Privacy Policy

Last updated: February 2026

1. Data Controller

The controller of your personal data is:

Michał Tatara

Słonowice 14, 78-316 Brzeżno

NIP: 6721945969

Email: hello@offshoreriskapp.com

2. Data We Collect

We collect and process the following personal data:

  • Account information: email address, hashed password
  • Usage data: generated reports, task/activity descriptions, credit balance, subscription plan
  • Payment data: Stripe customer ID and subscription status (full payment details are handled exclusively by Stripe)
  • Technical data: IP address, browser type, access timestamps
  • Report data: AI-generated risk assessment content stored in JSON format for re-download purposes

3. Purpose of Data Processing

Your personal data is processed for the following purposes:

  • Providing and maintaining the Service, including AI-powered risk assessment generation
  • Managing your user account, authentication, and password reset functionality
  • Processing payments and managing subscriptions via Stripe
  • Generating and storing risk assessment documents for download and re-download
  • Translating report content via DeepL API (Enterprise plan only)
  • Sending transactional emails (e.g., password reset) via Resend
  • Communicating with you about your account or the Service
  • Complying with legal obligations

4. Legal Basis for Processing

We process your data based on:

  • Contract performance (Art. 6(1)(b) GDPR) – to provide the Service you registered for
  • Legitimate interest (Art. 6(1)(f) GDPR) – to improve and secure the Service
  • Consent (Art. 6(1)(a) GDPR) – where you have given explicit consent (e.g., accepting Terms during registration)
  • Legal obligation (Art. 6(1)(c) GDPR) – to comply with applicable laws

5. Third-Party Processors

We share your data with the following trusted third-party service providers who process data on our behalf:

Stripe

Payment processing – handles all financial transactions, payment card data, subscription management, and the Customer Portal. Stripe Privacy Policy

OpenAI

AI content generation – processes task/activity descriptions via the Assistants API to generate risk assessment data. OpenAI Privacy Policy

DeepL

Translation service – translates AI-generated risk assessment content into Polish, Dutch, German, or Spanish for Enterprise plan users. DeepL Privacy Policy

Resend

Email delivery – sends transactional emails such as password reset links from hello@offshoreriskapp.com. Resend Privacy Policy

Railway / Replit

Application hosting and infrastructure – hosts the Service, application code, and PostgreSQL database.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Generated report data is stored to allow re-downloading of previously created reports. Upon account deletion (available via Account Settings), your personal data, including all reports, will be removed within 30 days, except where retention is required by law. Active Stripe subscriptions are automatically cancelled upon account deletion.

7. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access – obtain a copy of your personal data
  • Right to rectification – correct inaccurate personal data
  • Right to erasure – request deletion of your personal data (also available via Account Settings)
  • Right to restrict processing – limit how we use your data
  • Right to data portability – receive your data in a structured format
  • Right to object – object to certain types of processing
  • Right to withdraw consent – where processing is based on consent

To exercise any of these rights, please contact us at: hello@offshoreriskapp.com

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Passwords are stored using industry-standard hashing algorithms (Werkzeug/PBKDF2). Payment data is handled exclusively by Stripe's PCI-compliant infrastructure. Password reset tokens expire after 30 minutes for security.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes via the email address associated with your account. Your continued use of the Service after changes constitutes acceptance of the updated policy.

10. Contact

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at: hello@offshoreriskapp.com