Legal Document

Privacy Policy

How Tagsia collects, uses, protects, and respects your personal data

Effective Date: 2 April 2026 Last Updated: June 2026 Version: 1.2 Jurisdiction: EU / EEA (GDPR)
⚠ Content-First Phase. Tagsia is currently operating without paid subscriptions or commerce. No payment data is collected. Assessment data from CyRA and the CBS Assessor is stored exclusively in your browser — it never reaches our servers.

1 Who We Are

Tagsia” (“we“, “us“, or “our“) is the trading name under which Sven Steigner operates the website www.tagsia.com and its associated maritime OT cybersecurity tools, including the Maritime Cyber Risk Assessment tool (CyRA), the CBS Network Risk Assessor (CBS Assessor), and the E26 Search tool.

Sven Steigner is the Data Controller for personal data processed through this website and its associated services. Tagsia is not currently operated through a registered company — it is operated by Sven Steigner as an individual. Data protection contact details are provided in Section 13.

We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and any other applicable data protection laws.

2 Data We Collect

2.1 Account Registration Data

When you create a free account, we collect:

  • First name and last name
  • Email address
  • Company or organisation name (optional)
  • Username (auto-generated from your name)
  • Password (stored as a one-way cryptographic hash — we cannot read your password)
  • Date of registration

2.2 Assessment Data

When you use the CyRA or CBS Assessor tools, all assessment data — including system names, vessel information, questionnaire responses, risk scores, topology data, and notes — is stored exclusively in your browser’s local storage on your own device.

💾 Browser-Only Storage: Assessment data never leaves your device and is never transmitted to Tagsia servers. We have no access to, and do not store, any of your assessment content. You are solely responsible for backing up your data using the Export function provided in each tool.

2.3 Payment Data

No paid subscriptions are currently available. No payment data of any kind is collected at this time. When commercial plans launch in the future, this section will be updated to describe payment processing arrangements, and you will be notified in advance.

2.4 Usage and Technical Data

We automatically collect certain technical data when you use our services:

Data TypePurposeRetention
IP addressSecurity, bot/fraud protection (via Cloudflare)Per Cloudflare’s security policies
API access logsSecurity monitoring, abuse detection (AI rate limit enforcement)90 days
Error logsDebugging and service quality30 days
🌐 Web Analytics for non-EU visitors: We use Cloudflare Web Analytics, a privacy-focused analytics tool that does not use cookies and does not track individuals across sessions or sites. This tool is configured to exclude all visitors located in the EU/EEA — for EU/EEA visitors, no analytics script is loaded and no data is collected via this tool. For visitors located outside the EU/EEA, Cloudflare Web Analytics may collect aggregated data including page views, approximate country, browser type, and page load performance. This data is processed under Cloudflare’s own privacy policy, available at cloudflare.com/privacypolicy.

2.5 Communications Data

If you contact us by email or through the contact form, we retain correspondence for the purpose of responding and maintaining a record of communications. We will not use your contact details for marketing without your explicit consent.

3 How We Use Your Data

We use your personal data for the following purposes:

  • Service delivery: Creating and managing your account, providing access to tools and member resources
  • Authentication and security: Verifying your identity, detecting and preventing fraud, abuse, and unauthorised access
  • AI rate limit enforcement: Tracking daily AI analysis usage per account to enforce the 5-per-day limit on the CBS Assessor
  • Communication: Sending transactional emails (account creation, password reset), and service announcements where you have a legitimate interest or have given consent
  • Product improvement: Understanding how the tools are used to improve usability and regulatory alignment — based on anonymised, aggregated usage data only
  • Legal compliance: Meeting our obligations under applicable law, including responding to lawful requests from authorities
  • Audit trail: Maintaining security logs of access events for accountability and incident response

We do not sell your personal data to any third party. We do not use your data for advertising profiling or share it with advertising networks.

5 Data Sharing & Third Parties

We share your personal data only where necessary, and only with the following categories of recipients:

5.1 Service Providers (Data Processors)

ProviderRoleData SharedLocation
HostingerWeb hosting & databaseAccount registration data, access logsEU/EEA
CloudflareSecurity, bot protection, content delivery, privacy-focused Web Analytics (non-EU visitors only)IP address, technical request dataGlobal network; EU visitor data excluded from Web Analytics
Email delivery serviceTransactional email deliveryEmail address, nameEU/EEA or SCCs

Assessment data is never shared with any third party because it never leaves your device. All service providers are bound by Data Processing Agreements (DPAs) or equivalent terms and are contractually required to process data only on our instructions and in compliance with GDPR.

When commercial plans launch, a payment processor (SureCart/Stripe) will be added to this table and you will be notified.

5.2 Legal Disclosures

We may disclose your data to law enforcement, regulators, or courts where required by law, or to protect the rights, property, or safety of Tagsia, its users, or the public.

