Privacy Notice pursuant to EU Regulation 2016/679 (GDPR)
1. DATA CONTROLLER
The Data Controller for personal data collected through the website www.captainsandcrew.co.uk is:
Captains and Crew LTD
2nd Floor, Windsor House
40/41 Great Castle Street
London W1W 8LU
United Kingdom
Data Protection Officer: Mr. Ugo Carsana
Contact:
For all privacy-related inquiries, please visit our contact page
2. TYPES OF DATA COLLECTED
2.1 Data You Provide Voluntarily
We collect the following personal data that you voluntarily provide through contact forms, information requests, or course registrations:
- Personal information: first name, last name, date of birth
- Contact details: email address, phone number, postal address
- Vessel information: boat characteristics, departure/arrival dates and locations (for delivery services)
- Professional data: nautical experience, certifications held, training objectives
- Other information: any additional information provided in communications with us
2.2 Data Collected Automatically
While you browse the site, we automatically collect:
- Navigation data: IP address, browser type, operating system, pages visited, visit duration, referrer
- Cookies: for more information, please see our Cookie Policy
2.3 Sensitive Data
We do not intentionally collect special categories of personal data (sensitive data) under Article 9 GDPR. Should you voluntarily provide such data, processing will only occur with your explicit consent.
3. PURPOSE AND LEGAL BASIS OF PROCESSING
Your personal data is processed for the following purposes:
3.1 Contractual Purposes (legal basis: contract performance – Art. 6.1.b GDPR)
- Managing yacht delivery quotation requests
- Organization and management of nautical transfers
- Managing registrations for Academy training courses
- Provision of requested services (delivery, yacht owner support, problem solving)
- Service-related communications (dates, schedules, changes)
- Administrative and accounting management
- Compliance with legal obligations (tax, insurance, maritime)
3.2 Consent-Based Purposes (legal basis: consent – Art. 6.1.a GDPR)
- Sending newsletters and commercial communications
- Sending information about new courses, events, promotions, and services
- Direct marketing
- Requesting feedback and service reviews
Consent may be withdrawn at any time without affecting the lawfulness of processing based on consent before its withdrawal.
3.3 Legitimate Interest Purposes (legal basis: legitimate interest – Art. 6.1.f GDPR)
- Improving services offered
- Anonymous statistical analysis of site usage
- Fraud and abuse prevention
- Protection of rights in legal proceedings
- Navigation and user security
4. PROCESSING METHODS
Personal data is processed using electronic and paper-based tools, with logic strictly related to the stated purposes and with adequate security measures to ensure data confidentiality and integrity.
Processing is carried out through:
- Secure servers located within the European Union
- Regular and redundant backup systems
- Encryption protocols for data transmission (SSL/TLS)
- Access limited to authorized personnel only
- Documented data management procedures
- Periodic security audits
5. DATA RECIPIENTS
Your personal data may be communicated to:
5.1 Internal Recipients
- Authorized personnel of Captains and Crew (captains, instructors, administrative staff, delivery crew)
5.2 External Recipients
- IT service providers: hosting, website maintenance, server management, cloud services
- Email marketing service providers (with adequate GDPR safeguards)
- Insurance companies: for managing insurance coverage related to deliveries
- Banking institutions: for payment processing
- Professionals and consultants: accountants, lawyers, maritime consultants
- Public authorities: when required by law (Coast Guard, Maritime Authorities, Tax Agencies, HMRC, etc.)
- Commercial partners: shipyards, charter companies, yacht brokers (only with your consent)
All external parties operate as Data Processors or as independent Data Controllers, ensuring adequate levels of data protection in compliance with GDPR.
6. DATA TRANSFERS OUTSIDE THE EU
Given the international nature of our services (ocean deliveries, international training), some data may be transferred to countries outside the EU, including the United Kingdom.
The United Kingdom has been recognized by the European Commission as a country ensuring an adequate level of personal data protection (adequacy decision).
For any other extra-EU transfers, we ensure they occur based on:
- European Commission adequacy decisions
- Standard contractual clauses approved by the European Commission
- Other appropriate safeguards provided by GDPR (Art. 46)
Some services used (e.g., Google Analytics) may involve data transfers to the USA based on the new EU-US Data Privacy Framework.
