Privacy Policy
Last updated: 15 April 2026. Effective upon publication.
This Privacy Policy (the "Policy") describes what personal data the Shkiper AI service (the "Service", "we", "us") collects and processes, for what purposes, on what legal bases, with whom we share it, how long we keep it, how we protect it, and what rights you have as a data subject. The Policy applies to all users of the Service, including our mobile applications (iOS, Android), web application, and the shkiper.app marketing website, regardless of country of residence.
This Policy is drafted in accordance with the Russian Federal Law No. 152-FZ of 27 July 2006 on Personal Data, Russian Federal Law No. 242-FZ of 21 July 2014, the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the UK GDPR and the UK Data Protection Act 2018 (DPA 2018), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and other applicable laws. By using the Service you confirm that you have read this Policy.
1. General provisions and scope
The personal data operator is Individual Entrepreneur Morev Valentin Valentinovich, registered in the Russian Federation (the "Operator"). The Operator acts as a data controller within the meaning of the GDPR and UK GDPR and as a "business" within the meaning of CCPA/CPRA.
The Policy applies to all personal data that we receive from you when you use the Service, contact our support team, interact with marketing materials, or make payments. The Policy does not apply to third-party websites or services that may be linked from within the Service.
We update the Policy as the product evolves and as the law changes. The current version is always available at https://shkiper.app/legal/privacy (Russian) and https://shkiper.app/en/legal/privacy (English). The English version is provided for convenience; in case of any conflict, the Russian version is legally binding for users resident in the Russian Federation, and the English version is legally binding for users in other jurisdictions.
2. Who we are and how to contact us
For general inquiries, write to hello@shkiper.app. For data-protection matters, exercising data-subject rights, and complaints — privacy@shkiper.app. For abuse, copyright (DMCA), and security reports — abuse@shkiper.app. We respond within the timeframes set by applicable law (typically within 30 days of receipt).
Our representative in the European Union pursuant to Article 27 GDPR is [TBD] (to be appointed by [date]). Contact for EEA residents — eu-rep@shkiper.app. A UK Article 27 representative will be appointed if and when our UK presence makes it necessary.
No Data Protection Officer (DPO) has been appointed at the time of publication, as the scope and nature of our processing do not require mandatory appointment under Article 37 GDPR. All data-protection requests are handled via privacy@shkiper.app and processed by the Operator personally.
The Operator's legal address is provided upon official request in accordance with applicable law. We deliberately do not publish the residential address of the sole trader on the internet for personal-safety reasons, which is permissible for individual entrepreneurs.
3. Age restrictions
The Service is intended for users aged 16 and older in all jurisdictions. At signup we ask for a date of birth (neutral age gate) and block account creation for anyone under 16. We do not request parental consent for minors and do not provide the Service to users under 16 even with the consent of a legal representative.
If we learn that a user under 16 has created an account by circumventing the age gate, we will delete that account and associated personal data within 30 days of discovery. See the Children's Privacy Notice at /legal/children for details.
4. What personal data we collect
We follow the data-minimisation principle and collect only the categories necessary for the functioning of the Service, for security, and for compliance with our legal obligations. The categories of personal data we process are:
- Identification and registration data. Email address, name (optional), chosen interface language, user identifier (UUID). If you register with email and password, the password is stored solely as an irreversible cryptographic hash (bcrypt/Argon2) and is not accessible to Operator personnel.
- External authentication (OAuth) data. When you sign in with Apple, Google, or Yandex, we receive from the provider your email, display name, and provider-specific user identifier. If you choose "Hide My Email" with Apple, we receive a relay address of the form @privaterelay.appleid.com.
- Learning data. Topic progress, mock-exam results, history of mastered concepts, spaced-repetition marks, chosen certification track (ISSA, RYA, IYT, etc.), preferred learning language.
- Conversation content with the AI tutor. The text of your questions, within-session conversational context, model-generated answers, and any thumbs-up/-down or "helpful/inaccurate" flags you set. We retain this so you can revisit explanations and so we can improve answer quality.
- Voice input (when used). If you ask a question by voice, the audio fragment is transmitted to the server, transcribed to text, and discarded immediately. Audio is not persisted to disk. Transcription is performed by OpenAI (see section 9); voice streams are not sent for model training.
- Subscription and payment data. Plan tier (Free, Course Pass, Monthly, Annual), status, start and end dates, Apple App Store / Google Play transaction identifiers. Card-payment details never pass through our systems — they are handled entirely by the app stores. Separate disclosures will apply to web payments once introduced.
- Technical and diagnostic data. Device model, OS version, app version, install identifier, time zone, system language, network type, IP address (truncated to /24 in long-term logs), request timestamps, crash identifiers (crash reports without user content).
- Session identifiers and tokens. A device identifier that Amazon Cognito binds to issued access and refresh tokens. Used solely to manage your authenticated session and to protect against unauthorised token reuse.
