Privacy Policy
1. Introduction
This Privacy Policy explains how Nautis ("we", "us", "our"), operated by EightTen Labs (Sole Trader), collects, uses, stores, and protects your personal data when you use the Nautis mobile application ("the App").
Nautis is a digital maritime logbook application available on iOS and Android. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller: EightTen Labs, United Kingdom
Contact: [email protected]
Last Updated: 13 May 2026
2. Data We Collect
2.1 Account Information
When you create an account, we collect:
- Email address: required for account creation and communication
- Full name: displayed on your profile
- Username: optional, used for social search and discovery
- Profile photo: optional, uploaded by you
- Authentication provider data: if you sign in via Google or Apple, we receive your name and email from those providers. We do not receive or store your Google or Apple password.
2.2 Location Data
Location data is central to how Nautis works. We collect precise GPS data to track your sailing trips and plot your route on a map.
When you start a trip with GPS tracking enabled, we collect:
- Latitude and longitude: precise position (typically accurate to ~5 metres)
- Altitude: elevation above sea level (when available)
- GPS accuracy: the precision of the position reading
- Speed and heading: speed over ground and direction of travel
- Timestamps: when each GPS reading was taken
GPS data is collected continuously while a trip is active, including when the app is running in the background. You can disable GPS tracking for any trip. Location data is only collected during active trips. We do not track your location at other times.
2.3 Log Entry Data
When you create log entries (manually or via Auto Logging), we collect the data you provide:
- Navigation data: course steered, speed, course over ground, speed over ground, log reading, distance covered
- Weather and conditions: barometric pressure, sea state, wind speed and direction, visibility, weather conditions
- Engine and propulsion: engine status, RPM, battery voltage
- Sail plan: which sails are set
- Notes: free-text notes you add to entries
- Position: latitude and longitude at the time of the entry
2.4 Photos
You may attach photos to log entries. When you do, we store:
- The photo file itself (uploaded to our cloud storage)
- File metadata: file name, file size, MIME type
We access your device camera or photo library only when you explicitly choose to take or select a photo. We do not access your camera or photos without your action.
2.5 Vessel Information
You may register vessels in the app. This data includes:
- Vessel name, type, and flag state
- Dimensions: length, beam, draft, gross tonnage
- Registration number and MMSI number
- Engine details and sail inventory
- Vessel photos
2.6 Trip Data
For each trip, we store:
- Trip name and description
- Departure and destination locations (name and coordinates)
- Planned and actual start/end dates
- Trip status, distance, and duration
- Timezone settings
2.7 Device and Technical Data
- Device tokens: for sending push notifications via Firebase Cloud Messaging (FCM)
- Crash reports: via Firebase Crashlytics. Includes device model, OS version, app version, and crash stack traces. Crashlytics is disabled in debug/development builds.
- Breadcrumb logs: anonymised usage events (e.g. "user opened map", "sync started") to help diagnose issues. These do not contain personal data.
2.8 Social, Visibility, and Friend Data
Nautis is public by default. When you create log entries, trips, or GPS tracks in Nautis, this content is visible to other Nautis users by default. This includes the data fields described in sections 2.2 (Location Data), 2.3 (Log Entry Data), 2.4 (Photos), and 2.6 (Trip Data) above.
We currently do not offer per-log or per-trip privacy toggles. If you do not want your content to be publicly visible to other Nautis users, do not record it in Nautis. You can delete any log entry, trip, or photo at any time, and you can delete your account at any time (see §6 and §7).
In addition to public visibility, we collect:
- Friends: user IDs of people you add as friends in the app. The friend graph exists for social discovery. Adding a friend does not change the visibility of your logs (they were already public).
- Invite codes: codes used to join the app, including which code you used and who referred you.
2.9 On Watch Share Links
Nautis includes a feature called On Watch, which generates a public, token-based web link for an active trip. Anyone with the link can view the trip as it unfolds, including position, course, speed, and any log entries you make during the trip. The link is not bound to a specific recipient. Anyone you share it with, and anyone they forward it to, can open it.
On Watch links remain accessible during the trip and indefinitely afterwards. On Watch link revocation is on the product roadmap; in the meantime, contact [email protected] to disable a link.
