Effective date: March 22, 2026

1. Introduction

SeaPillar is a digital parcel custody platform designed for the maritime industry, operated by Keyton ("SeaPillar, a Keyton solution", "we", "us", or "our"). This Privacy Policy explains how we collect, use, store, share, and protect personal data and operational information processed through the SeaPillar platform (the "Platform") and any related services, websites, and applications we operate.

This policy applies to all individuals who interact with the Platform, including organization administrators, operators, viewers, vessel captains, and any other persons whose data is processed in connection with our services. It covers data collected through the Platform interface, our APIs, email communications, and customer support channels.

We are committed to transparency about our data practices and to complying with the European Union General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Danish Data Protection Act (Databeskyttelsesloven), and other applicable data protection legislation. By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy.

2. Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings set out below. These definitions are intended to align with the terminology used in the GDPR and other applicable data protection laws:

"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR. This includes, but is not limited to, names, email addresses, IP addresses, and any other information that can be used directly or indirectly to identify a natural person.
"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Data Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of this policy, SeaPillar (operated by Keyton) is the Data Controller.
"Data Processor" means a natural or legal person which processes Personal Data on behalf of the Data Controller. Our sub-processors (listed in Section 7) act as Data Processors.
"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates. This includes users of the Platform, vessel captains, and any individuals whose data is entered into the system.
"Organization" means a legal entity (such as a port agency, ship agent, terminal operator, or vessel owner) that has registered an account on the Platform and whose employees or authorized representatives use the Service.
"Platform" means the SeaPillar web application, including all pages, dashboards, portals, APIs, and interfaces accessible at seapillar.com and any subdomains thereof.
"Service" means the digital parcel custody, vessel management, warehouse allocation, customs manifest processing, document generation, and related functionality provided through the Platform.

3. Data Controller

SeaPillar, a Keyton solution, is the Data Controller responsible for the processing of your Personal Data in connection with the Platform and our services. As Data Controller, we determine the purposes and means of processing your Personal Data and bear responsibility for ensuring that such processing complies with the GDPR and applicable Danish data protection law.

Where an Organization uses the Platform to process data about its own employees, agents, or third parties (for example, entering vessel crew information or parcel recipient details), the Organization may act as a joint controller or independent controller for that data. In such cases, the Organization is responsible for ensuring it has a lawful basis for providing such data to the Platform.

Data Controller Contact Information

SeaPillar, a Keyton solution

Email: inbox@seapillar.com

Phone: +45 78 70 78 75

4. Data We Collect

We collect and process several categories of data in order to provide, maintain, and improve the Platform. The specific data collected depends on your role, your Organization's configuration, and how you interact with the Platform.

4.1 Account & Identity Data

When an Organization registers on the Platform or an administrator creates user accounts, we collect identity and account information necessary for authentication, authorization, and service personalization. This includes:

Full name and professional email address.
Assigned role within the Organization (e.g., Administrator, Operator, Viewer, Captain).
Organization name, registration details, and organizational hierarchy.
Authentication credentials (managed securely through our authentication provider; passwords are never stored in plaintext).
Profile preferences and notification settings.
Invitation and onboarding metadata (date of account creation, inviting user, activation status).

4.2 Operational Data

The core purpose of the Platform is to manage the custody chain of parcels and goods in maritime logistics. In the course of providing this service, we process substantial operational data, including:

Vessel identifiers and particulars (Name, IMO number, MMSI, Flag State, call sign, vessel type, gross tonnage).
Vessel contact information (captain name, crew contacts, vessel agent details).
Port call schedules (estimated and actual arrival/departure, berth assignments, pilot information).
Parcel and cargo metadata (descriptions, quantities, weights, dimensions, supplier information, consignee details, tracking references).
Custody chain records (status transitions, timestamps, responsible personnel, custody transfer events).
Visual evidence and attachments (condition photographs, digital signatures, delivery notes, supporting documents).
Warehouse and facility data (storage zone allocations, capacity records, warehouse layouts).
Customs manifest information (bonded goods references, MIO numbers, customs authority submissions, release documentation).
Goods Delivery Notes (GDN) and related printed/digital documents.

