eFleetWatch Privacy Policy

Effective Date: May 28, 2025

Heidmar Inc.

This Privacy Policy describes how Heidmar Inc. (“Heidmar,” “we,” “us,” or “our”) processes personal data in connection with the eFleetWatch™ platform, including the website at www.efleetwatch.com and the associated iOS and Android mobile applications (collectively, the “Platform”).

eFleetWatch is a private, business-to-business platform used to manage commercial maritime operations. Access is restricted to (a) authorised Heidmar personnel and (b) named representatives of organisations with which Heidmar has an established commercial relationship, including charterers, brokers, agents, suppliers, and pool partners. The Platform is not available to the general public, does not allow self-registration, is not directed to consumers, and is not directed to individuals under the age of 18.

In ordinary use the Platform processes a limited set of personal data: the business contact details (name, business email, business phone, employer, role) of the authorised users and of the counterparty representatives recorded against voyages, charters, claims, and similar commercial records. All other information processed by the Platform — such as vessel, voyage, freight, bunker, claims, accounting, and pool data — relates to organisations and assets rather than to identified or identifiable individuals.

1. Controller and Contact

Controller: Heidmar Inc., a corporation organised under the laws of the Republic of the Marshall Islands, with its registered office at Trust Company Complex, Ajeltake Road, Ajeltake Island, Majuro, Marshall Islands, MH96960, having lawfully established an office in Greece at Akti Miaouli 89, Piraeus, Greece, 18538. Heidmar is a wholly-owned subsidiary of Nasdaq-listed Heidmar Maritime Holdings Corp., acts as commercial manager of vessels, and has affiliated companies in London, Singapore, Hong Kong and Dubai.

Personal Data: Any information relating to an identified or identifiable natural person.

Privacy contact: email: , postal address: Akti Miaouli 89, Piraeus, Greece, 18538.

2. Scope and Applicable Law

This Policy applies to Personal Data processed through the Platform. It does not cover the underlying commercial agreements between Heidmar and the organisations whose representatives use the Platform, nor third-party sites or services linked from the Platform.

The Platform and its production data are hosted on infrastructure located in the European Union. Where the European Union General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) applies to the processing described here, including by virtue of Article 3(1) GDPR, this Policy is intended to give effect to the information requirements of Articles 13 and 14 GDPR.

3. Who Uses the Platform

Internal users: Heidmar employees and contractors operating in Operations, Claims, Accounting, Chartering, and supporting administrative or technical functions.

External users: Named representatives of charterers, brokers, agents, suppliers, and pool partners to whom access has been expressly granted.

Access is provisioned, reviewed, and revoked under Heidmar’s identity and access management procedures. Authentication is performed by a Heidmar-operated identity service. The Platform does not federate with social identity providers and does not integrate with advertising, marketing, or behavioural-tracking services. The Platform does not allow self-registration; accounts are issued only by Heidmar.

4. Personal Data We Process

The categories of personal data processed through the Platform are intentionally limited.

4.1 Business contact data

  • Full name;
  • Employer organisation and role/title;
  • Business email address;
  • Business telephone number.

4.2 Account and authentication data

  • Username and unique user identifier issued by the Heidmar identity service;
  • Authentication credentials in salted, hashed form (plaintext passwords are never stored);
  • Multi-factor authentication metadata, where MFA is enabled;
  • Role and permission assignments and the history of changes to them;
  • Password reset tokens and account-recovery metadata;
  • On mobile devices, the active session token is stored in local storage so that the user remains signed in between sessions.

4.3 Technical and security data

  • IP address used to access the Platform and approximate location derived from it;
  • Device, operating system, browser, and mobile application version information;
  • Session identifiers, login and logout timestamps, and session duration;
  • A platform indicator (web or mobile) included in each API request so that Heidmar can support and operate the relevant client;
  • Application, access, and security logs recording actions taken in the Platform (for example, records created, modified, or exported) with timestamps;
  • A single authentication cookie on the web Platform, and functionally equivalent on-device storage in the mobile applications, used to maintain a signed-in session.

4.4 Mobile crash diagnostics data

  • When the mobile application crashes, a crash report containing the stack trace and basic device metadata (device model, operating system version, application version) is sent to Sentry for the sole purpose of diagnosing application stability issues. Sentry is operated by Functional Software, Inc. (dba Sentry) and Heidmar uses the EU region of the Sentry service, so crash diagnostics described here are entirely processed within the European Economic Area. Heidmar does not use crash diagnostics for any other purpose.

4.5 Counterparty contact details recorded in commercial records

Commercial records in the Platform (voyages, charters, claims, invoices, and similar) frequently list the business contact details of counterparty representatives — for example, the operator, broker, agent, or supplier contact for a particular voyage. Heidmar processes those details as part of operating the commercial relationship.

4.6 Support communications

  • Support requests, helpdesk tickets, and related correspondence between users and Heidmar.

Beyond the categories above, the Platform processes commercial and operational information relating to organisations, vessels, voyages, and transactions. That information is not personal data and is processed under the underlying commercial agreements between Heidmar and the relevant counterparty organisation.

The Platform does not process special categories of personal data (Article 9 GDPR) and does not process criminal-offence data (Article 10 GDPR). Users should not enter such data into Platform fields.

5. Personal Data We Do Not Collect

To make the scope of the Platform explicit, Heidmar confirms that the Platform does not:

  • Access device GPS or other location data;
  • Access the device camera, microphone, photo library, contacts, calendar, health, motion, or biometric sensors;
  • Collect or use advertising identifiers (such as Apple’s IDFA or Android’s Advertising ID);
  • Use behavioural-advertising, marketing, or cross-app or cross-site tracking technologies;
  • Use third-party analytics SDKs to profile individual users. Google Analytics is disabled in the mobile applications.

Where map functionality is used in the Platform, maps are centred on vessel positions; the Platform does not request, display, or transmit the user’s own device location.

6. Sources of Personal Data

  • Directly from the user when an account is provisioned and through their use of the Platform;
  • From the user’s employer when nominating individuals for access;
  • Automatically from devices and browsers used to access the Platform (technical and security data);
  • From counterparty organisations or their representatives, when they identify a contact person for a commercial matter recorded in the Platform.

7. Purposes and Legal Bases

Heidmar processes personal data for the purposes set out below. Where the GDPR applies, the relevant legal bases are indicated.

7.1 Operating the Platform and managing access

Purpose: Provisioning and revoking accounts, authenticating users, delivering Platform functionality, and supporting users.

Legal basis: Performance of, and steps prior to, the contract under which the user’s organisation has access (Art. 6(1)(b) GDPR); and Heidmar’s legitimate interest in operating the Platform on behalf of its group and its counterparties (Art. 6(1)(f) GDPR).

7.2 Conducting the commercial relationship recorded in the Platform

Purpose: Maintaining and acting on commercial records relating to voyages, charters, claims, invoices, freight, bunkers, and pool participation, including by contacting the named business contacts of counterparties about those matters. Such records are handled in accordance with the master service agreement between Heidmar and the relevant counterparty organisation.

Legal basis: Heidmar’s legitimate interest in conducting and administering the commercial relationship with the counterparty organisation (Art. 6(1)(f) GDPR).

7.3 Security, integrity, and abuse prevention

Purpose: Detecting, investigating, and preventing unauthorised access, fraud, misuse, and other security incidents; maintaining audit and access logs.

Legal basis: Legitimate interest in protecting the Platform, its users, and Heidmar’s business (Art. 6(1)(f) GDPR); and, where applicable, compliance with a legal obligation (Art. 6(1)(c) GDPR).

7.4 Legal and regulatory compliance

Purpose: Complying with applicable laws and regulations to which Heidmar and the wider group are subject, including financial reporting, tax, sanctions screening, anti-money-laundering, maritime, and audit requirements, and responding to lawful requests from competent authorities.

Legal basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR) and legitimate interest in maintaining accurate records (Art. 6(1)(f) GDPR).

7.5 Maintaining and improving the Platform

Purpose: Diagnosing and fixing application defects (including using crash diagnostics on the mobile applications) and understanding how the Platform performs in order to maintain stability and develop functionality. Where practicable, this is done with aggregated and de-identified data.

Legal basis: Legitimate interest in maintaining and improving the Platform (Art. 6(1)(f) GDPR).

7.6 Operational communications and push notifications

Purpose: Sending operational and security notifications, service announcements, scheduled maintenance notices, and policy updates, including via push notifications on the mobile applications where the user has enabled them. Heidmar does not use the Platform for marketing communications.

Legal basis: Performance of contract (Art. 6(1)(b) GDPR) and legitimate interest in operating the Platform reliably (Art. 6(1)(f) GDPR).

8. Cookies and Equivalent Technologies

The web Platform sets a single authentication cookie that is strictly necessary to keep a user signed in during a session. The mobile applications use functionally equivalent on-device storage for the same purpose.

Because this cookie is strictly necessary to deliver a service that the user has expressly requested, consent is not required under Article 5(3) of Directive 2002/58/EC (the ePrivacy Directive) as transposed into national law.

The Platform does not use advertising cookies, analytics cookies, cross-site tracking, or third-party tracking pixels.

9. Who Sees Personal Data

Personal data processed through the Platform is disclosed only as follows.

9.1 Within Heidmar and its affiliated companies

Authorised Heidmar personnel and affiliated entities access personal data on a need-to-know basis to operate, administer, and secure the Platform and to act on the commercial records it contains.

9.2 Visibility between counterparties

The Platform is partitioned so that an external user organisation sees only the records that relate to that organisation. By way of illustration:

  • A pool partner sees its own vessels’ contribution to the pools in which it participates and the aggregate totals for those pools; it does not see records, contributions, or contact details of other pool participants.
  • A pool partner does not see, and cannot access, pools in which it does not participate.
  • Charterers, brokers, agents, and suppliers see only the records and contact information that relate to their own engagement with Heidmar.

Heidmar personnel see records across counterparties to the extent necessary to perform their role.
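The visibility rules above describe a tenant-partitioned read model: a pool partner sees its own rows and the pool aggregate, nothing from other participants, and nothing at all for pools it is not in, while Heidmar staff see across counterparties. The following is an added illustration of how such a rule is enforced server-side on every read, so that a caller cannot reach another organisation's rows or contact details by guessing an identifier. It is example code, not eFleetWatch code; the record shape, the in-memory sample data, and the names `Contribution`, `User`, `PoolLedger` and `HEIDMAR_ORG` are all constructed for this example.

```python
"""Tenant-scoped read model for pool records (hypothetical, constructed example).

Not eFleetWatch code. Every name and every row of sample data below is an
assumption made for illustration only.
"""
from dataclasses import dataclass

HEIDMAR_ORG = "heidmar"  # assumption: internal staff carry a fixed org id


@dataclass(frozen=True)
class Contribution:
    pool_id: str
    org_id: str   # the pool partner whose vessel this is
    vessel: str
    amount: float # contribution to the pool for the period
    contact: str  # business contact recorded against the record


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str
    internal: bool = False  # True only for Heidmar personnel


class PoolAccessDenied(PermissionError):
    """Raised for non-members; identical for unknown pools so nothing leaks."""


class PoolLedger:
    def __init__(self, contributions):
        self._rows = list(contributions)

    def _member_orgs(self, pool_id):
        return {r.org_id for r in self._rows if r.pool_id == pool_id}

    def can_access(self, user, pool_id):
        """Deny by default: only staff or a current participant may read a pool."""
        return user.internal or user.org_id in self._member_orgs(pool_id)

    def pool_view(self, user, pool_id):
        """Return the partitioned view of `pool_id` for `user`.

        Staff get every row. A participant gets only its own rows plus the
        pool total; other participants' rows (and their contacts) are filtered
        out before anything is returned. Non-participants are refused.
        """
        if not self.can_access(user, pool_id):
            raise PoolAccessDenied(pool_id)
        rows = [r for r in self._rows if r.pool_id == pool_id]
        pool_total = sum(r.amount for r in rows)
        if user.internal:
            return {"pool_id": pool_id, "rows": rows, "pool_total": pool_total}
        own = [r for r in rows if r.org_id == user.org_id]
        return {
            "pool_id": pool_id,
            "rows": own,
            "own_total": sum(r.amount for r in own),
            "pool_total": pool_total,
        }


# Constructed sample data: two pools, two partner organisations.
SAMPLE = [
    Contribution("pool-a", "org-1", "MV Alpha", 120.0, "ops@org-1.example"),
    Contribution("pool-a", "org-2", "MV Beta", 80.0, "ops@org-2.example"),
    Contribution("pool-b", "org-2", "MV Gamma", 50.0, "ops@org-2.example"),
]


if __name__ == "__main__":
    ledger = PoolLedger(SAMPLE)
    partner = User("u1", "org-1")
    print(ledger.pool_view(partner, "pool-a"))   # own row + pool total only
    print(ledger.can_access(partner, "pool-b"))  # False: not a participant
    staff = User("h1", HEIDMAR_ORG, internal=True)
    print(len(ledger.pool_view(staff, "pool-a")["rows"]))  # 2
```

The point worth checking in any real implementation is that the filter is applied in the data-access layer, keyed on the authenticated user's organisation, rather than trusting an organisation identifier supplied by the client; and that a non-member and a non-existent pool produce the same refusal, so the response does not reveal which pools exist.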

9.3 Service providers (processors and sub-processors)

Heidmar engages third-party service providers acting on its instructions, including:

  • EU-based cloud hosting and infrastructure providers;
  • Email delivery and notification providers;
  • Backup, disaster recovery, and archiving providers;
  • Application logging, observability, and security monitoring providers;
  • Mapping and map-tile providers used to render maps centred on vessel positions in the Platform.

For the mobile applications specifically, Heidmar uses Functional Software, Inc. (dba Sentry) to receive crash reports (stack trace and basic device metadata, as described in Section 4.4) for diagnosing application stability issues. The EU region of the Sentry service is used so that crash diagnostics are processed within the European Economic Area.

Each service provider engaged by Heidmar to process personal data on Heidmar’s behalf is engaged under a written data processing agreement that satisfies Article 28 GDPR and imposes confidentiality, security, and processing restrictions consistent with this Policy.

9.4 Professional advisers and auditors

Personal data may be disclosed to Heidmar’s auditors, legal advisers, insurers, and similar professional advisers, where necessary for legal, regulatory, insurance, audit, compliance or business purposes under appropriate duties of confidentiality and data protection.

9.5 Authorities and legal disclosures

Personal data may be disclosed to courts, regulators, law enforcement, and other public authorities where required by law, court order, or other binding legal process, including in connection with the reporting and audit obligations applicable to the Heidmar group.

9.6 Corporate transactions

In the event of a merger, acquisition, financing, reorganisation, sale of assets, or insolvency, personal data may be transferred to the relevant counterparty subject to appropriate confidentiality and data protection obligations.

Heidmar does not sell personal data and does not disclose personal data for advertising or marketing purposes.

10. International Data Transfers

The Platform and its production data are hosted in the European Union. Heidmar does not, in the ordinary course, transfer personal data processed through the Platform outside the European Economic Area.

Limited transfers may occur and are addressed by appropriate safeguards under Chapter V GDPR:

  • Ad-hoc transfers necessary to provide remote support to an authorised user located in a third country, or to comply with a binding legal obligation. Heidmar relies on adequacy decisions where available and Standard Contractual Clauses where required.

Information about the safeguards used in a particular case is available on request from the contact in Section 1.

11. Retention

Heidmar retains personal data only for as long as is necessary for the purposes set out in this Policy. In particular:

  • Account data: for the duration of the user’s authorisation and for a reasonable period thereafter for audit, dispute, and access-revocation purposes;
  • Counterparty contact details recorded in commercial records: for as long as required to administer the underlying commercial relationship and to meet the accounting, tax, audit, and maritime record-keeping obligations applicable to Heidmar;
  • Authentication and security logs: for a period proportionate to the security and compliance purposes for which they are kept;
  • Mobile session tokens and push notification tokens: held while a device remains enrolled and removed on sign-out, on token refresh, or when the application is uninstalled;
  • Crash reports: retained in accordance with the retention periods applied by the crash-reporting service described in Section 4.4 (Sentry, EU region);
  • Support communications: for as long as needed to resolve the matter and as required by applicable law.

We may retain personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation.

When personal data is no longer required, Heidmar deletes it or anonymises it. Where deletion is not technically feasible, Heidmar isolates the data from further processing until deletion is possible.

12. Security

Heidmar operates an information security programme aligned with recognised standards, including ISO/IEC 27001 principles. Technical and organisational measures include role-based access control, multi-factor authentication, encryption in transit, application and infrastructure logging and monitoring, vulnerability and patch management, backup and recovery, supplier risk management, and security awareness training.

No system can be guaranteed to be fully secure. Users are required to keep their authentication credentials confidential, to use multi-factor authentication where it is offered, and to notify Heidmar without undue delay of any suspected compromise or unauthorised access.

13. Your Rights

Subject to applicable law, individuals whose personal data is processed through the Platform have the following rights:

  • To be informed about the processing of their personal data (Art. 13–14 GDPR);
  • To access their personal data and obtain a copy (Art. 15 GDPR);
  • To request rectification of inaccurate or incomplete data (Art. 16 GDPR);
  • To request erasure, subject to applicable retention obligations and other exemptions (Art. 17 GDPR);
  • To request restriction of processing (Art. 18 GDPR);
  • To object to processing carried out on the basis of legitimate interests (Art. 21 GDPR);
  • To data portability where the conditions of Art. 20 GDPR are met;
  • Where Heidmar relies on consent to process personal data, to withdraw that consent at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal;
  • To lodge a complaint with a supervisory authority, including, in particular, the Hellenic Data Protection Authority (HDPA) (dpa.gr) or the supervisory authority of the individual’s habitual residence or place of work.

Requests should be sent to the privacy contact in Section 1. Heidmar may need to verify the requester’s identity before responding. Where personal data is processed by Heidmar in the context of the requester’s employment, certain requests may need to be directed in the first instance to the employer organisation, and Heidmar will inform the requester accordingly.

14. Automated Decision-Making

The Platform does not make decisions producing legal effects, or similarly significantly affecting individuals, on the basis of solely automated processing within the meaning of Article 22 GDPR.

15. Mobile Applications

Heidmar provides iOS and Android mobile applications that connect to the same backend service as the web application. The mobile applications:

  • Use on-device storage equivalent to the web authentication cookie to keep a user signed in;
  • Send push notifications via Google Firebase Cloud Messaging, where the user has enabled push notifications. Push notifications are used for operational events only and can be disabled at any time in the device settings;
  • Send crash reports to the crash-reporting service described in Section 4.4 (Sentry, EU region) when the application crashes, containing the stack trace and basic device metadata for diagnostic purposes only;
  • Do not access device location, the camera, the photo library, contacts, the microphone, or other sensors;
  • Do not use advertising identifiers and do not integrate with third-party advertising or analytics SDKs (the bundled Google Analytics SDK is disabled).

Where the user later chooses to disable push notifications at the operating system level, no further push notification tokens are processed for that device.

16. Changes to This Policy

Heidmar may update this Policy from time to time. The “Effective Date” above indicates when the current version took effect. Where changes are material — for example, the activation of a mobile feature that requires access to a device permission not previously used — authorised users will be notified through the Platform or by another appropriate means before the changes take effect.


— End of Policy —