Legal
Privacy Policy
1. Our commitments to your data
Four commitments anchor this policy and apply to every plan tier:
- Encrypted in transit. All web and API traffic to the Platform uses TLS. Data moves between your browser, our servers, and our subprocessors over encrypted connections.
- Encrypted at rest. Sensitive contact fields (such as email address, name, phone, address, and IP), and the integration credentials you connect to your workspace, are stored using AES-256-GCM field-level encryption with keys held outside the application database.
- We do not sell your data. We do not sell, rent, license, or share personal information for cross-context behavioral advertising. There is no “data” revenue line of business at Triton Technical, LLC and there never will be.
- We do not access your data except to operate the Service. We do not read your contact lists, your message content, or your engagement events for any purpose other than providing, securing, supporting, and improving the Service for you, and complying with law. We do not use Customer Data to train our own models, and we do not use it for our own marketing.
These commitments are described in operational detail in the sections that follow.
2. Who we are and how to contact us
YMS360 Engage (the “Service”, “Platform”, “we”, “us”) is operated by Triton Technical, LLC, a Washington limited liability company.
Registered address: 530 Industry Dr, Seattle, WA 98188, United States.
Phone: +1.206.453.6120
General contact: hello@ymsmarketing.com
Privacy and data-rights requests: hello@ymsmarketing.com
For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, and comparable laws, Triton Technical, LLC is the legal entity responsible for the Service.
3. Scope: our two roles (controller and processor)
This Service plays two different legal roles for personal information, and this policy describes both.
2.1 When we act as the controller
We act as the controller for personal information we collect and decide what to do with ourselves. That includes:
- information about visitors to ymsmarketing.com;
- information about people who sign up for, administer, or pay for a workspace on the Platform; and
- information about business contacts and prospects in the yacht-management and superyacht-services sector that we use to market our own products and services.
2.2 When we act as a processor for our customers
When a customer (a “Tenant”) uploads, imports, or otherwise sends personal information about their own recipients (their contacts, leads, subscribers, vessel owners, and so on) through the Platform so the Tenant can run marketing or sales campaigns to those people, the Tenant is the controller of that data and we are the processor. We process that data on the Tenant's documented instructions under our Terms of Service.
If you are a recipient of a campaign sent through the Platform by one of our customers and you have questions about how your personal information is being used, please contact that customer first. We will assist them in responding to your request as described in section 11.
4. Categories of data we collect
4.1 Visitor and site data (we are controller)
- IP address, approximate location derived from IP, user-agent, referrer, pages viewed, and session timing.
- Information you submit through public forms on our marketing site (for example, the “Request access” and “Contact” forms): name, business email, company, vessel/fleet details, and the contents of your message.
4.2 Account, workspace, and billing data (we are controller)
- Account and user-profile information: name, business email, password hash, role/permissions, login timestamps, and audit-log entries about administrative actions.
- Tenant / workspace information: company name, sending domain, plan tier, integration credentials (stored encrypted at rest), and configuration choices.
- Billing information necessary to administer a paid plan (the payment-card data itself is handled by our payment processor; see section 8).
4.3 First-party marketing contact data (we are controller)
- Business-contact information about people we identify as relevant prospects in the yacht-management and superyacht-services sector, such as name, role, employer, business email, business phone, vessel association, and the source from which the contact was obtained.
4.4 Customer-uploaded recipient data (customer is controller; we are processor)
- Contact data uploaded or synced by a Tenant: typically name, business email, role/title, employer, mailing preferences, custom fields the Tenant chooses to maintain, and vessel association.
- Campaign-engagement events generated when those recipients interact with a Tenant's emails: opens, clicks, bounces, complaints, unsubscribes, and form submissions.
- Suppression-list entries (see section 10) generated when a recipient unsubscribes, hard-bounces, or complains.
4.5 Vessel data
- The Platform stores information about vessels that the customer enters or imports — name, IMO, MMSI, type, owner / manager association. AIS vessel-position tracking is opt-in per vessel: position ingestion only runs for vessels whose MMSI has been added to the workspace by the customer. AIS broadcasts are public maritime data about vessels, not direct personal information about identifiable individuals. To the extent vessel data can be linked to a natural person (for example, an owner or captain), that link is treated as personal information.
5. How we collect data and the legal bases we rely on
We collect data three ways:
- Directly from you — when you submit a form, create or sign in to an account, configure a workspace, contact us, or subscribe to our own communications.
- Automatically — when you use the Service or open / click an email we send (see section 6 on tracking).
- From our customers — when a Tenant uploads or syncs their own recipient lists into the Platform.