- Support communications. Content of emails, tickets, and support-chat messages, including any attachments. Retained as necessary to resolve the inquiry and for subsequent quality analysis.
We do not collect special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, biometrics, health data, sexual orientation) and do not ask you to provide them. If such information happens to appear in the text of a question you send to the AI, it will be processed as part of a regular request and is not treated as a separate category.
5. Sources of data
We receive personal data from the following sources:
- Directly from you — at signup, when you fill in your profile, when interacting with the AI, and when contacting support.
- Automatically from your device and client application — technical and diagnostic data.
- From OAuth providers (Apple, Google, Yandex) — when you choose to sign in through them.
- From the app stores (App Store, Google Play) — subscription status and transaction details.
- From our security and anti-fraud vendors — signals about suspicious activity associated with your account.
6. Purposes of processing and legal bases
We process personal data only for specific, pre-declared, and lawful purposes. The legal basis for each purpose under Article 6 GDPR and the corresponding provisions of 152-FZ is shown below:
- Providing and operating the Service (AI responses, progress saving, device sync, content delivery) — performance of a contract (Art. 6(1)(b) GDPR; Part 5 Art. 6 of 152-FZ).
- Account creation, maintenance, and authentication — performance of a contract (Art. 6(1)(b) GDPR).
- Personalisation of learning, study-plan construction, spaced repetition — performance of a contract and our legitimate interest in offering a high-quality product (Art. 6(1)(b) and 6(1)(f) GDPR).
- Security, fraud prevention, protection against automated scraping, incident logging — legitimate interest (Art. 6(1)(f) GDPR) and compliance with legal obligations (Art. 6(1)(c) GDPR).
- Payment processing, invoicing, accounting and tax records — performance of a contract and compliance with legal obligations (Art. 6(1)(b), 6(1)(c) GDPR).
- Product improvement and AI-model improvement — legitimate interest on de-identified and aggregated data (Art. 6(1)(f) GDPR). Your prompts are not passed to third-party models for training (see section 7).
- Marketing communications (newsletters, announcements) — consent (Art. 6(1)(a) GDPR; Part 1 Art. 6 of 152-FZ). You may withdraw consent at any time by clicking "Unsubscribe" in an email or writing to privacy@shkiper.app.
In the Russian Federation, processing is also based on the subject's consent (Part 1 Art. 6 of 152-FZ), performance of the contract to which the subject is a party (para 5 Part 1 Art. 6 of 152-FZ), and achievement of the Operator's legitimate interests subject to the rights and freedoms of the subject (para 7 Part 1 Art. 6 of 152-FZ).
7. How we use artificial intelligence
The core feature of the Service is an AI tutor that answers your yachting-related questions. Technically this is implemented as a call to a large language model (LLM) through the API of OpenAI, Inc. (USA). Before the request leaves our infrastructure, our backend strips identifying data from it (email, name, user identifier, IP address). Only the question text, a short context from previous turns in the current session, and service metadata (language, chosen track) are sent.
OpenAI processes API requests under terms where API data is not used to train OpenAI models by default. OpenAI may temporarily retain requests and responses for up to 30 days for abuse monitoring. See the OpenAI API data usage policy for details. We have a Data Processing Addendum in place with OpenAI.
AI responses are automatically generated texts that may contain inaccuracies and factual errors (so-called "hallucinations"). The Service is an educational tool and does not replace professional advice; for critical decisions, verify against primary sources. The Service is not a real-time navigation aid and must not be used as the sole source of information when operating a vessel.
We do not pass your personal data (email, name, identifiers) to third-party models, do not use the content of your conversations for external ad targeting, and do not sell it. For our own product-metric and heuristic improvements, we may analyse de-identified and aggregated conversation samples with all user identifiers removed.
8. Automated decision-making and profiling
The Service does not take automated decisions that produce legal effects or similarly significantly affect you within the meaning of Article 22 GDPR. The AI tutor produces study recommendations and explanations, but the final decisions (whether you are ready for the exam, which course to choose, how to answer an exam question) are yours. Mock-exam results are indicative and do not constitute an official certificate.
We apply personalisation algorithms (topic selection, repetition scheduling, content ranking). You may at any time request an explanation of the logic behind a recommendation, request human review, or opt out of personalisation by writing to privacy@shkiper.app. In line with CPRA ADMT requirements effective 1 January 2026, we do not use automated decision-making in the contexts enumerated in ADMT pre-use notices (employment, educational opportunities, lending, housing, etc.).
We use automated anti-fraud mechanisms to protect the Service (suspicious-login detection, rate limiting, bot-activity detection). If your account is blocked, you will be notified and have the right to request manual review of the decision.