5.3 Business Transfers

In the event of a sale of the Tagsia website or its assets, or its transfer to a newly formed company, personal data may be transferred to a successor entity. You will be notified via email and/or a prominent notice on our website prior to any such transfer, and you will retain your rights under this policy.

6 Security

We take the security of your account data seriously. Our security measures include:

  • HTTPS/TLS in transit: All communications between your browser and our servers are encrypted using TLS 1.2 or higher.
  • Password hashing: Passwords are hashed using bcrypt. We never store plaintext passwords and cannot read your password.
  • Access controls: Account data is logically segregated by user. No user can access another user’s account through the application layer.
  • Authentication: All gated API endpoints require authenticated sessions and WordPress nonce verification to prevent cross-site request forgery.
  • Audit logging: Security-relevant events (login, API access, rate limit hits) are recorded with user ID, IP address, and timestamp.

Since assessment data is stored exclusively in your browser and never transmitted to our servers, there is no server-side risk of assessment data being exposed in a breach. The only personal data held server-side is your registration data (name, email, company).

In the event of a personal data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33–34.

7 Data Retention

We retain your personal data only for as long as necessary for the purposes set out in this policy:

Data CategoryRetention PeriodBasis
Account data (name, email, company)Duration of account + 30 days after deletion requestContract, legal compliance
Assessment data (CyRA, CBS Assessor)Not applicable — stored in your browser only, never on our serversN/A
AI rate limit counters24 hours (daily reset)Contract
Security audit logs90 daysLegitimate interests
Error logs30 daysLegitimate interests
Web Analytics data (non-EU visitors)Per Cloudflare’s own retention policyLegitimate interests
Email communications3 yearsLegitimate interests

When data is no longer required, it is securely deleted or anonymised. Anonymised, aggregated data (e.g. Web Analytics statistics with no individual identifiers) may be retained for as long as it remains useful for product improvement.

8 Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

📋 Right of Access (Art. 15)

Request a copy of all personal data we hold about you.

✏️ Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete personal data.

🗑️ Right to Erasure (Art. 17)

Request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements.

⏸ Right to Restriction (Art. 18)

Request that we restrict processing of your data in certain circumstances.

📦 Right to Portability (Art. 20)

Receive your account data in a structured, machine-readable format. Note: assessment data is already in your browser — export it directly using the tool’s Export function.

🚫 Right to Object (Art. 21)

Object to processing based on legitimate interests, including for direct marketing.

🤝 Right to Withdraw Consent

Where processing is based on consent, you may withdraw it at any time without affecting prior processing.

⚖️ Right to Complain

Lodge a complaint with your national data protection authority (e.g. your country’s DPA).

9 Cookies & Tracking Technologies

Our website currently sets only strictly necessary cookies. We do not use analytics cookies, advertising cookies, or any cross-site tracking cookies.

CategoryPurposeExamplesConsent Required
Strictly NecessarySecurity, bot/abuse protection, and login session managementcf_clearance (Cloudflare), WordPress session cookie, WP nonceNo (essential)

Our Cloudflare Web Analytics tool, described in Section 2.4, does not use cookies and is therefore not listed in the table above. It is excluded entirely for EU/EEA visitors.

Payment cookies (SureCart/Stripe) are not present during the current content-first phase as no commerce is active. They will be added to this table when the shop launches.

You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies will prevent login functionality.

10 International Data Transfers

Our primary hosting is within the EU/EEA. Cloudflare operates a global network for security and content delivery; data relating to EU/EEA visitors is excluded from Cloudflare’s Web Analytics product, though IP address data necessarily passes through Cloudflare’s network as part of its core security and delivery function. Cloudflare’s data transfer safeguards are described in its own privacy policy.

In the current content-first phase, the only other potential international transfer is transactional email delivery, for which we apply Standard Contractual Clauses (SCCs) where the provider operates outside the EU/EEA.

When commercial plans launch and payment processors are introduced, this section will be updated to describe any further US data transfers and the safeguards in place (SCCs as approved by the European Commission under GDPR Article 46(2)(c)).

We do not transfer your data to countries that do not provide an adequate level of data protection without implementing appropriate safeguards.

11 Children’s Privacy

Our services are designed for maritime industry professionals and are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately at [email protected] and we will delete it promptly.

12 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the “Last Updated” date at the top of this document
  • Send registered users a notification email at least 14 days before the change takes effect
  • Post a prominent notice on our website

Material changes include: introduction of payment processing, formation of a registered company to operate Tagsia, changes to data storage practices, new third-party processors, or changes to retention periods.

Your continued use of our services after changes take effect constitutes acceptance of the revised policy. If you do not agree with material changes, you may delete your account and request erasure of your data before the effective date.

13 Contact & Data Protection

For any questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data, please contact us:

Sven Steigner — Data Protection Contact

Operating as: Tagsia

Email: [email protected]

Website: www.tagsia.com/contact

If you are not satisfied with our response, you have the right to lodge a complaint with your national supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.

Scroll to Top