Privacy Policy for Bay2Bay CRM
Last Updated: March 10, 2026
1. Introduction and Roles
This Privacy Policy explains how Rustam Islanov PR Novi Sad, registered in Serbia (the "Provider", "we", or "us"), processes personal data through the Bay2Bay CRM platform.
Critical Distinction of Roles (GDPR Article 4):
- User (You): The charter agency or skipper using the platform is the Data Controller. You decide whose data to collect and why.
- Provider (Bay2Bay): We are the Data Processor. We provide the infrastructure and process data solely on your instructions.
- End-Customer: The passengers, crew, or charter clients whose data is entered into the system.
2. Data We Collect and Why
2.1. From You (The User)
To provide the service, we collect:
- Account Data: Full name, email address, and password hash.
- Organization Data: Organization name, address, registration number, country of residency. During account creation, your country of residency may be auto-detected via GeoIP lookup based on your IP address. You can review and change this value before completing registration.
- Billing Data: Billing email, billing address, billing country, and VAT number (when provided).
- Telegram Linking: If you choose to link your Telegram account, we store your Telegram Chat ID.
- Google Sign-In Data: If you choose to sign in with Google, we receive your email address and full name from Google. We do not receive or store your Google password. We use this data solely to authenticate you and create or match your account.
- Usage Data: IP addresses, login timestamps, and activity logs for security monitoring.
- Terms Acceptance: Timestamp of your acceptance of Terms & Conditions and DPA.
2.2. On Your Behalf (End-Customer Data)
The system allows you to store:
- Identity Data: First name, last name, nationality, country of residency, and date of birth.
- Travel Documents: Passport numbers, issue/expiry dates, and issuing authorities.
- Contact Data: Phone numbers, email, WhatsApp handle, Telegram handle, and other contact methods.
- Billing Data: Billing email, billing address, billing country, and VAT number.
- Notes: Free-text notes and preferences you enter about your customers.
2.3. Charter Agency Data
If you use the Charter Agency module, the system additionally stores:
- Charter Requests: Client wishes, budget, region preferences, guest count, desired yacht parameters, and dates.
- Yacht Options: Yacht images and specifications provided by the User.
- Financial Records: Transaction amounts, currency, payer/payee names, payment method, dates, and external references.
- Activity Audit Trail: A log of status changes, comments, and actions on charter bookings, including metadata about old/new values. This may include system-generated entries and client-initiated actions.
2.4. Cruises Module Data
If you use the Cruises module, the system additionally stores:
- Crew Data: Captain names, email, phone, date of birth, nationality, license number/type, and license expiry.
- Booking Data: Booking numbers, prices, deposit amounts, payment due dates, accommodation type, and notes.
- Financial Records: Same categories as Charter Agency (Section 2.3).
3. Data Storage and International Transfers
- Primary Location: All personal data is stored on secure servers located in Germany (European Union).
- Encryption: Data is encrypted in transit (TLS 1.2+). Database-level encryption at rest is provided by the hosting infrastructure. Additionally, sensitive fields (passport numbers, passport issuing authorities) are encrypted at the application level using ASP.NET Core Data Protection before being stored in the database.
- Cross-Border Transfer: As the Provider is based in Serbia, data may be accessed by our technical team under strict confidentiality. Serbia is recognized as providing an adequate level of protection for personal data by the EU.
- Third-Country Processing: For specific AI-powered features (e.g., Telegram Bot commands), transient data processing may occur in the United States via our sub-processor OpenRouter. Such transfers are governed by Standard Contractual Clauses (SCCs).
4. Technical Protection (Security)
We implement "Privacy by Design" through:
- Multi-tenancy Isolation: Your data is logically separated from other organizations using strict
OrganizationId filtering at the database level. Every query is scoped to your organization.
- Cookie Security: We use
HttpOnly, Secure, and SameSite=Strict flags to prevent XSS and CSRF attacks.
- Access Control: Only authorized users within your organization (Owner, Manager, Skipper) can access specific datasets. Role-based authorization restricts module-level access.
- Password Security: Passwords are hashed using BCrypt and never stored in plain text.
- Session Validation: Active session cookies are validated against user and organization status with periodic checks.
5. Data Retention and Deletion
- User Control: You are responsible for deleting End-Customer data when it is no longer needed for its original purpose.
