Legal & Compliance

Privacy Policy

This Privacy Policy governs the collection, processing, storage, transfer and protection of personal data by Volaxin Maritime Suite Ltd in connection with the operation of the Volaxin platform, our corporate website, and all associated services.

Effective Date: 1 January 2025
Last Revised: 19 May 2026
Version: 3.1
GDPR Article 13 & 14 Compliant · UK GDPR Aligned · CCPA Ready · ISO/IEC 27001 Framework · MLC 2006 Crew Data Compliant

Section 01

Data Controller Identity & Corporate Details

For the purposes of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation 2016/679 (EU GDPR), and all applicable national data protection legislation, the Data Controller of personal data processed in connection with the Volaxin Maritime Suite platform and all related services is:

Volaxin Maritime Suite Ltd
info@volaxin.com
+44 35342 322358

Where Volaxin processes personal data on behalf of its clients (ship operators, fleet managers, crewing agencies, and other maritime organisations), Volaxin acts as a Data Processor under the terms of the applicable Data Processing Agreement (DPA) executed between Volaxin and the respective client entity, which constitutes the Data Controller for such data.

If you are a seafarer whose personal data has been uploaded by your employer or crewing manager, your primary data controller is that employing or crewing organisation. You should also direct rights requests to Volaxin as processor where direct access to platform data is required.

Section 02

Definitions & Interpretive Framework

Throughout this Privacy Policy, the following capitalised terms carry the meanings set out below:

Term | Definition
Personal Data | Any information relating to an identified or identifiable natural person ("data subject") as defined in Article 4(1) GDPR, including but not limited to names, identification numbers, location data, online identifiers, and professional credentials.
Special Category Data | Personal data revealing racial or ethnic origin, health data, biometric data processed for identification purposes, or any other category listed under Article 9(1) GDPR, processing of which requires an explicit supplementary lawful basis.
Processing | Any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction.
Platform | The Volaxin Maritime Suite SaaS application, including all modules (PMS, INV, CREW, DMS, SHEQ, WRH, NAV, PRC, RPT, CRB), associated mobile applications, APIs, and offline synchronisation tooling.
Data Processing Agreement (DPA) | The binding contractual instrument executed between Volaxin and each client organisation governing the terms under which Volaxin processes personal data as a processor.
Standard Contractual Clauses (SCCs) | The European Commission-approved contractual mechanisms for the lawful transfer of personal data to third countries, as updated by Commission Implementing Decision (EU) 2021/914.

Section 03

Categories of Personal Data We Collect

3.1 Account & Identity Data

When you or your organisation creates an account on the Volaxin platform, we collect:

  • Full legal name, professional title, and business email address
  • Job function, department, and organisational role within the fleet management hierarchy
  • Phone number (optional, for multi-factor authentication and support escalation)
  • Login credentials in hashed, salted, cryptographically irreversible form (bcrypt / Argon2id)
  • IP address and device fingerprint metadata associated with authentication events
  • Time-stamped access logs, session tokens, and API key associations

3.2 Seafarer & Crew Personal Data

The Crew Management module of the Platform processes significant volumes of personal data relating to seafarers and maritime personnel, including:

  • Full name, date of birth, nationality, and passport / national ID details
  • STCW Certificate of Competency numbers, flag state endorsements, and GMDSS licence details
  • Medical fitness certificates (ENG1 or equivalent), vaccination records, and Yellow Fever certification — constituting Special Category (health) data under Article 9 GDPR
  • Seafarer Employment Agreement (SEA) terms, rank, vessel assignment, and embarkation/disembarkation dates
  • Wage scales, allotment instructions, and payroll records
  • Next-of-kin contact details and emergency notification preferences
  • Performance appraisal records and disciplinary history (where applicable)
  • Flag state Continuous Discharge Book (CDB) and Seaman's Book details

⚠ Health and medical data constitutes Special Category personal data under Article 9(1) GDPR. Such data is processed solely under Article 9(2)(b) (employment law obligations) and Article 9(2)(h) (occupational health purposes), and is subject to elevated access controls, encryption, and a strictly limited retention schedule.

3.3 Usage & Telemetry Data

The Platform automatically collects technical and behavioural data to ensure service performance, security monitoring, and product improvement:

  • Browser type, operating system, screen resolution, and device hardware category
  • Page views, feature interactions, click-path sequences, and session duration metrics
  • API call logs, error events, and performance timing data (retained in anonymised aggregate form after 90 days)
  • Vessel AIS identifiers and position data where integrated via approved SATCOM or AIS data providers

3.4 Communications Data

When you contact Volaxin support, submit a sales enquiry, or participate in a product demonstration, we collect the content of such communications, associated metadata, and any attachments you provide.

