Effective date: April 20, 2026

Privacy Policy

This Privacy Policy describes the information that ChartNav ("we", "us", "the Service") processes when you access or use the Service, the purposes of that processing, the legal bases relied upon, and the rights available to you. This document also contains specific sections for Users located in the European Economic Area, the United Kingdom, Brazil, and the United States.

Owner and Data Controller

ChartNav operates this Service and acts as the Data Controller for any Personal Data processed through it. Owner contact email: privacy@chartnav.ai.

Types of Data collected

Among the types of Personal Data that the Service collects, by itself or through third parties, there are:

• Usage Data — including IP address, User-Agent, Referer, requested URL, timestamp, and standard HTTP diagnostic information recorded in server logs.
• Approximate geographic position — only when a User voluntarily enables browser geolocation to center the chart on their location. The position is processed on the User's device and is not transmitted to or stored by ChartNav servers.
• Locally stored preferences — including fleet vessel selections, user-entered notes, saved routes, anchor alarm settings, and interface preferences. These are written to the browser's localStorage on the User's device and are not transmitted to ChartNav servers.

ChartNav does not require registration and does not collect names, email addresses, postal addresses, phone numbers, payment information, biometrics, or account credentials. Any Personal Data either provided directly by the User or otherwise indicated as mandatory may prove to be necessary for the Service to provide its operation. If the User refuses to communicate such Data, it may be impossible for the Service to provide certain functionality.

Users are responsible for any third-party Personal Data obtained, published, or shared through the Service and confirm that they have the right to communicate or broadcast it, relieving the Owner of any liability towards third parties.

AIS and Vessel Data

All vessel position and identification data displayed on ChartNav originates from AIS (Automatic Identification System) radio transmissions broadcast over VHF frequencies in accordance with International Maritime Organization (IMO) regulations and the International Telecommunication Union (ITU) Radio Regulations. AIS transmissions are, by regulatory design, public broadcasts intended for reception by any capable receiver to support maritime safety. ChartNav does not collect AIS data from private or restricted sources, and does not associate AIS data with natural-person identifiers.

Mode and place of processing the Data

Methods of processing

The Owner takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data. Data processing is carried out using computers and IT-enabled tools, following organizational procedures strictly related to the purposes indicated. In addition to the Owner, the Data may be accessible to specific types of persons involved with the operation of the Service (administration, system administration) or to external parties (such as technical service providers, hosting providers, IT companies, or communications agencies) appointed, when necessary, as Data Processors by the Owner.

Place

The Data is processed at the Owner's operating offices and in any other places where the parties involved in the processing are located. Depending on the User's location, data transfers may involve transferring the User's Data to a country other than their own. To find out more about the place of processing of such transferred Data, Users can contact the Owner at the email address provided above.

Retention time

Server-side access logs are retained only as long as operationally necessary for security, abuse prevention, and diagnostics, and are purged on a rolling schedule. Data stored in the User's browser via localStorage remains on the User's device until the User clears it through browser settings. Personal Data processed for a specific purpose is retained only for as long as necessary to fulfill that purpose, or as required by applicable law.

The purposes of processing

The Data concerning the User is processed for the following purposes: providing the Service and its core features; hosting and backend infrastructure; security, abuse prevention, and rate limiting; diagnostics and performance monitoring; and complying with legal obligations.

Detailed information on the processing of Personal Data

Hosting and backend infrastructure

This type of service has the purpose of hosting Data and files that enable the Service to run and be distributed. Data processed: Usage Data. Processing occurs in the Owner's hosting environment; Personal Data processed in this context is limited to what is strictly necessary to deliver the page or tile requested.