4.3 Technical Data

When you access the Platform, we automatically collect certain technical information necessary for security, performance optimization, and troubleshooting. This includes:

IP address and approximate geolocation (country/region level).
Browser type, version, and language settings.
Operating system and device type (desktop, tablet, mobile).
Screen resolution and viewport dimensions.
Session identifiers and authentication tokens.
Referring URLs and landing pages.
Error logs and crash reports (collected via our error monitoring service).

4.4 Usage Data

To understand how the Platform is used and to prioritize improvements, we collect aggregated and, where necessary, individual-level usage data, including:

Feature usage patterns (which modules and features are used, frequency of use).
Page views, navigation paths, and session duration.
Search queries within the Platform.
Web Vitals performance metrics (page load times, interaction responsiveness).
Interaction patterns (clicks, form submissions, table sorting and filtering behavior).

4.5 Communication Data

When you contact us or interact with our communications, we collect:

Support ticket content, correspondence, and resolution history.
Contact form submissions from our website.
Email correspondence with our team (including automated notifications and their read/delivery status).
Feedback and survey responses.
Records of consent and communication preferences (e.g., marketing opt-in/opt-out status).

5. Legal Basis for Processing

Under Article 6 of the GDPR, we must have a valid legal basis for each processing activity involving your Personal Data. The following legal bases apply to our processing operations:

Contract Performance (Article 6(1)(b))

Processing that is necessary for the performance of the contract between us and your Organization, or to take steps at your request prior to entering into a contract. This covers the core service delivery: managing user accounts, processing operational data (vessel information, parcel custody, document generation), providing access to the Platform, and delivering the functionality described in our service agreement.

Legitimate Interest (Article 6(1)(f))

Processing that is necessary for the purposes of our legitimate interests or those of a third party, provided that such interests are not overridden by your fundamental rights and freedoms. This covers: security monitoring and incident response (protecting the Platform and its users from unauthorized access, fraud, and abuse), product improvement and analytics (understanding usage patterns to enhance the Platform), ensuring system reliability and performance, and protecting our legal rights. We conduct balancing tests to ensure our legitimate interests do not override your rights.

Legal Obligation (Article 6(1)(c))

Processing that is necessary for compliance with a legal obligation to which we are subject. This includes maintaining audit trails and custody chain records required by maritime regulations and customs authorities, retaining records for tax and accounting purposes, responding to lawful requests from courts, regulatory bodies, or law enforcement agencies, and complying with data protection obligations (such as responding to Data Subject rights requests).

Consent (Article 6(1)(a))

Where none of the above legal bases apply, we rely on your freely given, specific, informed, and unambiguous consent. This applies to: marketing communications (newsletters, product announcements, promotional content), the use of non-essential analytics cookies, and participation in optional surveys or research programs. You may withdraw consent at any time by using the unsubscribe mechanism in our communications, adjusting your cookie preferences, or contacting us at inbox@seapillar.com. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

6. How We Use Your Data

We process your data for the following specific purposes:

Service DeliveryProviding the core Platform functionality: managing vessel registrations and port calls, processing parcel custody chains from receipt through delivery, generating Goods Delivery Notes and customs manifests, managing warehouse allocations and capacity, and operating the captain portal for vessel-side confirmation.
Security & IntegrityProtecting the Platform and its users: enforcing multi-tenant data isolation, monitoring for unauthorized access attempts and suspicious behavior, implementing rate limiting and abuse prevention, managing authentication sessions, conducting security audits and vulnerability assessments, and maintaining infrastructure integrity.
Compliance & AuditMeeting regulatory and contractual obligations: maintaining immutable audit logs of all material operations and state changes, supporting customs compliance for bonded goods and MIO workflows, generating compliance reports for organizational review, preserving evidence chains for dispute resolution, and retaining records as required by applicable law.
CommunicationsKeeping you informed and supported: sending operational notifications (parcel status updates, vessel arrivals, deadline reminders), delivering system alerts (security notices, scheduled maintenance, service updates), responding to support requests and inquiries, and sending marketing communications to those who have opted in.
Product ImprovementEnhancing the Platform experience: analyzing aggregated usage patterns to identify areas for improvement, monitoring platform performance and reliability metrics, conducting A/B testing for new features (using anonymized data where possible), understanding user workflows to optimize interface design, and developing new features informed by real usage data.
Legal ObligationsFulfilling our legal duties: responding to lawful data access requests from authorities, complying with court orders and legal proceedings, meeting tax, accounting, and corporate governance requirements, enforcing our Terms of Service, and protecting the rights, property, and safety of SeaPillar, our users, and the public.

