Privacy Policy

1. Introduction

MyCruiseScout ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our website and services.

We are the data controller responsible for your personal information. This means we determine how and why your personal data is processed. If you have any questions about this policy or how we handle your data, please contact us at info@mycruisescout.co.uk.

By using MyCruiseScout, you acknowledge that you have read and understood this Privacy Policy. Where we rely on your consent, we will ask for it separately and you may withdraw it at any time.

2. Data Controller Information

If you have concerns about how we process your personal data, you have the right to complain to the Information Commissioner's Office (ICO).

3. What Personal Data We Collect

We collect different types of personal information depending on how you interact with our services:

3.1 Information You Provide Directly

• Account Registration: Username, full name, email address, and password stored securely through our authentication provider
• Profile Information: Optional profile details you choose to provide, such as past cruise count or saved preferences
• Payment Information: For Premium memberships, payment details are collected and processed by Stripe. We do not store your full payment card details on our own servers
• Contact Information: When you contact us, we collect your email address and any information you choose to include in your message
• Marketing Preferences: Your choices about whether you want to receive marketing emails or updates from us

3.2 Information Collected Automatically

• Login Activity: Sign-in times, session activity, login count, and authentication records
• Usage Data: Pages viewed, features used, deals viewed, saved items, clicks, and site interactions
• Technical Data: IP address, browser type, device type, operating system, approximate location inferred from IP, referral source, and diagnostic logs
• Cookies and Similar Technologies: Small text files and similar technologies stored on or accessed from your device

3.3 Information from Third Parties

• Google Sign-In: If you register or sign in using Google, we receive information such as your name, email address, and profile picture from Google
• Stripe: Payment status, subscription details, billing events, and limited transaction information needed to manage your subscription

4. Legal Bases for Processing Your Data

Under UK GDPR, we must have a valid legal basis for each use of your personal data. Depending on the purpose, we rely on one or more of the following:

• Contractual Necessity: Where processing is necessary to create and manage your account, provide access to our services, manage your subscription, or provide customer support
• Legitimate Interests: Where processing is necessary for our legitimate interests, such as improving our services, preventing fraud, maintaining security, understanding website usage, and administering our business
• Consent: Where required, including for certain marketing communications and non-essential cookies. You may withdraw consent at any time
• Legal Obligation: Where we need to comply with laws or regulations, including tax, accounting, fraud prevention, or responding to lawful requests from authorities

5. How We Use Your Personal Data

We use your personal information for the following purposes:

• Service Delivery: To create and manage your account, provide access to cruise deals, and deliver Premium membership features
• Authentication: To verify your identity and secure your account
• Payment Processing: To process Premium membership payments, manage subscriptions, and handle billing issues
• Communication: To respond to enquiries, send service messages, account notifications, security alerts, and support communications
• Service Improvement: To analyse usage patterns, monitor performance, troubleshoot problems, and improve the design and functionality of our services
• Security: To detect, prevent, and investigate fraud, abuse, security threats, unauthorised access, and technical issues
• Legal Compliance: To comply with legal obligations and to establish, exercise, or defend legal claims
• Marketing: To send you updates, news, or promotional emails where permitted and, where required, with your consent. You can opt out at any time

6. How We Store and Protect Your Data

We take data security seriously and implement appropriate technical and organisational measures to protect your personal information:

• Password Protection: Passwords are not stored in plain text and are protected using secure authentication measures
• Secure Transmission: Data transmitted between your device and our services is protected using SSL/TLS encryption
• Access Controls: Access to personal data is restricted to authorised persons who need it for legitimate business purposes
• Secure Infrastructure: We use providers such as Supabase for database and authentication infrastructure and Stripe for payment processing
• Monitoring and Updates: We maintain our systems and providers to help protect against unauthorised access and vulnerabilities
• Payment Security: Payment card details are processed by Stripe and are not stored on our own servers

While we take reasonable steps to protect your personal data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

7. Data Retention

We retain your personal data only for as long as necessary for the purposes for which it was collected, including to satisfy legal, regulatory, tax, accounting, or reporting requirements.

