1. Introduction
At CharterIO ('Platform', 'We'), the security and privacy of your personal data is extremely important to us. This Privacy Policy has been prepared to inform you about how your personal data is processed, stored, and protected when using our website and services.
This policy has been prepared in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.
CharterIO
Web: www.charterio.com
Email: privacy@charterio.com
Data Controller Information
The data controller is CHARTERIO LTD, a company registered in England & Wales under company number 17289234 with its registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom, operating the CharterIO platform at www.charterio.com. For data protection matters, you can reach us at privacy@charterio.com.
Data Protection Officer (DPO)
The platform is currently below the mandatory DPO appointment threshold under GDPR Article 37, therefore no formal Data Protection Officer has been appointed. All data protection requests are handled directly by the business owner through privacy@charterio.com. This status will be reassessed as the platform grows.
Right to Lodge a Complaint with a Supervisory Authority
If you have concerns about data processing activities, you have the right to lodge a complaint with the supervisory authority in your country of residence:
- Turkey: Personal Data Protection Authority (kvkk.gov.tr)
- United Kingdom: Information Commissioner's Office (ico.org.uk)
- EU member states: The relevant national data protection authority
2. Data Collected
CharterIO collects the following data:
- Name, surname, contact information
- Authentication data
- Payment information (processed by Stripe, we do not store it)
- IP address, device information, cookies
- Booking history
3. Data Processing Purposes
Service Delivery
- Processing bookings
- Payment processing
- Customer account management
Legal Obligations
- Compliance with regulations
- Requests from authorities
- Tax and accounting
Security
- Fraud detection and prevention
- Platform security
- Identity verification
Communication
- Information messages
- Customer support
- Marketing (with consent)
Legal Basis for Data Processing
Your personal data is processed under the following legal bases as set forth in GDPR Article 6 and KVKK Article 5:
Performance of Contract (GDPR Article 6(1)(b))
Data required for bookings, payments, communication between the renter and the boat owner, and the provision of platform services is processed under the performance of the user agreement we have with you.
Legal Obligation (GDPR Article 6(1)(c))
Data is retained for purposes such as accounting records, tax declarations, anti-money laundering (AML) and know-your-customer (KYC) obligations, and responding to requests from legal authorities.
Legitimate Interest (GDPR Article 6(1)(f))
Technical logs and limited usage data are processed to prevent fraud, maintain platform security, improve service quality, and prevent misuse. This processing is carried out with a balance between your rights and our interests.
Explicit Consent (GDPR Article 6(1)(a))
Your explicit consent is obtained for marketing emails, analytics cookies, marketing cookies, and personalised promotional content. You may withdraw your consent at any time, unsubscribe from marketing emails with one click, and update your cookie preferences via Settings.
4. Third-Party Sharing
Data is only shared in the following cases:
- Payment provider Stripe
- Boat owners (information required for booking)
- Legal authorities (when required)
International Data Transfers
CharterIO uses service providers located outside the European Union and the United Kingdom (in particular, the United States) to operate the platform. In these cases, your personal data is transferred to those countries.
Service Providers Receiving Data
- Stripe (US) — payment processing
- Cloudinary (US) — image hosting
- MongoDB Atlas (EU/US) — database
- Pusher (US) — real-time communication
- Resend (US) — email delivery
- Geoapify (EU) — maps and address services
Applied Safeguards
These transfers are carried out under Standard Contractual Clauses (SCCs) approved by the European Commission. A Data Processing Agreement (DPA) has been signed with each service provider under GDPR Article 28. You can access the privacy policies and DPAs of the service providers on their respective websites.
5. Data Retention
CharterIO retains personal data for the period necessary for processing purposes and limited to the periods stipulated in relevant legislation.
Retention Periods
- User Account Data: Retained while the account is active. Deleted when the account is closed.
- Booking Records: Retained for 6 years for accounting and tax obligations (UK Companies Act 2006 s.388 and HMRC requirements).
- Authentication Records: Retained for 12 months for security purposes.
- Communication Records: Retained for 3 years for customer support.
After Expiry
When retention periods expire, all data is securely anonymized or deleted.
6. User Rights (GDPR)
Users have the following rights:
The right to know what personal data is being processed
The right to request correction of incorrect or incomplete data
The right to request deletion of data if there is no legal retention obligation
The right to receive your data in a structured format
The right to request suspension of data processing in certain cases
The right to object to processing based on legitimate interest
Email: privacy@charterio.com
Response Time: Within 30 days
7. Cookie Policy
Our website uses cookies to improve user experience. For detailed information, please see our Cookie Policy.
Cookie Types We Use
- Essential cookies: Session and security
- Analytics cookies: Site usage analysis
- Marketing cookies: Works with explicit consent
Contact
For questions about our privacy policy, you can contact us:
Web
www.charterio.com
privacy@charterio.com
info@charterio.com