Privacy Policy
Last updated: May 6, 2026
1. Introduction and Scope
Arctic Applications ehf. ("Navoa," "we," "us," or "our") operates a marine vessel tracking and safety platform consisting of (i) a website at navoa.is (the "Website"), and (ii) the Navoa native mobile application for iOS and Android (the "Mobile Application") (collectively, the "Services"). This Privacy Policy governs the collection, use, disclosure, retention, and protection of personal data obtained through your use of the Services.
This Privacy Policy applies to all users of the Services, including: (a) vessel owners who register their vessels; (b) vessel owners who activate GPS tracking; (c) emergency contacts designated by vessel owners; (d) personnel from the Icelandic Coast Guard or other maritime authorities who may receive emergency data; and (e) any other individuals whose personal information we process in connection with the Services.
By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must discontinue use of the Services.
The data controller responsible for processing personal data via the Services is:
Arctic Applications ehf.
Geitlandi 41, 108 Reykjavík, Iceland
Email: contact@arcticapplications.com
2. Legal Basis and Regulatory Compliance
As an Icelandic entity, Arctic Applications is subject to the Icelandic Data Protection Act (Lög um persónuvernd og vinnslu persónuupplýsinga nr. 90/2018) and the European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), as incorporated into Icelandic law through Iceland's membership in the European Economic Area (EEA).
Our lawful bases for processing personal data include:
- Performance of a Contract (GDPR Art. 6(1)(b)): Processing is necessary for the performance of our contract with you to provide vessel tracking and safety services.
- Legitimate Interests (GDPR Art. 6(1)(f)): We have legitimate interests in ensuring maritime safety, preventing loss of life at sea, facilitating emergency response coordination, securing the Services, preventing fraud, and improving the Services through diagnostics.
- Vital Interests (GDPR Art. 6(1)(d)): In emergency SOS situations, processing is necessary to protect the vital interests of vessel occupants and others at sea.
- Consent (GDPR Art. 6(1)(a)): Where required by law — in particular for location tracking — we obtain your explicit consent before processing.
Where processing is based on consent, you may withdraw it at any time via your device settings (e.g., removing location permissions from the Navoa application). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
3. Categories of Personal Data Collected
We collect and process the following categories of personal data:
3.1 Account Registration Information
- Full name
- Email address
- Phone number
- Password (stored only as a salted hash; never in plaintext)
- Account creation timestamp
3.2 Vessel Registration Data
- Vessel registration name
- Vessel registration number
- Vessel type
- Vessel capacity
3.3 Emergency Contact Information
- Emergency contact name
- Emergency contact phone number
3.4 Real-Time GPS Location Data
When GPS tracking is active, we collect:
- Precise geographic coordinates (latitude and longitude) transmitted approximately every 15 seconds
- Speed and heading derived from GPS readings
- Timestamp of each GPS reading
- Trip start time, duration, and session identifier
- Calculated trip route and history
3.5 Emergency SOS Data
When an SOS alert is activated, we collect and process:
- SOS activation timestamp
- GPS coordinates at the time of activation
- The trip route leading up to the emergency
- All vessel and contact information listed above
- Identification of other registered vessels within 30 nautical miles of your location
3.6 Mobile Device Information
- Device push notification token (used to deliver SOS alerts and operational notifications)
- Operating system name and version, and device model (used for compatibility and diagnostics)
- App version and build number
3.7 Technical and Usage Data
- IP address
- Browser type and version (Website only)
- Operating system
- Access times and dates
- Server logs and diagnostic information
- Interaction with features and performance data
3.8 Communication Data
- SOS signals you initiate
- Contact details you provide for emergency contacts
- Any messages you exchange with us through support channels
4. Purposes and Uses of Personal Data
We process your personal data for the following purposes:
- Core Service Provision: To provide real-time GPS tracking of registered vessels, display vessel locations on interactive maps, and maintain trip history records.
- Emergency Response: To detect and respond to SOS emergencies by (i) sending automated alerts to designated emergency contacts via SMS; (ii) routing alerts directly to the Icelandic Coast Guard under our direct-alert agreement; (iii) optionally notifying nearby registered vessels within 30 nautical miles; and (iv) generating emergency reports with location and route data.
- Account Management: To create and maintain user accounts, authenticate users, process password reset requests, and manage user preferences.
- System Operations: To maintain, troubleshoot, and improve the Services; ensure system security; prevent fraud and abuse; and comply with legal obligations.
- Communications: To send service-related notifications, emergency alerts, system status updates, and respond to user inquiries.
- Service Improvement: To analyze performance, reliability, and usage of the Services. Personal data may be anonymized or aggregated for these purposes.