Section 04

Lawful Basis for Processing

Volaxin identifies and documents a specific lawful basis for each category of processing activity conducted as a Controller, in strict compliance with Article 6 GDPR:

Processing Activity | Lawful Basis (Art. 6) | Notes
Account creation and Platform access | 6(1)(b) — Contract performance | Necessary to deliver subscribed services
Billing and invoicing | 6(1)(b) — Contract performance; 6(1)(c) — Legal obligation | Tax and accounting obligations apply
Security monitoring and fraud prevention | 6(1)(f) — Legitimate interests | LIA conducted; interests not overridden
Product analytics and improvement | 6(1)(f) — Legitimate interests (anonymised) | Data pseudonymised or aggregated before use
Marketing communications | 6(1)(a) — Consent | Opt-in only; unsubscribe honoured immediately
Regulatory reporting (flag state) | 6(1)(c) — Legal obligation | MLC 2006, STCW, ISM requirements
Crew medical data | 9(2)(b) and 9(2)(h) — Employment law & occupational health | Supplementary Art. 9 basis documented per jurisdiction

Section 05

How We Use Personal Data

Personal data collected by Volaxin is used exclusively for the following clearly defined purposes, each of which is supported by a documented lawful basis and proportionality assessment:

  1. Service Delivery. To provision, operate, maintain, and support the Volaxin Platform in accordance with the subscription agreement, including user account management, vessel data management, and scheduled maintenance workflows.
  2. Regulatory Compliance & Reporting. To assist client organisations in meeting obligations under the Maritime Labour Convention 2006, STCW 1978 (as amended), ISM Code, ISPS Code, IMO CII regulations, EU-ETS, and applicable flag state legislation.
  3. Security & Fraud Prevention. To detect, investigate, and prevent unauthorised access, data breaches, account compromise, or misuse of the Platform through continuous security monitoring, anomaly detection, and audit logging.
  4. Platform Performance & Improvement. To analyse aggregated, pseudonymised usage patterns to identify performance bottlenecks, usability improvements, and new feature priorities — without building individual behavioural profiles.
  5. Customer Support. To respond to technical queries, resolve incidents, and provide the 24/7 specialist maritime support that constitutes a core element of the Volaxin service commitment.
  6. Contractual & Legal Obligations. To fulfil our contractual obligations to client organisations, including Data Processing Agreements, and to comply with applicable laws including tax, employment, and maritime regulations.
  7. Marketing Communications (with Consent). To send product updates, industry intelligence reports, event invitations, and promotional communications to individuals who have expressly opted in to receive such content.

Section 06

Data Sharing & Third-Party Disclosures

Volaxin does not sell, rent, or trade personal data. We share personal data only in the following defined and documented circumstances:

6.1 Sub-Processors

Volaxin engages a limited number of carefully vetted sub-processors to support the delivery of the Platform. All sub-processors are bound by a written Data Processing Agreement, are required to maintain equivalent data protection standards, and are assessed against our Security Supplier Questionnaire prior to engagement and at annual renewal. Current sub-processor categories include:

  • Cloud infrastructure providers (hosting, storage, database management)
  • Transactional email delivery services (for system notifications and alerts)
  • Customer relationship management (CRM) platform (sales and support context only)
  • Payment processing service (no card data touches Volaxin systems; fully PCI DSS scoped to provider)
  • Security and monitoring tooling (SIEM, vulnerability scanning, penetration testing partners)
  • Video conferencing and collaboration tools (for support and onboarding sessions)

A complete and current list of approved sub-processors is available upon written request to info@volaxin.com. Volaxin will provide 30 days' advance notice of any material sub-processor changes via the Platform notification system and email, affording clients the right to object as provided under Article 28(2) GDPR.

6.2 Regulatory & Legal Disclosures

We may disclose personal data to competent regulatory authorities, flag state administrations, port state control officers, or law enforcement bodies where we are legally compelled to do so, subject to appropriate verification of the legal basis and, where permitted, prior notification to the data subject or client organisation.

6.3 Professional Advisers

Volaxin may share data in anonymised or aggregated form with legal advisers, auditors, and insurers for the purpose of obtaining professional advice, conducting audits, or managing claims. Such sharing is governed by professional confidentiality obligations and, where applicable, data sharing agreements.

6.4 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or substantially all of Volaxin's assets, personal data may be transferred to the acquiring entity, subject to equivalent privacy commitments and advance notification to affected data subjects in compliance with applicable law.

