Terms and Conditions for Bay2Bay CRM (Free "As-Is" Edition)
Last Updated: March 10, 2026
These Terms and Conditions (the "Agreement") constitute a legally binding agreement between Rustam Islanov PR Novi Sad, registered in Serbia (the "Provider"), and any individual or legal entity utilizing the Bay2Bay CRM platform (the "User").
1. Free "As-Is" Service Provision
- Nature of Service: Bay2Bay CRM is provided as a free Software-as-a-Service (SaaS) platform for technical management of yachting cruises, including scheduling and document generation.
- No Professional Advice: The Service is a technical management tool only; the Provider does not provide legal, maritime, insurance, or safety advice.
- "As-Is" Basis: The Service is provided on an "AS-IS" and "AS-AVAILABLE" basis without any warranties of any kind, either express or implied.
- Right to Modify or Discontinue: The Provider reserves the right, at its sole discretion, to modify, suspend, or terminate the Service or any of its features at any time without prior notice or liability to the User.
- Third-Party Integrations and External Data: The Service may include features that integrate with or display data from third-party platforms. The Provider does not control, and is not responsible for, the accuracy, completeness, timeliness, or availability of such external data. The User acknowledges that any reliance on information obtained through third-party integrations is at their own risk, and the Provider shall not be liable for any discrepancies, errors, or service interruptions originating from these external providers.
2. Allocation of Data Protection Roles (GDPR Compliance)
- User as Data Controller: The User acts as the Data Controller and is solely responsible for determining the purpose and legal basis for collecting personal data from their customers (the "End-Customers").
- Provider as Data Processor: The Provider acts as the Data Processor, providing the technical infrastructure for data storage and processing solely under the User's instructions.
- Consent Warranty: The User warrants that they have obtained explicit, informed consent from all End-Customers to process and transfer their personal data (including passport details) to the Provider's servers.
- Sensitive Data Prohibition: The User is strictly prohibited from entering "Special Categories of Data" (e.g., medical information, allergies, health status) into the Service without obtaining the separate, explicit written consent required by Article 9 of the GDPR.
- Free-Text Fields Disclaimer: The Service includes free-text fields (e.g., "Notes", "Client Wishes") where the User may enter arbitrary information about End-Customers. If the User chooses to record Special Categories of Data (such as food allergies, health conditions, or dietary requirements) in these fields — even for legitimate safety reasons — the User assumes sole responsibility as Data Controller for obtaining the necessary explicit consent from the End-Customer under Article 9 GDPR. The Provider processes such data solely as instructed and bears no liability for the User's failure to secure adequate legal basis.
- Technical Isolation: The Provider implements multi-tenancy isolation to prevent unauthorized cross-organization data access, but the User remains responsible for their own account security.
3. Maximum Limitation of Liability
- Liability Cap: To the maximum extent permitted by applicable law, the Provider's total cumulative liability for any claims arising out of this Agreement shall be limited to 1.00 EUR (one Euro) or the equivalent in Serbian Dinars.
- Exclusion of Damages: The Provider shall not be liable for any direct, indirect, incidental, or consequential damages, including but not limited to loss of data, loss of business, or errors in maritime documents (e.g., Crew Lists) generated by the system.
- Operational Risks: The User acknowledges that as a free service, the Provider is not liable for system downtime, data corruption, or the failure of the system to meet specific business requirements.
4. User Indemnification
- Defense of Provider: The User agrees to indemnify, defend, and hold harmless the Provider (Rustam Islanov PR) from any third-party claims, government fines (including GDPR penalties), or legal costs resulting from the User's breach of data protection laws or this Agreement.
- Third-Party Disputes: The Provider is not a party to, and shall have no liability regarding, disputes between the User and their End-Customers, charter companies, or port authorities.
5. Security and Data Retention
- Data Deletion: The Provider offers an "Auto-delete after trip" feature for sensitive passport data.
- Retention Risk: If the User chooses to disable automatic deletion, the User assumes all legal and financial risks associated with the continued storage of sensitive End-Customer data.
- Account Security: The User is solely responsible for protecting their login credentials and ensuring the security of session cookies.
6. Jurisdiction and Governing Law
- Governing Law: This Agreement is governed by and construed in accordance with the laws of the Republic of Serbia.
- Dispute Resolution: Any disputes arising from the use of the Service shall be subject to the exclusive jurisdiction of the courts of Novi Sad, Serbia.
