Privacy Policy
How Tagsia collects, uses, protects, and respects your personal data
1 Who We Are
Tagsia (“Tagsia”, “we”, “us”, or “our”) operates the website www.tagsia.com and its associated maritime OT cybersecurity tools, including the Maritime Cyber Risk Assessment tool (CyRA), the CBS Network Risk Assessor (CBS Assessor), and the E26 Search tool.
Tagsia is the Data Controller for personal data processed through this website and its associated services. Our data protection contact details are provided in Section 13.
We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and any other applicable data protection laws.
2 Data We Collect
2.1 Account Registration Data
When you create a free account, we collect:
- First name and last name
- Email address
- Company or organisation name (optional)
- Username (auto-generated from your name)
- Password (stored as a one-way cryptographic hash — we cannot read your password)
- Date of registration
2.2 Assessment Data
When you use the CyRA or CBS Assessor tools, all assessment data — including system names, vessel information, questionnaire responses, risk scores, topology data, and notes — is stored exclusively in your browser’s local storage on your own device. It is not transmitted to our servers, which also means that clearing your browser’s site data will remove it; use the tool’s Export function if you want to keep a copy.
2.3 Payment Data
No paid subscriptions are currently available. No payment data of any kind is collected at this time. When commercial plans launch in the future, this section will be updated to describe payment processing arrangements, and you will be notified in advance.
2.4 Usage and Technical Data
We automatically collect certain technical data when you use our services:
| Data Type | Purpose | Retention |
|---|---|---|
| IP address | Security audit logging, fraud prevention | 90 days |
| Browser type / OS | Service compatibility and analytics | 13 months |
| Pages visited, timestamps | Service improvement, analytics | 13 months |
| API access logs | Security monitoring, abuse detection (AI rate limit enforcement) | 90 days |
| Error logs | Debugging and service quality | 30 days |
2.5 Communications Data
If you contact us by email or through the contact form, we retain correspondence for the purpose of responding and maintaining a record of communications. We will not use your contact details for marketing without your explicit consent.
3 How We Use Your Data
We use your personal data for the following purposes:
- Service delivery: Creating and managing your account, providing access to tools and member resources
- Authentication and security: Verifying your identity, detecting and preventing fraud, abuse, and unauthorised access
- AI rate limit enforcement: Tracking daily AI analysis usage per account to enforce the 5-per-day limit on the CBS Assessor
- Communication: Sending transactional emails (account creation, password reset), and service announcements where we have a legitimate interest or you have given consent
- Product improvement: Understanding how users interact with the tools to improve usability and regulatory alignment — based on anonymised, aggregated usage data only
- Legal compliance: Meeting our obligations under applicable law, including responding to lawful requests from authorities
- Audit trail: Maintaining security logs of access events for accountability and incident response
We do not sell your personal data to any third party. We do not use your data for advertising profiling or share it with advertising networks.
4 Legal Basis for Processing (GDPR)
We rely on the following legal bases under Article 6 GDPR:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Contract (Art. 6(1)(b)) — necessary to provide the service you requested |
| AI analysis rate limit tracking | Contract (Art. 6(1)(b)) — necessary to deliver the service within stated limits |
| Security logging and fraud prevention | Legitimate interests (Art. 6(1)(f)) — protecting the platform and its users |
| Service improvement analytics | Legitimate interests (Art. 6(1)(f)) — improving product quality |
| Marketing emails (where applicable) | Consent (Art. 6(1)(a)) — you may withdraw at any time |
| Legal obligations (e.g. responding to authorities) | Legal obligation (Art. 6(1)(c)) |
5 Data Sharing & Third Parties
We share your personal data only where necessary, and only with the following categories of recipients:
5.1 Service Providers (Data Processors)
| Provider | Role | Data Shared | Location |
|---|---|---|---|
| Hostinger | Web hosting & database | Account registration data, access logs | EU/EEA |
| Email delivery service | Transactional email delivery | Email address, name | EU/EEA, or outside the EU/EEA under SCCs |
Assessment data is never shared with any third party because it never leaves your device. All service providers are bound by Data Processing Agreements (DPAs) and are contractually required to process data only on our instructions and in compliance with GDPR.
When commercial plans launch, a payment processor (SureCart/Stripe) will be added to this table and you will be notified.
5.2 Legal Disclosures
We may disclose your data to law enforcement, regulators, or courts where required by law, or to protect the rights, property, or safety of Tagsia, its users, or the public.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to a successor entity. You will be notified via email and/or a prominent notice on our website prior to any such transfer, and you will retain your rights under this policy.
6 Security
We take the security of your account data seriously. Our security measures include:
- HTTPS/TLS in transit: All communications between your browser and our servers are encrypted using TLS 1.2 or higher.
- Password hashing: Passwords are hashed using bcrypt. We never store plaintext passwords and cannot read your password.
- Access controls: Account data is logically segregated by user. No user can access another user’s account through the application layer.
- Authentication: All gated API endpoints require authenticated sessions and WordPress nonce verification to prevent cross-site request forgery.
- Audit logging: Security-relevant events (login, API access, rate limit hits) are recorded with user ID, IP address, and timestamp.
Since assessment data is stored exclusively in your browser and never transmitted to our servers, there is no server-side risk of assessment data being exposed in a breach. The personal data held server-side is limited to your registration data (name, email, company) and the usage and technical data described in Section 2.4 (IP addresses, access and error logs, and AI rate limit counters).
In the event of a personal data breach affecting your rights and freedoms, we will notify the relevant supervisory authority and you within 72 hours of becoming aware of it, in line with GDPR Articles 33 and 34.
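To make the authentication, rate-limit and audit-logging measures above concrete, here is an added illustration of how a gated WordPress REST endpoint can enforce them. It is not Tagsia’s code; the route name (`tagsia/v1/cbs/analyze`), the user-meta key, the function names and the `error_log` audit sink are hypothetical, while the logged-in-session requirement, nonce verification, the 5-per-day limit with a daily reset, and the user ID / IP / timestamp audit fields are the ones this policy describes.

```php
<?php
// Added illustration (not Tagsia's code): a gated WordPress REST endpoint that
// requires a logged-in session, verifies the REST nonce to block cross-site
// request forgery, enforces a per-account limit of 5 AI analyses per UTC day
// (so the counter resets daily), and records an audit event carrying only the
// user ID, client IP address and timestamp.
// Route name, meta key and the audit sink are hypothetical.

const TAGSIA_AI_DAILY_LIMIT = 5;
const TAGSIA_AI_META_KEY    = '_tagsia_ai_usage'; // hypothetical user-meta key

add_action( 'rest_api_init', function () {
    register_rest_route( 'tagsia/v1', '/cbs/analyze', array(
        'methods'             => 'POST',
        'callback'            => 'tagsia_cbs_analyze',
        'permission_callback' => 'tagsia_cbs_permission',
    ) );
} );

/** Reject anonymous callers and requests without a valid REST nonce. */
function tagsia_cbs_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    // The nonce is bound to the logged-in session: a forged cross-site POST
    // carries the session cookie automatically but cannot carry a valid nonce.
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( ! $nonce || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
        tagsia_audit( 'nonce_failure', get_current_user_id() );
        return new WP_Error( 'rest_cookie_invalid_nonce', 'Invalid nonce.', array( 'status' => 403 ) );
    }
    return true;
}

/** Enforce the daily limit, then hand off to the (hypothetical) analysis. */
function tagsia_cbs_analyze( WP_REST_Request $request ) {
    $user_id = get_current_user_id();
    tagsia_audit( 'api_access', $user_id );

    $today = gmdate( 'Y-m-d' );
    $usage = get_user_meta( $user_id, TAGSIA_AI_META_KEY, true );
    // A counter from an earlier day is stale: start the new day at zero.
    if ( ! is_array( $usage ) || ( $usage['day'] ?? '' ) !== $today ) {
        $usage = array( 'day' => $today, 'count' => 0 );
    }
    if ( $usage['count'] >= TAGSIA_AI_DAILY_LIMIT ) {
        tagsia_audit( 'rate_limit_hit', $user_id );
        return new WP_Error( 'tagsia_rate_limited', 'Daily AI analysis limit reached.', array( 'status' => 429 ) );
    }
    $usage['count']++;
    update_user_meta( $user_id, TAGSIA_AI_META_KEY, $usage );

    // Placeholder for the actual analysis call.
    return rest_ensure_response( array(
        'remaining' => TAGSIA_AI_DAILY_LIMIT - $usage['count'],
    ) );
}

/** Audit record: event name, user ID, client IP and UTC timestamp, nothing else. */
function tagsia_audit( $event, $user_id ) {
    $entry = array(
        'event'   => $event,
        'user_id' => (int) $user_id,
        'ip'      => sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '' ),
        'ts'      => gmdate( 'c' ),
    );
    error_log( 'tagsia-audit ' . wp_json_encode( $entry ) ); // stand-in for a real log sink
}
```

Two practitioner notes. WordPress’s own cookie authentication for the REST API already checks `X-WP-Nonce` and treats a request without a valid nonce as unauthenticated, so the explicit check in `tagsia_cbs_permission` is belt-and-braces that makes the requirement visible in the endpoint itself. The read-then-update of the user-meta counter is not atomic: two near-simultaneous requests can both read `count = 4` and both be allowed, so a production implementation should increment the counter in a single database statement (or under a lock) rather than in PHP. The audit entry deliberately records only the fields Section 6 lists; the assessment content is never part of it.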
7 Data Retention
We retain your personal data only for as long as necessary for the purposes set out in this policy:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (name, email, company) | Duration of account + 30 days after deletion request | Contract, legal compliance |
| Assessment data (CyRA, CBS Assessor) | Not applicable — stored in your browser only, never on our servers | N/A |
| AI rate limit counters | 24 hours (daily reset) | Contract |
| Security audit logs | 90 days | Legitimate interests |
| Server/access logs | 30 days | Legitimate interests |
| Email communications | 3 years | Legitimate interests |
When data is no longer required, it is securely deleted or anonymised. Anonymised, aggregated data (e.g. page view statistics with no individual identifiers) may be retained indefinitely for product improvement.
8 Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
- Right of access: Request a copy of all personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete personal data.
- Right to erasure: Request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements.
- Right to restriction: Request that we restrict processing of your data in certain circumstances.
- Right to data portability: Receive your account data in a structured, machine-readable format. Note: assessment data is already in your browser — export it directly using the tool’s Export function.
- Right to object: Object to processing based on legitimate interests, including for direct marketing.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
- Right to complain: Lodge a complaint with your national data protection authority (e.g. your country’s DPA).
9 Cookies & Tracking Technologies
Our website uses cookies and similar tracking technologies. We use the following categories:
| Category | Purpose | Examples | Consent Required |
|---|---|---|---|
| Strictly Necessary | Login sessions, security tokens | WordPress session cookie, WP nonce | No (essential) |
| Functional | Remembering preferences and settings | Language preference | No (legitimate interest) |
| Analytics | Understanding how visitors use the site | Analytics cookies (if used) | Yes |
Payment cookies (SureCart/Stripe) are not present during the current content-first phase as no commerce is active. They will be added to this table when the shop launches.
You can manage cookie preferences through our cookie consent banner or your browser settings. Disabling strictly necessary cookies will prevent login functionality.
10 International Data Transfers
Our primary hosting is within the EU/EEA. In the current content-first phase, the only potential international transfer is transactional email delivery, for which we apply Standard Contractual Clauses (SCCs) where the provider operates outside the EU/EEA.
When commercial plans launch and payment processors are introduced, this section will be updated to describe any US data transfers and the safeguards in place (SCCs as approved by the European Commission under GDPR Article 46(2)(c)).
We do not transfer your data to countries that do not provide an adequate level of data protection without implementing appropriate safeguards.
11 Children’s Privacy
Our services are designed for maritime industry professionals and are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately at [email protected] and we will delete it promptly.
12 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the “Last Updated” date at the top of this document
- Send registered users a notification email at least 14 days before the change takes effect
- Post a prominent notice on our website
Material changes include: introduction of payment processing, changes to data storage practices, new third-party processors, or changes to retention periods.
Your continued use of our services after changes take effect constitutes acceptance of the revised policy. If you do not agree with material changes, you may delete your account and request erasure of your data before the effective date.
13 Contact & Data Protection
For any questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data, please contact us:
Tagsia — Data Protection Contact
Email: [email protected]
Website: www.tagsia.com/contact
If you are not satisfied with our response, you have the right to lodge a complaint with your national supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.