Section 07

International Data Transfers

Given the inherently global nature of maritime operations, Volaxin processes and may transfer personal data to recipients located outside the United Kingdom and the European Economic Area (EEA). All such international transfers are governed by one or more of the following legally recognised safeguard mechanisms:

  • UK Adequacy Regulations: Where the recipient country has been designated as adequate by the UK Secretary of State under Section 17A of the UK Data Protection Act 2018.
  • EU Adequacy Decisions: Where the recipient country has been recognised as adequate by the European Commission under Article 45 GDPR.
  • UK International Data Transfer Agreements (IDTAs): The UK-specific contractual mechanism approved by the Information Commissioner's Office (ICO) for transfers from the UK to third countries.
  • EU Standard Contractual Clauses (SCCs): The 2021 European Commission-approved SCCs, Module 2 (Controller-to-Processor) and Module 3 (Processor-to-Processor), as applicable.
  • Binding Corporate Rules (BCRs): Where sub-processors operate within a group subject to ICO or supervisory authority-approved BCRs.

Volaxin maintains a Transfer Impact Assessment (TIA) registry for all international data flows, which evaluates the legal landscape of the destination country and documents supplementary technical and organisational measures applied to ensure equivalent protection. This registry is reviewed quarterly and is available to clients upon request under the applicable DPA.

All data transferred internationally — including replication to disaster recovery environments — is encrypted in transit using TLS 1.3 and at rest using AES-256. Additional application-layer encryption is applied to Special Category data regardless of geographic location.

Section 08

Data Retention Periods

Volaxin applies a documented data retention schedule aligned with legal obligations, legitimate business requirements, and data minimisation principles. We do not retain personal data beyond the period necessary for the stated purpose:

Data Category | Retention Period | Basis for Period
Active Platform account data | Duration of subscription + 90 days | Contract; post-termination data export window
Seafarer certification records | 5 years post last voyage | MLC 2006 flag state requirements
Work & Rest Hours records | 3 years (MLC 2006 Regulation 2.3) | Mandatory regulatory retention
Crew medical data | 5 years or as required by flag state | STCW, MLC 2006, flag state regulations
SHEQ incident records | 5 years from date of closure | ISM Code; limitation periods
Security audit logs | 24 months rolling | ISO/IEC 27001; ICO guidance
Billing & financial records | 7 years | UK Companies Act 2006; HMRC requirements
Marketing consent records | 3 years from last interaction or withdrawal | UK PECR; ICO guidance
Support communication records | 3 years from case closure | Legitimate interest; dispute resolution
Anonymised usage analytics | Indefinite (no personal identifiers) | Not personal data post-anonymisation

Upon expiry of the applicable retention period, personal data is permanently deleted using cryptographic erasure (where data is encrypted) or multi-pass secure overwrite techniques conforming to NIST SP 800-88 and NCSC guidance, with deletion certificates issued to clients upon request.

Section 09

Your Data Subject Rights

Under UK GDPR, EU GDPR, and applicable national legislation, data subjects whose personal data is processed by Volaxin as Controller have the following enforceable rights:

  1. Right of Access (Article 15 GDPR). The right to obtain confirmation of whether personal data is being processed and to receive a copy of that data, along with prescribed supplementary information.
  2. Right to Rectification (Article 16 GDPR). The right to obtain correction of inaccurate personal data or completion of incomplete personal data without undue delay.
  3. Right to Erasure / Right to be Forgotten (Article 17 GDPR). The right to request deletion of personal data where it is no longer necessary for the purpose for which it was collected, where consent is withdrawn, or where there is no overriding legitimate basis for continued processing. This right is subject to exceptions including legal retention obligations.
  4. Right to Restriction of Processing (Article 18 GDPR). The right to request that processing be restricted in defined circumstances, including during a period of accuracy verification or pending an objection determination.
  5. Right to Data Portability (Article 20 GDPR). The right to receive personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller, where technically feasible. Volaxin supports export in JSON, XML, and CSV formats across all core modules.
  6. Right to Object (Article 21 GDPR). The right to object at any time to processing based on legitimate interests, including profiling, and to processing for direct marketing purposes (absolute right without requirement to demonstrate prejudice).
  7. Rights Related to Automated Decision-Making (Article 22 GDPR). The right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or significant effects. Volaxin's AI-powered features provide recommendations and intelligence but do not produce automated decisions without human review and confirmation.
  8. Right to Withdraw Consent (Article 7(3) GDPR). Where processing is based on consent, the right to withdraw that consent at any time without detriment, affecting only future processing.

To exercise any of the above rights, submit a written request to info@volaxin.com. Volaxin will respond within one calendar month of receipt of a valid, verifiable request, with the possibility of a two-month extension for complex or numerous requests (with prior notice). Identity verification may be required before disclosing personal data. There is no charge for exercising your rights except in cases of manifestly unfounded or excessive requests.

