Privacy Policy
Effective date: 19 April 2026
This policy describes how DeepRegatta ("we", "us") collects and processes personal data in connection with the DeepRegatta website (deepregatta.com) and the OSCAR application (oscar.deepregatta.com). It is written to satisfy Articles 13 and 14 of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR").
Commercial features such as paid subscriptions are not currently live. We do not currently process payment-card or recurring-billing data for end users. If paid plans are introduced in the future, this policy will be updated before launch to describe the relevant billing and payment processing.
1. Data controller
The data controller responsible for processing personal data is:
Davi Silva de Vasconcellos, operating DeepRegatta.
Address: Paris, France. Full postal address available upon legitimate request by email.
Contact for privacy matters: contact@deepregatta.com.
We have not appointed a Data Protection Officer because our processing activities do not meet the thresholds in GDPR Article 37(1). You may still contact us at the address above for any question relating to your personal data.
2. Categories of personal data we process
2.1. Account data (users of OSCAR)
When you create an OSCAR account, we process:
- Email address, display name, profile picture URL (if provided by Google Sign-In);
- The authentication provider you chose (Google or email + password);
- A unique account identifier issued by Firebase Authentication;
- Your IP address at sign-in time, processed by Firebase for abuse prevention.
Legal basis: performance of a contract, GDPR Article 6(1)(b) — providing you with the OSCAR service you signed up for.
2.2. Boat, upload and routing data
If you add a boat to your account or upload a polar file, instrument log, route or sail plan, we process:
- Boat name, sail number, MMSI, boat type and rig configuration you entered;
- The file contents you uploaded (may contain GPS tracks, timestamps, instrument readings);
- Processing-job metadata (timings, status, error messages);
- An optional "share with fleet" flag you set when uploading.
Legal basis: performance of a contract, GDPR Article 6(1)(b).
2.3. Contact data
If you contact us by email, we process your email address, the contents of your message, and any related follow-up correspondence.
Legal basis: our legitimate interest in responding to enquiries and handling support, or taking steps at your request before entering into a contract, GDPR Articles 6(1)(f) and 6(1)(b).
2.4. Third-party sailors in public race data
OSCAR analyzes public offshore sailing races. To do so, we ingest race tracker feeds published by race organisers (see §3 below). Those feeds contain personal data about sailors who are not OSCAR users — typically: their name, the boat they sailed on, their class, their GPS positions during the race, and their finish time. This information is already made public by the race organiser before we process it.
Legal basis: our legitimate interest in publishing post-race sports analytics, GDPR Article 6(1)(f). The balancing test weighs our interest (and that of the sailing community) in analysing public sporting events against the minor privacy impact of redisplaying race data that is already public. Sailors who object to their data being processed by OSCAR can request erasure or anonymisation at any time — see §7 below.
3. Where the data comes from
Account, boat and upload data comes directly from you. Third-party race data is ingested from the following public race-tracker services operated by race organisers:
- YB Tracking (United Kingdom)
- Ocean Tracking (France)
- Suiviregate (Switzerland)
- Geovoile (France)
We do not buy personal data from data brokers.
4. Sub-processors and recipients
We use the following service providers to operate the service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google LLC / Firebase | Authentication (email + Google sign-in) | United States |
| Supabase, Inc. | Application database (PostgreSQL) and user storage | United States (AWS) |
| Cloudflare, Inc. | Website hosting, edge functions, R2 object storage for uploaded files, aggregate server-side analytics | Global edge network |
We do not sell personal data. We do not share personal data with advertising networks. We do not currently use Google Analytics, Meta Pixel, or similar advertising trackers.
5. International transfers
Some of our service providers process personal data in the United States or in other countries outside the European Economic Area. Where data is transferred outside the EEA, we rely on the provider's applicable transfer mechanisms, which may include an adequacy decision, certification under the EU-US Data Privacy Framework, and/or the European Commission's Standard Contractual Clauses, as appropriate to the provider and transfer path. You may request more information about the safeguards relevant to your data by emailing contact@deepregatta.com.
6. Retention
- Account data is retained for as long as your account is active. If you ask us to close or delete your account, we aim to erase account data within 30 days, except where we are legally required to keep records.
- Uploads and processing-job records are retained while your account is active and are removed when the associated upload or account is deleted, subject to backup and legal-retention constraints.
- Contact emails are retained for as long as needed to handle your enquiry and keep necessary business records.
- Public race data (including third-party sailors' names and positions) is retained indefinitely as part of the OSCAR public archive, because it documents historical sporting events. Individual sailors may request erasure — see §7.
- Server logs with IP addresses are retained by Cloudflare for up to 30 days for security and abuse prevention.
7. Your rights under the GDPR
You have the following rights regarding your personal data:
- Right of access (Article 15) — obtain a copy of the personal data we hold about you;
- Right to rectification (Article 16) — correct inaccurate data;
- Right to erasure / "right to be forgotten" (Article 17);
- Right to restriction of processing (Article 18);
- Right to data portability (Article 20) — receive your data in a machine-readable format;
- Right to object (Article 21) — in particular, object to processing based on our legitimate interest;
- Right to withdraw consent at any time (where processing is based on consent);
- Right to lodge a complaint with a supervisory authority (Article 77), including the authority in the EU/EEA country where you live, work, or believe an infringement occurred.
To exercise any of these rights, email contact@deepregatta.com. We will respond within 30 days, as required by GDPR Article 12(3). OSCAR users can also delete their account directly from the account menu inside the application; this removes profile, boat, upload and routing data from our systems.
If you are a sailor whose name appears in OSCAR race analysis and you are not an OSCAR user, you have the same rights. Write to the same address; we may ask for information reasonably necessary to confirm your identity before acting on the request.
8. Cookies and local storage
OSCAR does not use tracking cookies. We use browser localStorage for the following strictly-necessary and functional purposes:
| Storage key | Purpose | Category |
|---|---|---|
| Firebase auth token | Keep you signed in between sessions | Strictly necessary |
| Supabase session | Authenticate API requests | Strictly necessary |
| `oscar-routing:<user>:<boat>:<race>` | Save your routing drafts locally so they survive a page reload | Functional |
The DeepRegatta landing page currently uses Cloudflare Web Analytics in its cookie-free mode to count aggregate visits. Based on Cloudflare's product documentation, this analytics mode does not rely on cookies or local storage for measurement. If we later add cookies or similar tracking technologies that require consent, we will update this notice and request consent where required.
9. Security
We protect personal data with industry-standard measures: TLS in transit, database encryption at rest, row-level security on user data in Supabase, OAuth/PKCE for authentication, and access controls on administrative interfaces. In case of a personal-data breach likely to result in a risk to your rights, we will notify the competent supervisory authority within 72 hours (GDPR Article 33) and you personally if the risk is high (Article 34).
10. Children
OSCAR is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe we have, contact us and we will delete it.
11. Automated decision-making
OSCAR does not perform automated decision-making with legal or similarly significant effects on you within the meaning of GDPR Article 22. The analytics OSCAR produces are informational and advisory only.
12. Changes to this policy
We may update this policy as the service evolves. The "Effective date" at the top reflects the most recent revision. For material changes, we may also provide an additional notice on the website or inside OSCAR where reasonably practical.
13. Contact
Questions, requests or complaints: contact@deepregatta.com.