1. Who we are
BoatHire24 is a boat charter marketplace operated by X24Consulting OÜ, a company registered in Estonia under registry code 16971898, with registered office at Lossi 8-3, Põltsamaa 48103, Estonia. We connect boat owners (“Hosts”) with people who want to charter boats (“Guests”). Our platform is accessible at boathire24.com and associated subdomains.
For the purposes of EU data protection law (GDPR), X24Consulting OÜ (trading as BoatHire24) is the data controller for personal data collected through our platform. Questions about this policy can be sent to info@boathire24.com.
2. Data we collect
We collect the following categories of personal data:
Account information
- Full name, email address, and password (hashed — we never store plain-text passwords)
- Profile photo (optional)
- Phone number (optional, used for booking communications)
- Bio and host information (if you list a boat)
Booking and transaction data
- Booking details: dates, duration, guest count, special requests
- Payment data — handled entirely by Stripe. We receive a tokenised reference only; we never see or store your full card number
- Stripe Connect payout information (for Hosts — bank details go directly to Stripe, not us)
Usage data
- Pages visited, search queries, filters applied, listings viewed
- Device type, browser, operating system, IP address
- Referral source and marketing attribution
Communications
- Messages exchanged with other users through our messaging system
- Emails sent to our support address
- Reviews and ratings you submit
3. How we use your data
We use your personal data for the following purposes:
- To provide the service: creating and managing your account, processing bookings, facilitating payments, connecting Guests with Hosts
- To communicate with you: booking confirmations, receipts, host notifications, support replies, system updates
- To improve the platform: analysing usage patterns, fixing bugs, testing new features, fraud detection
- To comply with the law: meeting tax, anti-money-laundering, and maritime regulatory obligations
- Marketing (with your consent): sending newsletters, promotional offers, and charter inspiration — you can opt out at any time
We rely on the following legal bases under GDPR: contract performance (to fulfil your booking), legitimate interests (platform security, fraud prevention, analytics), legal obligation (tax records, regulatory compliance), and consent (marketing emails, optional cookies).
4. Sharing your data
We share personal data only in the following circumstances:
- With the other party in a booking: Guests receive the Host's name and marina contact details after a confirmed booking; Hosts receive the Guest's name and booking details
- Stripe: our payment processor. Stripe processes all card and bank transactions. Their privacy policy governs how they handle your financial data
- Supabase: our database and authentication infrastructure provider. Data is stored on Supabase servers in the EU
- Resend: our transactional email provider, used for booking confirmations and notifications
- Vercel: our hosting provider. Web traffic passes through Vercel's infrastructure
- Legal authorities: if required by law, court order, or to protect the safety of users or the public
We do not sell your personal data. We do not share it with advertisers or data brokers.
5. Cookies
We use cookies and similar tracking technologies to operate the platform and improve your experience. The categories we use are:
- Essential cookies: required for login sessions, booking flow, and security. Cannot be disabled
- Functional cookies: remember your preferences (language, filter settings)
- Analytics cookies: measure which pages are visited and how users navigate (with your consent)
You can manage cookie preferences through our consent banner or your browser settings. Disabling non-essential cookies will not prevent you from using the platform.
6. Data retention
We keep your personal data for as long as necessary to provide the service and meet our legal obligations:
- Account data: retained while your account is active and for 2 years after account deletion (fraud prevention)
- Booking records: 7 years from the charter date (tax and financial regulatory requirements)
- Messages: 3 years from the date of the related booking
- Marketing data: until you unsubscribe or withdraw consent
7. Your rights
Under GDPR, you have the following rights regarding your personal data:
- Access: request a copy of the data we hold about you
- Rectification: ask us to correct inaccurate data
- Erasure: ask us to delete your data (“right to be forgotten”), subject to legal retention obligations
- Restriction: ask us to limit how we process your data in certain circumstances
- Portability: receive your data in a machine-readable format
- Objection: object to processing based on legitimate interests or for marketing purposes
- Withdraw consent: at any time where processing is based on consent
To exercise any of these rights, email info@boathire24.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority (in Spain: the AEPD — aepd.es).
8. Security
We implement technical and organisational measures to protect your personal data, including: TLS encryption for all data in transit, encrypted storage for sensitive data at rest, strict row-level security on our database (users can only access their own data), regular security reviews, and limited internal access to personal data on a need-to-know basis.
No system is completely secure. If you discover a security vulnerability, please report it to info@boathire24.com immediately.
9. International transfers
Our core infrastructure (Supabase database) is hosted within the European Union. Some of our service providers (Stripe, Vercel, Resend) operate globally and may process data outside the EU. Where this occurs, we rely on Standard Contractual Clauses or equivalent safeguards approved by the European Commission.
10. Children
BoatHire24 is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify registered users by email of any material changes and update the “Last updated” date above. Continued use of the platform after changes take effect constitutes acceptance of the revised policy.
12. Contact
For any privacy-related questions, data subject requests, or concerns:
Registry code: 16971898
Lossi 8-3, Põltsamaa 48103, Estonia
info@boathire24.com
