Privacy Policy
This Privacy Policy describes how Developer Hub d.o.o. (“Quaylo”, “we”, “us”) collects, uses, and shares personal data when you use the Quaylo platform at quaylo.app and its sub-domains (collectively, the “Service”).
Quaylo is a B2B SaaS platform for mega yacht agencies. The agencies using Quaylo are our Customers; the people whose data Customers store in Quaylo (their crew, vendors, and contacts) are Customer Data Subjects. For Customer Data, we act as a data processor under GDPR — the Customer is the controller. For data we collect directly (account holders, marketing site visitors), we are the controller.
1. Data we collect
1.1 Account & agency data (we are controller)
- Name, email, organisation name, role, profile photo
- Authentication data (Google OAuth tokens scoped to sign-in only)
- Locale preference, timezone, UI settings
- Billing identity: business name, tax ID (where applicable), address, bank details
1.2 Customer Data (we are processor)
Data your agency stores in Quaylo about its yachts, contacts, services, and invoices — e.g. yacht names, crew contacts, vendor records, service descriptions, invoice line items, itineraries, voice-order recordings, uploaded documents and images.
1.3 Operational data
- Server logs (IP address, user-agent, request paths, timestamps) — retained 30 days for security and abuse prevention
- Audit log of administrative actions inside the agency tenant
- Error reports and performance traces (no message bodies, no Customer Data; PII keys are redacted server-side before logging)
1.4 Marketing site visitors
The marketing site at quaylo.app does not use analytics cookies, advertising trackers, or behavioural fingerprinting. If we add analytics in the future, we will use a privacy-preserving tool (cookieless, no cross-site tracking) and update this policy.
2. How we use data
- To provide the Service to your agency and its authorised users
- To send transactional email (auth, invites, vendor reply routing)
- To detect, investigate, and prevent abuse, fraud, and security incidents
- To meet our legal and tax obligations under Croatian and EU law
- To improve the Service through aggregated, non-identifying usage signals
We do not sell your data. We do not use Customer Data to train AI models. Voice-to-order transcription and parsing is performed by Anthropic on a per-request basis with no model-training opt-in.
3. Legal bases (GDPR)
- Contract (Art. 6(1)(b)) — providing the Service to account holders
- Legitimate interests (Art. 6(1)(f)) — security logging, abuse prevention, aggregated product analytics
- Legal obligation (Art. 6(1)(c)) — fiscal records, tax-ID verification
- Consent (Art. 6(1)(a)) — only where we explicitly ask for it
4. Sub-processors
We rely on the following sub-processors to deliver the Service. All are bound by Data Processing Agreements compliant with GDPR Art. 28.
| Sub-processor | Purpose | Data location |
|---|---|---|
| Supabase (PostgreSQL, Auth, Storage) | Primary database, authentication, file storage | EU (Frankfurt) |
| Vercel | Application hosting, edge network | EU (Frankfurt) primary |
| Resend | Transactional email (invites, vendor reply bridge) | EU / US |
| Anthropic | Voice-order transcription, content translation | US (no training on submitted data) |
| Mapbox | Map tiles and sea routing | US |
| Google (OAuth, Places API, Gmail) | Sign-in, place lookups, optional Gmail integration | EU / US |
| Twilio | Optional WhatsApp / SMS vendor messaging (post-beta) | US |
| Eurofaktura / Codat | Optional fiscal e-invoicing per agency configuration | EU |
Transfers outside the EEA rely on the European Commission's Standard Contractual Clauses or equivalent safeguards.
5. How long we keep data
- Active accounts: for the duration of the subscription
- Closed accounts: Customer Data is retained for 30 days post-cancellation to allow export, then deleted
- Server logs: 30 days
- Fiscal records: retained as required by Croatian / EU tax law (typically 11 years for invoice records)
- Backups: rolling 30-day window, then expunged
6. Your rights (GDPR / UK GDPR)
You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request erasure (subject to fiscal-retention obligations)
- Object to or restrict certain processing
- Receive your data in a portable format
- Withdraw consent at any time, where processing is based on consent
- Lodge a complaint with the Croatian Personal Data Protection Agency (AZOP) or your local supervisory authority
For Customer Data Subjects: please contact your agency directly — they are the controller. We will assist agencies in fulfilling subject requests.
To exercise rights regarding data we control, email privacy@quaylo.app.
7. Security
Data is encrypted in transit (TLS 1.3) and at rest. Each agency is a fully isolated tenant within a multi-tenant environment, with isolation enforced by row-level security at the database layer. Secrets (API keys, fiscal-provider credentials) are encrypted with AES-256-GCM using per-deployment keys. We do not access your data except as necessary to provide the Service or comply with law.
8. Cookies
The application uses strictly necessary cookies for authentication and session management. No advertising or third-party tracking cookies are set. The crew and agent portals use separate cookie names so sessions on different portals do not collide.
9. Children
Quaylo is not directed at children under 16. We do not knowingly collect data from children.
10. Changes
We will post material changes here and notify account holders by email at least 30 days before they take effect.
11. Controller details
Developer Hub d.o.o.
Croatia
privacy@quaylo.app
Questions about this document? Email legal@quaylo.app.