3. How We Use Your Data
| Purpose | Data Used | Legal Basis (UK GDPR) |
|---|---|---|
| Providing the core logbook service | Account info, location, log entries, trips, vessels, photos | Contract performance (Art. 6(1)(b)) |
| GPS tracking during trips | Precise location data | Consent (Art. 6(1)(a)). You enable tracking per trip |
| Public visibility of logs, trips, and GPS tracks | Log entries, trip data, location data, photos | Contract performance (Art. 6(1)(b)). Public visibility is a core feature of Nautis during the alpha phase, disclosed at signup |
| Friend connections | Friend list (user IDs) | Consent (Art. 6(1)(a)). You choose to add friends |
| On Watch share links | Active trip data, location data, log entries | Contract performance (Art. 6(1)(b)). You activate the share by generating a link |
| Push notifications | Device tokens | Consent (Art. 6(1)(a)). You grant notification permission |
| Crash reporting and diagnostics | Device info, crash data, breadcrumbs | Legitimate interest (Art. 6(1)(f)). Improving app stability |
| Account security and authentication | Email, auth provider data | Contract performance (Art. 6(1)(b)) |
| Responding to support requests | Email, account data | Contract performance (Art. 6(1)(b)) |
4. Third-Party Services
We use the following third-party services to operate Nautis:
| Service | Provider | Data Shared | Purpose | Privacy Policy |
|---|---|---|---|---|
| Supabase | Supabase Inc. | All synced user data (account, trips, logs, photos, vessels, friends) | Cloud database, authentication, file storage | supabase.com/privacy |
| Firebase Crashlytics | Google LLC | Crash reports, device info, breadcrumb logs | Crash reporting and diagnostics | firebase.google.com/support/privacy |
| Firebase Cloud Messaging | Google LLC | Device tokens | Push notifications | firebase.google.com/support/privacy |
| Mapbox | Mapbox Inc. | Map tile requests (contain approximate location) | Map rendering | mapbox.com/legal/privacy |
| Google Sign-In | Google LLC | Authentication tokens | Optional sign-in method | policies.google.com/privacy |
| Apple Sign-In | Apple Inc. | Authentication tokens | Optional sign-in method | apple.com/legal/privacy |
| Google Fonts | Google LLC | Font download requests (IP address) | Typography | policies.google.com/privacy |
We do not sell your data. We do not use advertising SDKs. We do not share your data with any parties other than those listed above, except where required by law.
5. Data Storage and Security
5.1 Where Your Data is Stored
- On your device: All data is stored locally in a SQLite database. The app is designed offline-first. Your data exists on your device even without an internet connection. The database is not encrypted at rest by Nautis; it is protected by your device's standard application sandboxing and any device-level encryption you have enabled (such as iOS file protection or Android full-disk encryption).
- In the cloud: When you are online, data syncs to Supabase (hosted on AWS). Photos are stored in Supabase Storage.
- On Watch share links: Active trip data accessed via On Watch links is served in real time from the same Supabase backend. No additional copies are created. The link grants public read access to your existing trip data.
5.2 Security Measures
- All data transmitted between your device and our servers uses TLS encryption (HTTPS)
- Authentication is handled by Supabase Auth with industry-standard security
- Row Level Security (RLS) policies enforce server-side write restrictions. You cannot create, modify, or delete other users' content. Reads of publicly visible content (logs, trips, GPS tracks) are permitted in line with the visibility model described in §2.8.
- Passwords are hashed and never stored in plain text
- Third-party sign-in (Google, Apple) uses OAuth 2.0 / OpenID Connect standards
5.3 Data Sync
Nautis uses an offline-first architecture with a sync queue. Data created or modified while offline is queued locally and synced to our servers when connectivity is restored. This means your data may exist in an unsynced state on your device until a network connection is available.
6. Your Rights (UK GDPR)
Under the UK GDPR, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of your personal data | Email [email protected] |
| Rectification | Correct inaccurate data | Edit in-app or email us |
| Erasure | Request deletion of your data | Delete your account in-app, or email us |
| Portability | Receive your data in a structured format | Email [email protected] |
| Restriction | Limit how we process your data | Email [email protected] |
| Objection | Object to processing based on legitimate interest | Email [email protected] |
| Withdraw consent | Withdraw consent for location tracking, notifications, etc. | Disable in device settings or in-app |
We will respond to all requests within 30 days. To exercise any of these rights, contact us at [email protected].
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk.
7. Data Retention
- Account data: Retained for as long as your account is active. Deleted upon account deletion.
- Trip and log data: Retained for as long as your account is active. This is your logbook. We keep it until you tell us not to.
- Photos: Retained until you delete them or delete your account.
- Crash reports: Retained for 90 days by Firebase Crashlytics.
- Device tokens: Deleted when you log out or delete your account.
When you delete your account, we delete all associated personal data from our servers within 30 days. Local data on your device is removed when you uninstall the app.
8. Children's Privacy
Nautis is intended for adult sailors. The App is not designed or marketed for children. We do not currently restrict account creation by age. If you are a parent or guardian and believe your child has created an account without your consent, please contact us at [email protected] and we will delete the account and any associated data.
9. International Data Transfers
Your data may be transferred to and processed in countries outside the United Kingdom, including the United States (where Supabase, Firebase, Mapbox, and Google are based). These transfers are protected by:
- Standard Contractual Clauses (SCCs) adopted by the ICO
- Adequacy decisions where applicable
- The data protection frameworks of our service providers
10. Cookies and Tracking
The Nautis mobile app does not currently use cookies. Firebase Crashlytics collects diagnostic data only and is disabled in development builds.
We may incorporate analytics tools (such as Google Analytics or Google Analytics for Firebase) in the future to understand usage patterns and improve the App. If we do, we will update this Privacy Policy to reflect:
- What data the analytics tool collects
- How that data is used
- How you can opt out
We do not, and do not plan to, use advertising trackers or behavioural tracking tools intended for targeted advertising.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via the app or by email. The "Last Updated" date at the top of this policy indicates when it was last revised.
12. Contact Us
If you have questions about this Privacy Policy or how we handle your data:
Email: [email protected]
Support: [email protected]
Website: sailnautis.com