• Active Accounts: We keep your account data while your account remains active
• Closed Accounts: After account deletion, we aim to delete or anonymise personal data within 30 days unless we need to retain some information for legal, security, fraud prevention, or accounting reasons
• Payment Records: Financial and subscription records may be retained for up to 7 years to comply with tax and accounting requirements
• Marketing Data: We keep marketing preferences until you opt out, withdraw consent, or close your account, unless longer retention is required to maintain suppression records
• Legal and Security Records: Some records may be retained longer where necessary to investigate misuse, prevent fraud, or establish, exercise, or defend legal claims

You can request deletion of your account and associated data at any time by contacting us at info@mycruisescout.co.uk.

8. Your Rights Under UK GDPR

Under UK GDPR and the Data Protection Act 2018, you may have the following rights regarding your personal data:

To exercise any of these rights, please contact us at info@mycruisescout.co.uk. We will normally respond within one month. We may need to verify your identity before acting on your request.

9. Cookies and Similar Technologies

We use cookies and similar technologies to make our website work, keep it secure, remember preferences, and understand how it is used.

9.1 Types of Cookies We Use

• Strictly Necessary Cookies: Required for core website functionality, security, sign-in, session management, and services you have requested
• Performance or Analytics Cookies: Help us understand how visitors use our website so we can improve it. We only use these where required consent has been obtained
• Functional Cookies: Remember your preferences and settings to improve your experience. Where these are not strictly necessary, we only use them with your consent

9.2 Third-Party Cookies and Similar Technologies

Some technologies may be provided by third-party services used on our website, for example:

• Stripe: To support payment processing and fraud prevention
• Google OAuth: To support sign-in with Google accounts

9.3 Consent and Managing Cookies

Where required by law, we will ask for your consent before placing or using non-essential cookies or similar technologies. You can change your preferences at any time through our cookie controls, where available, or through your browser settings.

Disabling strictly necessary cookies may affect the operation of our website or prevent certain services from working properly.

10. Third-Party Data Sharing

We do not sell your personal data. We share personal data only where necessary with carefully selected service providers who help us operate our services.

We require our service providers to protect personal data appropriately and use it only as necessary for the relevant services or as otherwise permitted by law.

Other Circumstances for Sharing

We may also disclose personal data where necessary:

• To comply with legal obligations, court orders, or lawful requests from public authorities
• To protect our rights, property, users, or the public
• In connection with a business sale, merger, restructuring, or acquisition
• With your consent or at your direction

11. International Data Transfers

Some of our service providers may process or make personal data accessible outside the United Kingdom. Where this happens, we will only transfer personal data where permitted by UK data protection law and where appropriate safeguards are in place.

• Transfers to countries or territories covered by UK adequacy regulations
• Transfers subject to approved contractual safeguards, such as the International Data Transfer Agreement, Addendum, or other recognised transfer mechanisms where appropriate
• Other lawful transfer mechanisms or exceptions permitted under UK data protection law

12. Children's Privacy

Our services are not intended for anyone under the age of 18, and we do not knowingly collect personal data from children.

If we become aware that we have collected personal data from a child under 18, we will take reasonable steps to delete that information. If you believe this has happened, please contact us at info@mycruisescout.co.uk.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, technology, or legal requirements.

• We will update the "Last Updated" date at the top of this policy
• Where appropriate, we may notify account holders by email or through the website
• If a change requires consent under applicable law, we will request that consent

We encourage you to review this Privacy Policy periodically.

14. Contact Us and Data Protection Requests

If you have questions, concerns, or requests about this Privacy Policy or how we use personal data, please contact us:

To help us process your request, please include:

• Your full name and the email address associated with your account
• A clear description of your request or concern
• Any relevant supporting information

We may need to verify your identity before acting on your request.

15. Complaints and Regulatory Authority

If you are unhappy with how we have handled your personal data or your privacy concerns, you have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection matters.