9. Sub-processors and recipients of data
We do not sell or share your personal data with third parties for advertising or commercial purposes. To run the Service we engage the following sub-processors under contracts with data-protection obligations:
Amazon Web Services, Inc. (AWS)
Role / function: Hosting and infrastructure: Amazon Cognito (authentication), AWS Lambda and API Gateway (compute), Amazon DynamoDB (database), Amazon S3 (files), Amazon CloudWatch (logs). AWS DPA with Standard Contractual Clauses in place.
Data categories transferred: All categories listed in section 4, encrypted in transit and at rest.
Jurisdiction / region: eu-central-1 (Frankfurt, Germany). AWS corporate entity — USA.
OpenAI, Inc. (OpenAI Ireland Ltd.)
Role / function: LLM answer generation and voice transcription via API. No-training-on-data mode. OpenAI DPA in place; EU Commission SCCs (controller-to-processor module) and UK IDTA applied.
Data categories transferred: Prompt text, short session context, metadata (language, track). No email, name, user identifier, or IP.
Jurisdiction / region: USA (with processing in the OpenAI-designated region pool).
Google LLC — Google OAuth / Google Sign-In
Role / function: Sign-in to the Service with a Google account.
Data categories transferred: Email and name from your Google account, Google ID.
Jurisdiction / region: USA / Google global infrastructure.
Google LLC — Google Play / Google Play Billing
Role / function: Distribution of the Android app and in-app purchase processing.
Data categories transferred: Order ID, subscription status. Card details do not pass through us.
Jurisdiction / region: USA / Google global infrastructure.
Apple Inc. — App Store / Sign in with Apple / StoreKit
Role / function: Distribution of the iOS app, sign-in with Apple ID, in-app purchase processing.
Data categories transferred: Email (or relay address), name (optional), transaction identifier, subscription status.
Jurisdiction / region: USA / Apple global infrastructure.
Yandex LLC (ООО «Яндекс») — Yandex OAuth
Role / function: Sign-in to the Service with a Yandex account.
Data categories transferred: Email and name from your Yandex account, Yandex ID.
Jurisdiction / region: Russian Federation.
Cloudflare, Inc.
Role / function: CDN, DNS, and DDoS protection for shkiper.app.
Data categories transferred: IP address, HTTP request headers, network metadata.
Jurisdiction / region: USA / Cloudflare global edge network.
Transactional email and support vendors
Role / function: Delivery of service emails (signup confirmation, password reset, receipts) and support-ticket handling. Specific vendors may change; the current list is available upon request at privacy@shkiper.app.
Data categories transferred: Email, name, service-email or ticket content.
Jurisdiction / region: EU / USA (under SCCs).
All sub-processors are bound by contracts requiring a level of data protection equivalent to ours and prohibiting use of the data for their own purposes beyond providing services to the Operator. The list of sub-processors may be updated; material changes will be notified in accordance with section 20.
10. International data transfers
Our infrastructure is hosted in the AWS eu-central-1 region (Frankfurt, Germany). Some sub-processors are located outside the EEA, the UK, and the Russian Federation. For such transfers we rely on the following safeguards:
- For transfers out of the EEA to countries without an adequacy decision — the European Commission's Standard Contractual Clauses 2021/914 in the relevant modules, supplemented by a transfer impact assessment (TIA) and, where necessary, supplementary measures.
- For transfers out of the UK — the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
- For transfers out of the Russian Federation — cross-border transfer is carried out with notification to Roskomnadzor in accordance with Part 3 Art. 12 of 152-FZ (as amended effective 1 March 2023), and only to countries that ensure adequate protection, or where we have the subject's written consent or a contractual necessity.
- For our work with OpenAI, SCCs apply and the API is configured in a no-training-on-data mode.
Copies of the SCCs we use and our Roskomnadzor cross-border transfer notice are available upon request at privacy@shkiper.app.
11. Retention periods
We retain personal data only for as long as necessary for the purposes for which it was collected and for the periods required by law. Concrete retention periods by category:
- Account and profile data — for as long as the account is active. After self-deletion or 24+ months of inactivity — irreversible deletion within 30 days, except for data for which the law sets a longer period.
- AI conversation history and learning progress — while the account is active, plus up to 12 months after deletion to resolve potential disputes. You may delete conversation history manually at any time.
- Voice fragments — not stored; discarded immediately after transcription.
- Payment records — 5 years as required by Russian accounting and tax law.
- Security and diagnostic logs — up to 90 days; the truncated IP address (/24) in long-term logs — up to 13 months.
- Database backups — 35 days with automatic rotation and overwrite.
- Support communications — 24 months from ticket closure.
After the applicable period expires, the data is either deleted irreversibly or anonymised so that re-identification of a specific subject is impossible.
12. Security measures
We implement technical and organisational measures proportionate to the risks of processing, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256) via AWS-native services.
- Storage of passwords only as irreversible cryptographic hashes (bcrypt/Argon2).
- Least-privilege access: employees and contractors receive access only to the data needed for their role.
- Two-factor authentication for administrative accounts and logging of administrative actions.
- