Privacy Policy
Last Updated: April 22, 2026
Floatist BV (“Floatist”, “we”, “us”) operates a SaaS platform for yacht charter fleet operators. This Privacy Policy explains how we handle personal data. It is written to comply with the EU General Data Protection Regulation (GDPR) and Dutch data protection law.
We are registered in the Netherlands with our registered office at Weesperstraat 107, 1018VN Amsterdam. You can reach us at hello@floatist.com.
1. Our Two Roles
Floatist acts in two different capacities depending on whose data is involved:
As a Controller — for our own account holders (the Fleet Operators who subscribe to Floatist). We decide how and why we process account holders’ business-contact data, billing details, and platform usage.
As a Processor — for data that Fleet Operators upload or generate inside Floatist about their guests, crew, charters, and staff. The Fleet Operator is the Controller of that data. We process it strictly under their instructions and under the Data Processing Agreement in Section 17 of our Terms of Service.
This Privacy Policy describes both roles. If you are a guest or crew member whose personal data is in Floatist, your primary relationship is with the Fleet Operator — contact them first for requests about your data.
2. Data We Collect
When you are a Floatist account holder (Controller role):
- Identity and contact: name, email, phone, company name, role
- Billing: company details, VAT number, payment method (card data is held by Stripe, not by us)
- Platform usage: logins, actions taken, feature usage
- Support communications: emails and in-app chat history
When a Fleet Operator uses Floatist (Processor role):
- Guest and crew: names, email, phone, date of birth, nationality, passport or ID number
- Boat licences: ICC and equivalent licences submitted in crew lists
- Booking records: guest name, email, phone, booking dates, boat, pricing
- Contracts and signatures: executed charter agreements
- Payment status: whether a deposit or balance has been paid (full payment data stays with Stripe)
- Operational notes: check-in/check-out records, maintenance issues, messages
We do not knowingly collect special category data (health, biometric, etc.). Fleet Operators are responsible for not uploading special category data into free-text fields.
3. Children’s Data
Floatist is not designed for use by children and we do not knowingly collect children’s data directly. Minors may appear on crew lists for family charters. That data is uploaded by the Fleet Operator, is subject to the same 2-year retention as other crew list data, and is handled under the Fleet Operator’s responsibility as Controller.
4. How We Use Data
As Controller, we use account-holder data to:
- Deliver the Floatist service and provide support
- Bill and collect subscription fees
- Improve the product using aggregated, non-identifying usage data
- Send operational and service-related communications
- Meet legal obligations (tax, accounting, audit)
As Processor, we use Fleet Operator data only to perform the service as instructed. We do not use it for our own purposes.
We do not sell personal data. We do not use personal data for marketing without consent.
5. Legal Basis (GDPR Art. 6)
- Contract — to deliver Floatist under your subscription (Art. 6(1)(b))
- Legitimate interests — product improvement, security, fraud prevention (Art. 6(1)(f))
- Legal obligation — tax records, regulatory requirements (Art. 6(1)(c))
- Consent — optional features and marketing communications (Art. 6(1)(a))
6. Sub-Processors
We use a small number of trusted sub-processors. The current list, with each sub-processor’s purpose and location, is published at floatist.com/sub-processors. We give account holders at least 30 days’ email notice before adding a new sub-processor.
7. International Transfers
Most data stays inside the European Economic Area (EEA). Our hosting (Hetzner) and signing (Docuseal) are EU-based, and our analytics (Umami) and support (Chatwoot) are self-hosted by us on our EU infrastructure.
Stripe (our payment processor) is contracted through Stripe Payments Europe Ltd. (Ireland). Payment data may be processed on Stripe’s global infrastructure, including servers in the United States. This transfer is covered by Standard Contractual Clauses and Stripe’s participation in the EU–US Data Privacy Framework.
8. Retention
| Data Type | Retention Period |
|---|---|
| Crew list data (incl. passport/ID numbers, boat licences, minors) | 2 years, then automatic deletion |
| Booking data (name, email, phone) | 7 years (Dutch tax law), unless earlier deletion is requested by the data subject |
| Signed charter contracts | 5 years after contract end |
| Support conversations | 3 years |
| Usage / telemetry logs | 24 months |
| Audit logs (security-relevant actions) | 3 years |
| Payment status records (deposit paid, etc.) | 7 years (Dutch tax law) |
| Account holder data | Retained while the subscription is active; deleted within 90 days of termination, except billing records retained 7 years under Dutch tax law |
Crew list data is automatically deleted from our systems at the 2-year mark. Fleet Operators can request earlier deletion at any time.
9. Your Rights
Under GDPR, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion (“right to be forgotten”)
- Restrict processing
- Receive your data in a portable format
- Object to processing
- Withdraw consent at any time
To exercise these rights, email hello@floatist.com. We respond within one month.
If you are a guest or crew member of a Fleet Operator, please contact that operator first — they are the Controller of your data and are best placed to act on your request. We will support them in responding.
You may also lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
10. Automated Decision-Making
Floatist does not make fully automated decisions with significant legal effect on individuals. Our payment processor, Stripe, performs automated fraud and risk assessments on transactions, which may result in a payment being declined. Stripe’s practices are described in Stripe’s Privacy Policy.
11. Security
We protect personal data with encryption in transit and at rest, strict role-based access controls, multi-factor authentication for staff, audit logging, and regular review of our infrastructure. Our Technical and Organisational Measures are described in Annex C of our Terms of Service.
12. Breach Notification
If we become aware of a personal data breach, we will notify affected Fleet Operators without undue delay and in any case within 72 hours of detection. Fleet Operators are responsible for onward notification to their guests, crew, and staff as required under GDPR. Where we are the Controller, we will notify the Dutch Data Protection Authority within 72 hours where required by law.
13. Changes to This Policy
When we make material changes to this Privacy Policy, we will notify account holders by email at the address on file. The change takes effect on the date indicated in the notice.
14. Contact
Questions? Email hello@floatist.com or write to: Floatist BV, Weesperstraat 107, 1018VN Amsterdam, the Netherlands.
15. Governing Law
Dutch law applies. Disputes are subject to the jurisdiction of the Dutch courts.
By signing a Floatist quote or otherwise agreeing to use the Floatist platform, you acknowledge this Privacy Policy and the Data Processing Agreement in our Terms of Service.