Privacy Policy

Information We Collect

Account information: when you create an account we collect your email address and display name. Authentication is handled through Microsoft Entra External ID; we receive only the identity claims required to sign you in (no password is stored by Afloat).

App content you create: vessel profile (name, dimensions, propulsion, hull material, registration number, home port, notes), engines, safety equipment, inventory items, maintenance tasks and events, emergency contacts, and trip records.

Location information: when you actively log a trip, Afloat records GPS coordinates and timestamps so you can review your trip history and build a record of where you have been. Location collection only occurs while the app is in active use; Afloat does not track your location in the background, and Afloat does not share live location with any third party.

Crash reports and diagnostics: when the app crashes or encounters an error, Afloat records the stack trace, device model, operating system version, and app version so we can fix bugs. Crash reports do not include your name, email, vessel data, trip data, location coordinates, authentication tokens, or other personal identifiers — these are scrubbed from each report before it leaves your device.

Device identifiers: build number, app version, OTA update channel, and operating system version — used to verify which build you are running and to attach to crash reports for debugging.

How We Use Your Information

Provide the core functionality of Afloat: store and synchronize your vessel records, inventory, maintenance schedule, trips, and readiness score across your devices.

Authenticate you and keep your account secure.

Send you transactional communications related to your account (for example, account-deletion confirmation).

Diagnose crashes and reliability issues so we can ship fixes.

Comply with applicable laws and respond to lawful requests.

Afloat does not use your personal information to display advertising, and Afloat does not sell your personal information.

Third-Party Service Providers

Afloat uses a small set of service providers to operate the app. Each provider processes data only on Afloat's behalf and under contract.

Microsoft Entra External ID (Microsoft Corporation) — handles sign-in and identity. Microsoft receives your email address and authentication events. Microsoft's privacy practices: https://privacy.microsoft.com/.

Sentry (Functional Software, Inc.) — receives crash reports and diagnostics from the mobile app to help us fix bugs. Crash reports are scrubbed of personal identifiers before transmission. Sentry is hosted in the United States. Sentry's privacy practices: https://sentry.io/privacy/.

Microsoft Azure (Microsoft Corporation) — hosts Afloat's backend servers and database in the Canada Central region. Your account and app content are stored on Microsoft Azure infrastructure within Canada.

Expo / EAS (650 Industries, Inc.) — distributes the mobile app build and over-the-air updates. Expo does not receive your personal information; it receives only build and update metadata.

Cross-Border Data Transfers

Most of your personal information stays in Canada: your account, vessel records, trip history, and inventory are stored on Microsoft Azure servers in the Canada Central region.

Crash reports are sent to Sentry, which processes them in the United States. Crash reports are scrubbed of personal identifiers (name, email, vessel data, trip data, location coordinates, and authentication tokens are removed) before transmission, but the data is nonetheless processed outside Canada and may therefore be subject to lawful requests by U.S. authorities. By using Afloat, you acknowledge this transfer.

Data Storage and Retention

Afloat is offline-first. Most app content is stored on your device in a local database and synchronized to our backend when you are online.

We retain your account and app content for as long as your account is active. When you delete your account through the app, we permanently delete your account record and app content from our backend within 30 days. Your authentication record at Microsoft Entra is deleted as part of the same process.

Encrypted database backups may persist for up to 30 days after deletion to protect against data loss; backups are then permanently destroyed.

Crash reports retained by Sentry are kept for up to 90 days and then deleted automatically.

Your Choices and Rights

Access and correct your information: you can view and edit your profile, vessel data, inventory, and trip records at any time inside the app.

Delete your account: tap More → Account → Delete account. This removes your account, your content, and your authentication record at Microsoft Entra. This action cannot be undone.

Withdraw location consent: you can revoke Afloat's location permission at any time from your device's system settings. Trip logging relies on this permission and will be unavailable until it is re-granted. All other features of Afloat continue to work without location access.

Export your data: contact support@afloat.ca for a copy of the personal information we hold about you.

Lodge a complaint: if you believe Afloat has not handled your personal information appropriately, you can contact our Privacy Officer at privacy@afloat.ca and, if unresolved, file a complaint with the Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca/). California and other US-state residents can also escalate to their state attorney general.

US Residents (California, Virginia, Colorado, Connecticut, Utah)

If you are a resident of California or another US state with comprehensive privacy law, you have specific rights in addition to those described above.

Right to know — you can request a copy of the personal information Afloat holds about you, including categories collected, sources, purposes, and the categories of third parties with whom it has been shared (in our case: Microsoft, Sentry, and Expo, as described in the Third-Party Service Providers section above).

Right to delete — you can request that Afloat delete the personal information we hold about you. You can do this from inside the app (More → Account → Delete account) or by submitting a request to privacy@afloat.ca. Carve-outs in the law (legal obligation, fraud detection, etc.) may apply in rare cases.

Right to correct — you can correct inaccurate personal information from inside the app (vessel details, account information, emergency contacts) or by emailing privacy@afloat.ca.

Right to limit use of sensitive personal information — Afloat collects precise geolocation, which is classified as sensitive under California law. We limit our use of this data to trip logging while you are actively using the app. We do not use precise location for profiling, targeted advertising, inferences about your preferences, or sale or sharing with any third party. You can stop this collection at any time by revoking the location permission in your device settings.

Right to opt out of the sale or sharing of personal information — Afloat does not sell or share your personal information with any third party. Because no sale or sharing occurs, there is no opt-out to apply. We honor Global Privacy Control (GPC) browser signals by default.

Right to non-discrimination — we will not discriminate against you for exercising any of these rights. Service quality, pricing, and features remain the same regardless of any rights request.

Authorized agent — you can appoint an authorized agent to submit a request on your behalf. The agent must provide written authorization (power of attorney, notarized letter, or signed authorization). We will verify your identity before processing the request.

Verification — to protect your account, we verify your identity before honoring a request. The standard method is sending a confirmation email to the address on file; you reply from that address to confirm. We may use alternative verification (in-app sign-in, account-data confirmation) where standard verification is not possible.

How to exercise these rights — email privacy@afloat.ca with the subject line beginning with "Privacy Request:" (for example, "Privacy Request: Deletion"). We will respond within 45 days. If we cannot verify your identity with reasonable confidence, we will notify you.

Security

All network traffic between Afloat, our backend, and our service providers is transmitted over TLS (HTTPS).

Authentication tokens are stored on your device using the operating system's secure credential storage (Android Keystore on Android, Keychain on iOS).

Backend data is encrypted at rest by Microsoft Azure.

No system is perfectly secure. If we become aware of a security breach affecting your personal information, we will notify you and the Office of the Privacy Commissioner of Canada as required by law.

Children's Privacy

Afloat is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, contact support@afloat.ca and we will delete the information.

Changes to This Policy

We may update this policy as Afloat evolves. When we do, we update the date at the top of this page. For material changes that affect how we use or share your personal information, we will notify you in the app or by email before the change takes effect.

Contact

Privacy Officer: Andrew Jefferies. For questions about this policy or to exercise any of the rights described above, email privacy@afloat.ca.

General app support and other questions: support@afloat.ca.

Mailing address: Critical Impact Inc., 156 Leeland Way, Fredericton, NB E3A 5M7, Canada.