Privacy Policy

Effective date: 25 April 2026

1. Who we are

Yuzu (“we”, “us”, “our”) operates the orderyuzu.com platform — a B2B provisioning marketplace that connects superyacht crew and procurement officers with vetted marine suppliers worldwide. This policy explains what personal data we collect when you use Yuzu, how we use it, and your rights over it.

For questions about this policy, contact us at privacy@orderyuzu.com.

2. Data we collect

We collect the following categories of personal data:

Account dataName, email address, password (hashed — never stored in plain text), account creation date.

Vessel dataVessel name, IMO number, your role on board (e.g. Chief Stewardess, Bosun), and any crew you invite.

Order & quote dataProducts ordered, quantities, prices, delivery addresses, order status and history, budget codes assigned to orders.

Payment dataInvoiced amounts, payment method type (card or bank transfer). Full card numbers are handled solely by Stripe and are never stored on our servers.

Usage dataPages visited, search queries, actions taken within the app, browser/device type, IP address. Used to improve the platform.

Location dataIf you use the map view, your approximate device location (with your permission) is used only to orient the map. We do not store or log your GPS coordinates.

CommunicationsEmails we send you (order confirmations, quotes, invoices) and any support messages you send us.

3. How we use your data

We use your data to:

Create and manage your account and vessel profile.
Process quotes, orders, and payments between you and suppliers.
Send transactional emails — order updates, quote notifications, invoices, and delivery confirmations. These are not marketing emails and cannot be unsubscribed from while your account is active.
Display relevant suppliers near your vessel using approximate location (only when you grant permission).
Detect and prevent fraud, abuse, and security incidents.
Meet our legal obligations (tax records, financial regulations).
Improve and develop the platform using aggregated, anonymised analytics.

We do not sell your personal data. We do not use your data for advertising or profiling outside of Yuzu.

4. Legal basis for processing (GDPR)

If you are in the European Economic Area, UK, or Switzerland, we process your personal data under the following legal bases:

Contract performanceProcessing your orders, managing your account, sending transactional communications.

Legitimate interestsPlatform security, fraud prevention, product analytics, improving our services.

Legal obligationRetaining financial records and complying with applicable law.

ConsentLocation access for map features (you can withdraw at any time in your device settings).

5. Who we share your data with

We share data only with third parties necessary to operate the platform. All sub-processors are contractually bound to protect your data.

Suppliers on YuzuWhen you submit a quote request or place an order, the relevant supplier receives your name, vessel name, delivery address, and order details. They receive no other personal data.

StripePayment processing. Stripe stores and processes card data under their own privacy policy. We only receive a payment status and last-four digits of the card. stripe.com/privacy

Brevo (Sendinblue)Transactional email delivery. Your email address and name are passed to Brevo to send order and account emails. brevo.com/legal/privacypolicy

CloudinaryImage hosting for product photos uploaded by suppliers. We do not send your personal data to Cloudinary. cloudinary.com/privacy

AlgoliaProduct search index. Search queries may be transmitted to Algolia. We do not associate searches with named individuals. algolia.com/policies/privacy

RailwayCloud infrastructure hosting our API and database. Data is stored on Railway's EU-region servers. railway.app/legal/privacy

We may disclose your data to law enforcement or regulatory authorities if required by law.

6. Data retention

We retain your data for as long as your account is active, plus:

Order & financial records7 years — required by financial regulations in most jurisdictions.

Account dataDeleted within 30 days of a verified account deletion request, except where retention is legally required.

Usage logsRolling 90-day window, then automatically purged.

Email logs12 months, then automatically purged.

7. Your rights

Depending on your location, you may have some or all of the following rights:

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate data.
Erasure — request deletion of your data (subject to legal retention obligations).
Portability — receive your data in a structured, machine-readable format.
Objection — object to processing based on legitimate interests.
Restriction — ask us to pause processing while a dispute is resolved.
Withdraw consent — where processing is based on consent (e.g. location), you may withdraw at any time without affecting the lawfulness of prior processing.

To exercise any right, email privacy@orderyuzu.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

8. Cookies & tracking

Yuzu uses a single session cookie (yuzu_session) to keep you logged in. It is an httpOnly, secure, first-party cookie and is deleted when you sign out or after 7 days of inactivity. We do not use advertising cookies, third-party tracking pixels, or fingerprinting.

9. Children

Yuzu is a B2B platform intended for professional use by adults. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, please contact us and we will delete it promptly.

10. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify you by email and update the effective date above. Continued use of Yuzu after the effective date constitutes acceptance of the revised policy.

11. Contact

All privacy enquiries should be directed to: privacy@orderyuzu.com.

Yuzu • orderyuzu.com