Datenschutzrichtlinie

1. Who We Are (Data Controller)

MarineTech Balearics ("MarineTech", "we", "us", or "our") is a product of Fusion Metrics Inc., the entity acting as the data controller under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Spain's Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights ("LOPDGDD").

We have not appointed a Data Protection Officer (DPO) as our processing activities do not meet the mandatory thresholds of GDPR Article 37. You can direct any data protection query to the privacy contact above; a human will read and respond.

2. Personal Data We Collect

We collect the following categories of personal data:

• Account data: name, email, hashed password. If you register via Google, we receive name, email, and profile picture from Google.
• Business listing data (business users only): business name, address, phone, website, description, photos, opening hours, services offered.
• User content: reviews, ratings, favourites, stock uploads.
• Usage data: pages visited, interactions, referrer, IP address, browser and device info, timestamps. Collected automatically.
• Location data: only if you enable browser geolocation to find nearby services; coordinates are used on-demand and not stored against your account.
• Chatbot interactions: the text of messages you send to our Claude-powered assistant, our responses, token counts, and latency — for debugging and service improvement.
• Cookies: see section 5 for a full table of cookies and their purposes.

We do not knowingly collect special categories of personal data (Art. 9 GDPR) such as health, political opinions, or religious beliefs. Please do not submit such data through reviews or support requests.

3. Why We Process Your Data (Purposes & Legal Bases)

Under GDPR Article 6, every processing purpose must have a legal basis. Ours are as follows:

4. Our Legitimate Interests

Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. Our legitimate interests are: (i) keeping the platform secure and free from abuse, (ii) preventing fraud, (iii) basic aggregated product analytics for reliability (distinct from marketing analytics, which is consent-based), and (iv) responding to customer support requests. You have the right to object to any processing based on legitimate interests — see section 9.

5. Cookies and Similar Technologies

A cookie banner asks for your choice before any non-essential cookie is set. You can change that choice at any time via "Cookie Settings" in the footer.

For the precise list and duration of Google cookies, consult Google's cookie policy.

6. Who Receives Your Data (Processors & Third Parties)

We do not sell personal data. We share it only with the processors below, each bound by a data-processing agreement (or an equivalent legal basis):

• Google LLC — Google Analytics 4 (analytics), Google AdSense (advertising), Google OAuth (optional sign-in), Google Places (for our business-discovery scraping of publicly listed businesses). Privacy Policy.
• Mapbox, Inc. — interactive map rendering. Privacy Policy.
• Anthropic, PBC — the Claude model that powers our chatbot. Your chat messages are sent to Anthropic's US-hosted API. Privacy Policy.
• Amazon Web Services, Inc. — our hosting infrastructure (EC2 instance in eu-west-1, Dublin).
• Competent authorities and courts — only where strictly required by law.

7. International Data Transfers

Google LLC, Mapbox Inc., and Anthropic PBC are established in the United States. Where your personal data is transferred outside the European Economic Area, it is protected by one or more of the following safeguards under GDPR Chapter V:

• EU-US Data Privacy Framework (DPF) — where the recipient is self-certified. Google LLC is DPF-certified; see dataprivacyframework.gov.
• Standard Contractual Clauses (SCCs) — European Commission-approved contract clauses, used where DPF does not apply.
• Supplementary measures where necessary (encryption in transit, access controls).

You may request a copy of the relevant safeguards by emailing privacy@marinetech.es.

8. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

9. Your Rights Under GDPR

Regardless of where you are in the EEA, you have the following rights:

• Access (Art. 15) — receive a copy of the data we hold on you.
• Rectification (Art. 16) — correct inaccurate data.
• Erasure / "right to be forgotten" (Art. 17).
• Restriction of processing (Art. 18).
• Data portability (Art. 20) — receive your data in a machine-readable format.
• Object (Art. 21) — particularly to processing based on legitimate interests or to direct marketing.
• Withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of processing that took place before.
• Not be subject to automated decision-making (Art. 22) — see section 11.
• Complain to a supervisory authority. You can lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos — AEPD), C/ Jorge Juan 6, 28001 Madrid, Spain — www.aepd.es. You may also complain to the supervisory authority of your country of habitual residence.

To exercise any right, email privacy@marinetech.es. We respond within one month (extendable to three months for complex requests, GDPR Art. 12(3)). We may ask for reasonable proof of identity before acting on a request.

10. Is Providing Your Data Required?

Browsing MarineTech does not require an account. Creating an account requires an email address and password — without them we cannot provide the account. Creating a business listing requires the information shown on the public listing (name, address, contact, etc.) because its purpose is to be displayed publicly. No other data is contractually or statutorily required.

11. Automated Decision-Making and Profiling

We do not subject you to decisions based solely on automated processing — including profiling — that produce legal or similarly significant effects on you (GDPR Art. 22). Our chatbot and ranking algorithms make recommendations only; they do not make decisions about you.

12. Security

We implement appropriate technical and organisational measures to protect personal data (GDPR Art. 32), including HTTPS/TLS for all traffic, password hashing (bcrypt), access controls, security headers, CSRF protection, rate limiting, and regular dependency updates. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the AEPD without undue delay and, where required, notify you directly.

13. Children's Privacy

MarineTech is not directed at minors. In Spain, under LOPDGDD Art. 7, the age of digital consent is 14. We do not knowingly process personal data of anyone under 14, or under 16 elsewhere in the EEA. If you believe a child has provided us personal data, contact privacy@marinetech.es and we will delete it.

14. Data We Did Not Collect from You

Our business-discovery pipeline (see our Terms) uses Google Places and public websites to build a pending list of marine businesses for admin review. Where this information includes a sole trader's personal data (for example, a business address that is also the trader's home), the source is public Google Places data or the business's own public website. If you are a sole trader and would like your listing removed or corrected, email privacy@marinetech.es.

15. Changes to This Policy

We may update this Privacy Policy. Material changes will be announced on the site and reflected in the "Last updated" date at the top. We recommend reviewing the policy periodically.

16. Contact