Privacy Policy

Effective Date: Jan 1, 2025

Last Updated: November 14, 2025

1) Controller and Scope

This Privacy Policy explains how Seachios Crane Naval e Serviços Marítimos Ltda. (brand Seachios® Marine Services, CNPJ/Tax ID 09.258.299/0001-53) and its affiliates, controlled or controlling entities, and companies in the same economic group (collectively, “Seachios”, “we”, “us”, “our”) collect, use, share, store, protect, and otherwise process personal data in connection with our maritime, port, underwater, technical, and agency-related operations.

Unless expressly stated otherwise in a specific contract or data processing agreement, Seachios acts as Data Controller for the processing described herein. This Policy applies to clients, prospects, suppliers, contractors, agents, representatives, vessel personnel, and visitors who interact with Seachios via websites, forms, email and messaging platforms, phone/VoIP, or operational workflows (including confidential documents and contracts exchanged with Seachios).

2) Categories of Data

2.1 Data You Provide

  • Identification & Contact: name, job title, company, email, phone/WhatsApp, IDs/documents required for port/terminal access, signatures.

  • Contract & Finance: RFQs, proposals, purchase orders, contract metadata, billing/remittance details (limited), tax IDs, payment confirmations.

  • Operational & Compliance: vessel/IMO, voyage/call details, boarding lists, port/terminal clearances, hot-work and confined-space permits, HSSE acknowledgements, incident registers.

  • Communications & Files: contents and attachments of emails and messages (including confidential information, drawings, photos, videos, contracts, legal notices), call notes/recordings where lawful and notified.

2.2 Data Collected Automatically

  • Device & Browsing: IP address, device/browser type, timestamps, pages visited, referrers, cookie IDs, approximate geolocation (when enabled).

  • Telemetry & Security: application logs, performance metrics, error/crash reports, access and security logs.

2.3 Photos, Video, and Operational Evidence

  • Operational evidence created by Seachios for compliance, quality, invoicing proof, HSSE, and dispute defense (e.g., before/after cleaning photos, underwater recordings, time logs, on-site stills).

2.4 Special Categories & Children

We avoid processing special-category data unless required by law/safety (e.g., fitness-to-work confirmations for terminal access) and apply heightened safeguards if such processing is strictly necessary. Our services are B2B; we do not target children.

3) Purposes and Legal Bases

We process personal data for the following purposes, under the legal bases recognized by LGPD, GDPR (EU/UK), and CPRA/CCPA (California):

  1. Service Delivery & Operations: scope confirmation, mobilisation, launch/boat logistics, boarding, port/terminal access, HSSE workflows (e.g., NR-29/NR-33/NR-35), operational reporting, invoicing, customer service.
    Bases: contract performance; legal obligation; legitimate interests.

  2. Compliance & Legal Duties: tax and audit compliance, sanctions/AML/KYC screening, responses to lawful requests by authorities/port state control/class societies, legal holds.
    Bases: legal obligation; legitimate interests.

  3. Safety, Security & Dispute Evidence: fraud/security monitoring, protection of rights, preservation of evidence (photos, videos, logs) for claims and defense.
    Bases: legitimate interests; exercise of rights in proceedings.

  4. Sales, Account Management & Marketing: responding to inquiries and RFQs; newsletters and professional updates; event invitations (opt-out available).
    Bases: legitimate interests; consent where required by local law.

  5. Product/Website Improvement & Analytics: de-identified analytics, service quality, A/B testing, performance optimization.
    Bases: legitimate interests; consent where cookie/e-privacy rules require.

4) Cookies and Similar Technologies

We use strictly necessary cookies for security, authentication, and session management. With consent where required, we may use analytics/functional/marketing cookies or SDKs. Manage preferences via our cookie banner/manager and your browser settings; blocking some cookies may affect functionality.

5) Sharing and Disclosures

Seachios does not sell personal data. We share data only as needed:

  • Processors: cloud/hosting, email/messaging and collaboration tools, analytics, cybersecurity, payment processors, customer support, content delivery networks.

  • Operational Partners: vetted launch companies, port service providers, laboratories, surveyors, classification societies, and other contractors necessary to perform services.

  • Affiliates/Group Companies: internal administration and service fulfillment.

  • Legal/Regulatory: courts, authorities, port state control, Customs, police, or when necessary to protect rights, property, or safety.

  • Corporate Transactions: mergers, acquisitions, reorganizations, subject to confidentiality safeguards.

Processors act under contract, on our documented instructions, with confidentiality and security obligations.

6) International Data Transfers

We may transfer data to countries with different protection levels. Where required, we implement Standard Contractual Clauses (SCCs), UK IDTA/Addendum, LGPD international transfer mechanisms, and supplementary safeguards (encryption, access controls, minimization, need-to-know). Transfer risk assessments may be conducted where appropriate.

7) Security Measures

We maintain layered administrative, technical, and physical controls appropriate to risk: governance and access control, authentication, encryption in transit and at rest (where feasible), network segmentation, monitoring/logging, vulnerability and patch management, secure development practices, supplier security due diligence, backup/restore, and staff awareness training. Operational evidence and confidential documents exchanged by email or messaging are treated as business records with restricted access.

8) Confidential Information (Mutual Protection)

Emails, messages, proposals, contracts, drawings, technical notes, operational plans, and other materials exchanged with Seachios may contain confidential information of both the Client and Seachios. Each party shall: (i) protect the other’s confidential information at least to the standard applied to its own; (ii) use it solely for the agreed business purpose; (iii) restrict access to a need-to-know basis under confidentiality; and (iv) refrain from disclosure to third parties except to authorized processors/partners bound by confidentiality or where disclosure is legally required. Where compelled disclosure is required, the receiving party will, where lawful, give prompt notice and limit disclosure to the minimum necessary.

9) Data Retention

We retain personal data only for as long as necessary for the stated purposes and to comply with legal, tax, audit, or litigation-hold requirements. Typical ranges:

  • Contract/operational files and evidence media: 5–10 years (longer if legally required or while a dispute is pending).

  • Accounting/tax records: statutory periods.

  • Marketing contacts: until opt-out or defined inactivity threshold.

  • Access/boarding lists: per port/authority rules and necessity.

At end of retention, data is deleted, anonymized, or securely archived where a legal duty applies.

10) Your Rights

Depending on your jurisdiction:

  • LGPD (Brazil): confirmation, access, correction, anonymization/blocking/deletion of excessive data, portability, information on sharing and consent, withdraw consent, review of automated decisions.

  • GDPR (EU/UK): access, rectification, erasure, restriction, portability, objection, withdraw consent, not to be subject to solely automated decisions with legal/similar effects.

  • CPRA/CCPA (California): know (categories/specific pieces), correct, delete, opt-out of sale/sharing (we do not sell personal data), limit use of sensitive personal information, non-discrimination.

How to exercise: email privacy@seachiosbrazil.com stating your full name, relationship to Seachios (client, supplier, visitor, etc.), and request type. We may verify identity and scope. We aim to respond within the applicable statutory timeframe (e.g., 15 days—LGPD; one month—GDPR; 45 days—CPRA), extendable where permitted.

You may lodge a complaint with your local supervisory authority (e.g., Brazil’s ANPD, your EEA authority, the UK ICO, or California AG).

11) Business Communications & Marketing

We may send operational/service communications (e.g., safety notices, policy updates, operational alerts). For marketing (newsletters, maritime insights, event invitations), we rely on legitimate interests in B2B contexts or consent where required. You can unsubscribe at any time via the link provided or by emailing privacy@seachiosbrazil.com.

12) Messaging Platforms and Call Recording

Operational coordination may occur via WhatsApp/Teams/Telegram or similar platforms. We treat such content as business records subject to this Policy to the extent feasible; platform providers may process data as independent controllers under their own privacy terms. Where calls are recorded (e.g., operations or quality monitoring), we provide notice and rely on contract/legitimate interests and applicable telecom rules.

13) CCTV and Physical Access

At Seachios facilities or host terminals, CCTV and access systems may capture images/access logs for security, fraud prevention, incident investigation, and regulatory compliance. Retention generally ranges 15–90 days, unless an incident or legal duty requires longer retention.

14) Sanctions, AML/KYC, and Denied Parties

To comply with OFAC/UN/EU/UK/Brazil sanctions and AML/KYC obligations, Seachios may screen counterparties and vessels against public or paid lists and request documentary evidence. If a match or material risk is identified, Seachios may decline, suspend, or terminate services or disclosures and, where appropriate, report to competent authorities.

15) Automated Decision-Making

We do not make decisions solely by automated means that produce legal or similarly significant effects about individuals. If such features are introduced, Seachios will provide a specific notice and enable applicable rights (including human review).

16) Changes to This Policy

We may update this Policy to reflect changes in processing or law. We will post the new effective date and, where material, provide prominent notice. Continued interaction with our services after an update indicates acknowledgment.


Annex — Privacy Enforcement, Governance, and Contractual Alignment

A) Binding Effect, Precedence, Acceptance by Conduct

  1. Binding Effect. This Privacy Policy (including this Annex) is contractually binding between Seachios and any party that: (i) uses Seachios’ websites, systems, or services; (ii) exchanges emails/messages or files with Seachios; or (iii) receives/provides confidential information or operational evidence to/from Seachios.

  2. Precedence. In case of conflict between this Policy and any external privacy notice, PO, agency instruction, or third-party template, this Policy prevails to the maximum extent permitted by applicable law.

  3. Acceptance by Conduct. Accessing Seachios’ sites/systems, exchanging emails/messages, or sharing/receiving personal or confidential data with Seachios constitutes full, unconditional acceptance of this Policy.

B) Roles, Instructions, and DPAs

  1. Controller vs Processor. Unless otherwise defined in a contract or Data Processing Agreement (DPA), Seachios acts as Controller. Where Seachios acts as Processor for a Client-Controller, processing is performed only on documented instructions and consistent with the DPA.

  2. DPA Terms. A DPA may define: subject matter, duration, nature and purpose; data types and subjects; confidentiality; sub-processor onboarding and flow-down; data-subject rights assistance; deletion/return at end of service; and audit cooperation as limited by Section G.

  3. Unlawful/Sanctioned Instructions. Seachios may suspend processing that, in good-faith judgment, appears to violate data protection or sanctions laws.

C) International Transfers and Sanctions Gate

  1. Transfers. Cross-border transfers rely on recognized safeguards (SCCs, UK IDTA/Addendum, LGPD mechanisms) and supplementary measures.

  2. Sanctions. Data will not be transferred to or processed for sanctioned/denied parties. Seachios may decline, suspend, or terminate processing that would contravene sanctions; costs already incurred remain due.

D) Security Baseline and Evidence Handling

  1. Security Framework. Seachios maintains layered technical/organizational measures: role-based access, authentication, encryption in transit/at rest (where feasible), network segmentation, monitoring/logging, vulnerability management, supplier due diligence, backups, and awareness training.

  2. Operational Evidence. Photos, videos, logs, and other operational media are controlled records, watermarked or hashed where applicable, and retained per Section 9.

  3. Confidential Exchanges. Emails/messages, proposals, contracts, drawings, technical notes, and legal correspondence are treated as confidential business records; disclosure is limited to authorized recipients, processors, or lawful requests.

E) Incident Response and Notification

  1. Response Process. Seachios operates an incident response process to detect, triage, contain, investigate, and remediate security events.

  2. Notification. Where a personal-data incident likely creates risk to individuals, Seachios will notify impacted Controllers/clients without undue delay after confirmation and cooperate on regulatory notifications and data-subject communications, consistent with applicable law.