7. RETENTION PERIOD
Personal data is retained for the time strictly necessary to achieve the purposes for which it was collected:
- Contractual data (delivery, courses): for the entire duration of the contractual relationship and for 10 years thereafter (tax and civil statute of limitations)
- Insurance data: for the terms provided by applicable insurance and maritime regulations
- Marketing data: until consent is withdrawn or for a maximum of 24 months from the last interaction
- Navigation data and logs: up to 12 months
- Analytics cookies: up to 26 months
- Data necessary for legal obligations: for the time required by applicable regulations (UK and Italy)
- Litigation-related data: until the dispute is resolved and appeal deadlines expire
After these periods, data will be deleted or anonymized irreversibly.
8. DATA SUBJECT RIGHTS
Under Articles 15-22 of GDPR, you have the right to:
8.1 Right of Access (Art. 15)
Obtain confirmation that processing of your personal data is underway and, if so, obtain access, a copy, and information about the processing.
8.2 Right to Rectification (Art. 16)
Obtain without undue delay the rectification of inaccurate data or the completion of incomplete data.
8.3 Right to Erasure – “Right to be Forgotten” (Art. 17)
Obtain erasure of personal data, unless there are legitimate grounds for their retention (legal obligations, defense in legal proceedings, etc.).
8.4 Right to Restriction (Art. 18)
Obtain restriction of processing when one of the cases provided by Art. 18 GDPR applies (e.g., contesting data accuracy, objecting to processing).
8.5 Right to Data Portability (Art. 20)
Receive the personal data concerning you in a structured, commonly used, and machine-readable format, and transmit it to another controller without hindrance.
8.6 Right to Object (Art. 21)
Object at any time, for reasons related to your particular situation, to processing of personal data based on legitimate interest or for direct marketing purposes.
8.7 Right to Withdraw Consent (Art. 7)
Withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
8.8 Right Not to Be Subject to Automated Decision-Making (Art. 22)
Not be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects you.
8.9 Right to Lodge a Complaint
Lodge a complaint with a competent supervisory authority.
9. HOW TO EXERCISE YOUR RIGHTS
To exercise your rights or for any request related to the processing of your personal data, you can contact us through our contact page or by mail:
Captains and Crew LTD
2nd Floor, Windsor House
40/41 Great Castle Street
London W1W 8LU
United Kingdom
Data Protection Officer: Mr. Ugo Carsana
We will respond within 30 days of your request, providing all necessary information. In cases of particular complexity, the deadline may be extended by an additional 60 days, with prior notice and explanation.
10. COMPLAINTS TO SUPERVISORY AUTHORITIES
You have the right to lodge a complaint with Data Protection Supervisory Authorities if you believe that the processing of your data violates GDPR:
For the United Kingdom:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Tel: +44 303 123 1113
Web: www.ico.org.uk
For Italy:
Garante per la protezione dei dati personali
Piazza Venezia, 11 – 00187 Roma
Tel: +39 06 696771
Web: www.garanteprivacy.it
11. CHANGES TO THIS PRIVACY POLICY
We reserve the right to modify or update this Privacy Policy at any time to reflect changes in our services, applicable regulations, or data processing practices.
Changes will be posted on this page with an indication of the last update date. We invite you to periodically consult this page to stay informed about how we protect your personal data.
In case of substantial changes, we will inform you through a notice on the site or via email, if we have your address.
12. COOKIES AND TRACKING TECHNOLOGIES
Our site uses cookies and similar technologies. For detailed information on cookie usage, types used, and how to manage them, please see our Cookie Policy.
13. DATA SECURITY
The security of your personal data is our absolute priority. We adopt adequate technical and organizational security measures to protect your personal data from unauthorized access, loss, destruction, alteration, or accidental disclosure.
