Privacy Policy

1. Who we are

ShoreBound is operated by Shore Bound Ltd.(“ShoreBound”, “we”, “us”, “our”), a private limited company registered in England and Wales under company number 17179727, with its registered office at:

Shore Bound Ltd. is the data controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For any privacy-related enquiries, contact us at hello@shoreboundtravel.com.

2. What data we collect

• Account data: your email address, a securely hashed password, and an optional display name. Provided by you when you create an account.
• Cruise itinerary data: ship name, cruise line, sailing dates, and port stops you enter, import, or that we extract from itineraries you share with us.
• Saved preferences: interests, saved listings, day plans, schedule selections, and onboarding choices.
• Subscription & billing data: your plan tier (free or premium), subscription status, and billing history. Card details and payment information are processed by our payment provider (Paddle) and are never seen or stored by us.
• Communications: messages you send us via email, feedback forms, or support requests.
• Usage & technical data: pages visited, features used, IP address, browser type, device type, and approximate location (city/country) derived from IP. Collected via server logs and product analytics.

3. How we use your data and our lawful basis

We process your personal data for the following purposes:

• To provide the service (account creation, saving itineraries, generating AI suggestions, processing payments). Lawful basis: performance of a contract.
• To communicate with you (transactional emails such as account verification, password resets, and billing receipts). Lawful basis: performance of a contract.
• To improve and secure the product (analytics, debugging, fraud prevention). Lawful basis: legitimate interests in running a functional, secure service.
• To send marketing emails (product updates, occasional newsletters). Lawful basis: consent. You can unsubscribe at any time using the link in any marketing email.
• To comply with legal obligations (tax, accounting, responding to lawful requests). Lawful basis: legal obligation.

4. Who we share your data with

We do not sell your personal data. We share data only with the following sub-processors necessary to run the service:

• Supabase (Supabase Inc.) — database and authentication hosting (EU region). Stores your account, preferences, and cruise data.
• Vercel (Vercel Inc.) — application hosting, edge functions, and server logs.
• Paddle (Paddle.com Market Ltd. / Paddle.com Inc.) — Merchant of Record for subscription payments. Paddle is the legal seller for Premium purchases and is responsible for collecting payment, charging applicable taxes (e.g. VAT, US sales tax), and processing refunds. Paddle's privacy policy is available at paddle.com/legal/privacy.
• Anthropic (Anthropic PBC) — AI-generated itinerary suggestions. Only non-identifying port and schedule metadata is sent; we do not transmit your name, email, or account ID.
• Resend (Resend Inc.) — transactional email delivery (account verification, password resets, receipts).
• Product analytics provider — anonymised usage events to help us improve the service. No personal identifiers are linked to these events beyond a random session ID.

We may also disclose your data where required by law, court order, or to protect the rights, property, or safety of Shore Bound Ltd., our users, or others.

5. International data transfers

Some of our sub-processors are based outside the UK (notably in the United States and the European Economic Area). When personal data is transferred outside the UK, we rely on one of the following legal safeguards:

• The UK's adequacy decision for transfers to the EEA;
• The UK Addendum to the EU Standard Contractual Clauses (SCCs) for transfers to other countries (including the United States);
• Where applicable, the UK Extension to the EU-US Data Privacy Framework.

Copies of the safeguards we rely on are available on request by emailing us.

6. Data retention

We retain your account data for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it by law (for example, billing and tax records, which we keep for six years under UK tax law). Anonymised analytics data may be retained indefinitely in aggregated form.

7. Your rights under UK GDPR

You have the right to:

• Access the personal data we hold about you;
• Correct inaccurate or incomplete data;
• Request erasure of your data (the “right to be forgotten”);
• Object to or restrict certain processing;
• Withdraw consent at any time where processing is based on consent;
• Data portability (receive your data in a machine-readable format);
• Lodge a complaint with a supervisory authority.

To exercise any of these rights, email hello@shoreboundtravel.com. We will respond within one month. You also have the right to lodge a complaint with the UK's Information Commissioner's Office (ico.org.uk).

8. Cookies and similar technologies

We use only the cookies and similar technologies strictly necessary to operate the service:

• Authentication cookies set by Supabase to keep you signed in.
• Preference cookies to remember settings such as your chosen theme.
• Anonymous analytics using first-party storage to measure aggregated feature use. No cross-site tracking, no advertising cookies, no third-party advertising networks.

Because we use only essential and first-party analytics with no advertising or cross-site tracking, no cookie consent banner is required under UK PECR. You can clear cookies at any time via your browser settings.

9. Children's privacy

ShoreBound is not directed at children. You must be at least 16 years old to create an account. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Data security

We take appropriate technical and organisational measures to protect your data, including TLS encryption in transit, encryption at rest, hashed passwords (bcrypt), access controls, and regular security reviews. No system is perfectly secure; if you suspect your account has been compromised, contact us immediately.

11. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page will reflect the most recent change. Material changes will be communicated by email or via an in-app notice. Continued use of the service after changes take effect constitutes acceptance.

12. Contact

For any questions about this policy or how we handle your data, contact us at hello@shoreboundtravel.com or by post at the registered office address above.