
Privacy Policy

This policy explains how CURSORIO collects and processes personal data through the Cursorio mobile application and web platform (app.cursorio.com).

Translation in progress. The Spanish version of this document is under legal review. In the meantime, we are publishing the English reference version. The French version is available.

This Privacy Policy explains how CURSORIO, a French société par actions simplifiée à associé unique (SASU), registered with the RCS of Cannes under number 913 138 640, with registered office at 21 rue des Muriers, 06110 Le Cannet, France ("Cursorio", "we", "us", "our"), collects and processes personal data through the Cursorio mobile application and web platform (app.cursorio.com) (the "Service").

We comply with the EU General Data Protection Regulation (GDPR) and the French Loi Informatique et Libertés.

1. Controller and Processor — important distinction

  • When we act as Controller: for data relating to account creation, authentication, and our own communications with you, we determine the purposes and means of processing and act as the data controller.
  • When we act as Processor: where an organization (e.g. a yacht-management company or vessel owner) uses the Service to manage its crew and vessels, that organization is generally the controller of the data it enters, and we act as a processor on its behalf, under a separate Data Processing Agreement. In that case, the organization's own privacy notice governs how it uses that data, and individuals should direct certain requests to that organization.

1 bis. Information when your data is provided to us by your employer or the organisation that operates the vessel

When a client organisation (manager, owner, placement agency) creates an account in your name, your professional identification data is provided to us by that organisation. In accordance with Article 14 GDPR, we provide you with the following information:

  • Source of the data: your employer, the vessel manager or the agency that enrolled you.
  • Categories of data collected via this source: last name, first name, professional email, role on board, assigned vessel, identifiers required for enrolment (seafarer's book number, nationality — optional).
  • You are informed of the creation of your account through an onboarding email that includes a link to this policy.
  • In this context, Cursorio acts as a processor for the controlling organisation. Requests relating to your data (access, rectification, erasure) should in principle be addressed first to that organisation, which determines the purposes of processing. We can assist by forwarding your request.

2. Data we collect

a) Account and profile data

Email address, name, password (stored hashed/encrypted), role (Owner / Manager / Captain / Collaborator), profile photo / avatar, and language/time-format preferences.

b) Hours of Rest (HoR) and work data

Rest and working hours, onboard/ashore activities and events, schedules, work profiles/templates, and audit information (who created, edited, overrode or deleted an entry — kept in a signed, immutable history). This may include data connected to maritime labour compliance (MLC 2006).

c) Financial and maintenance data

Yacht-related financial information you manually enter (expenses, budgets, monthly reports), planned maintenance entries, certificates, administrative and safety documents you choose to store in the Service.

d) Technical and usage data

Device identifiers, app version, IP address, log data, push-notification tokens, and — where enabled — analytics and crash-report data used to operate, secure and improve the Service.

We do not process special categories of personal data within the meaning of Article 9 GDPR (including health data, philosophical, religious or trade-union opinions, biometric or genetic data).

Please do not enter such data in free-text fields (comments on rest hours, maintenance notes, incident descriptions). If a special category of data were strictly necessary (for example, a medical certificate to justify an absence), it must be the subject of a separate processing operation relying on a specific legal basis (Art. 9(2) GDPR).

3. How we use your data and legal bases (GDPR Art. 6)

Purpose | Legal basis
Create and manage your account, provide the Service | Performance of a contract (Art. 6(1)(b))
Log, store and display Hours of Rest, work, finance, maintenance and certificate records | Performance of a contract / legitimate interests / (where we are processor) instructions of the controller
Provide AI-assisted budgeting, anomaly detection, forecasting and report commentary | Performance of a contract / legitimate interests
Send reminder notifications about logging hours and certificate expiry | Performance of a contract / legitimate interests; consent where required for push
Secure the Service, prevent fraud and abuse | Legitimate interests (Art. 6(1)(f))
Analytics, crash reporting, product improvement | Legitimate interests, or consent where required
Comply with legal and regulatory obligations | Legal obligation (Art. 6(1)(c))

4. Artificial intelligence and document processing

Some features use automated/AI processing (e.g. budget analysis, anomaly detection, forecasting, VAT-recovery suggestions, automated report commentary) based on the data you enter. We also use optical character recognition (OCR) to extract text from documents and certificates you upload, so they can be classified and searched. These features assist you but do not make legally or financially binding decisions about you without human review. AI and OCR processing are carried out using Anthropic and OpenRouter, Inc as sub-processors, under contractual safeguards. Automated outputs may be inaccurate and should be verified.

No-training commitment. The data you submit to AI and OCR features is not used by our sub-processors to train, re-train or improve their models, nor to feed shared training datasets. This restriction is contractually enforced:

  • with Anthropic, through the Data Processing Addendum and API parameters guaranteeing the non-retention of submitted data beyond immediate processing;
  • with OpenRouter, through terms of service requiring exclusive routing to models whose providers guarantee non-reuse of data.

