How we handle your data.

Who this policy applies to

This policy covers personal data processed by BlueBay Solutions in the following contexts:

• Visitors to bluebaysolutions.com and any subdomains we operate (such as documentation or product portals)
• Prospective customers who contact us through forms, email, or scheduled meetings
• Customers using our software products, including GIMS (Global Inventory Management System)
• Authorized users of customer-deployed instances (where the customer is the data controller and we act as a data processor)

Information we collect

2.1 Information you provide directly

• Contact information — name, work email, company, role, phone (when you submit forms or correspond with us)
• Account information — username, encrypted password, role assignments, organizational unit (when you have a GIMS account)
• Communications — emails, support requests, meeting notes, contracts, and other correspondence
• Operational data — within a GIMS deployment: asset records, transfer requests, audit logs, attached photos and documents (entered by you or your colleagues)

2.2 Information collected automatically

• Technical data — IP address, browser type, device type, operating system, screen resolution, language preference
• Usage data — pages viewed, features used, click patterns, session duration, referring URLs
• Authentication data — login timestamps, IP of last login, session tokens, OTP verification events

2.3 Information from third parties

• Information from analytics providers (e.g. Google Analytics) about how visitors interact with our website
• Information from authentication providers if you log in via single sign-on
• Information from your employer or organization when they grant you access to a GIMS deployment they license

How we use information

We use the information we collect for purposes that are reasonably consistent with the context in which it was provided. Specifically:

• Service delivery — to operate, maintain, and improve our software and websites
• Customer support — to respond to your inquiries, troubleshoot issues, and provide technical assistance
• Authentication & security — to verify your identity, maintain audit trails, detect suspicious activity, and protect against unauthorized access
• Communication — to send service-related notifications, security alerts, and (where you've consented or there is legitimate interest) occasional updates about our products
• Analytics — to understand how our website and products are used in aggregate, so we can improve them
• Legal & compliance — to comply with applicable laws, respond to lawful requests, and enforce our terms

We do not sell your personal information. We do not use your operational data inside GIMS for advertising, marketing to third parties, or training general-purpose AI models.

Legal basis for processing (GDPR & similar)

Where you are located in the European Economic Area, the United Kingdom, or another jurisdiction with similar laws, we rely on the following legal bases:

• Contract — to provide the services you've requested or that your organization has licensed
• Legitimate interests — for security, fraud prevention, service improvement, and limited B2B communications, where these don't override your rights
• Consent — for marketing emails, non-essential cookies, and similar discretionary processing
• Legal obligation — when we're required by law to process or retain certain information

Sharing & third parties

We share information only when necessary, and only with parties bound by appropriate confidentiality and data protection obligations.

5.1 Service providers

• Cloud infrastructure — Amazon Web Services (AWS), where GIMS instances and our backend services are hosted
• Email & communication — providers we use for transactional and customer communication
• Analytics — providers that help us understand website usage in aggregate
• Customer support tools — ticketing and helpdesk platforms used by our team

5.2 Insurance partners (only with consent)

Where a customer has explicitly authorized read-only access for their marine insurer, P&I club, or claims adjuster, we facilitate that access through scoped, audited API endpoints. The customer remains the data controller; the insurer becomes a recipient under the customer's instruction. We do not initiate or share data with insurers without explicit customer authorization.

5.3 Legal disclosures

We may disclose information when required by valid legal process, to protect our rights or the safety of others, or in connection with a corporate transaction (merger, acquisition, etc.) — with notice to affected parties where legally permitted.

Data security

We apply technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include:

• Encryption in transit — TLS 1.3 (or current best practice) for all web traffic and API calls
• Encryption at rest — AES-256 encryption for stored data, with KMS-managed keys
• Access controls — role-based access control (RBAC) with location-scoped permissions and OTP-based authentication for privileged accounts
• Audit logging — immutable change logs for every action affecting customer data
• Backups — automated, encrypted backups with point-in-time recovery
• Network security — segregated VPCs, security group restrictions, and intrusion monitoring on AWS infrastructure
• Personnel — background checks for staff with production data access, mandatory security training, and least-privilege access policies

Data retention

We retain personal information only as long as necessary for the purposes described in this policy, or as required by law. Specific retention periods:

• Website contact form submissions — 24 months from last interaction, unless you become a customer
• Customer account & operational data — for the duration of the customer agreement plus 90 days, after which data is exported and deleted (or earlier on customer instruction)
• Audit logs & security records — minimum 12 months for compliance and security investigation purposes
• Financial & contractual records — 7 years, as required by US tax and accounting regulations
• Marketing communications — until you unsubscribe, plus a short retention period to prevent re-subscription errors

Your rights

Depending on your jurisdiction, you may have the following rights regarding personal data we hold about you:

• Access — request a copy of the personal data we hold about you
• Correction — request that we correct inaccurate or incomplete data
• Deletion — request deletion of personal data, subject to legal and contractual obligations
• Restriction — request that we limit how we process your data
• Portability — request a structured, machine-readable copy of data you've provided
• Objection — object to processing based on our legitimate interests
• Withdraw consent — where processing is based on consent, withdraw it at any time
• Lodge a complaint — with your local data protection authority

To exercise any of these rights, contact us at privacy@bluebaysolutions.com. We will respond within 30 days, or notify you if we need a reasonable extension.

8.1 California residents (CCPA/CPRA)

California residents have specific rights under the California Consumer Privacy Act, including the right to know what personal information is collected, the right to delete it, the right to correct inaccurate information, and the right to limit the use of sensitive personal information. We do not sell personal information as that term is defined under California law.

Cookies & tracking

Our website uses a small number of cookies and similar technologies, in three categories:

• Strictly necessary — required for core functionality (session management, security). These cannot be disabled without breaking the site.
• Analytics — help us understand aggregate usage. You can decline these via your browser settings or our cookie banner where displayed.
• Preferences — remember your settings (e.g., dismissed banners). Optional.

We do not use advertising cookies, cross-site tracking pixels, or third-party advertising networks on our marketing website.

International data transfers

BlueBay Solutions is based in the United States. Where we transfer personal data from the EEA, UK, or other jurisdictions to the US (or to other countries through our service providers), we rely on appropriate safeguards including Standard Contractual Clauses, adequacy decisions where applicable, and supplementary technical measures. Customers with strict data-residency requirements should discuss deployment options with us before purchase.

Children's privacy

Our products and websites are not directed to children under 16, and we do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us so we can remove it.

Changes to this policy

We may update this policy to reflect changes in our practices, services, or applicable law. The "Last Updated" date at the top of this page indicates when the most recent revision took effect. For material changes, we will provide additional notice — typically by email to active customers and a prominent banner on this site. Continued use of our services after notice constitutes acceptance of the revised policy.

Contact us

For privacy-related questions, requests, or complaints, please reach out to us directly. We aim to acknowledge requests within 5 business days and resolve them within 30 days.

If you are in the EU/EEA and prefer to contact a representative within the EU, please email us at the privacy address above and we will route your request appropriately.