Privacy Policy
Last updated: 2026-04-05
Important: This is a working draft that has not yet been reviewed by a qualified lawyer. It must be reviewed by legal counsel before being relied upon in a production environment.
1. Who We Are
MyVSSL Pty Ltd ("MyVSSL", "we", "us", "our") operates the MyVSSL platform, a marine services marketplace available at app.myvssl.com and this website at myvssl.com.
We are the data controller for personal information collected through the Platform and this website. Our privacy contact is privacy@myvssl.com.
This policy explains how we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
2. Scope of This Policy
This policy applies to personal information we collect about:
- Vessel owners (B2C users) who use the platform to manage their vessel and book services
- Marine professionals and their team members (B2B users) who use the platform to manage clients, vessels, and jobs
- Clients of marine professional organisations whose data is entered by a professional on their behalf
- Visitors to the myvssl.com website
It does not apply to information that has been de-identified or aggregated so that individuals cannot be identified.
3. What Personal Information We Collect
Account and identity information
- Name (first name, last name)
- Email address
- Password (stored as a hash -- we never store your plaintext password)
- Profile photo (optional)
- User role (vessel owner, professional, platform admin)
- Date and time of account creation and terms acceptance
Organisation and business information (B2B users)
- Organisation name, display name, and type
- Business address and operating locations
- Phone number and email address
- ABN / tax identification number
- Bank account details (name, account number, routing/BSB code, SWIFT/BIC) -- stored for invoicing and payment setup
- Business licence details
- Logo and branding assets
Vessel information
- Vessel details: name, type, make, model, hull identification number (HIN), dimensions, year
- Vessel location (home port or mooring address)
- Vessel photos
- Component details (engines, rigging, electronics, etc.)
- Service history and survey records
Client information (entered by marine professionals)
When a marine professional adds a client to the platform, they may provide us with:
- Client name and contact details (email, phone, address)
- Client vessel details (same as above)
- Survey and inspection records
- Job and service history
If you are a client of a marine professional using MyVSSL and you have questions about how your information is used, you should contact that professional directly. They are responsible for ensuring they have the right to share your information with us.
Booking, quote, and invoice data
- Service requests, booking details, and status history
- Quote line items, pricing, and acceptance records
- Invoice details, payment amounts, and payment status
- Transaction references (Airwallex payment intent IDs)
Communications
- Messages and notes exchanged between users on the platform
- Email communications sent via the platform (e.g. quote emails, invoice emails)
- Feedback and support requests submitted through the app
Technical and usage data
- IP address and approximate location (used for geo-detection and access control)
- Browser type and version, device type, operating system
- Pages visited, features used, session duration
- Error logs and crash reports
- Security audit events (login, failed login, account changes)
Information from third-party sign-in
If you sign in using Google or Apple, we receive your name and email address from those providers. We do not receive or store your Google or Apple password.
4. How We Collect Personal Information
We collect personal information in the following ways:
- Directly from you when you register, complete your profile, add a vessel, create a booking, or contact us
- From marine professionals who add you as a client or enter vessel data on your behalf
- From third-party sign-in providers (Google, Apple) when you use social login
- From payment processing via Airwallex when you set up payment processing or pay an invoice
- Automatically through your use of the platform (usage data, logs, device information)
- From optional AI data enrichment where you request vessel data to be populated from public sources (e.g. USCG HIN records, manufacturer data)
We will always tell you if collecting your information is optional and what the consequence of not providing it is. Most account information is required to use the platform; vessel details beyond the basics are optional.
