1. About this policy
This Privacy Policy explains how Procursea Group (“Procursea”, “we”, “us” or “our”) collects, uses, shares, and protects personal data when you use the Procursea platform, mobile application, websites at procursea.com and procursea.app, and any related services (together, the “Service”).
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU GDPR.
2. Who we are (data controller)
For the purposes of UK data protection law, the data controller is:
Procursea Group
United Kingdom
Email: info@procursea.com
3. Personal data we collect
We collect the following categories of personal data:
3.1 Account data — name, email address, role/title, yacht assignment, profile photo, hashed password, authentication tokens.
3.2 Operational data you create — inventory entries, photographs of equipment, supplier details, RFQs, quotes, purchase orders, invoices, approvals, audit log entries, and any free-text notes you add.
3.3 Communications data — emails sent to or received from suppliers via integrated mail accounts (Outlook, Gmail), and support correspondence with us.
3.4 Device and usage data — IP address, browser type, device type, operating system, pages viewed, actions taken, timestamps, approximate location derived from IP.
3.5 Payment data — billing contact, subscription tier, and transaction history. Card details are handled directly by our payment processor (Stripe) and we never store full card numbers.
4. How we use your personal data and our lawful bases
Under UK GDPR Article 6, we rely on one of the following lawful bases for each processing activity:
4.1 Performance of contract — to create and manage your account, deliver the Service, process subscriptions, and provide customer support.
4.2 Legitimate interests — to secure the Service, prevent fraud and abuse, improve our product, generate aggregated analytics, and communicate service updates. We balance these against your rights.
4.3 Legal obligation — to keep accounting records, respond to lawful requests from regulators, and comply with tax law.
4.4 Consent — for optional cookies, marketing emails, and any processing where consent is the appropriate basis. You may withdraw consent at any time.
5. Sharing with third parties (processors)
We share personal data only with vetted service providers acting as our processors under contract, and only to the extent necessary to provide the Service:
- Stripe, Inc. — payment processing.
- Neon, Inc. — managed PostgreSQL database hosting.
- Replit, Inc. — application hosting and deployment.
- Microsoft (Outlook) and Google (Gmail) — only when you choose to connect a mailbox for supplier communications.
- OpenAI, Anthropic, and Google AI — for the AI inventory scanner, item identification, and assistant features, using product and inventory data and images. Inputs are sent on a per-request basis and are not used to train these providers’ models. Data from connected Gmail or Outlook mailboxes is never sent to these AI providers.
- Email and notification providers — for transactional email delivery.
We do not sell your personal data and we do not share it for third-party advertising.
6. Google user data and limited use
When you choose to connect a Google (Gmail) account, Procursea requests two permissions:
- Send email on your behalf (gmail.send) — used only to send the Request-for-Quotation (RFQ) and purchase-order emails that you compose and send from within Procursea, so suppliers receive them from, and reply to, your own email address.
- Read-only access to Gmail (gmail.readonly) — used only to retrieve suppliers’ replies in the specific email threads that Procursea created, so that quotations and their attachments appear back in Procursea against the correct request. Procursea does not scan, index, or read the rest of your mailbox.
Google access and refresh tokens are encrypted (AES-256-GCM) before storage and are deleted when you disconnect the integration. Email content we retrieve is used solely to populate the corresponding request inside your Procursea account.
Limited Use. Procursea’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- we do not use Google user data for serving advertisements;
- we do not allow humans to read this data, except with your explicit consent, for security purposes, to comply with applicable law, or where the data is aggregated and anonymised for internal operations in line with our privacy obligations;
- we do not sell this data;
- we do not use it to train any generalised or third-party AI or machine-learning models; and
- we do not transfer it to third parties except as necessary to provide or improve these features, to comply with applicable law, or as part of a merger or acquisition.
Microsoft (Outlook) mailbox data, when you connect an Outlook account, is handled on the same principles: used solely to send your procurement emails and retrieve supplier replies, never sold, never used for advertising, and never used to train AI models.
7. International data transfers
Some of our processors are located outside the United Kingdom and European Economic Area, principally in the United States. Where we transfer personal data outside the UK / EEA, we rely on UK International Data Transfer Agreements, the EU Standard Contractual Clauses, or an adequacy decision, together with appropriate technical and organisational safeguards.
8. Data retention
We retain personal data only for as long as necessary for the purpose for which it was collected:
- Account data — for the life of your account, and up to 12 months after closure for legal and dispute-resolution purposes.
- Procurement records (RFQs, POs, invoices) — for 6 years after creation, to meet UK accounting and tax record-keeping rules.
- Connected-mailbox data (Gmail/Outlook tokens and retrieved supplier replies) — retained only while the integration is connected; tokens are deleted on disconnection.
- Audit logs — for up to 24 months.
- Support correspondence — for up to 36 months.
- Backups — encrypted, retained on a rolling basis up to 90 days.
9. Your rights under UK GDPR
You have the following rights in respect of your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your personal data, subject to legal retention obligations.
- Restriction — limit how we use your data while a query is being resolved.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — at any time where we rely on consent.
- Lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.
To exercise any of these rights, email info@procursea.com. We will respond within one month.
10. Cookies and similar technologies
We use strictly necessary cookies for authentication, session management, and security. We do not use third-party advertising cookies. Where we use analytics cookies to understand usage, we request your consent and you can decline without affecting access to the Service.
11. Security
We protect personal data with industry-standard technical and organisational measures, including TLS encryption in transit, encryption at rest for the database and backups (including AES-256-GCM encryption of connected-mailbox tokens), role-based access control, audit logging, and least-privilege access for our engineers. No system can be guaranteed 100% secure, but we continually review and improve our controls.
12. Children’s privacy
The Service is intended for use by adult professional crew. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided personal data to us, please contact us and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page will reflect the most recent revision. Material changes will be notified to you by email or in-product banner before they take effect.
14. Contact us
For any privacy-related question, request, or concern, contact:
Procursea Group
Email: info@procursea.com
Subject line: “Privacy request”
© 2026 Procursea Group. All rights reserved.