1. Who We Are
- This Privacy Policy is issued by Maritime Passport Operations Ltd, a company incorporated in England and Wales with company number 16616425, whose registered office is at 67 Westow Street, London, England, SE19 3RW (“Maritime Passport”, “we”, “us”, or “our”).
- Maritime Passport is the data controller for the personal data described in this Privacy Policy. We are registered with the UK Information Commissioner’s Office (ICO). Our registration number is [ICO registration number].
- We operate a digital identity and credential management platform for the global maritime industry. This Privacy Policy explains how we collect, use, share, and protect your personal data in connection with the Platform.
- Contact: If you have any questions or concerns about this Privacy Policy or how we handle your personal data, please contact our Data Protection Lead at: privacy@maritime-passport.com, or write to us at the registered office address above.
2. Scope of This Policy
- This Privacy Policy applies to personal data we collect from seafarers, maritime professionals, and other individuals who register for or use the Maritime Passport Platform, including when you visit our website, create an Account, or interact with us.
- This Policy does not cover the data processing activities of Digidentity B.V., our identity verification partner, or of Verifiers who receive credential data from the Platform at your direction. Each of these is an independent data controller and operates under their own privacy arrangements.
- Digidentity’s privacy statement is available at digidentity.eu/en/documentation.
3. Personal Data We Collect
We collect the following categories of personal data:
Identity and Contact Data
- Full name and previous names
- Date and place of birth
- Gender
- Nationality
- Email address
- Mobile phone number
Identity Verification Data
- Identity document photographs (front and back of passport, seafarer identity document, or other government-issued ID)
- Identity document number and expiry date
- Biometric data: facial images (selfies) used for liveness detection and face comparison against identity documents
- Results of document validation checks
Credential and Professional Data
- Maritime certificates of competency and endorsements
- Flag state certifications
- Digital logbook and discharge book records
- Other professional credentials you upload or that are issued via the Platform
Account and Technical Data
- Account login credentials (held in encrypted/hashed form)
- Account pseudonym and identifiers
- Device information and IP address
- Platform usage data and activity logs
- Communication records (including support correspondence
Where we process biometric data (facial images for identity verification), we do so based on your explicit consent, in accordance with Article 9(2)(a) UK GDPR. You may withdraw this consent at any time; however, withdrawal may mean we are unable to continue providing Platform services to you.
We do not intentionally collect or process special category data beyond biometric data used for identity verification purposes.
4. How We Collect Your Personal Data
We collect personal data in the following ways:
- Directly from you when you register for an Account, complete identity verification, upload credentials, or contact us;
- Through Digidentity, who collects and processes your identity document and biometric data on our behalf as part of the identity proofing process;
- Automatically when you use the Platform, including device and usage data collected via cookies and similar technologies;
- From flag states, shipping companies, or other maritime authorities who issue or endorse credentials on the Platform.
5. How We Use Your Personal Data
- We process your personal data for the following purposes and on the following legal bases under UK GDPR:
| Purpose | Legal Basis |
| To create and manage your Account | Performance of a contract with you (Article 6(1)(b) UK GDPR) |
| To perform identity verification and proofing, including document validation and biometric comparison, via Digidentity | Performance of a contract; explicit consent for biometric data (Article 6(1)(b); Article 9(2)(a)) |
| To store, manage, and enable you to share your maritime credentials with authorised Verifiers | Performance of a contract (Article 6(1)(b)) |
| To enable flag states and other Verifiers to verify your credentials at your direction | Performance of a contract; legitimate interests in supporting secure maritime operations (Article 6(1)(b)(f)) |
| To communicate with you about your Account, including security notifications and service updates | Performance of a contract; legitimate interests (Article 6(1)(b)(f)) |
| To prevent fraud, detect unauthorised access, and maintain platform security | Legitimate interests; legal obligations (Article 6(1)(c)(f)) |
| To comply with applicable laws and regulations, including maritime law, anti-money laundering obligations, and data protection law | Legal obligation (Article 6(1)(c)) |
| To improve and develop the Platform through anonymised analytics | Legitimate interests (Article 6(1)(f)) |
| To respond to your enquiries and support requests | Legitimate interests; performance of a contract (Article 6(1)(b)(f)) |
We will not use your personal data for purposes incompatible with those for which it was collected, without first seeking your consent or establishing another lawful basis.
6. Sharing Your Personal Data
We share your personal data with third parties only where necessary and permitted under applicable law. The categories of recipients are:
Digidentity B.V.
Our identity verification partner, engaged to perform identity proofing, document validation, liveness detection, and biometric face comparison. Digidentity is an independent data controller for the data it processes and operates under its own terms and privacy statement.
Verifiers
Flag states, shipping companies, port authorities, and other authorised maritime organisations who verify your credentials at your explicit direction. When you share a credential with a Verifier, that Verifier receives the relevant credential data and becomes an independent data controller for that data.
