Privacy Policy
How Tagsia collects, uses, protects, and respects your personal data
1 Who We Are
Tagsia (“Tagsia”, “we”, “us”, or “our”) operates the website www.tagsia.com and the Maritime Cyber Risk Assessment platform (CyRA), providing cyber risk assessment tools, compliance documentation, and intelligence resources for the maritime industry.
Tagsia is the Data Controller for personal data processed through this website and its associated services. Our registered address and data protection contact details are provided in Section 13.
We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and any other applicable data protection laws.
2 Data We Collect
2.1 Account Registration Data
When you create a free or paid account, we collect:
- First name and last name
- Email address
- Company or organisation name (optional)
- Username (auto-generated from your name)
- Password (stored as a one-way cryptographic hash — we cannot read your password)
- Account tier and subscription status
2.2 CyRA Assessment Data
When you use the Maritime CyRA tool, we store:
- System and equipment names and classifications
- Vessel name and IMO number (optional)
- Questionnaire responses (threat, vulnerability, impact assessments)
- Computed risk scores, CIA ratings, and assessor notes
- Assessment dates and authors
2.3 Payment Data
For paid subscriptions (Tier 1 and Tier 2), payment processing is handled by SureCart and their payment processors (including Stripe). We do not store your payment card details. We receive only non-sensitive billing confirmation data (subscription status, plan type, transaction reference).
2.4 Usage and Technical Data
We automatically collect certain technical data when you use our services:
| Data Type | Purpose | Retention |
|---|---|---|
| IP address | Security audit logging, fraud prevention | 90 days |
| Browser type / OS | Service compatibility and analytics | 13 months |
| Pages visited, timestamps | Service improvement, analytics | 13 months |
| REST API access logs | Security monitoring, abuse detection | 90 days |
| Error logs | Debugging and service quality | 30 days |
2.5 Communications Data
If you contact us by email or through a contact form, we retain correspondence for the purpose of responding and maintaining a record of communications. We will not use your contact details for marketing without your explicit consent.
3 How We Use Your Data
We use your personal data for the following purposes:
- Service delivery: Creating and managing your account, providing access to CyRA and member resources aligned to your subscription tier
- Authentication and security: Verifying your identity, detecting and preventing fraud, abuse, and unauthorised access
- Payment processing: Facilitating subscription purchases and renewals through SureCart/Stripe
- Communication: Sending transactional emails (account creation, password reset, subscription confirmation), and service announcements where we have a legitimate interest in sending them or you have given consent
- Product improvement: Understanding how users interact with the CyRA tool to improve its accuracy, usability, and regulatory alignment
- Legal compliance: Meeting our obligations under applicable law, including responding to lawful requests from authorities
- Audit trail: Maintaining security audit logs of data access events for accountability and incident response
We do not sell your personal data to any third party. We do not use your data for advertising profiling or share it with advertising networks.
4 Legal Basis for Processing (GDPR)
We rely on the following legal bases under Article 6 GDPR:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Contract (Art. 6(1)(b)) — necessary to provide the service you requested |
| CyRA assessment storage | Contract (Art. 6(1)(b)) |
| Payment processing | Contract (Art. 6(1)(b)) |
| Security logging and fraud prevention | Legitimate interests (Art. 6(1)(f)) — protecting the platform and its users |
| Service improvement analytics | Legitimate interests (Art. 6(1)(f)) — improving product quality |
| Marketing emails (where applicable) | Consent (Art. 6(1)(a)) — you may withdraw at any time |
| Legal obligations (e.g. responding to authorities) | Legal obligation (Art. 6(1)(c)) |
5 Data Sharing & Third Parties
We share your personal data only where necessary, and only with the following categories of recipients:
5.1 Service Providers (Data Processors)
| Provider | Role | Data Shared | Location |
|---|---|---|---|
| SureCart / Stripe | Payment processing & subscription management | Email, billing info, subscription status | USA (SCCs apply) |
| WordPress hosting provider | Web hosting & database | All account and assessment data (encrypted at rest) | EU/EEA preferred |
| Email delivery service | Transactional email delivery | Email address, name | EU/EEA or SCCs |
All service providers are bound by Data Processing Agreements (DPAs) and are contractually required to process data only on our instructions and in compliance with GDPR.
5.2 Legal Disclosures
We may disclose your data to law enforcement, regulators, or courts where required by law, or to protect the rights, property, or safety of Tagsia, its users, or the public.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to a successor entity. You will be notified via email and/or a prominent notice on our website prior to any such transfer, and you will retain your rights under this policy.
6 Security & Encryption
We take the security of your data seriously, particularly given the sensitive nature of maritime cyber risk assessment findings. Our security measures include:
- AES-256-GCM encryption at rest: All CyRA assessment payload data is encrypted before database storage using authenticated encryption. The encryption key is stored separately from the database and is not accessible to hosting staff.
- HTTPS/TLS in transit: All communications between your browser and our servers are encrypted using TLS 1.2 or higher.
- Access controls: Assessment data is logically segregated by user account. No user can access another user’s data through the application layer.
- Authentication: Passwords are hashed using WordPress’s bcrypt implementation. We never store plaintext passwords.
- Audit logging: All data access, creation, and deletion events are recorded in a security audit log with user ID, IP address, and timestamp.
- REST API security: All API endpoints require authenticated sessions and WordPress nonce verification to prevent cross-site request forgery.
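The encryption-at-rest design described above (AES-256-GCM authenticated encryption of the assessment payload before it reaches the database, with the key held outside the database) is illustrated by the following added example. It is not Tagsia's or CyRA's code, which runs on WordPress/PHP; Go is used here because its standard library has AES-GCM built in. The environment variable name CYRA_ENC_KEY, the stored-blob layout (version byte, 12-byte nonce, ciphertext, 16-byte tag), and the use of the record ID as additional authenticated data are all assumptions made for the example, as is the sample payload.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// formatVersion is the first byte of every stored blob, so the layout can change
// later (e.g. on key rotation) without guessing how older rows were written.
const formatVersion = 1

// LoadKey reads a hex-encoded 32-byte AES-256 key from an environment variable.
// The key lives in the process environment or a secrets manager, never in the
// database that holds the ciphertext. CYRA_ENC_KEY is an assumed name, not Tagsia's.
func LoadKey(envVar string) ([]byte, error) {
	h := os.Getenv(envVar)
	if h == "" {
		return nil, fmt.Errorf("%s is not set", envVar)
	}
	key, err := hex.DecodeString(h)
	if err != nil {
		return nil, fmt.Errorf("%s is not valid hex: %w", envVar, err)
	}
	if len(key) != 32 {
		return nil, errors.New("key must be exactly 32 bytes for AES-256")
	}
	return key, nil
}

// NewRandomKey generates a fresh 32-byte key (used by the stand-alone demo and tests).
func NewRandomKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// newGCM rejects anything but a 32-byte key so the cipher is always AES-256, not AES-128/192.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be exactly 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one assessment payload. The record ID is passed as additional
// authenticated data (AAD): it is not encrypted, but a ciphertext copied into a
// different record's row will fail to open. Assumed blob layout:
//   version (1 byte) || nonce (12 bytes) || ciphertext || GCM tag (16 bytes)
func Seal(key, plaintext []byte, recordID string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh nonce per row; never reuse one under the same key
		return nil, err
	}
	out := make([]byte, 0, 1+len(nonce)+len(plaintext)+aead.Overhead())
	out = append(out, formatVersion)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or record ID makes
// the GCM authentication check fail, so a tampered or misfiled row is rejected
// instead of being decrypted to garbage; the version byte is checked explicitly.
func Open(key, blob []byte, recordID string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < 1+ns+aead.Overhead() {
		return nil, errors.New("stored blob too short to be valid")
	}
	if blob[0] != formatVersion {
		return nil, fmt.Errorf("unsupported blob format version %d", blob[0])
	}
	nonce, ct := blob[1:1+ns], blob[1+ns:]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := LoadKey("CYRA_ENC_KEY")
	if err != nil {
		fmt.Println("CYRA_ENC_KEY not set; using a throwaway random key for this demo")
		if key, err = NewRandomKey(); err != nil {
			panic(err)
		}
	}
	// Constructed sample payload for the demo; not real assessment data.
	payload := []byte(`{"system":"ECDIS","threat":4,"vulnerability":3,"impact":5,"score":7.4}`)
	recordID := "cyra_assessment:42"
	blob, err := Seal(key, payload, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes: version=%d nonce=%x\n", len(blob), blob[0], blob[1:13])
	pt, err := Open(key, blob, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted: %s\n", pt)
	if _, err := Open(key, blob, "cyra_assessment:43"); err != nil {
		fmt.Println("blob moved to another record rejected:", err)
	}
	blob[len(blob)-1] ^= 0x01 // flip one bit of the GCM tag
	if _, err := Open(key, blob, recordID); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The two negative cases in main are the point of choosing an authenticated mode: with plain AES-CBC a flipped bit or a swapped row would decrypt silently to altered data, whereas GCM refuses to return anything. Binding the record ID as AAD is what stops a database-level attacker from reordering encrypted rows between accounts without ever touching the key.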
Despite our measures, no system is completely secure. In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, as required by GDPR Article 33, and, where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, as required by Article 34.
7 Data Retention
We retain your personal data only for as long as necessary for the purposes set out in this policy:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (name, email, company) | Duration of account + 2 years after deletion request | Contract, legal compliance |
| CyRA assessment records | Duration of account; deleted upon account deletion request | Contract |
| Payment records | 7 years (EU tax / accounting law requirement) | Legal obligation |
| Security audit logs | 90 days | Legitimate interests |
| Server/access logs | 30 days | Legitimate interests |
| Email communications | 3 years | Legitimate interests |
When data is no longer required, it is securely deleted or anonymised. Anonymised, aggregated data (e.g. aggregate risk statistics with no individual identifiers) may be retained indefinitely for product improvement.
8 Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights. To exercise any of these rights, contact us at privacy@tagsia.com. We will respond within 30 days.
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements.
- Right to restriction of processing (Art. 18): Request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON export).
- Right to object (Art. 21): Object to processing based on legitimate interests, including at any time to processing for direct marketing.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint (Art. 77): Complain to your national data protection authority.
9 Cookies & Tracking Technologies
Our website uses cookies and similar tracking technologies. We use the following categories:
| Category | Purpose | Examples | Consent Required |
|---|---|---|---|
| Strictly Necessary | Login sessions, security tokens, shopping cart | WordPress session cookie, WP nonce | No (essential) |
| Functional | Remembering preferences and settings | Language preference | No (legitimate interest) |
| Analytics | Understanding how visitors use the site | Google Analytics (if used) | Yes |
| Payment | SureCart / Stripe checkout functionality | Stripe session cookie | No (contract necessity) |
You can manage cookie preferences through our cookie consent banner or your browser settings. Note that disabling strictly necessary cookies will prevent login and checkout functionality.
10 International Data Transfers
Some of our service providers (including SureCart and Stripe) may process data in the United States or other countries outside the EU/EEA. In such cases, we ensure appropriate safeguards are in place, specifically:
- Standard Contractual Clauses (SCCs) as approved by the European Commission under GDPR Article 46(2)(c)
- Adequacy decisions where applicable
- Binding Corporate Rules where appropriate
We do not transfer your data to countries that do not provide an adequate level of data protection without implementing appropriate safeguards.
11 Children’s Privacy
Our services are designed for maritime industry professionals and are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately at privacy@tagsia.com and we will delete it promptly.
12 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the “Last Updated” date at the top of this document
- Send registered users a notification email at least 14 days before the change takes effect
- Post a prominent notice on our website
Your continued use of our services after changes take effect constitutes acceptance of the revised policy. If you do not agree with material changes, you may delete your account and request erasure of your data before the effective date.
13 Contact & Data Protection
For any questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data, please contact us:
Tagsia — Data Protection Contact
Email: privacy@tagsia.com
Website: www.tagsia.com/contact
If you are not satisfied with our response, you have the right to lodge a complaint with your national supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.
