Privacy Policy

01Who We Serve

This Privacy Policy applies to:

• Visitors to our website
• Registered platform users
• Shipowners
• Charterers
• Ship brokers
• Enterprise customers
• Business partners
• API users
• Individuals interacting with ShipLinker AI Agents

Where a corporate client uploads or manages data within ShipLinker, that client remains the controller (or, under the PDPA, the organisation that has effective control) of its own commercial and operational data, while ShipLinker acts as a technology platform, data intermediary, and service provider that processes such data on the client's behalf in accordance with our written agreement.

02Information We Collect

2.1Information You Provide

When you use ShipLinker, we may collect:

Account & Business Information

• Name
• Company name
• Job title
• Business email
• Phone number
• Country and region

Commercial & Maritime Data

• Vessel details
• Cargo details
• Voyage information
• Fixture data
• Port information
• Chartering requirements
• Counterparty information
• Commercial negotiations
• RFQs and quotations
• Recap documents
• Q88 and operational documents

AI Agent Interactions

• AI prompts
• Chat history
• Uploaded files
• Instructions submitted to AI Agents
• AI-generated outputs and recommendations

Billing Information

• Subscription information
• Invoice details
• Payment metadata

ShipLinker does not store full payment card details directly.

2.2Information Collected Automatically

We may automatically collect:

• IP address
• Browser type
• Device information
• Operating system
• Session activity
• Feature usage
• Error logs
• Search behavior
• Performance metrics
• Approximate geographic location

2.3AIS & Maritime Intelligence Data

ShipLinker processes maritime intelligence datasets including:

• AIS vessel tracking data
• Port call information
• Voyage histories
• Vessel particulars
• Market intelligence
• Freight-related analytics
• Weather and routing data

AIS data originates from public maritime transmissions broadcast under international maritime regulations and from licensed third-party data providers. Such data is generally not personal data, but where it relates to identifiable individuals (for example, small craft owners), we treat it as personal data under this Policy.

03How We Use Information

We use data, in line with the PDPA Purpose Limitation Obligation and equivalent purpose-limitation principles under applicable law, only for the purposes notified to you, including to:

• Operate and secure the platform
• Deliver AI-powered chartering recommendations
• Match vessels and cargo
• Improve chartering efficiency
• Enable negotiations and workflows
• Support customer accounts
• Process subscriptions and payments
• Improve AI models and platform performance (subject to Section 5)
• Detect fraud and security threats
• Comply with legal, regulatory, sanctions, tax and audit obligations
• Provide customer support
• Personalize platform experiences
• Develop new AI-driven features and maritime intelligence products

We will not collect, use or disclose personal data for any new purpose that has not been notified to you (or to which fresh consent has not been obtained), except where the PDPA or other applicable law permits us to do so without consent.

04Legal Bases for Processing

We process personal data only where we have a valid legal basis. Depending on the context and applicable law, we rely on one or more of the following:

• Consent and deemed consent under the PDPA — including consent given expressly, deemed consent by conduct (Section 15 PDPA), deemed consent by contractual necessity (Section 15(8) PDPA), and deemed consent by notification (Section 15A PDPA) where the requirements are satisfied.
• Legitimate interests exception under the PDPA — where the legitimate interests of ShipLinker or a third party outweigh any adverse effect on the individual, and a documented assessment has been conducted (First Schedule, Part 3 PDPA).
• Business improvement exception under the PDPA — to improve, enhance and develop our Services, where the requirements of the First Schedule, Part 5 PDPA are met.
• Legal or regulatory obligation — including responding to lawful requests from public authorities, sanctions compliance, and tax/accounting obligations.
• Performance of a contract — to provide the Services you or your organisation have requested.
• Vital interests — including in maritime safety or emergency situations.
• GDPR-equivalent bases — where you are located in the EU/UK or another GDPR-aligned jurisdiction, we rely on the corresponding lawful bases under Article 6 GDPR (and Article 9 where applicable to special-category data).

Where we rely on consent, you may withdraw consent at any time as described in Section 13. Withdrawal will not affect the lawfulness of processing carried out before withdrawal and may affect our ability to continue providing the Services.

05AI Agent & Machine Learning Policy

ShipLinker is an AI-first platform. Our AI Agents use machine learning, automation, and data intelligence to assist maritime commercial workflows.

