OpSkipper Privacy Policy

Overview

OpSkipper (“we,” “our,” or “us”) is a crew scheduling and management platform designed specifically for boat tour companies. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

Important Note: While we strive to implement privacy best practices, our current implementation may not fully comply with all GDPR requirements or other privacy regulations. We are actively working to improve our privacy practices and welcome feedback on our current capabilities.

Current Limitations: Some advanced privacy features (such as self-service data export, account deletion, and comprehensive consent management) are not yet fully implemented. We recommend contacting support so that privacy-related requests can be fulfilled manually.

Who We Are

Our website address is https://opskipper.com and our app address is https://app.opskipper.com

Information We Collect

1. Account Information

  • Email address and basic profile information from Google OAuth authentication
  • Personal profile data including first name, last name, nickname, phone number, avatar URL
  • Employment information including position, hire date, separation date, seniority, hourly pay rate
  • User preferences including username and crew status
  • Client association – which tour company you belong to (for multi-tenant isolation)
  • Account status – active/inactive status tracking

2. Operational Data

  • Trip scheduling and assignment data – crew assignments, boat assignments, tour details, trip datetime, locations
  • Time-off requests and availability – crew availability schedules, time-off requests with approval workflow, rejection reasons
  • Qualification and certification information – crew certifications, licenses, qualification implications, certification expiry dates, issuing authorities
  • Work hour tracking – duty time, rest periods, USCG compliance data, crew actual duty times
  • Trip logs and documentation – post-trip reporting, safety documentation, trip log fields, maintenance logs
  • Fleet management – boat information, maintenance schedules, recurring maintenance, boat aliases

3. Fleet and Tour Data

  • Boat information – vessel details, maintenance schedules, operational status
  • Tour type configurations – trip categories, duration settings, credit hours
  • Location data – pickup/drop-off locations and operational areas

4. System Data

  • Authentication tokens – JWT tokens for secure access (stored in HTTP-only cookies)
  • Session data – encrypted session cookies containing client context and timezone preferences
  • Device and browser information – for security and performance optimization
  • IP addresses and access logs – for security monitoring and fraud prevention

5. External Integration Data

  • FareHarbor integration – tour booking data from connected booking systems
  • Weather data – real-time weather information for trip planning
  • Calendar sync data – ICS calendar feeds for automated tour imports

How We Use Your Information

1. Core Service Functionality

  • Crew scheduling – Assign crew members to trips based on availability and qualifications
  • Compliance monitoring – Track work hours and ensure USCG regulatory compliance
  • Time-off management – Process and approve crew time-off requests
  • Fleet management – Track boat availability and maintenance schedules

2. Safety and Operations

  • Contact information – Phone numbers for operational coordination
  • Certification tracking – Monitor qualification expiration dates and certification validity
  • Incident reporting – Document and track safety incidents through trip logs
  • Maintenance tracking – Record boat maintenance and safety inspections

3. Performance and Analytics

  • Service optimization – Analyze usage patterns to improve system performance
  • Operational insights – Provide analytics for tour company management
  • Real-time monitoring – Live dashboards for operational oversight

4. Security and Compliance

  • Authentication and authorization – Secure access control and permission management
  • Audit logging – Track administrative actions for security and compliance
  • Fraud prevention – Monitor for suspicious activity

Information Sharing and Disclosure

1. Within Your Organization

  • Multi-tenant isolation – Your data is strictly separated from other tour companies
  • Role-based access – Information is shared only with authorized personnel within your organization
  • Position-based permissions – Access is controlled based on job roles and responsibilities

2. Third-Party Service Providers

  • Supabase – Database, authentication, and hosting services (EU-based with GDPR compliance)
  • Google OAuth – Secure authentication and account management (Google’s privacy policy applies)
  • FareHarbor – Tour booking synchronization (shares trip data, booking information, and customer details)
  • Weather Services – Real-time weather data for trip planning (location-based weather requests)
  • Payment Processors – If integrated, for payroll and billing (payment information only)

3. Anonymous Statistics

We may share aggregated, anonymous statistics and usage metrics that cannot identify individual users, businesses, or personal information. These anonymous statistics help us:

  • Improve our service performance and features
  • Understand usage patterns for operational optimization
  • Generate industry insights (without revealing specific business data)

All statistical data is fully anonymized, with no personally identifiable information included.

