1. Who we are
Cruise-port.com is operated by Cruise Port, an independent business established in Spain.
For all privacy-related questions, contact us at hello@cruise-port.com.
Additional business-identification information may be provided where legally required to competent authorities, regulators, courts, or consumers.
This policy describes how we collect, use, store, and protect your personal data when you visit cruise-port.com or use any associated services (the "Services"). It is written to comply with the EU General Data Protection Regulation (GDPR) and Spain's Ley Orgánica 3/2018 (LOPDGDD).
2. Personal data we collect
We collect only the data needed to provide the Services. Categories:
2.1 Data you give us when you create an account
- Email address (required, used for sign-in and transactional email)
- Username and optional display name
- Password hash (we never store passwords in plain text – we use Supabase Auth's bcrypt hashing)
- Profile fields you choose to fill in: home country, preferred language, preferred currency, unit system, optional bio, optional avatar image
- Cruises you choose to add to your "cruises taken" list
2.2 Data we generate when you use the Services
- Authentication tokens and session identifiers (necessary for keeping you signed in)
- Records of your cookie consent decisions (so we can demonstrate compliance)
- Cruise pass purchase records linked to your account (when applicable)
2.3 Data collected only with your explicit consent
- Analytics data (PostHog and Google Analytics): pages visited, time on site, anonymised session data. Used to understand how the Services are used so we can improve them.
- Error monitoring data (Sentry): JavaScript errors, performance traces, browser metadata. Used to detect and fix bugs.
- Marketing data (Meta Pixel): pages visited and conversion events (e.g. starting or completing a Plan My Port Days purchase). Used to measure the effectiveness of our advertising on Meta platforms (Facebook, Instagram) and to show relevant cruise-port.com ads to people who have visited the site. Off by default.
- Live location (paid "Find my ship" features only): your device's reported location while using ship-return features. Never stored server-side; only used in-browser.
You can decline or revoke any category at any time via the cookie banner or the Cookie settings link in the footer.
2.4 Data processed when you generate an itinerary
When you use the paid Plan My Port Days product, the following data is sent to our AI provider (Anthropic) to generate your itinerary:
- The ports your cruise visits and the dates and times of each port call
- Your questionnaire answers (interests, mobility, budget band, party composition without identifying individuals, pace preference, language)
- Public information about the ports themselves (things to do, transport options, opening hours)
We do not send your name, email, account ID, payment information, IP address, or any other directly identifying information to the AI provider. Anthropic processes the data only to generate the itinerary and does not use it to train its models, in line with its enterprise API terms.
Content you submit via free-form fields (reviews, port tips, comments) is processed by OpenAI's moderation API to detect abuse, spam, and unlawful content. This processing is strictly automated, does not produce a stored record at OpenAI, and is required to keep the Services safe and lawful (legitimate interest under Art. 6(1)(f) GDPR).
2.5 Data we never collect
- Payment card details – Stripe handles all payment processing. We never see, store, or transmit your card number, CVV, or expiry date. We only receive a payment confirmation token from Stripe.
- Sensitive personal data (race, religion, health information, etc.) – we have no use case for this and no mechanism to collect it.
3. Why we use your data (legal bases)
| Purpose | Legal basis under GDPR |
|---|---|
| Operating the Services (account, profile, sign-in, cruise pass access) | Contract performance (Art. 6(1)(b)) |
| Sending transactional email (verification, password reset, receipts) | Contract performance (Art. 6(1)(b)) |
| Marketing email (Phase 1+) | Your explicit consent at signup (Art. 6(1)(a)) – opt-in only |
| Analytics (PostHog, Google Analytics) | Your explicit consent in the cookie banner (Art. 6(1)(a)) |
| Error monitoring (Sentry) | Your explicit consent in the cookie banner (Art. 6(1)(a)) |
| Marketing and ad-conversion measurement (Meta Pixel) | Your explicit consent in the cookie banner (Art. 6(1)(a)) |
| Compliance with Spanish tax and accounting law (invoice retention) | Legal obligation (Art. 6(1)(c)) |
| Detecting fraud and abuse | Legitimate interest (Art. 6(1)(f)) |
4. Who we share your data with (processors)
We use the following third-party processors, each bound by a Data Processing Agreement (DPA) and either located in the EU or operating under EU-approved safeguards.