Displaying content from external platforms

This type of service allows the Service to display content hosted on external platforms directly from the pages of the Service and to interact with them. Such services are often referred to as CDNs. The following third parties may, in the normal course of delivering requested resources, receive the User's IP address and standard HTTP headers (User-Agent, Referer):

• Carto (CARTO) — basemap tile delivery. Personal Data processed: IP address, HTTP headers. Place of processing: United States / European Union.
• OpenStreetMap Foundation — underlying geographic data used in basemaps. Personal Data processed: as applicable to the specific tile source.
• Google Fonts (Google LLC) — delivery of typefaces (Inter, JetBrains Mono). Personal Data processed: IP address, HTTP headers. Place of processing: United States.
• unpkg / CDN providers — delivery of open-source JavaScript libraries such as MapLibre GL. Personal Data processed: IP address, HTTP headers.
• Wikimedia Commons / Wikipedia (Wikimedia Foundation) — vessel photographs and reference data. Personal Data processed: IP address, HTTP headers. Place of processing: United States.
• NOAA / National Weather Service — nautical chart ENC data, weather alerts, radar imagery, tide and current predictions, and buoy observations. Personal Data processed: IP address, HTTP headers. Place of processing: United States.

Each of the above providers operates under its own privacy policy. ChartNav does not control their collection or retention practices.

System logs and maintenance

For operation and maintenance purposes, the Service and any third-party services may collect files that record interaction with the Service (System logs) or use other Personal Data (such as the IP Address) for this purpose. Such logs are used only to diagnose problems, protect against abuse, and comply with legal obligations, and are not combined with any other data to profile Users.

Device permissions for Personal Data access

Depending on the User's specific device, the Service may request certain permissions that allow it to access the User's device Data as described below. By default, these permissions must be granted by the User before the respective information can be accessed. Once the permission has been given, it can be revoked by the User at any time through the device settings or browser permissions.

• Precise location permission (non-continuous) — used when the User chooses to center the chart on their current position or to enable on-device navigation features. The position is processed entirely on the User's device and is not transmitted to ChartNav servers.
• Orientation and motion sensors — used only on supported devices and only when the User enables heading-based features such as chart rotation or the augmented-reality lookout view. Sensor data is processed on-device.

The exact procedures for controlling app permissions may depend on the browser, operating system, and device in use.

Client-side storage

ChartNav uses the browser's localStorage API to persist preferences and functionality on the User's device. Stored values include fleet vessel selections and associated notes, saved routes and waypoints, anchor-alarm configuration, chart and overlay preferences, and general interface state. This data is stored entirely within the User's browser and is not transmitted to or accessible by ChartNav servers. Users may clear this data at any time through their browser's site-data settings. See the Cookie Policy for details.

Cookies and Trackers

ChartNav does not set first-party cookies and does not employ analytics, tracking pixels, advertising networks, behavioral profiling, or fingerprinting of any kind. Third-party providers whose resources are loaded by the Service may set their own cookies or Trackers in accordance with their respective policies. See the Cookie Policy for a complete list.

Further information for Users

Legal basis of processing

The Owner may process Personal Data relating to Users if one of the following applies:

• Users have given their consent for one or more specific purposes;
• provision of Data is necessary for the performance of an agreement with the User and/or for any pre-contractual obligations thereof;
• processing is necessary for compliance with a legal obligation to which the Owner is subject;
• processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Owner;
• processing is necessary for the purposes of the legitimate interests pursued by the Owner or by a third party (such as maintaining the security and integrity of the Service).

Further information about retention time

Unless specified otherwise in this document, Personal Data shall be processed and stored for as long as required by the purpose they have been collected for and may be retained for longer due to applicable legal obligation or based on the User's consent.

The rights of Users based on the General Data Protection Regulation (GDPR)

Users may exercise certain rights regarding their Data processed by the Owner. In particular, Users have the right to do the following, to the extent permitted by law:

• Withdraw their consent at any time for processing previously based on consent.
• Object to processing of their Data when processing is based on a legal basis other than consent.
• Access their Data and learn how it is processed.
• Verify and seek rectification. Users may verify the accuracy of their Data and ask for it to be updated or corrected.
• Restrict the processing of their Data in certain circumstances.
• Have their Personal Data deleted or otherwise removed.
• Receive their Data and have it transferred to another controller (data portability), where technically feasible.
• Lodge a complaint with their competent data protection authority.