5. Why We Use Your Personal Information
| Purpose | Categories of data used | Can you opt out? |
|---|---|---|
| Provide and operate the platform (account, vessels, bookings, quotes, invoices) | Account, vessel, booking, invoice data | No -- core service |
| Process payments via Airwallex | Account, invoice, banking data | No -- required for payment features |
| Send transactional emails (booking confirmations, quotes, invoices, notifications) | Name, email, booking/invoice details | No -- core service; you can turn off non-essential notifications |
| Verify your identity and prevent fraud | Account, IP address, login events | No |
| Provide customer support | Account, booking, and support request data | No |
| Comply with legal obligations (tax records, NDB scheme, court orders) | Invoice, identity, and transaction data | No |
| Improve the platform (aggregate usage analytics, error monitoring) | Usage and error data (anonymised or aggregated where possible) | Limited -- contact us |
| Geo-detection to show correct jurisdiction, currency, and compliance settings | IP address (not stored beyond the session) | No |
| Optional: MYOB accounting integration (if you connect MYOB) | Invoice, contact, and accounting data | Yes -- revoke via MYOB settings |
| Optional: AI vessel data enrichment (if you request it) | Vessel HIN, make/model | Yes -- feature is opt-in |
We do not use your personal information for advertising, sell it to third parties, or share it for marketing purposes.
6. Legal Basis for Processing
Under the Australian Privacy Principles, we collect and use personal information only where we have a legitimate reason to do so. Our legal bases are:
- Contract performance: To provide the platform services you have signed up for (core account, vessel, booking, invoicing features)
- Legal obligation: To comply with applicable law (e.g. retaining tax records for 7 years under Australian tax law, notifiable data breach reporting)
- Consent: For optional features such as MYOB integration, AI vessel enrichment, and marketing communications -- you can withdraw consent at any time
- Legitimate interests: For security monitoring, fraud prevention, and platform improvement, where these interests are not overridden by your privacy rights
8. Third-Party Processors
The following processors handle personal information on our behalf. Each is contractually bound to protect your data and use it only as directed by us.
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Google Firebase / Google Cloud | Authentication, database (Firestore), file storage, hosting, Cloud Functions | All platform data at rest and in transit | Australia and global Google Cloud regions; data residency for Firestore can be set to australia-southeast1 |
| Airwallex Pty Ltd | Payment processing for invoices; connected account onboarding (KYC/KYB) | Name, email, business details, invoice amounts, bank account details (for connected accounts) | Australia (Airwallex AU entity); some processing may occur in other Airwallex data centres |
| MYOB (optional) | Accounting integration: syncing invoices and contacts to your MYOB file | Invoice data, client contact details, line items | Australia (MYOB data centres); only if you connect your MYOB account |
| Brevo (formerly Sendinblue) | Transactional email delivery (booking confirmations, invoices, notifications) | Recipient email address, name, and email body content | EU / global; Brevo is EU GDPR-compliant |
| Google (sign-in) | Google Sign-In authentication | Name and email address returned from Google OAuth | Google global infrastructure |
| Apple (sign-in) | Apple Sign In authentication | Name and email address (or private relay email) returned from Apple OAuth | Apple global infrastructure |
When you use Airwallex or MYOB features, you enter a direct relationship with those providers and their terms and privacy policies also apply to you. Links to those policies are in our Terms and Conditions.
9. International Transfers
Some of our processors (including Google Firebase and Brevo) operate infrastructure outside Australia. When personal information is transferred internationally, we take reasonable steps to ensure it receives protection equivalent to that required under the Australian Privacy Principles, including by:
- Entering into data processing agreements with processors that include appropriate security and privacy obligations
- Selecting processors that operate under equivalent privacy frameworks (e.g. Brevo, which is EU GDPR-compliant)
- Using Google Cloud regions in Australia where available for primary data storage
By using the platform, you acknowledge that some data may be transferred internationally as described above.