7. Data Sharing & Disclosure

We do not sell, rent, or trade your Personal Data or your Organization's operational data to any third party. We share data only in the limited circumstances described below, and only to the extent necessary for the stated purpose.

7.1 Within Your Organization

Data entered into the Platform is accessible to other authorized members of your Organization, in accordance with the role-based access control configuration set by your Organization's administrator. For example, an Operator may see parcel details for vessels they manage, while a Viewer may have read-only access to certain dashboards. The scope of internal data sharing is determined by your Organization's administrator and the permission model assigned to each user role.

7.2 With Vessel Stakeholders

Certain operational data (such as parcel delivery status and Goods Delivery Notes) may be shared with vessel captains and crew through the secure Captain Portal. Access to this portal is controlled through cryptographic, time-limited tokens and does not require the vessel stakeholder to create a SeaPillar account. Data shared through this channel is limited to the information directly relevant to the specific vessel and its associated parcels.

7.3 Sub-Processors

We engage a limited number of third-party service providers ("sub-processors") to assist in delivering the Platform. Each sub-processor is bound by a Data Processing Agreement (DPA) that imposes data protection obligations no less stringent than those set out in this policy. Our current sub-processors are:

Cloud infrastructure provider (EU-based) — Database hosting, authentication services, and file storage. Data center location: European Union. Acts as a Data Processor and processes Account Data, Operational Data, and authentication credentials on our behalf.
Hosting and edge delivery provider — Application hosting, content delivery, and edge computing. Data center locations: Global edge network with primary region in the European Union. Processes Technical Data and serves the Platform interface.
Transactional email provider — Transactional and notification email delivery. Processes email addresses and message content to deliver operational notifications, system alerts, and marketing communications on our behalf.
Error monitoring and performance analytics — Application error monitoring and performance tracking. Processes Technical Data and error context (which may incidentally include limited Personal Data such as IP addresses) to help us identify and resolve software issues.
Rate limiting and cache infrastructure — Rate limiting and abuse prevention. Processes IP addresses and request metadata to enforce rate limits and protect the Platform from abuse. Data center location: European Union.

A complete list of sub-processors is available upon request by contacting inbox@seapillar.com.

7.4 Legal Requirements

We may disclose your data if required to do so by law or in the good faith belief that such action is necessary to: comply with a legal obligation or lawful request from a court, regulatory authority, or law enforcement agency; protect and defend the rights, property, or safety of SeaPillar, our users, or the public; prevent fraud, security threats, or other illegal activity; or enforce our Terms of Service. Where permitted by law, we will notify you before disclosing your data in response to a legal request.

7.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your data may be transferred to the acquiring entity as part of the transaction. In such circumstances, we will provide notice to affected Organizations and ensure that the acquiring entity assumes the obligations set out in this Privacy Policy or provides equivalent protections. You will be notified via email and/or a prominent notice on the Platform of any change in ownership or use of your Personal Data, as well as any choices you may have regarding your data.

8. International Data Transfers

SeaPillar is based in Denmark, and our primary data processing infrastructure is located within the European Union. However, some of our sub-processors may process data in jurisdictions outside the EU/EEA. When data is transferred outside the EU/EEA, we ensure that appropriate safeguards are in place, as required by Chapter V of the GDPR.

These safeguards include: transfers to countries that the European Commission has determined provide an adequate level of data protection (Article 45 GDPR "adequacy decisions"); the use of Standard Contractual Clauses (SCCs) approved by the European Commission (Article 46(2)(c) GDPR), supplemented by additional technical and organizational measures where necessary following the transfer impact assessment methodology outlined in the EDPB's post-Schrems II recommendations; and binding corporate rules where applicable.