Technology and Infrastructure Providers
Third-party providers who support the operation of the Platform, including cloud hosting and data storage providers. These providers act as data processors under our instruction and are bound by appropriate data processing agreements.
Professional Advisers and Regulators
Legal advisers, auditors, regulators, law enforcement agencies, or other public authorities where we are required or permitted to do so by law.
Business Transfers
In the event of a sale, merger, or acquisition of Maritime Passport, your personal data may be transferred to the relevant third party as part of that transaction, subject to appropriate confidentiality arrangements.
We do not sell your personal data to third parties. We do not share your Credentials with any Verifier without your explicit direction.
7. International Transfers
- Maritime Passport processes personal data primarily within the United Kingdom and the European Economic Area (EEA). Where personal data is transferred outside the UK or EEA (for example, to technology providers located in other jurisdictions), we ensure that appropriate safeguards are in place in accordance with UK GDPR requirements.
- Appropriate safeguards may include: UK adequacy regulations; standard contractual clauses approved by the ICO; or other legally recognised transfer mechanisms.
- You may request details of the safeguards in place for any specific transfer by contacting us at privacy@maritime-passport.com.
8. Data Retention
- We retain your personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Our standard retention periods are:
| Category of Data | Retention Period |
| Account and identity data (verified) | Retained while your Account is active; archived for 7 years after Account deletion or closure |
| Identity verification records and reports | Retained while your Account is active; archived for 7 years after Account deletion or closure |
| Biometric data (identity document photographs and selfies submitted for verification) | Deleted within 45 days of submission |
| Credential records (digital logbook, discharge book, certificates) | Retained while your Account is active; archived for 7 years after Account deletion or closure |
| Account activity and platform usage logs | Up to 2 years from last activity, then deleted |
| Incomplete or inactive accounts (no service purchased, or no login in 24 months) | Deleted after 45 days of inactivity or non-completion |
| Support correspondence | 1 year after resolution of the relevant query |
| Compliance and audit records | As required by applicable law, up to 7 years |
After the applicable retention period, data is securely deleted or anonymised so that it can no longer be linked to you.
Where we are required to retain data for legal or regulatory reasons (for example, maritime record-keeping obligations), we may retain it for longer than the periods above. We will inform you if this applies.
9. Security
- Maritime Passport takes the security of your personal data seriously. We have implemented technical and organisational measures to protect your data against unauthorised access, loss, alteration, or disclosure, including:
- ISO 27001:2022 certified information security management system;
- Encryption of personal data in transit and at rest;
- Pseudonymisation of account identifiers;
- Role-based access controls limiting staff access to personal data;
- Annual independent penetration testing;
- Incident response and breach notification procedures.
- You are responsible for keeping your own Account credentials and authentication data secure. You should use a strong, unique password and protect any device through which you access the Platform. If you believe your Account has been compromised, you must notify us immediately at support@maritime-passport.com.
- In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and will notify the ICO within 72 hours of becoming aware of the breach, where required by law.
10. Cookies and Similar Technologies
- We use cookies and similar technologies to operate and improve the Platform. Strictly necessary cookies are required for the Platform to function and cannot be disabled. We use analytics cookies to understand how users interact with the Platform, which helps us improve it; these are activated only with your consent.
- You can manage your cookie preferences through your browser settings or through the cookie preference centre in the Platform.
- For full details of the cookies we use, please see our Cookie Policy at maritime-passport.com/cookies.
11. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
| Right | What It Means |
| Right of access | You can request a copy of the personal data we hold about you (a ‘subject access request’). |
| Right to rectification | You can ask us to correct any inaccurate or incomplete personal data. |
| Right to erasure | You can ask us to delete your personal data in certain circumstances, including where it is no longer necessary for the purposes for which it was collected. |
| Right to restriction of processing | You can ask us to pause processing of your personal data in certain circumstances. |
| Right to data portability | Where processing is based on consent or contract, you can ask us to provide your personal data in a structured, machine-readable format. |
| Right to object | You can object to processing based on legitimate interests, including profiling. |
| Right to withdraw consent | Where processing is based on your consent (including for biometric data), you may withdraw consent at any time. This will not affect the lawfulness of processing prior to withdrawal. |
| Rights relating to automated decision-making | You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce significant effects on you. We use automated identity verification decisions, all of which are subject to human review for rejections. |
To exercise any of these rights, please contact us at privacy@maritime-passport.com. We may need to verify your identity before processing your request. We will respond within one month of receipt, or within three months for complex requests (and will let you know within one month if an extension is needed).
You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) if you believe we have not handled your personal data lawfully. The ICO can be contacted at: www.ico.org.uk, or by telephone on +44 (0)303 123 1113.
12. Children
The Platform is intended for use by adults aged 18 and over. We do not knowingly collect personal data from children under 18. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@maritime-passport.com and we will take steps to delete that data.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. We will notify you of material changes by email or via an in-platform notification at least 30 days before they take effect.
The current version of this Privacy Policy is always available at maritime-passport.com/privacy. The date at the top of the Policy indicates when it was last updated.