| Processor | Purpose | Data location |
|---|---|---|
| Supabase | Database, authentication | EU (Ireland) |
| Stripe | Payment processing, VAT calculation | EU + US (under Standard Contractual Clauses) |
| Resend | Transactional email | EU + US (under Standard Contractual Clauses) |
| PostHog | Analytics (with consent) | EU |
| Sentry | Error monitoring (with consent) | EU (Frankfurt) |
| Meta Platforms | Ad-conversion measurement and retargeting via the Meta Pixel (with consent) | US (under EU-US Data Privacy Framework / Standard Contractual Clauses) |
| Anthropic | AI generation for Plan My Port Days itineraries | US (under Standard Contractual Clauses) |
| OpenAI | Content moderation of user-generated content | US (under Standard Contractual Clauses) |
| Mapbox | Routing and geocoding for itinerary maps (server-side only) | US (under Standard Contractual Clauses) |
| Google | Sign-in with Google (optional) + Google Analytics (with consent) | US (under EU-US Data Privacy Framework) |
| Apple | Sign-in with Apple (optional) | US (under EU-US Data Privacy Framework) |
| Vercel | Web hosting | EU + US (under Standard Contractual Clauses) |
| Cloudflare | DNS, CDN | Global edge |
Third-party data sources (not processors of your personal data). cruise-port.com pulls cruise schedules, ship data, and port-call information from third-party providers such as Widgety, and map tiles and points of interest from OpenStreetMap. These sources do not receive any of your personal data – we fetch reference information from them, we do not send anything about you to them.
We do not sell your personal data to anyone. We do not share your data for advertising purposes without your consent – the only advertising-related sharing is via the Meta Pixel, which loads and sends data to Meta Platforms solely when you have given marketing consent in the cookie banner, and which you can withdraw at any time.
5. How long we keep your data
| Data | Retention period |
|---|---|
| Account data | While your account is active. Deleted within 30 days of account deletion request. |
| Cruise pass purchase records | 6 years after purchase (Spanish tax/accounting law) |
| Marketing email opt-ins | Until you unsubscribe |
| Cookie consent decisions | Until you change them or 12 months, whichever is shorter |
| Analytics data (PostHog, GA) | 12 months |
| Error monitoring data (Sentry) | 90 days |
| Marketing / ad-conversion data (Meta Pixel) | Per Meta's standard retention (up to ~24 months for ad event data) |
| Transactional email logs (Resend) | 30 days |
6. Your rights
Under GDPR, you have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectify inaccurate personal data (Art. 16)
- Erase your personal data (Art. 17) – note that some records (invoices, fraud-prevention logs) may be retained for legal compliance even after account deletion
- Restrict processing of your data (Art. 18)
- Port your data to another service in a structured, machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent for any processing based on consent, at any time (Art. 7(3))
- Lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos, www.aepd.es) or your local supervisory authority
To exercise these rights, log into your account and use the Privacy & data page in your settings (available from Phase 1 onwards), or email us at hello@cruise-port.com. We respond within 30 days.
7. Cookies and similar technologies
cruise-port.com uses four categories of cookies:
- Strictly necessary (always on): authentication, language preference, your cookie consent choice itself
- Analytics (opt-in): PostHog and Google Analytics
- Error monitoring (opt-in): Sentry
- Marketing (opt-in): Meta Pixel (Facebook/Instagram ad-conversion measurement and retargeting)
You can review and change your choices at any time via Cookie settings in the footer. See our Cookie Policy for the full list.
8. International data transfers
We prefer EU-region data processors. Where a processor is established outside the EEA (Stripe, Sentry US fallback, Anthropic, OpenAI, Mapbox, Google, Apple, Vercel, Cloudflare), we rely on the EU-US Data Privacy Framework or Standard Contractual Clauses to ensure adequate protection. Copies of these safeguards are available on request.
8.1 Automated decision-making and AI
The Plan My Port Days product uses an AI model (Anthropic Claude) to generate a personalised itinerary from your questionnaire answers. This is not automated decision-making in the GDPR Art. 22 sense – no legal or similarly significant effect is produced; the output is a travel suggestion that you are free to ignore, modify, or replace. If you have questions about how an itinerary was generated, contact hello@cruise-port.com.
9. Children
cruise-port.com is not directed at children under 16 and we do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact us at hello@cruise-port.com and we will delete it.
10. Security
We use industry-standard security measures, including:
- TLS encryption for all data in transit
- Encryption at rest for the database (Supabase)
- Hashed passwords (bcrypt via Supabase Auth)
- Row-Level Security (RLS) policies on all user data tables
- Two-factor authentication for our admin accounts
- Regular security reviews of our codebase
No system is perfectly secure, but we work hard to protect your data. If you discover a vulnerability, please email hello@cruise-port.com.
11. Changes to this policy
We may update this policy from time to time. Material changes will be flagged via in-app notification and email. The "Last updated" date at the top of this page reflects the current version.
12. Governing law
This Privacy Policy is governed by Spanish law and the EU General Data Protection Regulation. Any disputes are subject to the exclusive jurisdiction of the courts of Alicante, Spain.