Privacy Policy
Last updated: April 2026
1. Who we are
Boaty Jobs (“we”, “us”, “our”) is a specialist marine industry job board operated from Ireland. Our registered office is at [Registered Address, Ireland — to be inserted before launch].
We act as a data controllerin respect of personal data we collect from users of this website (“the Service”). We are subject to the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and, where applicable, the Irish Data Protection Acts 1988 to 2018.
Our designated data protection contact is: privacy@boatyjobs.com
2. What personal data we collect and why
We collect personal data only for specified, explicit, and legitimate purposes. The following table describes the categories of data we process, together with the legal basis under Article 6 GDPR.
| Data category | Purpose | Legal basis |
|---|---|---|
| Name and email address | Creating and managing your account; sending transactional emails | Performance of a contract (Art. 6(1)(b)) |
| CV / résumé | Enabling job applications; stored in a private encrypted bucket; never publicly accessible | Consent (Art. 6(1)(a)); performance of a contract |
| Profile photograph | Displaying on your public Crewfinder profile (if you opt in to crewfinder visibility) | Consent (Art. 6(1)(a)) |
| Crewfinder profile data (certifications, experience, availability, bio) | Displaying your profile to recruiters browsing the Crewfinder board, only when you have opted in to crewfinder visibility | Consent (Art. 6(1)(a)) |
| Job application data (cover letter, applied job, application status) | Facilitating the application process between job seekers and employers | Performance of a contract (Art. 6(1)(b)) |
| Saved jobs list | Allowing you to bookmark and revisit job listings | Legitimate interests (Art. 6(1)(f)) — service feature expected by users |
| Job notification preferences | Sending you email alerts for new matching jobs | Legitimate interests (Art. 6(1)(f)); you may opt out at any time in account settings |
| Payment data (billing name, last 4 digits of card, transaction reference) | Processing payments for featured and premium job listings; fraud prevention; tax and legal obligations | Performance of a contract; legal obligation (Art. 6(1)(c)) |
| Usage and analytics data (page views, session data, device type) | Understanding how users interact with the Service so we can improve it | Consent (Art. 6(1)(a)) — only collected after cookie consent is given |
| GDPR consent record (consent flag and timestamp) | Demonstrating compliance with our accountability obligations | Legal obligation (Art. 6(1)(c)) |
3. Data retention
- Active accounts: personal data is retained for as long as your account is active.
- Deleted accounts: when you delete your account, a soft-delete flag is applied immediately. Your profile is deactivated and removed from all public views. After a 30-day grace period, all personal data associated with your account is permanently and irreversibly purged from our systems, except where we are required by law to retain certain records.
- Job applications: application records are retained for 12 months after the associated job listing expires, after which they are anonymised (the link to your user record is removed).
- Payment records: transaction records are retained for 7 years in accordance with Irish taxation and accounting requirements.
- Analytics data: aggregated and anonymised after 26 months.
4. Who we share your data with
We do not sell, rent, or trade your personal data. We share data only with the following sub-processors and only to the extent necessary for the purposes described above:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting, file storage (CVs, photos), and authentication | EU region (Frankfurt) |
| Stripe Inc. | Payment processing for employer listing tiers | EU (Ireland) data residency options available |
| Resend Inc. | Transactional email delivery (account notifications, application updates) | United States — covered by EU Standard Contractual Clauses |
We may also disclose your data if required by law, court order, or to protect the rights, property, or safety of Boaty Jobs, our users, or the public.
5. International transfers
Where personal data is transferred outside the European Economic Area (EEA), we ensure adequate safeguards are in place. For transfers to Resend (US), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. Supabase stores data within the EU (Frankfurt region) and no transfer outside the EEA is required for core database operations.
6. Your rights under GDPR
As a data subject under the GDPR, you have the following rights:
- Right of access (Art. 15):you may request a copy of the personal data we hold about you. Job seekers can use the “Download my data” feature in their account dashboard for an immediate export.
- Right to rectification (Art. 16): you may correct inaccurate or incomplete personal data via your account settings at any time.
- Right to erasure / right to be forgotten (Art. 17):you may request deletion of your account and all associated personal data using the “Delete my account” button in your account dashboard. Hard deletion occurs within 30 days.
- Right to restriction of processing (Art. 18): you may request that we restrict processing of your data in certain circumstances (e.g. while a dispute is pending).
- Right to data portability (Art. 20):you may request your data in a structured, machine-readable format. Job seekers can use the “Download my data” feature to receive a JSON export immediately.
- Right to object (Art. 21): you may object to processing based on legitimate interests, including direct marketing and analytics.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at privacy@boatyjobs.com. We will respond within one month as required by Art. 12 GDPR.
7. Complaints
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with the Irish supervisory authority:
Data Protection Commission (DPC)21 Fitzwilliam Square South
Dublin 2, D02 RD28
Ireland
www.dataprotection.ie
8. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These include encryption at rest and in transit, row-level security policies on our database, private storage buckets for CVs, and access controls limiting data access to authorised personnel only.
9. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified to registered users by email at least 14 days before the change takes effect. The “Last updated” date at the top of this page will always reflect the most recent revision.
⚠ This is a placeholder privacy policy for development purposes. A qualified solicitor with GDPR expertise should review and finalise this document before live launch.