Legal

Privacy Policy

Last Updated: February 6, 2026 Effective: February 6, 2026

1. Introduction

Flotilla, LLC ("Flotilla," "we," "us," or "our") operates a mobile application that helps users discover yacht charter options, create group trips, invite guests, and coordinate costs. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our app and related services.

By using Flotilla, you agree to the practices described in this policy. If you do not agree, please do not use the app.

2. Information We Collect

2.1 Information You Provide Directly

Account Information

  • Phone number (required for account creation and SMS verification)
  • Full name (optional)
  • Email address (optional)

Profile and Travel Documents (Optional)

  • Passport number and expiry date
  • Nationality
  • Date of birth
  • Emergency contact name and phone number
  • Dietary restrictions
  • Medical conditions
  • Sailing certifications

Trip Information

  • Trip names, dates, and destinations
  • Guest invitations and status
  • Cost share amounts
  • Charter preferences (bareboat, skippered, or crewed)

Communications

  • Messages sent to yacht charter operators through our in-app messaging system
  • Inquiry details submitted to operators (destination, guest count, dates, charter type)

2.2 Information Collected Automatically

Usage Data

  • Search queries (country, dates, guest count, yacht type, price range)
  • Search result counts and interaction patterns

Security and Audit Data

  • IP address
  • Device user agent string
  • Timestamps of actions performed within the app
  • Resource access logs (e.g., document views)

2.3 Information from Third Parties

Contact Information: If you choose to use the contact picker to invite guests, we access only the specific contact you select. We do not upload or store your full contact list.

Payment Information: Payment details are collected and processed by Stripe, our third-party payment processor. We do not store credit card numbers, CVVs, or full payment card details on our servers.

3. How We Use Your Information

We use your information for the following purposes:

  • Account Authentication: To verify your identity via SMS one-time codes
  • Core App Features: To create and manage trips, invite guests, split costs, and facilitate yacht bookings
  • Operator Communication: To relay messages between you and yacht charter operators via our email relay system
  • Search and Discovery: To return relevant yacht search results based on your criteria
  • Analytics: To understand search patterns and improve yacht inventory coverage (aggregated, not individually identifying)
  • Security: To detect abuse, enforce rate limits, and maintain audit logs for compliance
  • Legal Compliance: To respond to legal requests and enforce our terms of service

4. How We Share Your Information

We do not sell your personal information. We share data only in the following circumstances:

4.1 Yacht Charter Operators

When you submit an inquiry or send a message to an operator, we share your inquiry details (destination, dates, guest count, charter type) and messages with that operator. Your phone number and passport information are not shared with operators.

4.2 Trip Organizers and Guests

  • Trip organizers can see guest names, invitation status, and payment status for their trips.
  • Guest document information (e.g., passport details) is shared with trip organizers only with your explicit consent.

4.3 Service Providers

We use the following third-party services to operate Flotilla:

Provider Purpose Data Shared
Supabase Database hosting and authentication Account data, trip data, messages
Twilio SMS verification Phone number
SendGrid Email relay for operator messaging Email content, relay addresses
Stripe Payment processing Payment details (handled directly by Stripe)

4.4 Legal Requirements

We may disclose your information if required by law, subpoena, court order, or governmental request, or if necessary to protect our rights, safety, or property.

5. Data Storage and Security

5.1 Where We Store Data

Your data is stored in a PostgreSQL database hosted by Supabase. All database tables are protected by Row Level Security (RLS) policies, ensuring users can only access their own data.

5.2 Security Measures

  • Authentication: SMS-based one-time codes with rate limiting (3 SMS/minute, 5 verification attempts/minute)
  • Session Management: Authentication sessions expire after 1 hour
  • Access Control: Row Level Security policies on all database tables
  • Transport Security: HTTPS enforced with HSTS headers
  • CORS Restrictions: API access restricted to authorized origins
  • Audit Logging: Security-relevant actions are logged with automatic PII redaction

5.3 Sensitive Documents

Passport numbers and travel documents are stored in our database. We are actively implementing field-level encryption (AES-256-GCM) for these fields. Until encryption is fully deployed, we limit access through strict Row Level Security policies and audit all document access events.

6. Data Retention

  • Account Data: Retained for as long as your account is active.
  • Trip Data: Retained for as long as your account is active or until you delete the trip.
  • Travel Documents: We plan to automatically delete passport and travel documents 30 days after the associated trip ends. You may also delete your documents at any time.
  • Audit Logs: Retained for up to 12 months for security and compliance purposes.
  • Search Analytics: Retained in aggregated form. Individual search queries are not linked to your identity long-term.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

7.1 Access and Portability

You can request a copy of all personal data we hold about you. Use the Export Data option in your profile settings, or contact us directly. We provide your data in a machine-readable JSON format (GDPR Article 20).

7.2 Deletion

You can delete your account and all associated data at any time through the Delete Account option in your profile settings (GDPR Article 17). This will permanently remove:

  • Your user profile
  • All trips you organized
  • Guest records and invitations
  • Operator inquiries and conversations
  • Travel documents
  • Audit log entries associated with your account

7.3 Correction

You can update your profile information directly within the app at any time.

7.4 Objection and Restriction

You may object to certain processing of your data or request that we restrict processing. Contact us using the details in Section 12.

8. Children's Privacy

Flotilla is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly.

9. International Data Transfers

Your data may be processed in countries other than your own. We use service providers (Supabase, Twilio, SendGrid, Stripe) that may process data in the United States or other jurisdictions. These providers maintain appropriate safeguards for international data transfers.

10. Cookies and Tracking

Flotilla is a mobile application and does not use browser cookies. We do not use third-party advertising trackers or analytics SDKs that track you across other apps or websites.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the app or via the contact information you have provided. The "Last Updated" date at the top of this document reflects the most recent revision.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Email: privacy@flotillaapp.com

This privacy policy applies to the Flotilla mobile application (iOS and Android) and the associated backend services operated at flotillaapp.com.