Data subjects also have the right to lodge a complaint with the relevant supervisory authority. For UK-based individuals this is the Information Commissioner's Office (ICO) at ico.org.uk. EU-based individuals should contact the supervisory authority of their Member State of habitual residence.

Section 10

Cookies, Tracking & Web Analytics

The Volaxin corporate website (volaxin.com) uses a limited set of cookies and similar tracking technologies. The Platform application itself uses session cookies strictly necessary for authentication and security, with no advertising or third-party tracking cookies deployed within authenticated Platform sessions.

Cookie Category | Purpose | Consent Required | Duration
Strictly Necessary | Session management, CSRF protection, load balancing, authentication tokens | No (exempt) | Session / 14 days
Performance Analytics | Anonymised page-view statistics, error tracking, feature usage patterns | Yes | 12 months
Marketing | No marketing or advertising cookies are deployed on any Volaxin property | N/A | N/A

Analytics data collected on the Volaxin website is processed in anonymised, aggregated form and does not involve cross-site tracking, real-time bidding, or data enrichment from third-party data brokers. You may withdraw consent to non-essential cookies at any time via the cookie preference centre accessible in the website footer.

Section 11

Maritime-Specific Data Processing Considerations

The maritime industry presents unique data protection challenges not contemplated by standard enterprise software contexts. Volaxin has embedded specific safeguards to address these:

11.1 Offline Vessel Data Synchronisation

The Platform supports seamless offline operation for vessels operating in remote sea areas with limited or no SATCOM connectivity. During offline periods, all personal data remains encrypted on vessel-side devices (AES-256 at-rest encryption) and synchronises to Volaxin's cloud infrastructure upon re-establishment of connectivity via TLS 1.3-encrypted HTTPS channels. No unencrypted personal data is ever stored on portable media or unmanaged devices without explicit client approval and documented compensating controls.

11.2 Port State Control & Flag State Disclosures

In furtherance of client compliance obligations, the Platform generates PSC-ready work and rest hours reports. Where such reports are transmitted to port state control authorities or flag state administrations, the disclosure is supported by Article 6(1)(c) GDPR (legal obligation on the data controller). Volaxin facilitates such disclosures as processor but documents each instance within the processing activity log.

11.3 AIS & Vessel Tracking Data

Automatic Identification System (AIS) data processed within the Platform is primarily vessel-level data and does not ordinarily constitute personal data. Where individual seafarers can be identified through a combination of AIS data, watch schedules, and position records, Volaxin treats such combined data as personal data and applies commensurate protections.

11.4 Multinational Crew Data

Maritime crews are frequently multinational. The processing of personal data relating to seafarers may engage the data protection legislation of multiple jurisdictions simultaneously. Volaxin operates under the principle of applying the most protective standard applicable to a given processing activity and maintains flag-state-specific data handling annexes for all supported jurisdictions.

Section 12

Children's Privacy

The Volaxin Platform is designed exclusively for use by maritime industry professionals and organisations. We do not knowingly collect or process personal data of individuals under the age of 18. If Volaxin becomes aware that personal data of a minor has been provided without appropriate parental or guardian consent, it will be deleted without undue delay. Contact privacy@volaxin.com if you believe we have inadvertently collected such data.

Section 13

Policy Changes & Version Control

Volaxin reserves the right to amend this Privacy Policy from time to time to reflect changes in applicable law, regulatory guidance, Platform functionality, or our processing practices. This policy is version-controlled; the current version, effective date, and full change history are maintained at volaxin.com/privacy.

For material changes — defined as changes that significantly affect data subject rights, introduce new processing purposes, or alter the categories of data processed — Volaxin will provide not less than 30 days' advance notice via:

  • A prominently displayed in-Platform notification banner
  • Direct email communication to the primary account holder email address on record
  • Updated version documentation in the Privacy Policy change log

Continued use of the Platform following the expiry of the notice period constitutes acceptance of the updated policy. Where required by law, Volaxin will seek renewed consent rather than relying on continued use as acceptance.

Section 14

Contact Information & Data Protection Officer

All privacy-related enquiries, data subject rights requests, complaints, and Data Processing Agreement negotiations should be directed to:

Data Protection Office
info@volaxin.com
+44 35342 322358 (Ext. DPO)
Singapore · Rotterdam · Houston · Dubai

Volaxin has appointed an external, independent Data Protection Officer (DPO) in accordance with Article 37 GDPR. The DPO provides independent oversight of all data protection matters and is contactable directly at dpo@volaxin.com. The DPO operates free from any instruction from Volaxin management on matters within the scope of their duties, and reports directly to the highest management level.

If you are dissatisfied with our response to a privacy concern, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk / 0303 123 1113, or with the relevant EU supervisory authority in your Member State of residence.