4. Password Reset and Security Communications

If you request a password reset or other security-related actions, your IP address may be included in security communications for fraud prevention and account protection purposes. This helps us verify the legitimacy of security requests and protect your account from unauthorized access.

5. Legal Requirements

We may disclose information if required by law, court order, or government regulation, including:

  • Maritime safety investigations
  • USCG compliance audits
  • Legal proceedings related to workplace safety

6. Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the new entity, subject to continued privacy protections.

Important: We do not sell, rent, or share personal data with other companies for their commercial purposes.

Data Security

1. Encryption

  • Data at rest – Data is encrypted using industry-standard encryption through Supabase infrastructure
  • Data in transit – Communications use TLS encryption for secure data transmission
  • Session data – Encrypted cookies with automatic expiration for session management

2. Access Controls

  • Row Level Security (RLS) – Database-level isolation between tour companies
  • JWT-based permissions – Role-based access control with permission management
  • Session-based architecture – Efficient session management for user authentication

3. Monitoring and Security

  • Administrative action logging – Admin actions are logged for operational monitoring
  • Access logging – User authentication and access events are tracked
  • Security monitoring – System monitoring for security and operational health
  • Audit trails – Logging of administrative actions and system events

Data Retention

1. Operational Data

  • Active user data – Retained while your account is active and for operational purposes
  • Trip logs and safety records – Retained for operational and compliance purposes
  • Certification and qualification records – Retained for operational purposes during active employment
  • Time-off and scheduling data – Retained for operational and scheduling purposes
  • Maintenance records – Retained for operational and maintenance tracking purposes

2. Inactive Accounts

  • Account deactivation – Profile status can be changed to inactive; data is retained for operational purposes
  • Data retention – Data is retained as needed for operational, compliance, and legal purposes
  • Backup retention – Data may be retained in backups for system recovery purposes

3. Audit Logs

  • Administrative actions – Admin actions are logged for operational monitoring
  • Access logs – Authentication and access events are tracked for security purposes

Your Rights and Choices

1. Access and Portability

  • Data access – View your profile information directly in the application
  • Profile management – Update your personal information through the application’s profile editing interface
  • Data export – Request an exported file of the personal data we hold about you (contact support for assistance)
  • Account information – Access your employment details, certifications, and scheduling history through the application
  • Data portability – Request your data in a structured, commonly used format where technically feasible

2. Correction and Updates

  • Profile updates – Modify your personal information through the application’s profile editing interface
  • Data accuracy – Correct inaccurate or incomplete information via profile editing or by contacting support

3. Deletion and Restriction

  • Account deactivation – Limited account deactivation available through profile status changes
  • Data deletion – Contact support to request deletion of specific data (subject to operational and compliance requirements)
  • Data minimization – Manual review of data minimization requests (contact support)
  • Data processing consent – Currently managed through account creation and continued use
  • Third-party integrations – Control connections to external services through admin settings
  • Data sharing preferences – Managed through organizational permission settings

International Data Transfers

1. Data Hosting

  • Primary hosting – Data is hosted in secure, SOC 2 compliant data centers through Supabase
  • Regional hosting – Data may be hosted in different regions based on Supabase’s infrastructure
  • Cross-border transfers – May occur as part of standard cloud operations

2. Timezone Handling

  • Client-specific timezones – All scheduling respects your configured timezone
  • Timezone preferences – Stored securely and used for display formatting
  • Regional operations – Timezone handling supports operations across different regions