Users are also entitled to learn about the legal basis for Data transfers abroad, including to any international organization governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by the Owner to safeguard their Data.

Details about the right to object to processing

Where Personal Data is processed for a public interest, in the exercise of an official authority vested in the Owner, or for the purposes of the legitimate interests pursued by the Owner, Users may object to such processing by providing a ground related to their particular situation to justify the objection.

How to exercise these rights

Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Owner as early as possible and always within one month, providing Users with the information required by law.

Further information for Users in Brazil

This section of the document integrates with and supplements the information contained in the rest of this Privacy Policy and is provided by the entity running the Service and, if applicable, its parent, subsidiaries and affiliates (referred to in this section as "we", "us", "our"). This section applies to all Users in Brazil, according to the "Lei Geral de Proteção de Dados" (LGPD), and for such Users, these provisions supersede any other possibly divergent or conflicting provisions contained in this Privacy Policy.

The grounds on which we process your personal information

We can process your personal information solely if we have a legal basis for such processing. Legal bases are as follows:

• your consent to the relevant processing activities;
• compliance with a legal or regulatory obligation that lies with us;
• the carrying out of public policies provided in laws or regulations or based on contracts, agreements and similar legal instruments;
• studies conducted by research entities, preferably carried out on anonymized personal information;
• the carrying out of a contract and its preliminary procedures, in cases where you are a party to said contract;
• the exercising of our rights in judicial, administrative or arbitration procedures;
• protection or physical safety of yourself or a third party;
• the protection of health — in procedures carried out by health entities or professionals;
• our legitimate interests, provided that your fundamental rights and liberties do not prevail over such interests;
• credit protection.

Your Brazilian privacy rights

You have the right to:

• obtain confirmation of the existence of processing activities on your personal information;
• access your personal information;
• have incomplete, inaccurate or outdated personal information rectified;
• obtain the anonymization, blocking or elimination of your unnecessary or excessive personal information, or of information that is not being processed in compliance with the LGPD;
• obtain information on the possibility to provide or deny your consent and the consequences thereof;
• obtain information about the third parties with whom we share your personal information;
• upon your explicit request, have your personal information transferred to another service or product provider, provided that our commercial and industrial secrets are safeguarded;
• have your personal information that is processed in breach of the LGPD deleted;
• revoke your consent at any time;
• lodge a complaint related to your personal information with the ANPD (the National Data Protection Authority) or with consumer protection bodies;
• oppose processing activities in cases where the processing is carried out in non-compliance with the LGPD;
• request clear and adequate information regarding the criteria and procedures used for automated decision; and
• request the review of decisions made solely on the basis of the automated processing of your personal information that affect your interests.

How to file your request

You can file your express request to exercise your rights free from any charge, at any time, by using the contact details provided in this document, or via your legal representative.

Further information for Users in the United States

This section of the document integrates with and supplements the information contained in the rest of the privacy policy and is provided by the business running the Service and, if the case may be, its parent, subsidiaries and affiliates (for the purposes of this section referred to collectively as "we", "us", "our"). This section applies to all Users (Users are referred to below, simply as "you", "your", "yours") who are consumers residing in the states of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, and Rhode Island, according to applicable state consumer privacy laws. For such consumers, these provisions supersede any other possibly divergent or conflicting provisions contained in this privacy policy.

Notice at collection

The following table, required under California and similar state laws, details the categories of personal information that we collect, use, and disclose. You can read below further information in the sections following this table.

Identifiers

• Personal information categories collected: IP address, and standard HTTP diagnostic information recorded in server logs.
• Purpose of processing: delivery of the Service, security, and operational diagnostics.
• Retention period: only as long as operationally necessary.

Internet or other electronic network activity information

• Personal information categories collected: Usage Data (requested URL, User-Agent, Referer, timestamp).
• Purpose of processing: delivery of the Service, security, and operational diagnostics.
• Retention period: only as long as operationally necessary.