Where GDPR or UK GDPR applies, the legal bases we rely on are:
- Performance of a contract — to provide the Service to account-holders and Tenants, take steps to enter into a contract, and bill for paid plans.
- Legitimate interests — to operate, secure, debug, and improve the Service; to prevent abuse and protect deliverability; and to run our own B2B marketing to business contacts in the maritime sector, weighed against those contacts' rights and expectations.
- Consent — where required by law (for example, certain marketing communications in jurisdictions that require opt-in, or non-essential cookies / tracking). Consent can be withdrawn at any time.
- Legal obligation — to comply with applicable law, including anti-spam, accounting, and law-enforcement obligations.
When we process customer-uploaded recipient data as processor, the legal basis for processing that data toward the data subjects is the Tenant's responsibility as controller. Our Terms of Service require Tenants to have a lawful basis and proper consent or opt-out mechanism before sending.
6. Tracking technologies
The Platform uses several tracking technologies. Each is described below.
6.1 Cookies and similar technologies
We use only a small number of cookies and local-storage entries that are strictly necessary to make the Service work — to keep you signed in, to remember your workspace selection, and to protect against cross-site request forgery. We do not use third-party analytics cookies, advertising cookies, or any other non-essential tracking cookies on the Platform.
6.2 Email open and click tracking
Emails sent through the Platform may include a 1×1 tracking pixel that records when the message is opened, and links may be rewritten through a tracking redirector that records clicks. These events are stored against the recipient record so the sending Tenant can see engagement on their campaigns. Recipients can suppress further messages from a Tenant using the one-click unsubscribe link in every marketing message (see section 10).
6.3 Lead scoring
The Platform computes a “lead score” for contact records based on signals such as email opens, clicks, form submissions, and recency of activity. Lead scoring runs against contact records owned by the Tenant (when we are processor) or against our own marketing contacts (when we are controller). It is used to prioritize outreach; it is not used to make legally significant automated decisions about a person.
6.4 AIS vessel-position tracking
AIS vessel-position tracking is an opt-in feature that only runs for vessels whose MMSI the customer has explicitly added to their workspace. For those vessels, the Platform subscribes to the public AIS broadcasts and stores the resulting position, speed, and heading against the vessel record. AIS data is broadcast publicly by the vessels themselves using internationally standardised maritime equipment, and is not collected from individuals. We do not enable AIS tracking for vessels the customer has not added, and we do not share the customer's vessel list with anyone other than the AIS subprocessor identified in section 8.
6.5 Do Not Track
Our marketing site honors the “Do Not Track” signal where technically feasible by not loading non-essential analytics for visitors who send the signal.
7. How we use and share data
We use personal information to:
- provide, secure, support, and improve the Service;
- operate accounts and workspaces, and bill for paid plans;
- send transactional communications (security alerts, billing, service notices);
- run our own B2B marketing to business contacts in the maritime sector, subject to applicable law and to your right to opt out;
- detect, investigate, and prevent abuse, spam, and security incidents; and
- comply with our legal obligations and enforce our agreements.
We do not sell, rent, license, or share personal information for cross-context behavioral advertising. We do not run a data-broker business and we do not use Customer Data to train our own AI models.
We do not access Customer Data — the contact records, message content, or engagement events you put into the Platform — except as necessary to operate, secure, support, and improve the Service for you, or to comply with law. Specifically, that means access by a small, audited group of operators only when needed to respond to a support request, investigate a security incident, fix a bug, or follow a binding legal order. We do not look at it for our own marketing, do not sell it, and do not share it with anyone outside the subprocessor list in section 8.
We share personal information only with:
- our subprocessors, listed in section 8, who provide infrastructure or service components on our behalf under written terms;
- the Tenant whose workspace the data belongs to, when we act as processor;
- professional advisors (e.g. lawyers, accountants, auditors) under duties of confidentiality, where reasonably necessary;
- acquirers or successors in connection with a merger, acquisition, financing, or asset sale, subject to confidentiality and to this policy continuing to apply; and
- authorities, when we are required by law to do so or to protect rights, safety, or property.
