This Privacy Policy explains how personal data is processed when you visit the website pelyr.com and when you use the PELYR maritime dashboard / web application (together, the "Service"). It is provided in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Austrian Data Protection Act (Datenschutzgesetz, "DSG") and the Austrian Telecommunications Act 2021 (Telekommunikationsgesetz 2021, "TKG 2021").
We have designed the Service to be data-minimal: there is no advertising, no cross-site tracking, no third-party tracking cookies, and no profiling. Because no information requiring consent is stored on or read from your device beyond what is strictly necessary, no cookie consent banner is used (see Section 6).
1. Controller
The controller responsible for data processing within the meaning of Art. 4(7) GDPR is:
Gerichtsstraße 13, 9300 St. Veit an der Glan, Austria
Email: hello@pelyr.com
If you have any questions about data protection or wish to exercise your rights, please contact us using the details above.
2. Data Protection Officer
A statutory Data Protection Officer (Datenschutzbeauftragter) has not been appointed, as the conditions of Art. 37 GDPR (and the corresponding provisions of the DSG) are not met. The controller named in Section 1 is your point of contact for all data protection matters.
3. Categories of data, purposes and legal bases (overview)
We process the following categories of personal data. Details on each are given in the sections that follow.
| Processing activity | Data categories | Legal basis |
|---|---|---|
| Provision of the website & server log files (Sec. 5) | IP address, date/time, requested URL, referrer, user agent | Art. 6(1)(f) GDPR (secure, functioning website) |
| Strictly necessary cookies / local storage (Sec. 6) | Session token, watchlist (vessel IDs) | Art. 6(1)(f) GDPR; § 165(3) TKG 2021 (strictly necessary) |
| Web analytics – Plausible (Sec. 7) | Transient IP (not stored), page, referrer, device/browser type | Art. 6(1)(f) GDPR (reach measurement) |
| User accounts & login (Sec. 8) | Email, display name, password (Argon2id hash), role, timestamps | Art. 6(1)(b) GDPR; Art. 6(1)(f) for account security |
| Abuse / brute-force protection (Sec. 9) | IP address, email used for login | Art. 6(1)(f) GDPR (IT security) |
| Display of vessel (AIS) data (Sec. 10) | Vessel identifiers and positions; personal data only where attributable to a natural person | Art. 6(1)(f) GDPR (publicly broadcast navigation data) |
| Contact by email (Sec. 13) | Email address, message content | Art. 6(1)(b)/(f) GDPR |
Where we rely on legitimate interests (Art. 6(1)(f) GDPR), you have a right to object (see Section 17).
4. Recipients and processors (hosting & infrastructure)
We use the following service providers, who process personal data on our behalf as processors under Art. 28 GDPR (data processing agreements are in place). The links below point to each provider's own privacy terms and data processing addendum (DPA):
| Provider | Role | Location of processing |
|---|---|---|
| Cloudflare, Inc. (Privacy policy · DPA) | Delivery, CDN and security of pelyr.com (served via Cloudflare Workers); processes visitor IP addresses at the edge | Global edge network / USA (see Sec. 11) |
| netcup GmbH, Karlsruhe, Germany (Privacy policy · DPA) | Hosting of the application servers (web frontend and app backend) | Germany (EU) |
| STRATO GmbH, Berlin, Germany (Privacy policy · DPA) | Hosting of our self-hosted Plausible web-analytics instance | Germany (EU) |
| DigitalOcean, LLC (Privacy policy · DPA) | Managed databases PostgreSQL and Valkey (user accounts, sessions, live state) | EU region (Frankfurt/Amsterdam) |
| Cloudflare R2 (Cloudflare, Inc.) (Privacy policy · DPA) | Object storage for the historical AIS archive — does not contain personal data of Service users | EU jurisdiction / see Sec. 11 |
We do not sell personal data and do not pass it on to third parties for their own purposes. Disclosure to public authorities occurs only where we are legally obliged to do so.
5. Provision of the website and server log files
When you access the Service, technical connection data is processed so that the website can be delivered to your device and operated securely. This typically includes:
- the IP address of the requesting device,
- the date and time of the request,
- the requested resource (URL) and HTTP status,
- the referrer URL, where transmitted,
- the user agent (browser type/version and operating system).
This data is processed by the website's delivery layer (Cloudflare) and by our application servers and reverse proxy. It is necessary to establish the connection, to ensure system security and stability, and to detect and prevent abuse.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable and functional provision of the Service.
Storage period: Server log data is stored only for as long as necessary for the purposes described above — in particular to ensure system security and to investigate technical faults or security incidents — and is deleted or anonymised once it is no longer required for these purposes. We do not use server logs to build user profiles.
