Privacy Policy

Effective date: 6 June 2026

1. Who we are

ORDER YUZU LTD, trading as yuzu (“yuzu”, “we”, “us” or “our”), operates the orderyuzu.com platform — a B2B provisioning marketplace that connects superyacht crew and procurement officers with vetted marine suppliers worldwide. This policy explains what personal data we collect when you use yuzu, how we use it, and your rights over it.

ORDER YUZU LTD is the controller of the personal data described in this policy. It is registered in England and Wales (company number 15051969) and its registered office is at 6 Fleet Street, Brighton, BN1 4GS.

For questions about this policy, contact us at privacy@orderyuzu.com.

2. Data we collect

We collect the following categories of personal data:

Account dataName, email address, password (hashed — never stored in plain text), account creation date.

Vessel dataVessel name, IMO number, your role on board (e.g. Chief Stewardess, Bosun), and any crew you invite.

Order & quote dataProducts ordered, quantities, prices, delivery addresses, order status and history, budget codes assigned to orders.

Payment dataInvoiced amounts, payment method type (card or bank transfer). Full card numbers are handled solely by Stripe and are never stored on our servers.

Usage dataPages visited, search queries, actions taken within the app, browser/device type, IP address. Used to improve the platform.

Location dataIf you use the map view, your approximate device location (with your permission) is used only to orient the map. We do not store or log your GPS coordinates.

CommunicationsEmails we send you (order confirmations, quotes, invoices) and any support messages you send us.

3. How we use your data

We use your data to:

Create and manage your account and vessel profile.
Process quotes, orders, and payments between you and suppliers.
Send transactional emails — order updates, quote notifications, invoices, and delivery confirmations. These are not marketing emails and cannot be unsubscribed from while your account is active.
Display relevant suppliers near your vessel using approximate location (only when you grant permission).
Detect and prevent fraud, abuse, and security incidents.
Meet our legal obligations (tax records, financial regulations).
Improve and develop the platform using aggregated, anonymised analytics.

We do not sell your personal data. We do not use your data for advertising or profiling outside of yuzu.

4. Legal basis for processing (GDPR)

If you are in the European Economic Area, UK, or Switzerland, we process your personal data under the following legal bases:

Contract performanceProcessing your orders, managing your account, sending transactional communications.

Legitimate interestsPlatform security, fraud prevention, product analytics, improving our services.

Legal obligationRetaining financial records and complying with applicable law.

ConsentLocation access for map features (you can withdraw at any time in your device settings).

5. Who we share your data with

We share data only with third parties necessary to operate the platform. All sub-processors are contractually bound to protect your data.

Suppliers on yuzuWhen you submit a quote request or place an order, the relevant supplier receives your name, vessel name, delivery address, and order details. They receive no other personal data.

StripePayment processing. Stripe stores and processes card data under their own privacy policy; we only receive payment status and the last four digits of the card. stripe.com/privacy

Brevo (Sendinblue)Outbound transactional email. Your email address and name are passed to Brevo to send order, quote and account emails. brevo.com/legal/privacypolicy

PostmarkInbound email processing. If you reply to an order email, that message (sender, subject and body) is received and parsed via Postmark so it can be linked to your order. postmarkapp.com/eu-privacy-policy

Anthropic (Claude)AI text extraction and translation. When you import a list or document (photo, CSV, Excel or PDF), or when a supplier email needs translating, the content — which may contain names, addresses and order details — is sent to Anthropic’s API to extract structured items or translate text, and is used only to process that request. anthropic.com/legal/privacy

CloudinaryImage and document hosting. Files you upload — product images, delivery-confirmation photos, issue-report photos and vessel/compliance documents — are stored on Cloudinary. cloudinary.com/privacy

AlgoliaProduct search index. Search queries and the product catalogue are transmitted to Algolia; buyer searches are not associated with named individuals. algolia.com/policies/privacy

Google / FirebasePush notifications, maps and address lookup. Mobile device push tokens are processed via Firebase Cloud Messaging; the in-app map loads tiles from Google Maps; and address autocomplete sends the address text you type to Google Places. policies.google.com/privacy

ExpoMobile push delivery and app updates. Notifications to the mobile app are routed through Expo’s push service using your device push token. expo.dev/privacy-explained

RailwayCloud infrastructure hosting our API and database, on EU-region servers. railway.com/legal/privacy

VercelHosting and content delivery for our web apps. Requests to the web apps (including your IP address) pass through Vercel’s servers. vercel.com/legal/privacy-policy

SentryError monitoring. When an error occurs, diagnostic context — which may include your IP address, device/browser type and the action that failed — is sent to Sentry so we can fix it. sentry.io/privacy

Some of these sub-processors are located outside the European Economic Area (for example in the United States). Where personal data is transferred internationally, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses.

We may disclose your data to law enforcement or regulatory authorities if required by law.

6. Data retention

We retain your data for as long as your account is active, plus:

Order & financial records7 years — required by financial regulations in most jurisdictions.

Account dataDeleted within 30 days of a verified account deletion request, except where retention is legally required.

Usage logsRolling 90-day window, then automatically purged.

Email logs12 months, then automatically purged.

7. Your rights

Depending on your location, you may have some or all of the following rights:

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate data.
Erasure — request deletion of your data (subject to legal retention obligations).
Portability — receive your data in a structured, machine-readable format.
Objection — object to processing based on legitimate interests.
Restriction — ask us to pause processing while a dispute is resolved.
Withdraw consent — where processing is based on consent (e.g. location), you may withdraw at any time without affecting the lawfulness of prior processing.

To exercise any right, email privacy@orderyuzu.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

8. Cookies & tracking

yuzu uses a single session cookie (yuzu_session) to keep you logged in. It is an httpOnly, secure, first-party cookie and is deleted when you sign out or after 7 days of inactivity. We do not use advertising cookies, third-party tracking pixels, or fingerprinting.

9. Children

yuzu is a B2B platform intended for professional use by adults. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, please contact us and we will delete it promptly.

10. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify you by email and update the effective date above. Continued use of yuzu after the effective date constitutes acceptance of the revised policy.

11. Contact

All privacy enquiries should be directed to: privacy@orderyuzu.com.

yuzu • orderyuzu.com