Cookies and Tracking

1. Essential Cookies

  • Authentication cookies – HTTP-only, secure cookies for session management
  • Client context cookies – Encrypted cookies containing client and timezone information
  • Security cookies – Cookies for fraud prevention and security monitoring

2. Functional Cookies

  • Preference cookies – Remember your UI preferences and settings
  • Performance cookies – Track application performance and error rates

3. Third-Party Cookies

  • Google OAuth – Authentication cookies from Google (subject to Google’s privacy policy)
  • Supabase – Service cookies for database and authentication services

4. Embedded Content from Other Websites

Articles and content on our site may include embedded content (e.g. videos, images, maps, or other media). Embedded content from other websites behaves in the exact same way as if you visited those websites directly.

These third-party websites may:

  • Collect data about you
  • Use cookies and tracking technologies
  • Embed additional third-party tracking services
  • Monitor your interaction with embedded content

We recommend reviewing the privacy policies of these third-party services for more information about their data practices.

Media Uploads

If you upload images or media files to the OpSkipper platform (such as crew photos, boat images, or trip documentation), avoid uploading files that contain embedded location data (EXIF GPS). Visitors and users of the platform can download images from the website and extract any location data from them.

We recommend removing metadata from images before uploading them to protect location privacy and other potentially sensitive information.

Automated Data Processing

We may use automated systems and algorithms to:

  • Process and analyze scheduling data for optimization
  • Monitor system performance and security
  • Detect potential security threats or unusual activity
  • Generate insights and analytics for operational improvement
  • Assist with compliance monitoring and reporting

These automated processes help ensure the efficient and secure operation of our platform while maintaining data accuracy and system integrity.

Children’s Privacy

OpSkipper is designed for business use by maritime industry professionals. We do not knowingly collect personal information from children under 16 years of age. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify users of any material changes through:

  • In-app notifications
  • Email communications
  • Prominent notices on our website

Contact Information

For all privacy-related questions, data rights requests, security concerns, or general support:

Email: deckhand@opskipper.com
Subject: Privacy Inquiry – [Your Company Name]
Response Time: Within 5-10 business days (depending on request complexity and current capabilities)

Support Channels

  • Privacy & Data Rights: deckhand@opskipper.com
  • Security Issues: deckhand@opskipper.com
  • General Support: deckhand@opskipper.com
  • In-App Support: Contact forms available in application
  • Documentation: Available through application help sections

Compliance and Security Measures

OpSkipper implements industry-standard security practices and is working toward comprehensive compliance with privacy regulations:

Current Security Measures

  • SOC 2 compliant infrastructure – Security, availability, and confidentiality controls through Supabase
  • Row Level Security (RLS) – Database-level data isolation between organizations
  • JWT-based authentication – Secure token-based access control
  • Audit logging – Comprehensive logging of administrative actions
  • Encryption – Data encrypted at rest and in transit

Regulatory Compliance

  • USCG regulations – United States Coast Guard maritime safety and compliance requirements
  • Industry best practices – Following privacy and security best practices for maritime operations

Future Privacy Compliance Goals

We are actively working to achieve full compliance with:

  • GDPR – General Data Protection Regulation (EU)
  • CCPA – California Consumer Privacy Act (California, USA)

Enterprise Features

For enterprise customers and larger tour operations, we provide enhanced security and organizational features:

Enterprise Security Features

  • Advanced audit logging and monitoring
  • Enhanced access controls and permission management
  • Multi-tenant data isolation
  • Comprehensive administrative controls

Support Services

  • Technical support for operational needs
  • Administrative assistance for account management
  • Custom configuration for organizational requirements

Contact: deckhand@opskipper.com for enterprise inquiries and support


OpSkipper – Streamlining maritime crew management with a focus on security and operational efficiency.

This privacy policy reflects OpSkipper’s current privacy practices and capabilities. We are continuously working to improve our privacy features and compliance. For third-party services integrated with OpSkipper (such as Google OAuth and FareHarbor), please refer to their respective privacy policies.