- Governing Language: This Agreement is drafted in the English language. If this Agreement or the Privacy Policy is translated into any other language for convenience, the English language text shall prevail in all cases of conflict, ambiguity, or dispute.
Annex A: Data Processing Agreement (DPA) – Article 28 GDPR
This Annex forms an integral part of the Agreement and fulfils the requirements of Article 28(3) GDPR.
1. Definitions
Terms such as "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach" shall have the meaning given in GDPR.
2. Subject Matter, Nature and Purpose
- Subject: Provision of Bay2Bay CRM SaaS platform.
- Duration: For the term of the main Agreement.
- Nature and Purpose: Storage and technical processing of personal data entered by the User for yacht cruise management (scheduling, document generation).
- Types of Personal Data: Names, contact details, passport/ID data, travel details of End-Customers.
- Categories of Data Subjects: End-Customers (passengers and crew).
3. Obligations of the Processor (Provider)
The Processor shall:
- Process Personal Data only on documented instructions from the Controller (User), including transfers.
- Ensure persons authorised to process Personal Data are committed to confidentiality.
- Implement appropriate technical and organisational measures (multi-tenancy isolation, encryption in transit/rest where implemented, access controls).
- Not engage sub-processors without prior specific or general written authorisation from the Controller. By accepting this Agreement, the Controller grants general written authorisation for the use of the sub-processors listed below. The Processor shall inform the Controller of any intended changes to the list and provide the Controller with an opportunity to object.
Current sub-processors:
| Sub-Processor | Purpose | Location |
| --- | --- | --- |
| Hetzner | Server hosting and data storage | Germany, EU |
| Alibaba Cloud | Secure traffic routing and reverse proxy services | Germany, EU |
| Resend | Transactional email delivery (email verification codes during registration) | USA |
| OpenRouter | AI-powered text analysis (see Section 5 below) | USA |
| Telegram Bot API | Optional Telegram integration for CRM operations | International |
| Google LLC | Optional Google Sign-In authentication (OAuth 2.0) | USA |
- Assist the Controller with data subject requests, breach notifications, DPIAs, and prior consultations, taking into account the nature of processing and information available.
- Notify the Controller without undue delay after becoming aware of a Personal Data Breach.
- At Controller's choice, delete or return all Personal Data at termination (except where required by law to retain).
- Make available to the Controller all information necessary to demonstrate compliance and allow for audits (at Controller's expense, max once per year, with reasonable notice).
4. Obligations of the Controller (User)
The Controller warrants that it has lawful basis for all processing and has provided required notices/consents to Data Subjects.
5. Data Transfers
Personal Data is stored on servers in the EU (Germany). By accepting this Agreement, the Controller provides general written authorisation for the following cross-border transfers necessary for platform operation:
- Resend (USA): During registration, the User's email address and first name are transmitted to Resend's API to deliver a one-time verification code. The email address is used for delivery, and the first name is included in the email body greeting. No End-Customer data, passwords, or other personal data is transmitted. Resend processes data transiently for email delivery only and does not retain message content beyond delivery. This transfer is governed by Resend's Data Processing Agreement.
- OpenRouter (USA): Transient processing of user-provided text commands for AI-powered features (e.g., Telegram Bot intent parsing, charter option parsing). Data is transmitted via API, processed in memory only, and is not used to train AI models. This transfer is governed by Standard Contractual Clauses (SCCs) between the Provider and OpenRouter.
- Alibaba Cloud (Germany, EU): HTTP traffic metadata (IP addresses, request headers) passes through Alibaba Cloud's infrastructure for secure traffic routing and reverse proxy services. All processing occurs within the EU (Germany).
- Telegram Bot API (International): When the User voluntarily links their Telegram account, Telegram Chat IDs and user-initiated CRM data are exchanged with Telegram's servers.
- Google LLC (USA): If the User chooses to sign in via Google, their email address and display name are received from Google's OAuth 2.0 API during authentication. No End-Customer data is transmitted. Google's processing is governed by Google's Privacy Policy.
No other transfers outside the EEA shall occur without the Controller's prior consent and adequate safeguards.
6. General
- This DPA is governed by Serbian law.
- Liability remains as limited in Section 3 of the main Agreement to the maximum extent permitted by law.
- In case of conflict, this Annex prevails regarding data protection obligations.
7. Acceptance Record
The User acknowledges that acceptance of this Agreement is logged electronically with a timestamp for compliance and audit purposes.