You may request a copy of the specific safeguards applied to any international transfer of your data by contacting us at inbox@seapillar.com. We maintain a record of all international transfers and the corresponding legal mechanisms as part of our data processing documentation.

9. Data Retention

We retain your data only for as long as is necessary to fulfill the purposes for which it was collected, or as required by applicable law. Our retention periods are determined by the nature of the data, the purpose of processing, and any legal or regulatory requirements.

Operational Data (vessel records, parcel custody chains, warehouse allocations, customs manifests): Retained in accordance with your Organization's configured data retention policy. The default retention period is two (2) years from the date of the last operation. Organizations may configure a shorter or longer retention period as required by their internal policies or applicable maritime regulations.
Audit Logs (state changes, administrative actions, security events): Retained for seven (7) years to comply with maritime compliance requirements, customs regulations, and corporate governance standards. Audit logs are immutable and cannot be modified or deleted prior to the expiration of the retention period.
Account Data (user profiles, credentials, organization details): Retained for the duration of the active account. Upon account closure or Organization termination, account data is deleted within thirty (30) days, except where retention is required by law or for the resolution of pending disputes.
Technical & Usage Data (logs, analytics, performance metrics): Retained for up to twelve (12) months, after which it is aggregated and anonymized. Anonymized data may be retained indefinitely for statistical and product improvement purposes.
Backups: Database backups are purged within ninety (90) days of the deletion of the source data. During this backup retention window, the data remains encrypted and is accessible only for disaster recovery purposes.

When data reaches the end of its retention period, it is securely deleted or irreversibly anonymized using industry-standard methods. We conduct periodic reviews of our data stores to ensure compliance with the above retention schedules.

10. Security Measures

SeaPillar implements comprehensive technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. These measures are designed in accordance with Article 32 of the GDPR and are regularly reviewed and updated.

Encryption: All data is encrypted using AES-256 at rest and TLS 1.3 in transit. Database connections use encrypted channels, and all API communications are served exclusively over HTTPS. Encryption keys are managed through our hosting provider's key management service and rotated according to industry best practices.
Multi-Tenancy Isolation: The Platform implements defense-in-depth tenant isolation through a combination of database-level tenant isolation policies and application-level multi-tenancy enforcement. These dual layers ensure that one Organization can never access, modify, or even become aware of another Organization's data, even in the event of an application-layer vulnerability.
Access Control: Granular role-based access controls limit data visibility and operational permissions based on the principle of least privilege. Each endpoint enforces authentication and authorization checks before processing any request. Administrative actions are logged and auditable.
Audit Logging: All material operations, state changes, and administrative actions are recorded in an immutable audit log. Audit entries include the identity of the acting user, the action performed, the timestamp, and relevant metadata. These logs support compliance reviews, dispute resolution, and security investigations.
Rate Limiting & Abuse Prevention: Authentication endpoints and sensitive operations are protected by server-side rate limiting to prevent brute-force attacks, credential stuffing, and denial-of-service attempts.
Input Validation & Sanitization: All user-supplied input is validated against strict schemas and sanitized before processing or storage. This protects against SQL injection, cross-site scripting (XSS), and other injection attacks. File uploads are validated for both MIME type and magic bytes.
CSRF Protection: Cross-Site Request Forgery protection is implemented through token-based verification on all state-changing operations.
Security Monitoring: We employ structured logging and error tracking to detect and respond to security anomalies in real time. Our incident response procedures include containment, investigation, notification, and remediation steps in accordance with GDPR Article 33 breach notification requirements.

11. Your Rights Under the GDPR

As a Data Subject, you have the following rights under the GDPR. These rights apply to your Personal Data and can be exercised at any time by contacting us at inbox@seapillar.com.

Right of Access (Article 15)

You have the right to obtain confirmation as to whether your Personal Data is being processed and, where that is the case, to access the data and receive information about the purposes of processing, the categories of data concerned, the recipients to whom the data has been or will be disclosed, the envisaged retention period, and the existence of your other rights. We will provide a copy of your Personal Data in a structured, commonly used, and machine-readable format upon request.