5. Data Sharing and Third-Party Disclosure
We do not sell, rent, or trade your personal data to third parties for marketing purposes. We may share your personal data only in the following limited circumstances:
5.1 Emergency Contacts
When you activate an SOS alert, we will immediately share your vessel information, GPS location, recent trip route, and emergency details with the emergency contact you have designated, by SMS.
5.2 The Icelandic Coast Guard
Navoa has entered into a direct-alert agreement with the Icelandic Coast Guard (Landhelgisgæsla Íslands) under which SOS signals from the Services are routed directly to the Coast Guard. When you activate an SOS, your vessel information, GPS coordinates, trip route, and emergency details are transmitted to the Coast Guard so that they can coordinate a response.
5.3 Nearby Vessels
In SOS situations, we may notify other registered Navoa vessels within 30 nautical miles of your location to facilitate potential rescue assistance. These notifications include your vessel name, location coordinates, and basic emergency information.
5.4 Service Providers (Subprocessors)
We engage the following third-party service providers, who process personal data on our behalf under written data processing agreements:
- Amazon Web Services, Inc. (AWS): Hosting of the application server and database. Servers are located in the EU (eu-west-1, Ireland).
- Twilio, Inc.: SMS message delivery for emergency alerts and operational messages.
- Resend, Inc.: Transactional email delivery (account verification, password resets, and similar).
- Google LLC (Firebase Cloud Messaging): Push notification delivery to iOS and Android devices.
- OpenStreetMap Foundation: Map tiles rendered in the Website's live map and the Mobile Application. Only the map viewport is requested; no personal data is sent to OpenStreetMap.
All subprocessors are contractually obligated to protect your data and to use it only for the purposes specified by Arctic Applications.
5.5 Legal Requirements and Law Enforcement
We may disclose personal data when required by law, including:
- In response to valid legal process (court orders, subpoenas, search warrants)
- To comply with statutory obligations under Icelandic or EU law
- To protect the rights, property, or safety of Arctic Applications, our users, or the public
- In connection with the investigation of suspected criminal activity
5.6 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal data may be transferred to the successor entity, subject to the same privacy protections outlined in this Policy.
6. Data Storage, Retention, and Deletion
6.1 Storage Location
Personal data is stored on our application server hosted in AWS's eu-west-1 region (Ireland), within the European Economic Area. Some subprocessors (Twilio, Resend, Google FCM) may process data outside the EEA in the course of delivering messages or notifications; see Section 10 for details on international transfers.
6.2 Retention Periods
We retain personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy:
- Account Data: retained for the duration of your active account and deleted within 30 days of account deletion, subject to legal-hold and backup exceptions described below.
- Vessel Registration Data: retained while the vessel remains registered to your account.
- Active Session Data: retained during use and for a limited period thereafter to support trip history and reliability features.
- GPS Location Data: retained for the duration that your account remains active.
- SOS Emergency Records: retained for up to five (5) years to comply with maritime safety record-keeping requirements and to support potential investigations or legal proceedings. May be retained longer where required by law or by the Icelandic Coast Guard.
- System Logs: retained for up to 90 days for security, troubleshooting, and operational purposes.
- Backup Copies: retained for up to 30 days in encrypted form before being overwritten in the normal rotation.
Data may be anonymized or aggregated for analytical and service-improvement purposes, in which case it is no longer treated as personal data.
6.3 Data Deletion Procedures
Upon account deletion, we will:
- Immediately cease GPS tracking and active data collection associated with your account
- Disable account access and authentication credentials
- Delete or anonymize personal data within 30 days, subject to legal obligations and the backup rotation described above
- Retain SOS emergency records as described in Section 6.2 above
You can delete your account directly in the Mobile Application (Settings → Account → Delete account) or by emailing contact@arcticapplications.com from the address on the account.
7. Data Security Measures
We implement industry-standard technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction:
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
- Encryption at Rest: Production databases are encrypted at rest. Backups are encrypted before storage.
- Password Hashing: Passwords are stored only as salted hashes using a modern password-hashing algorithm; we never store or log plaintext passwords.
- Authentication: Account sessions are managed using short-lived RS256-signed JSON Web Tokens with rotating refresh tokens.
- Access Controls: Role-based access controls limit employee and system access to personal data on a need-to-know basis.
- Monitoring and Incident Response: We monitor production systems for security incidents and maintain documented procedures for responding to suspected data breaches, including notifying affected users and the Icelandic Data Protection Authority within 72 hours where required by GDPR Article 33.
