Privacy Policy
Last updated: 2026-04-23
1. Who we are
DockWalker is operated by Nautalink Technologies, Inc., 1111B S Governors Ave #48504, Dover, DE 19904, USA. We are the data controller for personal data collected through the DockWalker application at dockwalker.io.
2. Data we collect
| Data | Purpose | Legal basis |
|---|---|---|
| Email, password | Authentication | Contract |
| Display name, deck name, nationality, visa status | Identity in app; employer review | Contract / Consent |
| Profile photo (avatar) | Identity | Consent |
| Certifications declared | Job matching; cert-gating permanent applications | Consent |
| Role, department specialisations | Job matching | Consent |
| Vessel experience history (including IMO) | Employer review | Consent |
| Sea time (days at sea, nautical miles) | Experience display | Consent |
| Shore-based experience | Alternative background for employer review | Consent |
| Location preference (region, city, port) | Job matching | Consent |
| Availability dates and career status | Daywork and permanent matching | Consent |
| Application and engagement history | Service operation and dispute resolution | Contract |
| Chat messages | Communication between parties | Contract |
| Shared documents | Document exchange (48-hour expiry) | Contract |
| Voice call metadata (duration only) | Call record | Contract |
| Engagement ratings | Internal quality signal — never shown to other users | Legitimate interest |
| Device token (push notifications) | Push delivery | Consent |
| Device fingerprint (one-way hash) | Abuse detection after deletion | Legitimate interest |
| Notification preferences | Channel control | Consent |
| WhatsApp number (optional) | WhatsApp notification opt-in | Consent |
| Subscription data | Billing via Stripe | Contract |
| Docky AI conversations and usage count | AI career guidance; free tier enforcement | Consent / Contract |
3. Data we do not collect
- Precise GPS location (we use port/marina selection only)
- Browsing activity outside DockWalker
- Voice call audio — calls are peer-to-peer WebRTC, never recorded or transcribed
- Payment details between crew and employers
- Social media accounts or contacts
- Biometric data
We do not sell personal data to third parties. We do not use personal data for advertising.
4. Who can see your data
- Your profile (name, role, certifications, experience): visible to other authenticated users
- Your applications: only you and the posting employer
- Your chat messages: only the two parties in the engagement
- Shared documents: only the two parties, and expire after 48 hours
- NDA vessel identity (including IMO): hidden from crew until daywork acceptance or permanent selection
- Engagement ratings: DockWalker internal only — never shown to other users
- Availability and salary information: visible to authenticated users so matching can work
5. Third-party services
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Database, auth, file storage, Realtime | All application data |
| Google (OAuth) | Sign in with Google (optional) | Email, display name, profile picture URL (only if you choose to sign in with Google) |
| Vercel | Web hosting, serverless functions | HTTP request logs |
| Stripe | Subscription billing | Email, plan, payment method (Stripe-side) |
| Resend | Transactional email | Email address, notification content |
| Anthropic (Claude) | AI advisor (Docky) | Messages and crew context — not retained by Anthropic beyond processing |
| OpenAI | Document embeddings for MCA corpus only | Public regulatory text — no personal data |
| Expo Push / Apple APNs / Google FCM | Push notification delivery | Device token, notification payload |
| Twilio | WhatsApp notifications (opt-in) | Phone number, notification content |
| Upstash Redis | Rate limiting | Request metadata (IP, user ID) |
| Sentry | Error tracking (conditional) | Error context, user ID, stack traces |
| Vercel Analytics and Speed Insights | Anonymous usage and performance metrics | Page view data, Web Vitals |
6. AI advisor (Docky)
Docky is powered by Anthropic's Claude API. When you use Docky:
- Your messages are sent to Anthropic for processing.
- Crew context (role, certifications, experience bracket, vessel size exposure) is included to personalise responses.
- Your salary, contact details, and private engagement content are not sent to the AI.
- Anthropic does not retain API inputs or outputs beyond processing, per their API terms.
- Docky responses are informational. We do not guarantee the accuracy of AI-generated career advice.
- Free tier allows a limited number of questions per calendar month. Pro tier raises that limit.
7. Voice calls
- Available for permanent position engagements only.
- Peer-to-peer WebRTC. Audio travels directly between browsers, not through DockWalker servers.
- TURN relay credentials are issued for NAT traversal; signalling uses Supabase Realtime.
- No audio is recorded, stored, or transcribed. Only a system chat message noting the call duration is kept.
8. Document sharing
- Users can share documents (PDF or image) within an engagement chat.
- Documents are stored in a private Supabase storage bucket, accessible only to the two parties.
- Documents expire after 48 hours. The storage object is removed and the database record is soft-deleted.
- File size and type are validated server-side. DockWalker does not read or process the document contents.
9. Your rights (GDPR)
- Access— use “Export my data” in Settings for a JSON export of your personal data.
- Rectification — edit your profile at any time.
- Erasure— use “Delete account” in Settings. Data is retained for 30 days, then scrubbed.
- Portability — the export feature is a standard JSON file.
- Object / Restrict processing — contact admin@nautalink.io.
- Withdraw consent — deactivate the account or change notification preferences.
10. Data retention
- Active account data is kept for the life of the account.
- Deactivated account personal data is scrubbed after 30 days via an append-only PERSON.DATA_SCRUBBED event.
- Event structure is retained indefinitely (anonymised) for audit integrity.
- Device fingerprint hashes are kept for 12 months after deletion to support abuse detection.
- Chat messages are retained indefinitely (append-only) and are anonymised on data scrub.
- Shared documents expire after 48 hours.
12. Security
- Row Level Security is enforced on every database table.
- JWT authentication with automatic token refresh.
- Rate limiting on API routes. Body size limits on writes.
- Avatar and document uploads validate file type and size server-side.
- HTTPS enforced end-to-end. Standard security headers are set on the origin.
13. International transfers
Data may be processed in EU (Frankfurt) (primary database) and in the United States (for hosting, billing, email, AI, and push providers). Standard Contractual Clauses or equivalent safeguards apply where required by GDPR for transfers outside the EEA.
14. Age restriction
DockWalker is intended for users aged 18 and over. Maritime employment requires adult status in virtually all jurisdictions. We do not knowingly collect data from minors.
15. Changes to this policy
We will notify you of material changes by email or in-app notification. Continued use after notification constitutes acceptance.
16. Contact
- Data Protection Officer: admin@nautalink.io
- General support: admin@nautalink.io
- Postal: 1111B S Governors Ave #48504, Dover, DE 19904, USA