6. Cookies and local storage
Storing information on, or reading information from, your device is governed by § 165(3) TKG 2021. This requires your consent unless the storage/access is strictly necessary to provide a service that you have expressly requested. The Service relies only on strictly necessary storage and therefore does not display a consent banner.
a) Session cookie op_session (dashboard login only)
Set only after you log in to the dashboard. It contains a randomly generated session token (no personal data is stored in the cookie itself). Properties: HttpOnly, SameSite=Lax, Secure (over HTTPS), path /, lifetime up to 14 days (sliding window). It is strictly necessary to keep you logged in and is deleted when you log out. Legal basis: Art. 6(1)(f) GDPR / § 165(3) TKG 2021 (strictly necessary).
b) Local storage – "watchlist"
If you actively add vessels to your watchlist, the corresponding vessel identifiers (MMSI numbers, up to 25) are stored in your browser's local storage under the key op:watchlist:v1. This data remains on your device, is not transmitted to us, contains no personal data about you, and exists only to provide the watchlist feature you requested. You can delete it at any time by clearing your browser storage. Legal basis: § 165(3) TKG 2021 (strictly necessary for a feature you requested).
c) Cloudflare security cookies (where applicable)
For protection against automated abuse, Cloudflare may set a strictly necessary security cookie (e.g. __cf_bm). This serves IT security only and is not used for tracking. Legal basis: Art. 6(1)(f) GDPR / § 165(3) TKG 2021.
We do not use advertising cookies, marketing cookies, or third-party tracking cookies.
7. Web analytics with Plausible (self-hosted)
To understand how our website is used and to improve it, we use Plausible Community Edition, a privacy-friendly web analytics tool that we host ourselves on our own infrastructure at STRATO GmbH in Germany (EU). The analytics script and the event endpoint are served first-party from pelyr.com.
Plausible is cookieless and does not store any information on your device. It does not track you across websites and does not create cross-site or long-term user profiles. To count visits, Plausible processes your IP address and user agent transiently to generate a rotating, daily-changing hash; the IP address itself is not stored and the hash is discarded at the end of the day. The metrics collected are aggregated (e.g. page views, referrer source, country, device/browser type).
Because the data is held on our own infrastructure and no information is stored on your device, this processing does not require consent.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in the statistical, privacy-preserving analysis of website usage. You can object at any time (see Section 17).
8. User accounts, login and access control
The dashboard offers an optional login for operators and administrators. The public map and public vessel data can be viewed without an account. If an account is created for you, we process:
- your email address (required; used as your login identifier),
- your display name (optional),
- your password, stored exclusively as a salted Argon2id hash — we never store your password in plain text,
- your role (e.g. viewer, operator, admin) for access control (RBAC),
- account status and timestamps (created/updated).
This data is stored in our PostgreSQL database (DigitalOcean, EU region). To keep you signed in, a session record (session token → user ID) is stored in our Valkey store for up to 14 days (sliding window) and is removed on logout.
Legal basis: Art. 6(1)(b) GDPR for establishing and managing the user relationship, and Art. 6(1)(f) GDPR for the security of the login mechanism.
Note: For technical reasons, after a password change other active sessions may remain valid until they expire; the session in use can always be ended by logging out.
9. Protection against misuse (rate limiting)
To protect the login from brute-force and credential-stuffing attacks, we temporarily record failed login attempts per combination of IP address and the email address used. After several failed attempts within a short window, further attempts are blocked (HTTP 429). These counters are stored in our Valkey store with a short time-to-live of 15 minutes and are then automatically deleted.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in protecting accounts and IT systems against unauthorised access.
10. Display of vessel and AIS data
The Service displays maritime traffic data based on the Automatic Identification System (AIS), an international standard under the IMO/SOLAS framework that vessels broadcast publicly. This includes, for example, the vessel's MMSI, name, call sign, IMO number, type, position, course, speed, navigational status and self-reported destination.
AIS data primarily relates to vessels, not to identified natural persons, and contains no information about crew or passengers. However, where a vessel can be attributed to a natural person (for instance a small privately owned boat), the associated AIS data may constitute personal data in individual cases. Insofar as this is the case, we process such publicly broadcast navigation data to provide the maritime intelligence service.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in providing, analysing and displaying publicly broadcast maritime navigation data for operational situational awareness; this is balanced against the limited and public nature of the data.
The AIS feed is obtained from the external data source aisstream.io. Live data is held in our Valkey store, sampled positions and statistics in PostgreSQL, and the raw historical archive in Cloudflare R2; retention periods are set out in Section 12. If you believe that AIS data displayed in the Service relates to you and you wish to object, please contact us (Section 17).
