Legal

Privacy Policy

Last updated: March 24, 2026

1. Introduction

Chartera ("we", "us", "our") provides software for maritime operations teams — automating voyage execution workflows by processing shipping emails, documents, and operational correspondence. This Privacy Policy explains what data we collect, how we use it, and how you can control it.

By using Chartera, you agree to the practices described here. If you do not agree, please do not use our services. Our Terms of Service govern your use of the platform.

2. Information we collect

Account data

When you sign up, we collect your email address, display name, and authentication provider (Google or Microsoft). If you connect via Telegram, we also store your Telegram user ID.

Email data

Chartera processes maritime shipping emails to extract operational data. There are two ingestion methods:

  • OAuth sync (Gmail or Outlook) — read-only access to your inbox.
  • Email forwarding — you forward or BCC emails to a dedicated Chartera inbound address.

For each email, we extract and store:

  • Subject line, body (plain text and HTML), sender address and name
  • Recipients (To, CC), thread and message identifiers
  • Received timestamp and email provider details
  • Attachments — filename, type, size, and binary content (PDFs, spreadsheets, Word documents, images)

Gmail OAuth scopes

When you connect a Gmail account, we request:

  • gmail.readonly — read-only access to your inbox
  • userinfo.email — your authenticated email address
  • userinfo.profile — your display name

What we do NOT do

  • We do not modify, delete, or send emails via your account
  • We do not change email labels or folders
  • Access is strictly read-only (OAuth) or receive-only (forwarding)

Operational data

From your emails and attachments, we derive structured operational records: charter party contracts, voyage records, movement orders, parsed noon reports (speed, consumption, position, weather), fixture recaps, NOR/SOF timelines, alerts, hire payment schedules, and claims with confidence scores.

3. How we use your data

  • Email classification — automatically categorize incoming emails by intent (noon report, fixture recap, port notification, etc.)
  • Document parsing — extract structured data from charter party documents, noon reports, and other maritime correspondence
  • Voyage tracking — build and maintain voyage timelines, movement orders, and operational dashboards
  • Alert generation — flag signals like ETA changes, consumption deviations, and laytime triggers using deterministic, rule-based logic
  • Copilot chat — provide conversational access to contract summaries, recent reports, and active alerts

We do not sell your data. Ever.

4. AI and LLM processing

Email content and document text are sent to external AI providers for classification and extraction. Here is exactly what gets sent and to whom:

| Purpose | What's sent | Provider |
|---|---|---|
| Email classification | Subject, body text, sender, attachment filenames | Google Gemini |
| Document parsing | Full document text | Google Gemini / OpenAI (fallback) |
| Copilot chat | Contract summary, recent noon reports, active alerts, recent email excerpts, chat history | Google Gemini |

PII handling

Chartera supports optional PII stripping before content reaches any LLM. When enabled, the following is removed:

  • Bank account numbers (IBAN, SWIFT/BIC)
  • Phone numbers (excluding IMO/MMSI vessel identifiers)
  • Email addresses in signature blocks

Vessel names, company names, port names, person names, fixture rates, and monetary amounts are preserved — they are essential for maritime operations extraction.

No model training

Neither Google Gemini nor OpenAI uses data sent via their APIs for model training. This is contractual per both providers' API terms. Chartera selects the AI provider — users do not choose at launch.

5. Google API Services — Limited Use disclosure

Chartera's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

6. Third-party sub-processors

We use the following services to operate Chartera. Each is contractually required to protect your data and process it only for its stated purpose.

| Service | Purpose | Data received | Region |
|---|---|---|---|
| Supabase | Database, authentication, file storage | All user data, emails, contracts, attachments | AWS |
| Google Gemini | Primary LLM — email classification and document parsing | Email content, document text | Google Cloud (US) |
| OpenAI | Fallback LLM for document parsing | Document text (fallback only) | US |
| Render | Application hosting (backend, workers, cache) | All operational data in transit | Singapore |
| Sentry | Error monitoring and performance | Error stacktraces, request metadata (no user PII) | US |
| Gmail API | Email inbox read access | OAuth tokens; reads emails from your inbox | Google Cloud |
| Microsoft Graph | Outlook inbox read access | OAuth tokens; reads emails from your inbox | Microsoft Azure |
| Resend | Email forwarding service | Inbound maritime emails | US |
| Telegram | Operator chat bot | Chat messages, bot commands, Telegram user ID | Global |

7. Data retention

| Data type | Default retention | Configurable? |
|---|---|---|
| Raw email bodies | 90 days | Yes (7–365 days) |
| Processed documents and artifacts | Indefinite | Yes (configurable days) |
| Operational logs | 90 days | Yes (30–365 days) |
| OAuth tokens | Until you disconnect | N/A |
| Attachments | Deleted with parent email | N/A |

Emails older than your configured retention period are automatically deleted. Attachments are deleted along with their parent email.

8. Your rights and controls

You can:

  • Disconnect email accounts at any time — this revokes the sync and clears OAuth tokens
  • Switch to forwarding — use a dedicated inbound address instead of OAuth sync
  • Configure retention — set how long raw emails are kept (7–365 days, default 90)
  • Request full data deletion — email hello@chartera.io or use the in-app purge function to revoke tokens and delete all emails, attachments, and connected accounts
  • Access your data — all your data is visible in the app, scoped to your account
  • Stop forwarding — simply stop sending emails to the inbound address

9. Security

  • All connections use HTTPS/TLS encryption in transit
  • Database encryption at rest
  • Data isolation per account — you can only access your own data
  • OAuth tokens protected by encryption and access controls
  • No passwords stored — authentication is OAuth-only
  • Inbound email webhooks cryptographically verified
  • Error monitoring configured to exclude user PII from reports

For security questions or to report a vulnerability, contact hello@chartera.io.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notice. The "Last updated" date at the top reflects the most recent revision.

11. Contact

For privacy inquiries, data deletion requests, or questions about this policy:

hello@chartera.io