8. Subprocessors
The following third parties process personal information on our behalf to deliver the Service. We require each subprocessor to provide a level of protection consistent with this policy.
| Subprocessor | Purpose | Entity & processing location |
|---|---|---|
| Amazon Web Services, Inc. (Amazon SES) | Outbound email delivery for campaigns, transactional notifications, and password resets. | Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, USA. Processing region: US East (N. Virginia, us-east-1). |
| Resend (Plus Five Five, Inc.) | Legacy outbound email delivery and engagement webhooks; in active migration to Amazon SES. | Plus Five Five, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. Processing region: United States. |
| Anthropic, PBC | Optional generative-AI assistance inside the Platform (drafting, summarization, suggestions). Anthropic's commercial terms state that “Anthropic may not train models on Customer Content from Services.” | Anthropic, PBC, 548 Market St, PMB 90375, San Francisco, CA 94104, USA. Processing region: United States. |
| AISStream | AIS vessel-position data ingestion for vessels the customer has explicitly added to their workspace. We send AISStream the list of MMSI numbers the customer wants to track; AISStream returns the public AIS position broadcasts for those vessels. No personal contact data is sent to this provider. | AISStream (operator entity not publicly disclosed; operator footer indicates Ontario, Canada). |
| IONOS Inc. (1&1 IONOS) | Server hosting for the application and the application database (the database runs on the same host; no separate managed-database vendor is used today). | IONOS Inc., United States. Processing region: United States. |
We will give Tenants reasonable advance notice of material changes to this list (such as adding a new subprocessor or changing the processing region of an existing one) so Tenants have an opportunity to evaluate the change.
9. International data transfers
The Platform is operated from the United States, and several subprocessors listed in section 8 are based in the United States. If you access the Service from the European Economic Area, the United Kingdom, or another jurisdiction with data-export rules, your personal information may be transferred to and processed in the United States.
Where required, we rely on the European Commission Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two controller-to-processor) and, for transfers subject to UK GDPR, the UK International Data Transfer Addendum to those clauses, to provide an appropriate safeguard for these transfers. We apply supplementary measures — including the encryption-at-rest and encryption-in-transit measures described in sections 1 and 12 — to reduce the risk associated with transfers to jurisdictions with broad government-access regimes.
10. Retention
We keep personal information for as long as we need it for the purpose for which it was collected, plus any period required by law, after which we delete or anonymize it. In particular:
- Account and workspace data is retained for the life of the workspace plus a reasonable wind-down period after termination. Tenants can request earlier deletion subject to legal-hold requirements.
- Audit and security logs are retained for a period proportionate to investigation and compliance needs.
- Suppression-list entries — addresses that have unsubscribed, hard-bounced, or complained — are retained indefinitely on the workspace so we can continue to honor the opt-out. Removing a suppression record would re-expose the recipient to messages they have already opted out of, which is exactly the harm anti-spam laws are designed to prevent.
- Campaign-engagement events (opens, clicks) are retained for as long as needed to support a Tenant's reporting and lead-scoring, and may be aggregated or anonymized over time.
11. Your rights and how to exercise them
Depending on where you live, you may have the right to access, correct, delete, restrict, port, or object to our processing of your personal information, and to withdraw consent you have previously given. To exercise any of these rights, email hello@ymsmarketing.com. We may need to verify your identity before acting on a request.
If you are a recipient of a campaign sent through the Platform by one of our customers, the customer is the controller of that data and is the right first stop for an access, correction, or deletion request. If you are unable to identify or reach the relevant customer, contact us and we will route the request to them and support them in responding.
If you are in the EEA or the United Kingdom, you also have the right to lodge a complaint with your national data-protection authority.
12. Security
We apply administrative, technical, and physical safeguards intended to protect personal information against loss, misuse, and unauthorized access or disclosure. Current measures include:
- TLS in transit for all production web and API traffic;
- field-level AES-256-GCM encryption at rest for sensitive contact fields (such as email address, name, phone, address, and IP address) and for integration credentials, using keys held outside the application database;
- password hashing with bcrypt, server-issued session cookies, configurable session lifetimes, and per-tenant data isolation;
- role-based access control, least-privilege internal access, audit logging of administrative actions, and bounce / complaint circuit-breakers to protect deliverability;
- regular dependency updates and review of subprocessors.
No system is perfectly secure. We do not represent that the Service is immune from compromise. If we learn of a personal-data breach that affects you, we will notify you and the relevant authorities to the extent required by law.
13. Children's data
The Service is a business-to-business product for the maritime industry. It is not directed to children under 16, we do not knowingly collect personal information from children, and we do not provide accounts to children. If you believe a child has provided us with personal information, please contact hello@ymsmarketing.com and we will take appropriate steps to delete it.
14. Changes to this policy
We may update this policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. For material changes, we will give reasonable advance notice — for example, by posting a notice on the marketing site, sending an email to workspace administrators, or both — before the changes take effect. Continued use of the Service after a change becomes effective constitutes acceptance of the updated policy.
Governing law for this policy follows the choice of law set out in our Terms of Service: the laws of the State of Washington, United States, with venue in King County, Washington.