Privacy Policy

Scope & who we are

This Privacy Policy explains how Triton Technical LLC ("Triton Technical," "we," "us," or "our") handles personal information in connection with the YMS360 software platform, the website at yms360.com, our mobile and desktop applications, APIs, help center, the AI chat assistant embedded on the website, and related services (collectively, the "Services").

For purposes of the EU and UK General Data Protection Regulation ("GDPR"), Triton Technical LLC is the controller of personal information collected about visitors to our website and users of our Services, except where we act as a processor on behalf of a yacht owner, management company, or other customer who has subscribed to YMS360. In those cases, our customer is the controller and determines how data within their account is used. This policy describes our practices as a controller; for processing done on behalf of a customer, their privacy notice and our data processing agreement apply.

This policy does not apply to third-party websites, services, or applications that you may access through the Services, even if we link to them.

Information we collect

We collect information in three ways: information you provide to us, information we collect automatically, and information we receive from third parties.

Information you provide

Information we collect automatically

• Server-side request data: when your browser loads a page or submits a form, our hosting platform records standard request information including IP address, user agent string, requested URL, and timestamp. This is used to deliver the page and to keep the site secure.
• AI chat assistant session data: when you interact with the chat widget, we record a session identifier, timestamps, and the content of the conversation as described in Section 6.
• Cookies: we currently set only strictly necessary cookies. See Section 12 for the full list and what each one does.

We do not currently operate any third-party analytics, advertising, or marketing tracking technologies on the Website. If we add any in the future, we will update this policy and request your consent through the cookie banner before they load.

Information from third parties

• Identity providers if you log in using single sign-on (e.g., your company's SSO provider).
• Payment processors for transaction status and fraud signals (we do not receive full card numbers).
• Business contact sources such as publicly available professional directories, which we may use for business-to-business outreach in line with applicable law.
• Integration partners where you connect YMS360 to another system (for example, an accounting package or fleet database), we receive the data that integration is configured to exchange.

We do not knowingly collect special categories of personal data (such as health, biometric, or government ID data) unless you voluntarily provide it — for example, if a crew certificate you upload contains such information. If you choose to upload such data, you are responsible for ensuring you have the legal basis to do so.

How we use information

We use personal information for the following purposes:

• Providing the Services: creating and maintaining accounts, delivering platform features, syncing data across devices, enabling integrations, processing your transactions, and operating the AI chat assistant on our website.
• Customer support: responding to questions, troubleshooting, training, and onboarding.
• Billing and account administration: invoicing, processing payments, tax compliance, and collecting amounts owed.
• Security and fraud prevention: authenticating users, detecting and preventing abuse, investigating incidents, and enforcing our terms.
• Product improvement: we may review AI chat transcripts to improve our prompts, topic coverage, and response quality, and to measure whether the assistant is helping visitors effectively. Where we use customer data to improve the Services more broadly, we do so in de-identified or aggregated form.
• Communications: sending transactional messages (such as service notices, security alerts, and billing), and — if you have opted in or where permitted by law — product updates and marketing.
• Legal and compliance: complying with applicable laws, responding to lawful requests, and protecting our rights and those of our users.

We do not use personal information for automated decision-making that produces legal or similarly significant effects about you (see Section 14). We do not sell personal information, we do not use customer content to train generative AI models, and we do not permit Anthropic or any other AI provider to use YMS360 customer content or chat assistant conversations to train their foundation models.

Legal bases for processing (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR:

• Contract (Art. 6(1)(b)): to provide the Services you or your organization have subscribed to and to perform pre-contract steps at your request (for example, handling a demo inquiry or answering product questions through the AI chat assistant).
• Legitimate interests (Art. 6(1)(f)): to operate, secure, and improve the Services, including operating and improving the AI chat assistant; to conduct business-to-business marketing where our interests are not overridden by your rights; and to defend legal claims. You have a right to object to processing based on legitimate interests.
• Consent (Art. 6(1)(a)): for any non-essential cookies we may add in the future, certain marketing communications, and any processing where consent is legally required. You can withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)): to meet accounting, tax, and other statutory requirements.

How we share information

We share personal information only in the limited circumstances described below. We do not sell personal information for money, and we do not share personal information with third parties for their own marketing or advertising purposes.

Service providers (processors)

We use carefully selected vendors to help us run the Services. They act on our instructions under written contracts that require appropriate security and confidentiality. Categories include:

• Cloud hosting and infrastructure
• Website hosting (Webflow)
• Customer support and help desk tooling
• Email delivery (transactional)
• Payment processing
• Error monitoring and logging
• Identity and authentication providers
• AI and conversational assistant providers (currently Anthropic PBC, which provides the Claude large language model that powers our website chat assistant — see Section 6)

Within your organization

Data entered into a YMS360 customer account is accessible to other authorized users of that account based on permissions configured by the account's administrators. If you are a crew member or contractor using an employer's account, that employer controls access.

Legal, safety, and compliance

We may disclose information if we reasonably believe it is necessary to comply with a law, regulation, legal process, or enforceable governmental request; to enforce our terms; to detect, prevent, or address fraud or security issues; or to protect the rights, property, or safety of Triton Technical, our users, or others.

Business transfers

If Triton Technical is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to standard confidentiality protections. We will notify affected users consistent with applicable law.

With your direction

When you connect an integration or direct us to share information (for example, with a third-party app), we share what is needed to carry out your request.

AI chat assistant

Our website includes an AI-powered chat assistant that can answer questions about YMS360, our products, and general yacht management topics. We want to be clear about how it works so you can make informed choices when using it.

How it works

The assistant is powered by Claude, a large language model developed by Anthropic PBC ("Anthropic"), accessed through Anthropic's commercial API under a written agreement. When you send a message, the text of your conversation (including any information you include in it) is transmitted to Anthropic's API, where the model generates a response that is then returned to your browser. We also supply the model with a system prompt and, in some cases, reference content from our website or help center to help it answer accurately.

What data is processed

• Conversation content: the messages you type and the assistant's responses.
• Session metadata: a session identifier, timestamps, approximate language, and limited technical signals used to operate the chat widget.
• Contact information only if you choose to share it (for example, if you ask us to follow up with you by email).

What Anthropic does with chat data

Under Anthropic's commercial API terms, Anthropic processes conversation inputs and outputs solely to generate responses and to provide, maintain, and secure its API service. Anthropic does not use YMS360 chat conversations to train its foundation models. Anthropic retains inputs and outputs for a limited period for operational and trust-and-safety purposes and may retain content longer where required for legal or abuse-investigation reasons. You can review Anthropic's current API practices at anthropic.com/legal/privacy.

What we do with chat data

We retain chat transcripts on our own infrastructure for the purposes described in Section 3 — operating the assistant, improving its quality, troubleshooting, security, and, where you have shared contact details, responding to you. See Section 8 for retention periods.

Limitations and appropriate use

• The AI chat assistant generates responses automatically and its answers may be inaccurate, incomplete, or out of date. It is provided for general informational purposes only and is not a quote, commitment, warranty, legal advice, or professional advice.
• Please do not submit sensitive personal information (including health, financial account numbers, government IDs, or credentials), confidential business information, or information about third parties who have not consented.
• For anything that needs to be authoritative — pricing, contract terms, technical specifications for your vessel, or support matters — please reach a human on our team. Contact details are in Section 17.

Your choices

Use of the AI chat assistant is optional. You can get the same information by browsing the website, reading our help center, or emailing us. If you would like us to delete a chat transcript associated with you, contact us using the details in Section 17.

International data transfers

Triton Technical is headquartered in the United States. We and our service providers may process personal information in countries other than your own, including the United States and other jurisdictions where our vendors operate. Anthropic, which powers our AI chat assistant, processes data in the United States.

Where we transfer personal data out of the European Economic Area, United Kingdom, or Switzerland to a country that has not been granted an adequacy decision, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses and the UK Addendum or UK International Data Transfer Agreement, supplemented by technical and organizational measures where necessary. These safeguards apply to transfers to Anthropic and to our other US-based sub-processors. You can request a copy of the relevant safeguards by contacting us at info@yms360.com.

Data retention

We retain personal information for as long as it is needed for the purposes described in this policy and for legitimate business or legal purposes after that. Retention periods vary by data type:

• Account and yacht data: for the life of the customer account, plus a reasonable period after termination to allow for data export and dispute resolution.
• Billing records: typically seven years to meet tax and accounting requirements.
• Support communications: generally up to three years after resolution.
• AI chat assistant transcripts: retained by us for up to 12 months for quality review, troubleshooting, and security. If you share contact details within a conversation and we open a sales or support record, the relevant transcript is retained with that record per the applicable retention period above. Anthropic's retention of API inputs and outputs is governed by its own policies (see Section 6).
• Marketing contacts: until you unsubscribe or object, plus a short suppression-list retention to honor your opt-out.
• Server-side request logs: typically up to 90 days for operational and security purposes.
• Security and audit logs: typically 12–24 months.
• Backups: rotated on a defined schedule; deletions propagate to backups within that cycle.

When personal data is no longer needed, we delete or anonymize it. If deletion is not technically feasible (for example, on archival backups), we isolate it and protect it from further processing until deletion is possible.

Security

We take reasonable and appropriate technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include:

• Encryption of data in transit (TLS) and at rest for our production databases
• Role-based access controls and the principle of least privilege
• Multi-factor authentication for administrative access
• Regular vulnerability scanning and patching
• Secure development practices and code review
• Logging, monitoring, and alerting for suspicious activity
• Incident response procedures
• Employee training and confidentiality obligations

No system is perfectly secure. We cannot guarantee absolute security, but we work continuously to improve our controls. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected individuals without undue delay.

Your rights under GDPR

If you are in the EEA, UK, or Switzerland, you have the following rights with respect to your personal data:

• Access — obtain confirmation of whether we process your personal data and a copy of that data.
• Rectification — correct inaccurate or incomplete data.
• Erasure — request deletion in certain circumstances (the "right to be forgotten"), including deletion of chat assistant transcripts associated with you.
• Restriction — ask us to limit how we process your data in certain circumstances.
• Portability — receive your data in a structured, commonly used, machine-readable format, and transmit it to another controller where technically feasible.
• Objection — object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
• Withdraw consent — where we process on the basis of consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Lodge a complaint — with your local data protection supervisory authority. We would appreciate the chance to address your concerns first — please contact us before doing so.

California privacy rights

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the "CCPA"), gives you the following rights:

• Right to know what personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it.
• Right to access the specific pieces of personal information we hold about you, including AI chat assistant transcripts.
• Right to delete personal information, subject to certain exceptions.
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of personal information. We do not sell personal information for money, and we do not currently share personal information for cross-context behavioral advertising. If this changes in the future, we will update this policy and provide an opt-out before any such sharing begins.
• Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes that would trigger this right.
• Right to non-discrimination — we will not discriminate against you for exercising any of these rights.

Categories we collect

In the preceding 12 months, we have collected the following categories of personal information (as defined by the CCPA): identifiers (name, email, IP address); commercial information (subscription details); internet or other electronic activity information (AI chat assistant conversations and server-side request logs); professional information (job title, employer); and inferences drawn from the above where applicable. Sources, purposes, and recipients are described in Sections 2, 3, 5, and 6.

How to exercise California rights

Submit a request by emailing info@yms360.com or by using our contact form. We will verify your request using information we already hold. You may designate an authorized agent to make a request on your behalf; we may require written proof of authorization and verify your identity directly.

"Shine the Light": California Civil Code § 1798.83 permits California residents to request information about certain disclosures of personal information to third parties for their direct marketing purposes. We do not make such disclosures.

Cookies & similar technologies

This site currently uses only strictly necessary cookies. We do not currently run analytics, advertising pixels, or marketing trackers. We do not use Google Analytics, Google Tag Manager, Microsoft Clarity, the LinkedIn Insight Tag, the Meta Pixel, or similar third-party technologies. There is no first-party email-engagement or lead-scoring tracker active on the Website at this time.

We display a brief cookie notice on first visit so you have a clear, transparent record of what is set. Because no optional categories are active, the notice asks only that you acknowledge it; there is nothing to opt in to. If we add any optional cookies in the future, they will be off by default, will not load before you opt in through the cookie banner, and the categories below will be updated.

Strictly necessary

Required for core site functions such as navigation, security, form submission, the AI chat assistant session (including a session identifier used to maintain your conversation thread), and remembering your cookie choice. These do not require consent under GDPR. Set by Webflow (our website host) and by YMS360 as first-party storage.

• Providers: Webflow, YMS360 (first-party).
• Purpose: Site delivery, security, consent acknowledgement storage.
• Retention: Session to 12 months.

Managing your preferences

• You can clear your stored cookie acknowledgement at any time using the cookie preferences icon on the site, by clearing your browser cookies, or by emailing us.
• Unsubscribe from any marketing emails using the link at the bottom of any message.
• Request deletion of any AI chat transcript by contacting us — see Section 10 (GDPR rights), Section 11 (California rights), or Section 17 (contact).
• You can also control cookies through your browser settings.

We honor the Global Privacy Control (GPC) signal as a valid opt-out of sale, sharing, and non-essential cookies for users in applicable jurisdictions. If we add optional cookies in the future and your browser sends a GPC signal, those categories will be treated as opted out automatically.

Children's privacy

The Services are intended for business users and are not directed to children. We do not knowingly collect personal information from individuals under 16. If you believe a child has provided personal information to us, please contact info@yms360.com and we will take appropriate steps to delete it.

Automated decision-making & profiling

We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you. We may use limited automated techniques for security (such as rate-limiting and fraud detection), product recommendations within the platform, and the generation of responses by our AI chat assistant. The AI chat assistant provides informational responses to your questions and does not make decisions that produce legal or similarly significant effects about you. If you have questions about any specific processing, please contact us.

Third-party links and services

The Services may contain links to third-party websites, plugins, or integrations (for example, help center content, social media links, or partner applications). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.

Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date above and, where appropriate, provide additional notice — for example, by email to registered users or by a prominent notice in the Services. Your continued use of the Services after an update takes effect constitutes acceptance of the revised policy, to the extent permitted by law.

Contact us

If you have questions or concerns about this Privacy Policy or our data practices, including how to exercise your rights or request deletion of an AI chat transcript, please get in touch. We aim to respond promptly.