it, we rely on Article 9(2)(b) of the UK GDPR — processing necessary for carrying out obligations in the field of employment and social security law — as supported by Schedule 1 of the Data Protection Act 2018. We collect such data only where it is relevant to the service we provide.

5. Personal Data We Collect, Hold and Process

We process the personal data of subscribers, crew and other users added by clients or by crew themselves. We may collect, store and use:

  • Information you provide when enquiring about our services
  • Information you provide when entering into a contract
  • Information you provide when subscribing to our e-newsletter
  • Information provided directly or indirectly when recruited to work on board subscribed yachts
  • Information you give us when seeking to work on board our managed yachts
  • Any other information you provide, including business cards

The data may include: name, address, country; telephone number; email address; passport; date of birth; nationality; information about your role; work experience; payroll information; individuals you nominate as next of kin; and health information where relevant to our service.

We also collect information about your device and your visits to this website, including unique online identifiers such as IP addresses.

6. Source of Personal Data

We collect personal data both directly from you and indirectly from third parties. In particular, the companies and clients who use our services may enter your personal data into our systems (for example, a yacht owner or management company adding crew records). Where we receive your data this way, the categories of data are the same as those listed in Section 5, and this Privacy Policy explains how we then process it.

7. Who We Share Your Data With

We do not sell your personal data. We share it only with:

Technology and infrastructure providers who host and operate our platform on our behalf, namely:

  • Supabase — database, authentication and storage;
  • Vercel — application hosting and deployment;
  • Postmark (ActiveCampaign, LLC) — transactional email and our e-newsletter;
  • Sentry (Functional Software, Inc.) — error monitoring and diagnostics;
  • Anthropic, PBC — artificial-intelligence features;
  • OpenAI, L.L.C. — artificial-intelligence features;
  • Upstash, Inc. — caching and rate-limiting;
  • Liquid Web — hosting and server infrastructure for our legacy platform.

These providers act as our processors under written contracts (data processing agreements) that require them to process personal data only on our instructions and to apply appropriate security measures.

The clients and companies that enter the data into our systems (for example, a yacht owner or management company adding crew records), who act as controllers for the data they input and to whom we provide the service.

Professional advisers, regulators or authorities where we are legally required to disclose data.

8. International Transfers

Our platform is cloud-based and is used by clients and crew around the world, which means your personal data may be stored on, or accessed from, locations outside the United Kingdom.

Your data is held primarily in the United Kingdom (our database and document storage). A limited subset of personal data is held by certain providers in their own regions, namely: our transactional-email and newsletter provider (United States); our error-monitoring provider (European Union); and our artificial-intelligence feature providers (United States). Several of our providers — including Supabase, Vercel, Postmark, Anthropic and OpenAI — are headquartered in the United States and may operate data centres in multiple countries.

Where we transfer personal data outside the UK, we ensure an appropriate safeguard is in place, namely one of the following:

  • a transfer to a country covered by UK "adequacy" regulations; or
  • the UK International Data Transfer Agreement (IDTA); or
  • the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum.

We do not rely on the EU-US Data Privacy Framework for these transfers. You may request details of the safeguards we use by contacting info@mxmg.com.

9. Lawfulness, Fairness, Transparency and Data Minimisation

9.1 We only collect and process personal data to the extent necessary for the specific purposes of which data subjects have been informed.

9.2 Employees, agents, contractors or others working on our behalf may collect and process personal data only as required to perform their duties and only in accordance with this Policy.

9.3 Third-party clients of the Company process personal data only as required for the purposes for which the service is provided.

10. Accuracy and Keeping Data Up to Date

Personal data is assumed accurate when collected or provided. If we are advised that any personal data is inaccurate or out of date, we will take all reasonable steps without delay to amend or erase it as appropriate.

11. Data Retention

We do not keep personal data for longer than necessary for the purposes for which it was collected. Our standard retention periods are:

Data categoryRetention period
Crew and payroll records6 years after the end of the engagement (to meet tax and employment law obligations)
Unsuccessful recruitment applicants12 months after the recruitment decision
Newsletter subscribersUntil you unsubscribe, then deleted promptly
Enquiry / business contact data24 months after last meaningful contact

When personal data is no longer required, we take all reasonable steps to erase or dispose of it securely.

12. Automated Decision-Making

We do not carry out any solely automated decision-making, including profiling, that produces legal or similarly significant effects on you. Where we use artificial-intelligence features to assist our service, any decisions with legal or similarly significant effect remain subject to human review.

13. Whether You Must Provide Data

For crew engagement, payroll and maritime compliance, providing certain personal data is a statutory and/or contractual requirement. If you do not provide it, we may be unable to engage you, pay you, or meet our regulatory obligations.

14. Data Subject Access Requests

You may make a subject access request ("SAR") at any time to find out what personal data we hold about you, what we do with it, and why. Please contact info@mxmg.com. We will respond within one month.

15. Cookies

We use cookies on this website. Strictly necessary cookies are set automatically; non-essential cookies (for example analytics) are only set after you give consent through our cookie banner. You can change your choice at any time using the "Cookie settings" link in the footer. For full details of the categories we use, the specific cookies in each category, their purposes and durations, please see our Cookie Policy.

16. Security

We hold personal data in a secure environment and apply appropriate technical and organisational measures — including access controls, row-level data isolation between customers, encryption in transit, and supplier due diligence — to protect against unauthorised access, loss or disclosure.

17. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top shows when it was last revised.