Right to Rectification (Article 16)

You have the right to obtain the rectification of inaccurate Personal Data concerning you without undue delay. Taking into account the purposes of the processing, you also have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement. Where possible, you may make corrections directly through the Platform interface.

Right to Erasure (Article 17)

You have the right to request the deletion of your Personal Data where: the data is no longer necessary for the purposes for which it was collected; you withdraw consent and there is no other legal basis for processing; you object to processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or erasure is required for compliance with a legal obligation. Please note that certain data (particularly audit logs and custody chain records) may be exempt from erasure where retention is required for compliance with legal obligations or the establishment, exercise, or defence of legal claims.

Right to Restriction of Processing (Article 18)

You have the right to obtain restriction of processing where: the accuracy of the data is contested (for a period enabling verification); the processing is unlawful and you oppose erasure; we no longer need the data but you require it for legal claims; or you have objected to processing pending verification of our legitimate grounds.

Right to Data Portability (Article 20)

Where processing is based on consent or contract performance and is carried out by automated means, you have the right to receive your Personal Data in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another controller without hindrance from us. Upon request, we will provide a data export of your Organization's operational data in a standard format.

Right to Object (Article 21)

You have the right to object at any time to the processing of your Personal Data that is based on our legitimate interests (Article 6(1)(f)). Upon receiving such an objection, we will cease processing your data for the contested purpose unless we demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims. You also have the right to object to processing for direct marketing purposes at any time, and we will cease such processing without exception.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. SeaPillar does not currently engage in automated decision-making or profiling that produces legal effects. If this changes, we will update this policy and implement appropriate safeguards, including the right to obtain human intervention, express your point of view, and contest the decision.

Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. You can withdraw consent for marketing communications by clicking the unsubscribe link in any marketing email, or by contacting us directly.

How to Exercise Your Rights

To exercise any of the above rights, please send your request to inbox@seapillar.com. We will verify your identity before processing the request and respond within thirty (30) days. If the request is complex or we receive a large number of requests, this period may be extended by an additional sixty (60) days, in which case we will inform you of the extension and the reasons for the delay within the initial thirty-day period. There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

12. Cookies & Tracking Technologies

The Platform uses cookies and similar technologies to provide essential functionality, remember your preferences, and understand how the Platform is used. A cookie is a small text file placed on your device by a website you visit.

Essential Cookies (Strictly Necessary)

These cookies are required for the Platform to function and cannot be disabled. They include session cookies (to maintain your authenticated session), CSRF tokens (to protect against cross-site request forgery), and cookie consent preferences. Legal basis: contract performance and legitimate interest (security). These cookies do not require consent under the ePrivacy Directive as they are strictly necessary for the service.

Functional Cookies

These cookies remember your preferences and settings to provide a personalized experience. This includes language preferences, dashboard layout selections, table column visibility settings, and notification preferences. Legal basis: legitimate interest (user experience). You may disable these cookies, but certain personalization features may not function correctly.

Analytics Cookies

These cookies help us understand how the Platform is used by collecting information about page visits, feature usage, and performance metrics (Web Vitals). Analytics data is collected in aggregate form and is used solely for product improvement. We do not use any third-party advertising or tracking cookies. Legal basis: consent. You may opt out of analytics cookies through the cookie consent banner or by contacting us.

We do not use third-party advertising cookies, retargeting pixels, or social media tracking technologies. The Platform does not participate in any advertising network or cross-site tracking program. You can manage your cookie preferences at any time through the Platform's cookie settings or by configuring your browser to reject non-essential cookies.

13. Children's Privacy

The Platform is a professional B2B service designed exclusively for use by maritime industry professionals and is not intended for, directed at, or designed to attract persons under the age of eighteen (18). We do not knowingly collect or solicit Personal Data from anyone under 18 years of age. If we become aware that we have collected Personal Data from a child under 18 without verification of parental consent, we will take steps to delete that information promptly. If you believe we have inadvertently collected data from a person under 18, please contact us immediately at inbox@seapillar.com.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will update the "Effective date" at the top of this policy.