F) Data-Subject Requests and Legal Hold

  1. Requests. Seachios supports rights requests via Section 10. Identity verification is required; responses follow statutory timelines.

  2. Legal Hold. During disputes, audits, or lawful requests, relevant records (including emails/messages/media) may be preserved beyond normal retention until release of hold.

G) Audits and Certifications (Processor Context)

  1. Audit Satisfaction. Where Seachios acts as Processor, audit rights are satisfied by: (i) up-to-date third-party assurance reports/certifications (where available), (ii) written security responses, and (iii) one (1) focused assessment per year (remote, questionnaire-based), subject to confidentiality and reasonable notice.

  2. Limitations. Audits shall not disrupt operations or expose other clients’ data, threat intelligence, or proprietary security designs; on-site access is exceptional, NDA-bound, and subject to cost reimbursement.

H) Confidentiality and Mutual Protection

  1. Mutual Duty. Each party protects the other’s confidential information at least to its own standard, uses it solely for the agreed purpose, and restricts access to a need-to-know basis under confidentiality obligations.

  2. Compelled Disclosure. If disclosure is legally mandated, the receiving party will, where lawful, provide prior notice and limit the disclosure to what is strictly necessary.

I) Indemnity, Liability, and No Third-Party Approval Condition

  1. Client Indemnity (Processor Context). Client-Controller shall indemnify Seachios for reasonable losses arising from Client’s unlawful instructions, lack of lawful basis, or sanctioned/denied-party engagement, except where caused by Seachios’ failure to follow the DPA or by Seachios’ willful misconduct.

  2. Limitation of Liability. To the maximum extent permitted by law, Seachios shall not be liable for indirect, consequential, special, punitive, or exemplary damages; and Seachios’ aggregate liability for privacy claims connected to a service shall not exceed the fees paid for that service during the 12 months preceding the event giving rise to the claim, this limitation not applying where prohibited by mandatory data-protection law.

  3. No Third-Party Approval Condition. Privacy/security obligations are not conditioned on approvals or payments by charterers, P&I, terminals, or any other third parties.

J) Time Bar and Forum

  1. Time Bar (15 + 30). Any privacy-related claim must be notified in writing within 15 (fifteen) days of the date the claimant became or should reasonably have become aware of the facts giving rise to the claim; any legal or arbitral proceedings must then be commenced within 30 (thirty) days thereafter. Failure to meet either period renders the claim time-barred and irrevocably waived, except where a longer mandatory period is prescribed by applicable data-protection law.

  2. Governing Law and Forum. Subject to mandatory local data-protection rights, Brazilian law governs; exclusive forum is Santos, State of São Paulo, Brazil, or arbitration at Seachios’ election, without prejudice to data-subjects’ right to lodge complaints with their competent data-protection authority.

K) Changes, Survival, Non-Waiver, Severability

  1. Versioning and Notice. Seachios may amend this Policy/Annex; material changes will be noticed prominently with an updated effective date.

  2. Survival. Confidentiality, security, sanctions gate, incident cooperation, legal hold, indemnity/limitation, time bar, governing law, and audit limits survive termination of services or relationships.

  3. Non-Waiver & Severability. No failure or delay in exercising any right constitutes a waiver; if any provision is held invalid, the remainder remains in full force and effect.

17) Contact Information

For rights requests or inquiries, please contact our Data Protection Officer (DPO):

Ms. Letycia Hanaoka
📧 Email: letycia@seachiosbrazil.com
📞 Phone: +55 11 3042-0019

SEACHIOS CRANE NAVAL E SERVIÇOS MARÍTIMOS LTDA
operating under the brand name Seachios® Marine Services
Brazilian Company Registry (CNPJ/Tax ID): 09.258.299/0001-53
This company is in compliance with IMO regulations, the ISM Code, and ANTAQ requirements.

©2025 All rights reserved.