5.1AI Processing

Information submitted to ShipLinker AI Agents may be processed to generate:

• Vessel recommendations
• Cargo matches
• Voyage insights
• Draft communications
• Operational summaries
• Market intelligence
• Workflow automation outputs

5.2Client Data Protection

ShipLinker does NOT use client commercial data, fixtures, negotiations, or private AI conversations to train public AI models or third-party foundation models.

Your proprietary commercial information remains confidential.

5.3Internal AI Improvements

We may use aggregated or anonymized usage patterns, in reliance on the PDPA business improvement exception and equivalent global principles, to:

• improve system accuracy,
• optimize recommendations,
• enhance workflow automation,
• and improve platform reliability.

No confidential client information is sold or exposed publicly.

5.4Human Oversight & Automated Decisions

AI-generated outputs may contain inaccuracies or incomplete information.

Users remain responsible for validating commercial decisions, chartering terms, counterparties, and operational actions before execution.

The Services do not, by default, make decisions producing legal or similarly significant effects on you based solely on automated processing without meaningful human review. Where applicable law (including the GDPR) gives you a right not to be subject to a solely-automated decision with significant effects, that right is preserved.

ShipLinker AI outputs are decision-support tools and do not constitute legal, financial, compliance, or brokerage advice.

06Confidentiality & Commercial Data Protection

ShipLinker is built with confidentiality as a core principle.

We understand that chartering, freight negotiations, cargo positions, and vessel availability are commercially sensitive.

Therefore:

• Private postings remain private
• Anonymous workflows preserve market confidentiality
• Access controls restrict unauthorized visibility
• Commercial negotiations are protected
• Internal client data is compartmentalized
• Data access follows strict need-to-know principles

ShipLinker employees and service providers are bound by written confidentiality and data-protection obligations consistent with the PDPA Accountability and Protection Obligations.

07Data Sharing

ShipLinker does not sell personal data.

We only share information with:

• Cloud infrastructure providers
• Payment processors
• Security providers
• Analytics providers
• Authentication providers
• AI infrastructure partners
• Legal and compliance advisors
• Affiliates within the ShipLinker group
• Acquirers and their advisors in the event of a corporate transaction
• Government authorities, regulators or courts where required by law

All providers operate as our data intermediaries (under Section 4(2) PDPA) or sub-processors (under equivalent global laws) under written contracts that require confidentiality, purpose limitation, data security, breach notification, audit rights, and return or deletion of data on termination.

08International Data Transfers

ShipLinker operates globally. Your information may be processed in Singapore and other jurisdictions where our infrastructure or partners operate.

In line with Section 26 of the PDPA and the Personal Data Protection Regulations 2014, we will transfer personal data outside Singapore only where the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to the PDPA. We achieve this through one or more of the following:

• contractually-binding data-protection clauses (including ASEAN Model Contractual Clauses or industry equivalents),
• intra-group data-transfer agreements,
• transfers to jurisdictions which the PDPC or relevant authority recognizes as providing comparable protection,
• EU/UK Standard Contractual Clauses or equivalent transfer mechanisms where the GDPR or UK GDPR applies, and
• other safeguards required or permitted by applicable law.

You may contact our Data Protection Officer (Section 18) to obtain further information on the safeguards used for any specific transfer.

09Data Retention

In line with the PDPA Retention Limitation Obligation (Section 25 PDPA) and equivalent storage-limitation principles under applicable law, we retain personal data only for as long as necessary to:

• provide services,
• maintain platform operations,
• comply with legal, tax, accounting, sanctions and audit obligations,
• resolve disputes,
• enforce agreements,
• and improve system integrity.

When personal data is no longer required for any legal or business purpose, it is securely deleted, anonymized (so that re-identification is no longer reasonably possible), or archived under appropriate access controls.

10Security

In line with the PDPA Protection Obligation (Section 24 PDPA), ShipLinker implements industry-standard technical and organizational safeguards including:

• Encryption in transit and at rest
• Access control systems
• Authentication protections (including multi-factor authentication where appropriate)
• Security monitoring
• Infrastructure segmentation
• Logging and audit controls
• Internal access management
• Regular system testing and vulnerability assessments
• Personnel training on data protection

While no system is completely immune from risk, we continuously work to protect customer information and platform integrity.

11Data Breach Notification

In compliance with the PDPA Data Breach Notification Obligation (Part 6A PDPA, in force from 1 February 2021) and equivalent breach-notification laws under the GDPR and other applicable regimes, ShipLinker maintains a documented data-breach response plan. Where a notifiable data breach occurs, we will:

• notify the Personal Data Protection Commission of Singapore (PDPC) as soon as practicable, and in any case no later than 3 calendar days after we have determined that the breach is notifiable;
• notify affected individuals as soon as practicable, where the breach is likely to result in significant harm to those individuals (subject to permitted exceptions);
• notify other supervisory authorities and affected individuals within the timeframes required by applicable law (including, where the GDPR applies, within 72 hours of becoming aware of the breach); and
• cooperate with our clients to support any breach notifications they are required to make where ShipLinker acts as their data intermediary.

12Cookies & Website Technologies

ShipLinker uses cookies and similar technologies to:

• operate the website,
• improve user experience,
• analyze traffic,
• maintain sessions,
• measure performance,
• and support platform functionality.

Where required by law, we obtain consent for non-essential cookies through our cookie banner. Users may control cookies through browser settings or, where available, the cookie preference centre on our website.

13Your Rights

Subject to applicable law, you have the following rights in respect of your personal data:

• Access — request a copy of personal data we hold about you, and information on how it has been used and disclosed in the past year (PDPA Access Obligation, Section 21).
• Correction — request that we correct inaccurate or incomplete personal data (PDPA Correction Obligation, Section 22).
• Withdrawal of consent — withdraw any consent you previously gave us, on reasonable notice (PDPA Section 16).
• Deletion — request deletion of personal data, subject to our legal and contractual retention obligations.
• Restriction of processing
• Objection to direct marketing — see Section 14.
• Data portability — receive certain personal data in a structured, commonly used and machine-readable format, where this right applies under the PDPA (when in force) or applicable global law.
• Lodge a complaint — with the Personal Data Protection Commission of Singapore (PDPC) at www.pdpc.gov.sg, or with another competent supervisory authority where you reside or work.

We will respond to verifiable access and correction requests as soon as reasonably possible and, in any event, within 30 days of receiving the request (or such other timeframe required by applicable law). Where we cannot meet this timeframe, we will notify you of the reason and the expected response time. We may charge a reasonable fee for access requests, in accordance with the PDPA.

To exercise your rights, contact info@shiplinker.co. We may need to verify your identity before responding. Where you are an individual whose personal data was provided by an enterprise client, please contact that client first; we will support them in responding to your request.

14Marketing & Do Not Call

We will only send you marketing communications where permitted by applicable law and, where required, with your consent.

• You can opt out of marketing emails at any time using the unsubscribe link or by contacting info@shiplinker.co.
• For Singapore telephone numbers, ShipLinker complies with the Do Not Call (DNC) Provisions of the PDPA (Part 9). We will check the relevant DNC registers before sending specified messages and will respect any opt-out you communicate to us.
• Transactional, security and service-related communications will continue to be sent as part of our provision of the Services.

15Third-Party Services

ShipLinker may integrate with third-party platforms including:

• AIS providers
• Port databases
• Mapping services
• Payment gateways
• ERP systems
• Email systems
• Messaging tools

Third-party services operate under their own privacy policies and terms. We encourage you to review them before connecting any third-party service to ShipLinker.

16Children's Privacy

ShipLinker is designed for business and professional users and is not intended for individuals under 16 years old. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps to delete it.

17Policy Updates

We may update this Privacy Policy periodically to reflect:

• platform enhancements,
• AI developments,
• legal or regulatory requirements (including amendments to the PDPA or guidance issued by the PDPC),
• operational changes,
• or security improvements.

Updated versions will be published on our website with a revised "Last updated" date. Where changes are material, we will provide additional notice through the Services or by other reasonable means.

18Contact Us & Data Protection Officer

In line with the PDPA Accountability Obligation (Section 11(3) PDPA), ShipLinker has appointed a Data Protection Officer (DPO) responsible for ensuring our compliance with the PDPA and equivalent global laws.

You can contact our DPO and the privacy team at:

ShipLinker (Singapore) Pte. Ltd.
Attn: Data Protection Officer
Email: info@shiplinker.co
Website: https://www.shiplinker.co