For material changes that significantly affect how we process your Personal Data (such as changes to the categories of data collected, new purposes of processing, or changes to data sharing arrangements), we will provide at least thirty (30) days' advance notice via email to the Organization administrator and/or through a prominent notice within the Platform. We encourage you to review this policy periodically. Your continued use of the Platform after the effective date of an updated policy constitutes your acceptance of the changes, except where consent is specifically required by applicable law.

15. Contact & Complaints

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us using the details below. We take all privacy inquiries seriously and will respond to your correspondence promptly.

SeaPillar, a Keyton solution

Email: inbox@seapillar.com

Phone: +45 78 70 78 75

Supervisory Authority

If you believe that our processing of your Personal Data infringes the GDPR or applicable data protection law, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. In Denmark, the competent supervisory authority is:

Datatilsynet (Danish Data Protection Agency)
Carl Jacobsens Vej 35
2500 Valby, Denmark
Website: www.datatilsynet.dk
Email: dt@datatilsynet.dk

We encourage you to contact us first so that we can try to resolve your concern directly before you file a formal complaint with the supervisory authority.

16. Data Protection Inquiries

For data protection inquiries, contact our privacy team at inbox@seapillar.com or +45 78 70 78 75.

Effective date: March 22, 2026

1. Introduction

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR. This includes, but is not limited to, names, email addresses, IP addresses, and any other information that can be used directly or indirectly to identify a natural person.
"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Data Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of this policy, SeaPillar (operated by Keyton) is the Data Controller.
"Data Processor" means a natural or legal person which processes Personal Data on behalf of the Data Controller. Our sub-processors (listed in Section 7) act as Data Processors.
"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates. This includes users of the Platform, vessel captains, and any individuals whose data is entered into the system.
"Organization" means a legal entity (such as a port agency, ship agent, terminal operator, or vessel owner) that has registered an account on the Platform and whose employees or authorized representatives use the Service.
"Platform" means the SeaPillar web application, including all pages, dashboards, portals, APIs, and interfaces accessible at seapillar.com and any subdomains thereof.
"Service" means the digital parcel custody, vessel management, warehouse allocation, customs manifest processing, document generation, and related functionality provided through the Platform.

3. Data Controller

Data Controller Contact Information

SeaPillar, a Keyton solution

Email: inbox@seapillar.com

Phone: +45 78 70 78 75

4. Data We Collect

4.1 Account & Identity Data

Full name and professional email address.
Assigned role within the Organization (e.g., Administrator, Operator, Viewer, Captain).
Organization name, registration details, and organizational hierarchy.
Authentication credentials (managed securely through our authentication provider; passwords are never stored in plaintext).
Profile preferences and notification settings.
Invitation and onboarding metadata (date of account creation, inviting user, activation status).

4.2 Operational Data

Vessel identifiers and particulars (Name, IMO number, MMSI, Flag State, call sign, vessel type, gross tonnage).
Vessel contact information (captain name, crew contacts, vessel agent details).
Port call schedules (estimated and actual arrival/departure, berth assignments, pilot information).
Parcel and cargo metadata (descriptions, quantities, weights, dimensions, supplier information, consignee details, tracking references).
Custody chain records (status transitions, timestamps, responsible personnel, custody transfer events).
Visual evidence and attachments (condition photographs, digital signatures, delivery notes, supporting documents).
Warehouse and facility data (storage zone allocations, capacity records, warehouse layouts).
Customs manifest information (bonded goods references, MIO numbers, customs authority submissions, release documentation).
Goods Delivery Notes (GDN) and related printed/digital documents.

4.3 Technical Data

When you access the Platform, we automatically collect certain technical information necessary for security, performance optimization, and troubleshooting. This includes:

IP address and approximate geolocation (country/region level).
Browser type, version, and language settings.
Operating system and device type (desktop, tablet, mobile).
Screen resolution and viewport dimensions.
Session identifiers and authentication tokens.
Referring URLs and landing pages.
Error logs and crash reports (collected via our error monitoring service).