AI outputs are suggestions of indicative value and are not retained by sub-processors beyond the time strictly necessary for computation.

Rights related to automated suggestions. For features that may have a financial impact (anomaly detection, VAT-recovery suggestions, automated report commentary), you have the following rights:

  • obtain human intervention from Cursorio to review the suggestion;
  • express your point of view on the automated suggestion;
  • contest the suggestion and request its review.

These requests can be sent to [email protected].

5. Push notifications

We use push notifications to remind you to log your hours, alert you to certificate expiry, and for operational messages. Notifications are delivered through Expo (and the underlying Apple/Google notification services). You can disable notifications at any time in your device settings.

6. Sharing and third parties

We do not sell your personal data. We share it only with:

  • Service providers (sub-processors) acting on our behalf:
    • Supabase — hosting, database and authentication;
    • Anthropic — AI processing of the data you submit to AI features;
    • OpenRouter, Inc (United States) — technical gateway to OCR models. Cursorio contractually restricts routing to a subset of models whose providers guarantee: (i) no reuse of submitted data for training, and (ii) a GDPR-compliant retention policy. An up-to-date list of models used is available on request from [email protected];
    • Expo — push-notification delivery;
    • Google Firebase — analytics and crash reporting.
  • The organization that manages your account (e.g. your employer, management company or fleet operator), consistent with your role.
  • Authorities or third parties where required by law, or to protect rights, safety and the integrity of the Service.

All sub-processors are bound by contracts requiring appropriate confidentiality and security.

7. International transfers

Our hosting and database provider (Supabase) is configured to store your data in the European Union. Some other sub-processors are located outside the European Economic Area and may process certain data in the United States — in particular Anthropic (AI), OpenRouter, Inc (OCR), Google Firebase (analytics/crash reporting) and Expo (push notifications). These transfers are governed by appropriate safeguards, in particular the European Commission's Standard Contractual Clauses.

8. Data retention

We keep personal data only as long as necessary for the purposes above:

  • Account/profile data: for the life of your account, then deleted or anonymized after closure (subject to legal retention).
  • Hours of Rest / work records: retained for 2 years, in line with applicable flag-state requirements.
  • Financial and accounting records: retained as required by French accounting/tax law (typically up to 10 years).
  • Technical logs: retained for a limited period for security and diagnostics.

Where we act as processor, retention follows the controlling organization's instructions.

9. Your rights (GDPR)

Subject to applicable law, you have the right to: access your data; rectify inaccurate data; erase your data ("right to be forgotten"); restrict or object to processing; request data portability; and withdraw consent at any time. Where we act as processor, we will forward your request to the relevant controller or assist them in responding.

To exercise your rights, contact our data protection contact at [email protected]. We respond within one month. You have the right to lodge a complaint with the French supervisory authority, the CNIL (cnil.fr). If you reside in another EU/EEA Member State, you may also lodge a complaint with the supervisory authority of your country of residence. The list of authorities is available at edpb.europa.eu.

10. Account and data deletion

You can delete your account directly in the app (Settings → Account → Delete account) or by emailing [email protected]. On deletion we remove or anonymize your personal data, except records we are legally required to keep (e.g. accounting records). Where your account is managed by an organization, deletion may also depend on that organization's instructions and legal obligations.

11. Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit (HTTPS), hashed passwords, role-based access controls, a signed/immutable audit history, and restricted access to production systems. No method of transmission or storage is completely secure, but we work to protect your data and to notify affected users and the CNIL of any breach as required by law.

11 bis. Cookies and local storage

The web application (app.cursorio.com) uses the following storage mechanisms, all strictly necessary for its operation:

  • Authentication cookies / localStorage: Supabase tokens used to keep your session open. Duration: until logout or expiry (typically 7 days).
  • Preferences localStorage: language, time format, display preferences (dark/light). Indefinite duration or until you clear them.
  • Cloudflare security cookies: __cf_bm, cf_clearance. See site policy cursorio.com/confidentialite.

No advertising cookies, no third-party tracking cookies, no marketing cookies are placed. Crash reports and product analytics (Google Firebase) use technical identifiers distinct from web cookies; they can be disabled in the application settings.

12. Children

The Service is intended for professional adult users and is not directed to anyone under 18. We do not knowingly collect data from minors.

13. Changes to this Policy

We may update this Privacy Policy. We will post the new version with an updated "Last updated" date and, for material changes, take reasonable steps to inform you.

14. Contact

CURSORIO (SASU)
21 rue des Muriers, 06110 Le Cannet, France
RCS Cannes 913 138 640
General/account contact: [email protected] — Tel: +33 7 89 25 83 77
Data protection contact: [email protected]
Supervisory authority: CNIL — cnil.fr

Cursorio has not appointed a Data Protection Officer (DPO) within the meaning of Article 37 GDPR, as such appointment is not mandatory given our size and the nature of our activities. The data protection contact indicated above is your single point of contact for any question relating to your data.

Last updated: 27 May 2026.