Privacy Policy
Last updated: 12 July 2026. · Croatian version: Hrvatski
1. Who we are
SailorLoop is a service operated by Digital Loop d.o.o., Croatia ("SailorLoop", "we"). For any data-protection questions, contact info@digitalloop.hr.
2. Our role: controller and processor
Our role depends on whose data we process:
- Charter guest data (phone number, name, WhatsApp message content) — here the charter company is the controller and SailorLoop acts as a processor on its behalf, under a data processing agreement. If you are a guest and want to exercise your rights, you may contact your charter or us directly.
- Sign-up and marketing-contact data — here Digital Loop d.o.o. is the controller.
3. What data we collect
3.1. Charter company sign-ups
- company name, contact name, email, phone (optional);
- fleet size and current booking system (optional).
3.2. Charter guests (via the WhatsApp assistant)
- phone number (WhatsApp);
- name (from the booking or the WhatsApp profile);
- conversation content — the messages a guest sends and the assistant's replies. A transcript is personal data because it can contain a name, boat, location and anything else the guest types.
- preferences and conversation summaries (assistant memory) — durable notes the assistant derives from conversations for personalization (e.g. preferred language, dietary preferences, a summary of a previous charter). We do not store special-category data (health, religion, politics), payment data, or third-party data.
4. Purposes and legal basis
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Providing the WhatsApp concierge service to charter guests | Performance of the contract with the charter / the charter's legitimate interest in supporting its guests (Art. 6(1)(b) / (f)) |
| Processing a sign-up and contacting a prospective partner | Consent and/or pre-contractual steps (Art. 6(1)(a) / (b)) |
| Security, abuse prevention, error diagnostics | Legitimate interest (Art. 6(1)(f)) |
5. Recipients and sub-processors
We use carefully selected providers (sub-processors) to deliver the service, under data processing agreements:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | database, authentication, storage | EU (Frankfurt) |
| 360dialog / Meta (WhatsApp) | sending & receiving WhatsApp messages | EU (Frankfurt) |
| Anthropic, OpenAI, Google | AI processing of messages (language, replies, translation) | US — under SCCs, see §6 |
| Vercel | hosting the website and admin app | EU (Frankfurt) |
| Fly.io | hosting the bot and integration services | EU (Frankfurt) |
| Sentry | error monitoring | EU |
| Resend | sending email notifications | EU (Ireland) |
6. International transfers
Message content is sent to AI providers (Anthropic, OpenAI, Google) to generate replies. These providers also process data in the US. Transfers rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards. We require AI providers not to use API data to train their models and use the business (paid) service tiers that guarantee this.
7. Retention periods
- Conversation transcripts: deleted after 90 days.
- Assistant memory: invalidated notes are deleted after 90 days; all of a guest's notes are deleted on an erasure request (§8) and on automatic anonymization of an inactive guest.
- Guest identifiers (number, name, email): automatically anonymized after 730 days of inactivity, or immediately on an erasure request (Art. 17).
- Message-routing audit log: 90 days.
- Booking-system sync log: 365 days.
- Sign-up data: for as long as there is an interest in working together, or until consent is withdrawn.
8. Your rights
Under the GDPR you have the right to:
- access your data (Art. 15);
- rectify inaccurate data (Art. 16);
- erasure ("right to be forgotten", Art. 17) — on request we permanently delete your identifiers and redact the content of your messages;
- restriction (Art. 18), portability (Art. 20), and to object (Art. 21).
Send a request to info@digitalloop.hr. If you are a charter guest, you may also contact your charter.
9. Right to complain
You have the right to lodge a complaint with a supervisory authority — in Croatia this is the Personal Data Protection Agency (AZOP), azop.hr.
10. Cookies
We load analytics cookies (Google Analytics) only after your consent via the cookie banner. The IP address is anonymized. You can withdraw consent at any time.
11. Changes
We may update this policy from time to time. The date of the last change is shown at the top of the page.
12. Contact
Digital Loop d.o.o. · info@digitalloop.hr