4.4 Usage Data

To understand how the Platform is used and to prioritize improvements, we collect aggregated and, where necessary, individual-level usage data, including:

Feature usage patterns (which modules and features are used, frequency of use).
Page views, navigation paths, and session duration.
Search queries within the Platform.
Web Vitals performance metrics (page load times, interaction responsiveness).
Interaction patterns (clicks, form submissions, table sorting and filtering behavior).

4.5 Communication Data

When you contact us or interact with our communications, we collect:

Support ticket content, correspondence, and resolution history.
Contact form submissions from our website.
Email correspondence with our team (including automated notifications and their read/delivery status).
Feedback and survey responses.
Records of consent and communication preferences (e.g., marketing opt-in/opt-out status).

5. Legal Basis for Processing

Under Article 6 of the GDPR, we must have a valid legal basis for each processing activity involving your Personal Data. The following legal bases apply to our processing operations:

Contract Performance (Article 6(1)(b))

Legitimate Interest (Article 6(1)(f))

Legal Obligation (Article 6(1)(c))

Consent (Article 6(1)(a))

6. How We Use Your Data

We process your data for the following specific purposes:

Service DeliveryProviding the core Platform functionality: managing vessel registrations and port calls, processing parcel custody chains from receipt through delivery, generating Goods Delivery Notes and customs manifests, managing warehouse allocations and capacity, and operating the captain portal for vessel-side confirmation.
Security & IntegrityProtecting the Platform and its users: enforcing multi-tenant data isolation, monitoring for unauthorized access attempts and suspicious behavior, implementing rate limiting and abuse prevention, managing authentication sessions, conducting security audits and vulnerability assessments, and maintaining infrastructure integrity.
Compliance & AuditMeeting regulatory and contractual obligations: maintaining immutable audit logs of all material operations and state changes, supporting customs compliance for bonded goods and MIO workflows, generating compliance reports for organizational review, preserving evidence chains for dispute resolution, and retaining records as required by applicable law.
CommunicationsKeeping you informed and supported: sending operational notifications (parcel status updates, vessel arrivals, deadline reminders), delivering system alerts (security notices, scheduled maintenance, service updates), responding to support requests and inquiries, and sending marketing communications to those who have opted in.
Product ImprovementEnhancing the Platform experience: analyzing aggregated usage patterns to identify areas for improvement, monitoring platform performance and reliability metrics, conducting A/B testing for new features (using anonymized data where possible), understanding user workflows to optimize interface design, and developing new features informed by real usage data.
Legal ObligationsFulfilling our legal duties: responding to lawful data access requests from authorities, complying with court orders and legal proceedings, meeting tax, accounting, and corporate governance requirements, enforcing our Terms of Service, and protecting the rights, property, and safety of SeaPillar, our users, and the public.

7. Data Sharing & Disclosure

7.1 Within Your Organization

7.2 With Vessel Stakeholders

7.3 Sub-Processors

Cloud infrastructure provider (EU-based) — Database hosting, authentication services, and file storage. Data center location: European Union. Acts as a Data Processor and processes Account Data, Operational Data, and authentication credentials on our behalf.
Hosting and edge delivery provider — Application hosting, content delivery, and edge computing. Data center locations: Global edge network with primary region in the European Union. Processes Technical Data and serves the Platform interface.
Transactional email provider — Transactional and notification email delivery. Processes email addresses and message content to deliver operational notifications, system alerts, and marketing communications on our behalf.
Error monitoring and performance analytics — Application error monitoring and performance tracking. Processes Technical Data and error context (which may incidentally include limited Personal Data such as IP addresses) to help us identify and resolve software issues.
Rate limiting and cache infrastructure — Rate limiting and abuse prevention. Processes IP addresses and request metadata to enforce rate limits and protect the Platform from abuse. Data center location: European Union.

A complete list of sub-processors is available upon request by contacting inbox@seapillar.com.

