M•barq

Privacy Policy

Last updated: June 22, 2026

This Privacy Policy explains how M•barq ("we", "us", or "our") collects, uses, stores, and protects your personal information when you use our Service at cruisembarq.com. Please read this policy carefully. If you do not agree, please do not use the Service.

1. Who We Are

M•barq is a cruise tracking and memory journal application. For the purposes of data protection law, M•barq is the data controller for personal information collected through our Service. You may contact us at support@cruisembarq.com for any privacy-related inquiries.

2. Information We Collect

Information you provide directly:

  • Account information: name, email address, username, date of birth, and profile photo
  • Cruise data: cruise line, ship, dates, cabin details, itineraries, ports of call, and travel companions
  • Journal content: day-by-day entries, photos, mood and weather tags
  • Crew records: names, roles, and descriptions of crew members you choose to log
  • Cost data: optional spending records you enter for each cruise
  • Ratings and notes you assign to your cruises
  • Payment information when purchasing a premium subscription (processed directly by Stripe; we do not store card numbers)

Information collected automatically:

  • Authentication tokens and session data (stored in cookies solely to keep you signed in)
  • Basic usage information such as pages visited within the app, used only to improve the Service
  • Device and browser type for compatibility and security purposes
  • IP address, for security and fraud prevention purposes

Information from third parties:

  • If you sign in with Google, we receive your name, email address, and profile picture from Google in accordance with your Google account permissions and Google's privacy policy

3. How We Use Your Information

We use your information to:

  • Create and manage your account and authenticate your identity
  • Provide the core features of M•barq, including cruise logging, stats, badges, and journal functionality
  • Process payments and manage your subscription through Stripe
  • Send transactional emails such as account confirmation, password resets, and important service notifications
  • Generate aggregated, anonymized insights to improve the Service
  • Respond to your support requests and communications
  • Detect, prevent, and address fraud, security breaches, and abuse
  • Comply with legal obligations applicable to us

We do not use your data for advertising. We do not sell, rent, or trade your personal information to any third party.

4. Legal Basis for Processing

European Economic Area and United Kingdom (GDPR / UK GDPR)

If you are located in the EEA or UK, our legal bases for processing are:

  • Contract performance: processing necessary to provide the Service you signed up for (account management, core features, email notifications)
  • Legitimate interests: improving the Service, fraud prevention, and security monitoring, where our interests are not overridden by your rights
  • Legal obligation: where processing is required by applicable law
  • Consent: where you have explicitly opted in to optional features

Australia (Privacy Act 1988)

We collect, hold, use, and disclose personal information in accordance with the Australian Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs). We collect personal information only by lawful and fair means, and only where reasonably necessary for our functions and activities.

United States (CCPA / State Privacy Laws)

We collect personal information as described in Section 2. We do not sell or share personal information for cross-context behavioral advertising. California residents and residents of other U.S. states with applicable privacy laws may exercise the rights described in Section 8.

5. Data Storage and Security

Your data is stored using Supabase, a managed PostgreSQL database platform hosted on AWS infrastructure. All data is protected by row-level security (RLS) policies, meaning your data is only accessible to you unless you have explicitly made it visible to others through your privacy settings.

Photos and uploaded images are stored in Supabase Storage with access controls enforced at the storage layer. All data transmission uses HTTPS/TLS encryption. We implement industry-standard security measures including access controls, monitoring, and regular security reviews. While we take every reasonable precaution, no method of transmission or storage is 100% secure.

If we become aware of a data breach that is likely to result in serious harm to you, we will notify you and, where required, the relevant supervisory authority, in accordance with applicable law.

6. Data Sharing and Disclosure

We do not sell or share your personal data with third parties for their marketing or commercial purposes. We share your information only in these limited circumstances:

  • Service providers: Supabase (database and authentication), Vercel (hosting), Resend (transactional email), Google (OAuth sign-in), and Stripe (payment processing). These vendors process your data only as directed by us under appropriate data processing agreements and in accordance with applicable law.
  • Legal requirements: if required by law, court order, or governmental authority, or to protect the rights, property, or safety of M•barq, our users, or the public.
  • Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
  • With your consent: in any other circumstance, only with your explicit consent.

7. International Data Transfers

M•barq is operated from the United States. Your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws different from those in your country.

For transfers from the EEA or UK, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent mechanisms under UK law. For Australian users, we take reasonable steps to ensure that overseas recipients handle your personal information in accordance with the APPs or a substantially similar standard.

8. Your Privacy Rights

Depending on your location, you have the following rights regarding your personal data. You can exercise most of these directly from your Settings page:

  • Access: request a copy of the personal data we hold about you
  • Correction: request that we correct inaccurate or incomplete data
  • Deletion: request that we delete your personal data (right to erasure / right to be forgotten)
  • Portability: receive your data in a structured, machine-readable format
  • Restriction: request that we limit how we process your data
  • Object: object to processing based on legitimate interests
  • Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing
  • No automated decisions: not to be subject to solely automated decisions that significantly affect you

California (CCPA): you have the right to know what personal information is collected, used, and disclosed; the right to delete your information; the right to correct inaccurate information; the right to opt out of the sale or sharing of personal information (we do not sell or share); and the right not to be discriminated against for exercising these rights.

Australia: you may request access to, and correction of, personal information we hold about you under the Privacy Act 1988.

To submit a request, contact us at support@cruisembarq.com. We will respond within 30 days (or within 45 days for complex requests, with notice). We may need to verify your identity before processing certain requests.

Right to complain: If you are in the EEA, you have the right to lodge a complaint with your local data protection supervisory authority. UK residents may contact the ICO. Australian residents may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

9. Cookies

M•barq uses only essential session cookies required to keep you securely signed in. We do not use advertising cookies, analytics cookies that identify you personally, or any third-party tracking cookies. Because we use only strictly necessary cookies, no cookie consent banner is required under EU law. For full details, see our Cookie Policy.

10. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we will permanently delete your personal data from our active systems within 30 days. Residual data in encrypted backups will be purged within 90 days. We may retain certain information longer if required by law, to resolve disputes, or to enforce our agreements.

11. Children's Privacy

M•barq is not directed at children under the age of 13 (or 16 in certain EEA member states). We do not knowingly collect personal information from children below these ages. If you believe a child has provided us with personal information without appropriate consent, please contact us at support@cruisembarq.com and we will promptly delete the information.

12. Accessibility

We are committed to making our privacy information accessible to all users. If you need this Privacy Policy in an alternative format, please contact us at support@cruisembarq.com. For more information about our accessibility commitment, see our Accessibility Statement.

13. Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes, we will update the "Last updated" date at the top of this page and notify you by email where required by law. We encourage you to review this policy periodically. Your continued use of M•barq after changes are posted constitutes your acceptance of the updated policy, to the extent permitted by applicable law.

14. Contact and Complaints

For questions, concerns, or requests regarding this Privacy Policy or how we handle your data, contact us at: support@cruisembarq.com

We will acknowledge your request promptly and respond within 30 days. If you are not satisfied with our response, you may have the right to contact your local data protection or privacy authority.