Privacy Policy

Last updated: March 12, 2026

ArcNautical ("we", "us", "our") operates the ArcNautical maritime intelligence platform at arcnautical.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

1. Information We Collect

Account Information: When you register, we collect your email address, company name, and password (stored as a salted cryptographic hash, never in plaintext).

Usage Data: We collect information about how you use the platform, including voyage queries, fleet configurations, alert settings, and report generation activity. This data is tied to your account and used to provide the service.

API Access Logs: When you use our API, we log request metadata (endpoint, timestamp, IP address) for rate limiting, security monitoring, and service improvement.

Vessel Data: Fleet vessel information (IMO numbers, MMSI, vessel names) that you configure for monitoring. This is operational data necessary to provide alerting and tracking services.

Analytics Data: Through our analytics provider (PostHog), we collect page views, feature interactions, performance metrics, anonymized error diagnostics, and session replays used to diagnose usability issues. In session replays, all text inputs — including email, password, and IMO fields — are masked and are never recorded. See Section 8 for details.

2. How We Use Your Information

• To provide and maintain the ArcNautical platform and its features
• To compute voyage risk scores, fleet assessments, and threat intelligence
• To deliver alerts and webhook notifications you have configured
• To generate PDF reports you have requested
• To send email verification and password reset communications
• To monitor and prevent abuse, fraud, and unauthorized access
• To improve and optimize the platform based on aggregate usage patterns

3. Data Sources

ArcNautical aggregates publicly available maritime intelligence data from sources including:

• GDELT Project (conflict event data)
• IMB Piracy Reporting Centre, ReCAAP, UKMTO (piracy incident data)
• NGA (navigational warnings, world port index)
• OFAC, UN, EU, OpenSanctions (sanctions screening data)
• Open-Meteo (marine weather forecasts)
• GDACS, NOAA NHC (natural disaster events)
• GLEIF (corporate ownership data)
• AIS vessel position data (via licensed AISStream feed)

All external data sources are publicly accessible or used under their respective terms of service.

4. Data Sharing

We do not sell, rent, or trade your personal information to third parties.

We may share information only in the following circumstances:

• Webhook Delivery: Alert data is sent to webhook URLs you have explicitly configured.
• Email Delivery: Report emails are sent via our SMTP provider to recipients you have configured.
• Product Analytics: Usage events, error diagnostics, and masked session replays are processed by our analytics sub-processor, PostHog, Inc. (United States). This data is used only to operate and improve ArcNautical and is never sold or used for third-party advertising.
• Legal Compliance: When required by law, regulation, or valid legal process.

5. Data Security

We implement industry-standard security measures including:

• Passwords hashed with scrypt (N=16384) with random salts
• API keys hashed with SHA-256 before storage
• Session tokens generated with cryptographically secure randomness
• HMAC-SHA256 webhook signature verification
• TLS encryption for all data in transit
• Rate limiting on authentication endpoints
• Per-customer data isolation in the database

6. Data Retention

• Account data: Retained for the lifetime of your account
• Vessel position history: 90 days
• Dark activity events: 1 year
• Chokepoint throughput data: 1 year
• Natural disaster events: 90 days
• Voyage risk score cache: 2 hours
• Session tokens: 7 days from creation

Automated data retention is enforced by a daily cleanup process.

7. Your Rights

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Request deletion of your account and associated data
• Export your fleet configurations and alert settings
• Withdraw consent for non-essential data processing

To exercise these rights, contact us at [email protected].

8. Cookies & Analytics

ArcNautical uses essential browser storage (localStorage) to maintain your session token and application preferences.

Product analytics & session replay. We use PostHog to understand how our marketing site and platform are used so we can improve them. We capture page views, feature interactions, performance and error diagnostics, and session replays. In session replays, all text inputs — including email, password, and IMO fields — are masked and never recorded. Analytics are routed through our own domain rather than a third-party advertising cookie, and we do not track you across other websites. If you provide your email (by creating an account or requesting a vessel dossier), it is linked to your analytics profile so we can connect your activity to your account; it is never sold or used for third-party advertising.

Analytics are processed by our sub-processor PostHog, Inc. (United States). To opt out of non-essential analytics, contact [email protected].

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date.

10. Contact

If you have questions about this Privacy Policy, contact us at:
[email protected]