No system is completely secure. You are responsible for securing your device and access credentials, and should notify us immediately of any suspected unauthorized access at contact@arcticapplications.com.
8. Your Rights Under GDPR and Icelandic Law
As a data subject under GDPR, you have the following rights regarding your personal data:
8.1 Right of Access (GDPR Art. 15)
You have the right to obtain confirmation of whether we process your personal data and to receive a copy of such data in a structured, commonly used, and machine-readable format.
8.2 Right to Rectification (GDPR Art. 16)
You may request correction of inaccurate or incomplete personal data. You can update most information directly through your account settings in the Mobile Application.
8.3 Right to Erasure / "Right to be Forgotten" (GDPR Art. 17)
You may request deletion of your personal data, subject to exceptions for legal obligations to retain emergency records, ongoing legal proceedings, or legitimate interests in fraud prevention.
8.4 Right to Restriction of Processing (GDPR Art. 18)
You may request that we limit the processing of your personal data in certain circumstances, such as when contesting data accuracy or objecting to processing.
8.5 Right to Data Portability (GDPR Art. 20)
You have the right to receive personal data you have provided to us in a portable format and to transmit that data to another controller without hindrance.
8.6 Right to Object (GDPR Art. 21)
You may object to processing based on legitimate interests or for direct marketing purposes. We will cease such processing unless we demonstrate compelling legitimate grounds that override your interests.
8.7 Right to Withdraw Consent (GDPR Art. 7(3))
Where processing is based on consent, you have the right to withdraw that consent at any time, including through your device or app settings. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.
8.8 Right to Lodge a Complaint (GDPR Art. 77)
You have the right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd) if you believe we have violated your data protection rights:
Persónuvernd
Rauðarárstígur 10
105 Reykjavík, Iceland
Website: www.personuvernd.is
Email: postur@personuvernd.is
To exercise any of these rights, contact us at contact@arcticapplications.com. We will respond to your request within 30 days as required by GDPR Article 12(3).
9. Children's Privacy
The Services are not intended for use by individuals under the age of 18 (or any higher minimum age set under applicable law in your jurisdiction). We do not knowingly collect personal data from children below this age. If we become aware that we have inadvertently collected personal data from a child below this age without verifiable parental consent, we will take steps to delete such information as soon as reasonably practicable.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at contact@arcticapplications.com.
10. International Data Transfers
Our primary application server and database are located within the European Economic Area (AWS eu-west-1, Ireland). Certain subprocessors (Twilio, Resend, Google FCM) operate from the United States and may process limited personal data — typically the contents of an SMS, email, or push notification, including the recipient's address and the message body — outside the EEA. All such transfers are conducted in accordance with GDPR Chapter V requirements, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Supplementary technical and organizational measures to ensure data protection equivalent to EU standards
We periodically review the data protection practices of our subprocessors to ensure ongoing compliance with GDPR and Icelandic law.
11. Automated Decision-Making and Profiling
The Services employ certain automated processes, including:
- Nearby Vessel Identification: Automated calculation of registered vessels within 30 nautical miles during SOS emergencies.
- Operational Health Alerts: Automated monitoring of the system itself for connectivity and service-availability purposes.
These automated processes do not involve profiling or decision-making that produces legal effects, or similarly significantly affects you, within the meaning of GDPR Article 22. All critical safety decisions (including whether to activate an SOS alert) remain under your direct control.
12. Cookies and Similar Technologies
The Website uses only the following types of storage and tracking technologies:
- Essential Cookies: Strictly necessary for authentication and core functionality. These cannot be disabled without preventing use of the Website.
- Local Storage: Browser-side storage used for session tokens and application state.
We do not currently use any third-party cookies, though we may add cookies for analytical purposes in the future.
13. Changes to This Privacy Policy
We may modify this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. Material changes will be communicated via:
- Email notification to the address associated with your account
- An in-app notice within the Mobile Application
- An updated "Last Updated" date at the top of this Privacy Policy
Continued use of the Services following notification of changes constitutes acceptance of the revised Privacy Policy. If you do not agree, you must discontinue use and may request deletion of your account.
14. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact:
Arctic Applications ehf.
Geitlandi 41, 108 Reykjavík, Iceland
Email: contact@arcticapplications.com
Website: https://navoa.is
15. Additional Provisions
15.1 Severability
If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect.
15.2 Governing Law and Jurisdiction
This Privacy Policy is governed by the laws of Iceland. Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the Icelandic courts.
15.3 Language
This Privacy Policy is provided in English. In the event of any conflict between the English version and any translation, the English version shall prevail.
By using the Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
See also our Frequently Asked Questions for a plain-English summary of how we handle your data.