10. Data Retention
We retain personal information for as long as necessary to provide the service, comply with legal obligations, and resolve disputes. The table below summarises our retention periods.
| Data category | Retention period | Reason |
|---|---|---|
| Account and profile data | Duration of account, plus 30 days after account deletion (to allow for recovery requests) | Service provision |
| Vessel and component data | Duration of account (deleted with account unless shared with another user) | Service provision |
| Invoices and financial records | 7 years from the invoice date | Australian tax law (Tax Administration Act 1953) |
| Booking and quote records | 3 years after completion or cancellation | Dispute resolution and legal claims |
| Security and audit logs | 13 months | MYOB Security Requirement; security incident investigation |
| Email delivery logs | 90 days | Deliverability troubleshooting |
| Anonymised usage analytics | Indefinite (no personal data retained) | Product improvement |
After the applicable retention period, personal information is securely deleted or de-identified. Financial records (invoices) are anonymised -- the financial data is retained but identifying information (names, addresses) is removed after 7 years unless required for ongoing legal proceedings.
If you close your account, most of your data is deleted within 30 days. Invoice and transaction data is retained in anonymised form for the required period above.
11. Your Rights
Under the Australian Privacy Principles, you have the following rights regarding your personal information:
Access
You have the right to request a copy of the personal information we hold about you. We will respond within 30 days. We may charge a reasonable fee for access requests that require significant effort to compile.
Correction
If any information we hold about you is inaccurate, incomplete, or out of date, you can correct most of it directly in the app (profile settings, vessel details). For information you cannot edit yourself, contact us and we will correct it within 30 days.
Deletion (right to erasure)
You can request deletion of your account and personal information at any time. You can initiate this from the account settings page in the app, or by emailing privacy@myvssl.com. On deletion:
- Your account, profile, and vessel data will be deleted within 30 days
- Invoice and financial records will be anonymised (PII removed) but retained for the legally required 7-year period
- Any active Airwallex connections will be disconnected
- Shared data (e.g. vessels shared with a marine professional) may remain in that professional's records in anonymised form
Withdraw consent
Where we rely on your consent (e.g. for MYOB integration, AI data enrichment), you can withdraw consent at any time from the relevant settings section in the app, without affecting the lawfulness of prior processing.
Opt out of non-essential communications
You can opt out of non-essential notifications (e.g. marketing updates, product news) via your notification preferences in the app. You cannot opt out of transactional emails that are necessary to operate the service (e.g. invoice emails, booking confirmations).
How to exercise your rights
To exercise any of the rights above, contact us at privacy@myvssl.com. We will acknowledge your request within 5 business days and respond within 30 days. We may need to verify your identity before fulfilling a request.
12. How We Protect Your Information
We implement security measures proportionate to the sensitivity of the data we hold, including:
- Encryption in transit: All data between your device and our servers is encrypted using TLS 1.2 or higher
- Encryption at rest: Sensitive data stored in our databases and file storage is encrypted at rest
- Access controls: Role-based access controls (RBAC) ensure users only access data appropriate to their role; organisation data is isolated per tenant
- Authentication: Password hashing, optional multi-factor authentication (MFA), and secure OAuth flows for third-party sign-in
- Token security: OAuth refresh tokens for integrations (e.g. MYOB) are encrypted with AES-256 before storage; encryption keys are stored separately in a secure key management service
- Security monitoring: Audit logging of key security events; anomaly detection via Firebase security rules
- Secure development: Code practices aligned to OWASP Top 10
No system is completely secure. If you believe your account has been compromised, contact us immediately at privacy@myvssl.com.
Data breach notification
If we become aware of a data breach that is likely to result in serious harm to individuals, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988. We aim to do so within 30 days of becoming aware of the breach.
13. Children's Privacy
The platform is intended for users aged 18 and over. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected information from a child, please contact us at privacy@myvssl.com and we will delete it promptly.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy on this page, update the "Last updated" date, and where reasonably practicable notify you by email or in-app notification at least 14 days before the changes take effect.
Your continued use of the platform after the effective date of an updated policy constitutes acceptance of the changes.
16. Contact Us and Complaints
Privacy contact
MyVSSL Pty Ltd
Privacy enquiries: privacy@myvssl.com
How to make a complaint
If you believe we have breached the Australian Privacy Principles or mishandled your personal information, please contact us first at privacy@myvssl.com. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5218, Sydney NSW 2001