Privacy Policy
How Tagsia collects, uses, protects, and respects your personal data
Table of Contents
1 Who We Are
“Tagsia” (“we“, “us“, or “our“) is the trading name under which Sven Steigner operates the website www.tagsia.com and its associated maritime OT cybersecurity tools, including the Maritime Cyber Risk Assessment tool (CyRA), the CBS Network Risk Assessor (CBS Assessor), and the E26 Search tool.
Sven Steigner is the Data Controller for personal data processed through this website and its associated services. Tagsia is not currently operated through a registered company — it is operated by Sven Steigner as an individual. Data protection contact details are provided in Section 13.
We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and any other applicable data protection laws.
2 Data We Collect
2.1 Account Registration Data
When you create a free account, we collect:
- First name and last name
- Email address
- Company or organisation name (optional)
- Username (auto-generated from your name)
- Password (stored as a one-way cryptographic hash — we cannot read your password)
- Date of registration
2.2 Assessment Data
When you use the CyRA or CBS Assessor tools, all assessment data — including system names, vessel information, questionnaire responses, risk scores, topology data, and notes — is stored exclusively in your browser’s local storage on your own device.
2.3 Payment Data
No paid subscriptions are currently available. No payment data of any kind is collected at this time. When commercial plans launch in the future, this section will be updated to describe payment processing arrangements, and you will be notified in advance.
2.4 Usage and Technical Data
We automatically collect certain technical data when you use our services:
| Data Type | Purpose | Retention |
|---|---|---|
| IP address | Security, bot/fraud protection (via Cloudflare) | Per Cloudflare’s security policies |
| API access logs | Security monitoring, abuse detection (AI rate limit enforcement) | 90 days |
| Error logs | Debugging and service quality | 30 days |
2.5 Communications Data
If you contact us by email or through the contact form, we retain correspondence for the purpose of responding and maintaining a record of communications. We will not use your contact details for marketing without your explicit consent.
3 How We Use Your Data
We use your personal data for the following purposes:
- Service delivery: Creating and managing your account, providing access to tools and member resources
- Authentication and security: Verifying your identity, detecting and preventing fraud, abuse, and unauthorised access
- AI rate limit enforcement: Tracking daily AI analysis usage per account to enforce the 5-per-day limit on the CBS Assessor
- Communication: Sending transactional emails (account creation, password reset), and service announcements where you have a legitimate interest or have given consent
- Product improvement: Understanding how the tools are used to improve usability and regulatory alignment — based on anonymised, aggregated usage data only
- Legal compliance: Meeting our obligations under applicable law, including responding to lawful requests from authorities
- Audit trail: Maintaining security logs of access events for accountability and incident response
We do not sell your personal data to any third party. We do not use your data for advertising profiling or share it with advertising networks.
4 Legal Basis for Processing (GDPR)
We rely on the following legal bases under Article 6 GDPR:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Contract (Art. 6(1)(b)) — necessary to provide the service you requested |
| AI analysis rate limit tracking | Contract (Art. 6(1)(b)) — necessary to deliver the service within stated limits |
| Security logging and fraud prevention | Legitimate interests (Art. 6(1)(f)) — protecting the platform and its users |
| Web Analytics (non-EU visitors only) | Legitimate interests (Art. 6(1)(f)) — improving product quality; not applicable to EU/EEA visitors as this tool is disabled for them |
| Marketing emails (where applicable) | Consent (Art. 6(1)(a)) — you may withdraw at any time |
| Legal obligations (e.g. responding to authorities) | Legal obligation (Art. 6(1)(c)) |
5 Data Sharing & Third Parties
We share your personal data only where necessary, and only with the following categories of recipients:
5.1 Service Providers (Data Processors)
| Provider | Role | Data Shared | Location |
|---|---|---|---|
| Hostinger | Web hosting & database | Account registration data, access logs | EU/EEA |
| Cloudflare | Security, bot protection, content delivery, privacy-focused Web Analytics (non-EU visitors only) | IP address, technical request data | Global network; EU visitor data excluded from Web Analytics |
| Email delivery service | Transactional email delivery | Email address, name | EU/EEA or SCCs |
Assessment data is never shared with any third party because it never leaves your device. All service providers are bound by Data Processing Agreements (DPAs) or equivalent terms and are contractually required to process data only on our instructions and in compliance with GDPR.
When commercial plans launch, a payment processor (SureCart/Stripe) will be added to this table and you will be notified.
5.2 Legal Disclosures
We may disclose your data to law enforcement, regulators, or courts where required by law, or to protect the rights, property, or safety of Tagsia, its users, or the public.
