Effective date: May 7, 2026 · Last updated: May 7, 2026
CanalClear ("we," "us," "our") provides maritime compliance software that automates filing and documentation for Panama Canal (VUMPA/PCSOPEP), Suez Canal (SCA/SCNT), and Bosporus Strait (SP-1) transits. Our platform is available at canalclear.org.
For GDPR purposes, CanalClear acts as the data controller for personal data collected through our website and platform. For vessel data processed on behalf of our customers, CanalClear acts as a data processor.
Data Controller Contact:
Email: privacy@canalclear.org
Subject line: "Privacy Inquiry"
We collect the following categories of data:
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, company name, phone number | Registration & lead forms |
| Vessel & fleet data | Vessel name, IMO number, flag state, vessel type, cargo class, tonnage, call sign, hull ID | User input during filing |
| Compliance data | VUMPA submissions, PCSOPEP documents, SCA Transit Requirement Sheets, hazmat declarations, ISPS notifications | User input & generated filings |
| Payment data | Billing name, last 4 digits of card, billing address, subscription tier | Stripe (we do not store full card numbers) |
| Usage data | Pages visited, features used, filing activity, error events | Automatic (server logs, analytics) |
| Technical data | IP address (hashed for storage), browser type, device type, session ID | Automatic (HTTP headers) |
| Communication data | Email content when you contact us or respond to product emails | Direct communication |
Note on vessel data: Vessel information (IMO numbers, cargo manifests, VUMPA filings) may constitute commercially sensitive or regulated data. We treat this data with the highest level of confidentiality. It is never shared, sold, or used for advertising.
We do not sell your personal data. We do not use your vessel data or compliance filings to train AI models or share with competitors.
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we rely on the following legal bases under GDPR Article 6:
| Processing Activity | Legal Basis |
|---|---|
| Delivering the compliance filing service | Performance of a contract (Art. 6(1)(b)) |
| Billing and payment processing | Performance of a contract (Art. 6(1)(b)) |
| Product update emails and filing reminders | Legitimate interests (Art. 6(1)(f)) — keeping subscribers informed about their active filings |
| Marketing emails (newsletter, new features) | Consent (Art. 6(1)(a)) — opt-in at registration |
| Security, fraud prevention, abuse detection | Legitimate interests (Art. 6(1)(f)) |
| Legal obligations and regulatory compliance | Legal obligation (Art. 6(1)(c)) |
| Analytics and platform improvement | Legitimate interests (Art. 6(1)(f)) — aggregate and anonymized |
We use the following third-party services to operate the platform. Each operates under its own privacy policy:
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing & subscription management | Billing name, email, payment card (tokenized), billing address |
| Cloudflare / R2 | Infrastructure hosting, CDN, file storage | Generated documents, uploaded files, network traffic |
| Render | Application hosting and deployment | Server logs, application data at rest |
| Neon / PostgreSQL | Database hosting | All structured user and vessel data |
| Google Analytics | Website traffic analytics | Anonymized page views, device/browser type, geographic region |
| Postmark | Transactional email delivery | Recipient email address and email content |
We do not permit any third-party service to use your personal data for their own marketing, advertising, or analytics purposes beyond what is necessary to provide the service to us.
We retain your data only as long as necessary for the purposes described in this policy, and in accordance with applicable law:
| Data Type | Retention Period |
|---|---|
| Account & profile data | Duration of active subscription + 90 days after account closure |
| Compliance filings & vessel records | 7 years (maritime regulatory record-keeping requirements) |
| Billing records | 7 years (financial/tax compliance) |
| Server & access logs | 90 days |
| Analytics data (anonymized) | 36 months |
| Marketing email preferences | Until opt-out or account deletion |
Deletion requests: You may request deletion of your personal data at any time by emailing privacy@canalclear.org. We will fulfill deletion requests within 30 days, subject to our legal obligation to retain certain compliance records.
Important: Compliance filings (VUMPA, SCA submissions, etc.) may be subject to mandatory retention under maritime regulations. We are required to retain these records for a minimum of 7 years and cannot delete them during this period, even upon request.
If you are located in the EEA, UK, or Switzerland, you have the following rights under GDPR:
Request a copy of the personal data we hold about you.
Request correction of inaccurate or incomplete personal data.
Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
Receive your data in a structured, machine-readable format and transfer it to another controller.
Ask us to pause processing of your data in certain circumstances.
Object to processing based on legitimate interests, including direct marketing.
Withdraw consent at any time where processing is based on consent, without affecting prior processing.
Lodge a complaint with your local data protection authority (e.g., the relevant EU supervisory authority).
To exercise any of these rights, email privacy@canalclear.org with the subject line "GDPR Request." We will respond within 30 days. We may need to verify your identity before fulfilling the request.
We use cookies and similar technologies to operate and improve the platform. Here is what we set:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
cc_token |
Authentication — keeps you logged in to your account | Session / 30 days | Strictly necessary |
cc_sid |
Anonymous session identifier for usage analytics | 1 year | Analytics (functional) |
cc_utm |
Remembers campaign source (UTM parameters) for referral attribution | 30 minutes | Analytics (functional) |
_ga / _gid |
Google Analytics — anonymized pageview and traffic tracking | 2 years / 24 hours | Analytics (third-party) |
cc_cookie_consent |
Stores your cookie consent choice | 1 year | Strictly necessary |
You can control cookies through your browser settings. Disabling strictly necessary cookies will prevent you from logging in. Disabling analytics cookies will not affect your ability to use the platform.
Google Analytics is configured with IP anonymization enabled. We do not use advertising, targeting, or cross-site tracking cookies.
CanalClear operates with infrastructure hosted primarily in the United States (Render, Neon, Cloudflare). If you are located in the EEA or UK, your data may be transferred to and processed in the United States.
Where we transfer data outside the EEA/UK, we rely on one or more of the following safeguards:
You may request a copy of the relevant transfer safeguards by emailing privacy@canalclear.org.
We implement industry-standard security measures to protect your data:
If you discover a security vulnerability, please report it responsibly to security@canalclear.org. Do not publicly disclose potential vulnerabilities before contacting us.
No system is perfectly secure. If a data breach occurs that affects your personal data, we will notify you and relevant authorities as required by applicable law, typically within 72 hours of becoming aware of the breach (GDPR Art. 33–34).
CanalClear is a professional B2B software platform intended for maritime industry professionals. We do not knowingly collect personal data from individuals under 16 years of age. If you believe a minor has submitted data to us, contact privacy@canalclear.org and we will promptly delete it.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) and update the "Last updated" date at the top of this page. Continued use of the platform after the effective date of any changes constitutes acceptance of the updated policy.
We will not retroactively reduce your rights under this policy without your explicit consent.
For any privacy-related inquiries, rights requests, or complaints:
Email: privacy@canalclear.org
Subject line: "Privacy Inquiry" or "GDPR Request"
Response time: We aim to respond within 5 business days. Rights requests (access, erasure, portability) are fulfilled within 30 days as required by GDPR.
You also have the right to lodge a complaint with a supervisory authority. In the EU, this is the data protection authority in your country of residence. In the UK, this is the Information Commissioner's Office (ICO).