Technical measures:
- SSL/TLS encryption (HTTPS) for all communications
- Advanced firewalls and intrusion detection systems
- Constantly updated antivirus and anti-malware software
- Regular secure data backups with geographic redundancy
- Protected servers with authenticated and logged access
- Timely security updates
Organizational measures:
- Data access policies based on the “need to know” principle
- Continuous staff training on data protection and IT security
- Documented procedures for data and incident management
- Confidentiality agreements with all authorized personnel
- Periodic security audits and Data Protection Impact Assessments (DPIA)
- Data breach management procedures compliant with Art. 33 GDPR
In case of a personal data breach that poses a high risk to your rights and freedoms, we will inform you without undue delay, as required by Art. 34 GDPR.
14. MINORS
Our professional delivery and consulting services are not intended for individuals under 18 years of age.
Regarding Academy training courses, we accept registrations from minors under 18 only with explicit and verifiable consent from parents or those exercising parental responsibility, in accordance with Art. 8 GDPR.
If we become aware that we have collected personal data from a minor without appropriate parental consent, we will take immediate steps to delete such information.
15. LINKS TO THIRD-PARTY SITES
Our site may contain links to third-party websites. We are not responsible for the privacy practices of such external sites. We encourage you to read the privacy policies of each website you visit.
16. SOCIAL MEDIA
We use social media (Facebook, Instagram, LinkedIn) to communicate with our customers and promote our services. When you interact with us through social media, your information is subject to the privacy policies of the relevant social platform.
17. SPECIFIC PROCESSING
17.1 Yacht Deliveries
For yacht delivery services, we may collect additional data relating to:
- Vessel technical characteristics
- Nautical and insurance documentation
- Geolocation data during transfer (for safety and tracking)
- Weather and sea conditions and navigation logs
- Any incidents or issues during delivery
This data is processed exclusively for service execution, navigation safety, and insurance and legal compliance.
17.2 Academy Training Courses
For training courses, we may collect:
- Nautical experience level and certifications held
- Medical documents (physical fitness certificate)
- Data relating to performance during courses (for training purposes only)
- Photos and videos during educational activities (only with explicit consent)
17.3 Newsletter and Marketing Communications
If you subscribe to our newsletter, we will use your email address exclusively to send you:
- Updates on new services and courses
- Special offers and promotions
- News from the yachting world
You can unsubscribe at any time by clicking the “unsubscribe” link in every email.
18. LEGAL BASIS OF PROCESSING – SUMMARY
| Purpose | Legal Basis | GDPR Article |
|---|---|---|
| Management of delivery and course contracts | Contract performance | Art. 6.1.b |
| Tax and legal compliance | Legal obligation | Art. 6.1.c |
| Newsletter and marketing | Consent | Art. 6.1.a |
| Service improvement and analytics | Legitimate interest | Art. 6.1.f |
| Security and fraud prevention | Legitimate interest | Art. 6.1.f |
| Protection of rights in legal proceedings | Legitimate interest | Art. 6.1.f |
19. CONSENT AND INFORMATION
19.1 Method of Obtaining Consent
Consent is obtained through:
- Specific checkbox selections in contact forms
- Explicit acceptance during course registration
- Opt-in for newsletter and commercial communications
- Cookie banner for non-essential cookies
19.2 Characteristics of Valid Consent
The consent we request is:
- Freely given: you can refuse without negative consequences
- Specific: separate for each purpose
- Informed: preceded by this notice
- Unambiguous: requires explicit positive action
- Revocable: you can easily withdraw it at any time
20. CONTACT AND INFORMATION
For any questions, clarification, or requests related to this Privacy Policy or the processing of your personal data, please contact us:
Captains and Crew LTD
2nd Floor, Windsor House
40/41 Great Castle Street
London W1W 8LU
United Kingdom
Data Protection Officer: Mr. Ugo Carsana
Contact: https://www.captainsandcrew.co.uk/contact/
Website: www.captainsandcrew.co.uk
Last updated: February 2, 2026
Captains and Crew LTD
Registered in England and Wales
APPENDIX – DEFINITIONS
Personal data: any information relating to an identified or identifiable natural person.
Processing: any operation or set of operations performed on personal data (collection, recording, organization, storage, consultation, use, communication, deletion, etc.).
Data Controller: the natural or legal person who determines the purposes and means of processing personal data.
Data Processor: the natural or legal person who processes personal data on behalf of the controller.
Data Subject: the natural person to whom the personal data relates.
Consent: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they agree to the processing of their data.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data.