7.4 Legal Requirements

7.5 Business Transfers

8. International Data Transfers

9. Data Retention

Operational Data (vessel records, parcel custody chains, warehouse allocations, customs manifests): Retained in accordance with your Organization's configured data retention policy. The default retention period is two (2) years from the date of the last operation. Organizations may configure a shorter or longer retention period as required by their internal policies or applicable maritime regulations.
Audit Logs (state changes, administrative actions, security events): Retained for seven (7) years to comply with maritime compliance requirements, customs regulations, and corporate governance standards. Audit logs are immutable and cannot be modified or deleted prior to the expiration of the retention period.
Account Data (user profiles, credentials, organization details): Retained for the duration of the active account. Upon account closure or Organization termination, account data is deleted within thirty (30) days, except where retention is required by law or for the resolution of pending disputes.
Technical & Usage Data (logs, analytics, performance metrics): Retained for up to twelve (12) months, after which it is aggregated and anonymized. Anonymized data may be retained indefinitely for statistical and product improvement purposes.
Backups: Database backups are purged within ninety (90) days of the deletion of the source data. During this backup retention window, the data remains encrypted and is accessible only for disaster recovery purposes.

10. Security Measures

Encryption: All data is encrypted using AES-256 at rest and TLS 1.3 in transit. Database connections use encrypted channels, and all API communications are served exclusively over HTTPS. Encryption keys are managed through our hosting provider's key management service and rotated according to industry best practices.
Multi-Tenancy Isolation: The Platform implements defense-in-depth tenant isolation through a combination of database-level tenant isolation policies and application-level multi-tenancy enforcement. These dual layers ensure that one Organization can never access, modify, or even become aware of another Organization's data, even in the event of an application-layer vulnerability.
Access Control: Granular role-based access controls limit data visibility and operational permissions based on the principle of least privilege. Each endpoint enforces authentication and authorization checks before processing any request. Administrative actions are logged and auditable.
Audit Logging: All material operations, state changes, and administrative actions are recorded in an immutable audit log. Audit entries include the identity of the acting user, the action performed, the timestamp, and relevant metadata. These logs support compliance reviews, dispute resolution, and security investigations.
Rate Limiting & Abuse Prevention: Authentication endpoints and sensitive operations are protected by server-side rate limiting to prevent brute-force attacks, credential stuffing, and denial-of-service attempts.
Input Validation & Sanitization: All user-supplied input is validated against strict schemas and sanitized before processing or storage. This protects against SQL injection, cross-site scripting (XSS), and other injection attacks. File uploads are validated for both MIME type and magic bytes.
CSRF Protection: Cross-Site Request Forgery protection is implemented through token-based verification on all state-changing operations.
Security Monitoring: We employ structured logging and error tracking to detect and respond to security anomalies in real time. Our incident response procedures include containment, investigation, notification, and remediation steps in accordance with GDPR Article 33 breach notification requirements.

11. Your Rights Under the GDPR

As a Data Subject, you have the following rights under the GDPR. These rights apply to your Personal Data and can be exercised at any time by contacting us at inbox@seapillar.com.

Right of Access (Article 15)

Right to Rectification (Article 16)

Right to Erasure (Article 17)

Right to Restriction of Processing (Article 18)

Right to Data Portability (Article 20)

Right to Object (Article 21)

Rights Related to Automated Decision-Making (Article 22)

Right to Withdraw Consent

How to Exercise Your Rights

12. Cookies & Tracking Technologies

Essential Cookies (Strictly Necessary)

Functional Cookies

Analytics Cookies

13. Children's Privacy

14. Changes to This Policy

15. Contact & Complaints

SeaPillar, a Keyton solution

Email: inbox@seapillar.com

Phone: +45 78 70 78 75

Supervisory Authority

Datatilsynet (Danish Data Protection Agency)
Carl Jacobsens Vej 35
2500 Valby, Denmark
Website: www.datatilsynet.dk
Email: dt@datatilsynet.dk

We encourage you to contact us first so that we can try to resolve your concern directly before you file a formal complaint with the supervisory authority.

16. Data Protection Inquiries

For data protection inquiries, contact our privacy team at inbox@seapillar.com or +45 78 70 78 75.