Geolocation data

• Personal information categories collected: approximate geographic position only when voluntarily enabled by the User through browser geolocation. Precise location is processed entirely on the User's device and is not transmitted to ChartNav servers.
• Purpose of processing: chart centering and on-device navigation features.
• Retention period: not retained server-side.

We do not collect sensitive personal information, biometric information, or information about minors as defined by applicable state laws. We do not sell personal information, do not share it for cross-context behavioral advertising, and do not engage in targeted advertising or profiling.

What are the sources of the personal information we collect?

We collect the above-mentioned categories of personal information, either directly or indirectly, from you when you use the Service. For example, you directly provide your personal information when you enable browser geolocation. You also indirectly provide personal information when you navigate the Service, as personal information about you is automatically observed and collected in the form of server logs.

Your privacy rights under United States state privacy laws

You may, subject to applicable law, exercise any of the following rights:

• Right to know and right to access. You have the right to request that we disclose to you the personal information we collect, use, or disclose, and information about our data practices.
• Right to correct. You have the right to correct inaccuracies in your personal information.
• Right to delete. You have the right to delete your personal information that we collected or maintain.
• Right to data portability. You have the right to obtain a copy of your personal information in a portable and, to the extent technically feasible, readily usable format.
• Right to non-discrimination. We will not discriminate against you for exercising your rights.

Additional rights for Users residing in California

In addition to the rights listed above, California residents have the right to opt out of the sale or sharing of personal information and the right to limit the use or disclosure of sensitive personal information. Because we do not sell or share personal information and do not collect sensitive personal information, these rights are honored by default.

How to exercise your privacy rights under United States state privacy laws

To exercise the rights described above, you or — in certain states — your authorized agent may submit a verifiable request by contacting us through the details provided in this document. For us to respond to your request, we must verify your identity. We will only use the personal information provided in the request to verify your identity, without compromising your privacy or security.

How and when we are expected to handle your request

We will respond to your request without undue delay, but in all cases and depending on the applicable state privacy law, within the legally required timeframe. Should we fail to respond within such timeframe, you have the full right to appeal our decision and/or start a procedure with the appropriate authority of your state.

Additional information about Data collection and processing

Legal action

The User's Personal Data may be used for legal purposes by the Owner in Court or in the stages leading to possible legal action arising from improper use of the Service or the related Services. The User declares to be aware that the Owner may be required to reveal personal data upon request of public authorities.

Information not contained in this policy

More details concerning the collection or processing of Personal Data may be requested from the Owner at any time. Please see the contact information at the top of this document.

Changes to this privacy policy

The Owner reserves the right to make changes to this privacy policy at any time by notifying its Users on this page and possibly within the Service. It is strongly recommended to check this page often, referring to the date of the last modification listed at the top. Should the changes affect processing activities performed on the basis of the User's consent, the Owner shall collect new consent from the User, where required.

Definitions and legal references

Personal Data (or Data)

Any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a natural person.

Usage Data

Information collected automatically through the Service (or third-party services employed in the Service), which can include: the IP addresses or domain names of the computers utilized by the Users who use the Service, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server's answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page within the Service) and the details about the path followed within the Service with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment.

User

The individual using the Service who, unless otherwise specified, coincides with the Data Subject.

Data Subject

The natural person to whom the Personal Data refers.

Data Processor (or Processor)

The natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, as described in this privacy policy.

Data Controller (or Owner)

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of the Service. The Data Controller, unless otherwise specified, is the Owner of the Service.

Service

The service provided by the Owner as described in the relative terms (if available) and on this site.

Tracker

Tracker indicates any technology — e.g., cookies, unique identifiers, web beacons, embedded scripts, e-tags and fingerprinting — that enables the tracking of Users, for example by accessing or storing information on the User's device.

Cookie

Cookies are Trackers consisting of small sets of data stored in the User's browser.

Legal information

This privacy policy has been prepared based on provisions of multiple legislations, including Art. 13/14 of Regulation (EU) 2016/679 (General Data Protection Regulation), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and the Lei Geral de Proteção de Dados Pessoais (LGPD). Unless otherwise specified, this privacy policy concerns only the Service.