11. Maps and external map services
The map view uses map and nautical data from the following sources: OpenFreeMap / OpenStreetMap (base map), the Overpass API (harbour basins, anchorages and seamarks), OpenSeaMap (seamark overlay) and MapToolkit (nautical vector tiles).
Importantly, these services are not contacted directly by your browser. All requests to these third parties are routed server-side through our own server (a first-party proxy). As a result, these external providers receive only our server's IP address and the requested map tile coordinates — your IP address is not transmitted to them.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing map functionality while protecting your IP address from third parties).
12. Storage periods
We store personal data only for as long as necessary for the respective purpose or as required by statutory retention obligations.
| Data | Storage period |
|---|---|
| User account data (email, name, password hash, role) | Until the account is deleted or you request erasure |
| Session records (Valkey) | Up to 14 days (sliding); deleted on logout |
| Failed-login counters incl. IP (Valkey) | 15 minutes |
| Watchlist (local storage on your device) | Until you clear it; not stored by us |
| Server log files | Only as long as needed for security and operations, then deleted or anonymised |
| Plausible analytics | Aggregated statistics retained; IP address not stored |
| AIS live positions (Valkey) | Short-lived (approx. 24 hours, TTL-based) |
| AIS 10-minute position samples (PostgreSQL) | Approx. 30 days |
| AIS daily static vessel snapshot (PostgreSQL) | Approx. 15 days |
| AIS raw historical archive (Cloudflare R2) | Configurable; contains no user personal data |
13. Contact by email
If you contact us by email (e.g. hello@pelyr.com), we process the data you provide (your email address and the content of your message) in order to handle your request. Legal basis: Art. 6(1)(b) GDPR where your request relates to a (pre-)contractual matter, otherwise Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries). This data is deleted once your request has been fully dealt with and no statutory retention obligations apply.
14. International data transfers
Our managed databases (PostgreSQL, Valkey) and our application servers are located within the EU (DigitalOcean EU region; netcup, Germany), so your account data is processed within the EEA. Some providers are part of US-based groups:
- Cloudflare, Inc. delivers the website and processes visitor IP addresses at its edge network, which may include locations outside the EEA.
- DigitalOcean, LLC is a US company, even though our data is stored in its EU region.
Where personal data is transferred to a third country (in particular the USA), the transfer is safeguarded by the EU–U.S. Data Privacy Framework (for providers certified under it) and/or by the European Commission's Standard Contractual Clauses pursuant to Art. 46 GDPR, supplemented by appropriate additional safeguards. The EU–U.S. Data Privacy Framework adequacy decision remains in force (confirmed by the EU General Court in September 2025; an appeal is pending). You may request a copy of the relevant safeguards using the contact details in Section 1.
15. Data security
We use appropriate technical and organisational measures to protect your data, including: encrypted transport via HTTPS/TLS; storage of passwords only as Argon2id hashes; HttpOnly, Secure and SameSite session cookies; cryptographically secure session tokens; rate limiting against brute-force attacks; and role-based access control. These measures are reviewed and adapted in line with the state of the art.
16. No automated decision-making
We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR.
17. Your rights
Under the GDPR you have the following rights regarding your personal data:
- Right of access (Art. 15) — to obtain confirmation and a copy of your data;
- Right to rectification (Art. 16) — to have inaccurate data corrected;
- Right to erasure (Art. 17) — the "right to be forgotten";
- Right to restriction of processing (Art. 18);
- Right to data portability (Art. 20) — to receive your data in a structured, commonly used, machine-readable format;
- Right to object (Art. 21) — you may object, on grounds relating to your particular situation, to processing based on Art. 6(1)(f) GDPR, including the analytics and AIS-data processing described above;
- Right to withdraw consent (Art. 7(3)) — where processing is based on consent, you may withdraw it at any time with effect for the future.
To exercise any of these rights, please contact us using the details in Section 1. Exercising your rights is free of charge.
18. Right to lodge a complaint
Without prejudice to any other remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes the GDPR. The competent authority in Austria is:
Barichgasse 40–42, 1030 Vienna, Austria
Phone: +43 1 52 152-0 · Email: dsb@dsb.gv.at
Web: www.dsb.gv.at
You may also contact the supervisory authority of your habitual residence or place of work.
19. Obligation to provide data
You are not legally or contractually obliged to provide personal data to browse the public parts of the Service. If you choose to create an account, providing an email address and password is necessary to set up and use that account; without them, an account cannot be created.
20. Changes to this Privacy Policy
We may update this Privacy Policy to reflect changes to the Service or to legal requirements. The current version is always available on this page; the date at the top indicates when it was last revised.
This Privacy Policy concerns data protection only. The legal notice (Impressum / disclosure under the Austrian E-Commerce Act and Media Act) is provided separately.