5.3 Business Transfers
In the event of a sale of the Tagsia website or its assets, or its transfer to a newly formed company, personal data may be transferred to a successor entity. You will be notified via email and/or a prominent notice on our website prior to any such transfer, and you will retain your rights under this policy.
6 Security
We take the security of your account data seriously. Our security measures include:
- HTTPS/TLS in transit: All communications between your browser and our servers are encrypted using TLS 1.2 or higher.
- Password hashing: Passwords are hashed using bcrypt. We never store plaintext passwords and cannot read your password.
- Access controls: Account data is logically segregated by user. No user can access another user’s account through the application layer.
- Authentication: All gated API endpoints require authenticated sessions and WordPress nonce verification to prevent cross-site request forgery.
- Audit logging: Security-relevant events (login, API access, rate limit hits) are recorded with user ID, IP address, and timestamp.
Since assessment data is stored exclusively in your browser and never transmitted to our servers, there is no server-side risk of assessment data being exposed in a breach. The only personal data held server-side is your registration data (name, email, company).
In the event of a personal data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33–34.
7 Data Retention
We retain your personal data only for as long as necessary for the purposes set out in this policy:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (name, email, company) | Duration of account + 30 days after deletion request | Contract, legal compliance |
| Assessment data (CyRA, CBS Assessor) | Not applicable — stored in your browser only, never on our servers | N/A |
| AI rate limit counters | 24 hours (daily reset) | Contract |
| Security audit logs | 90 days | Legitimate interests |
| Error logs | 30 days | Legitimate interests |
| Web Analytics data (non-EU visitors) | Per Cloudflare’s own retention policy | Legitimate interests |
| Email communications | 3 years | Legitimate interests |
When data is no longer required, it is securely deleted or anonymised. Anonymised, aggregated data (e.g. Web Analytics statistics with no individual identifiers) may be retained for as long as it remains useful for product improvement.
8 Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
Request a copy of all personal data we hold about you.
Request correction of inaccurate or incomplete personal data.
Request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements.
Request that we restrict processing of your data in certain circumstances.
Receive your account data in a structured, machine-readable format. Note: assessment data is already in your browser — export it directly using the tool’s Export function.
Object to processing based on legitimate interests, including for direct marketing.
Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
Lodge a complaint with your national data protection authority (e.g. your country’s DPA).
9 Cookies & Tracking Technologies
Our website currently sets only strictly necessary cookies. We do not use analytics cookies, advertising cookies, or any cross-site tracking cookies.
| Category | Purpose | Examples | Consent Required |
|---|---|---|---|
| Strictly Necessary | Security, bot/abuse protection, and login session management | cf_clearance (Cloudflare), WordPress session cookie, WP nonce | No (essential) |
Our Cloudflare Web Analytics tool, described in Section 2.4, does not use cookies and is therefore not listed in the table above. It is excluded entirely for EU/EEA visitors.
Payment cookies (SureCart/Stripe) are not present during the current content-first phase as no commerce is active. They will be added to this table when the shop launches.
You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies will prevent login functionality.
10 International Data Transfers
Our primary hosting is within the EU/EEA. Cloudflare operates a global network for security and content delivery; data relating to EU/EEA visitors is excluded from Cloudflare’s Web Analytics product, though IP address data necessarily passes through Cloudflare’s network as part of its core security and delivery function. Cloudflare’s data transfer safeguards are described in its own privacy policy.
In the current content-first phase, the only other potential international transfer is transactional email delivery, for which we apply Standard Contractual Clauses (SCCs) where the provider operates outside the EU/EEA.
When commercial plans launch and payment processors are introduced, this section will be updated to describe any further US data transfers and the safeguards in place (SCCs as approved by the European Commission under GDPR Article 46(2)(c)).
We do not transfer your data to countries that do not provide an adequate level of data protection without implementing appropriate safeguards.
11 Children’s Privacy
Our services are designed for maritime industry professionals and are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately at [email protected] and we will delete it promptly.
12 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the “Last Updated” date at the top of this document
- Send registered users a notification email at least 14 days before the change takes effect
- Post a prominent notice on our website
Material changes include: introduction of payment processing, formation of a registered company to operate Tagsia, changes to data storage practices, new third-party processors, or changes to retention periods.
Your continued use of our services after changes take effect constitutes acceptance of the revised policy. If you do not agree with material changes, you may delete your account and request erasure of your data before the effective date.
13 Contact & Data Protection
For any questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data, please contact us:
Sven Steigner — Data Protection Contact
Operating as: Tagsia
Email: [email protected]
Website: www.tagsia.com/contact
If you are not satisfied with our response, you have the right to lodge a complaint with your national supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.