- Auto-Delete After Trip: The platform provides an automatic passport data cleanup feature. By default, this feature is enabled with a 7-day retention period for all organizations. Once the configured number of days elapses after a cruise ends and the customer has no upcoming cruises, their passport data (number, issuing authority, issue date, and expiry date) is automatically and irreversibly deleted. Organization owners can adjust the retention period (0–365 days) or disable this feature entirely in Organization Settings.
- Account Termination: When you delete your account, all associated data is removed immediately within the same operation. If you are the sole user of your organization, the entire organization and all its data (customers, bookings, transactions, charter bookings, boats, routes, cruises, tasks, and all related records) are permanently deleted. Financial records are included in this deletion.
- Customer Data: You may delete individual customer records at any time through the platform interface.
6. Third-Party Services and Sub-Processors
We use the following sub-processors to provide platform functionality:
| Sub-Processor |
Purpose |
Data Shared |
Location |
| Hetzner |
Server hosting |
All platform data (encrypted at rest) |
Germany, EU |
| Alibaba Cloud |
Secure traffic routing and reverse proxy services |
IP addresses, HTTP request metadata (headers, URLs). Traffic passes through Alibaba Cloud before reaching our servers. |
Germany, EU |
| Resend |
Transactional email delivery (email verification codes during registration and password recovery) |
Email address and first name of the user (included in the email body). No End-Customer data is shared. |
USA (API) |
| OpenRouter |
AI processing (see Section 7) |
User-provided text commands and yacht-related data for structured analysis. |
USA (API) |
| Telegram Bot API |
Optional Telegram integration for CRM operations |
Telegram Chat IDs of linked users; customer names and booking data when initiated by the user via bot commands |
International |
| Google LLC |
Optional Google Sign-In authentication |
Email address and display name of the authenticating user, transmitted during the OAuth 2.0 flow. No End-Customer data is shared. |
USA |
- No Advertising: We do not sell, rent, or share personal data with third parties for advertising or marketing purposes.
7. AI Processing Disclosure
The platform uses AI (large language models via OpenRouter) for automated processing. The scope of data shared depends on the features you use:
- Telegram Bot Integration (Optional): If you choose to link your Telegram account and use the bot for CRM operations (e.g., creating customers or booking records via text or voice commands), the natural language input is processed by AI to extract intent and entities. This means any end-customer personal data (names, phone numbers, etc.) you include in your bot commands will be transmitted to our AI provider (OpenRouter) for text analysis.
Important: We use API endpoints where inputs are transient. Data sent to our AI providers is used strictly for fulfilling the immediate request, is cached in-memory only, and is not used to train their AI models.
8. Rights of Data Subjects (End-Customers)
Since we are the Processor, any End-Customer seeking to exercise their rights (access, deletion, correction) must contact You (the Controller) directly. If we receive such a request, we will forward it to you without undue delay.
Your obligations as Controller:
- Respond to data subject requests within 30 days (GDPR Art. 12).
- Ensure you have a lawful basis for processing each End-Customer's data.
- Delete passport/travel document data when no longer needed for the booking purpose.
9. Cookies and Tracking Technologies
We use cookies to ensure the proper functioning of the Bay2Bay CRM platform. We categorize cookies as follows:
9.1. Strictly Necessary (Always Active)
These cookies are essential for authentication and security. Without them, you cannot log in or use the service.
- Purpose: Session management, CSRF protection, Load balancing.
- Examples:
.AspNetCore.Identity.Application, __Host-spa.
- Legal Basis: Legitimate Interest (GDPR Art. 6(1)(f)). You cannot opt-out of these.
9.2. Analytics (Optional)
These cookies help us understand how you use the platform (e.g., which pages are visited most often) so we can improve the user experience.
- Tooling: We may use internal logging or privacy-focused analytics.
- Status: Disabled by default. Activated only if you click "Accept All" or enable them in Settings.
- Legal Basis: Consent (GDPR Art. 6(1)(a)).
9.3. Managing Your Preferences
You can change your cookie settings at any time by clicking the "Cookie Preferences" button in the dashboard sidebar or the footer of the login page.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the platform interface. Continued use of the service after changes constitutes acceptance of the updated policy.
11. Contact Information
For any privacy-related inquiries, contact:
Rustam Islanov PR Novi Sad
Email: rislanov@gmail.com
Novi Sad, Serbia.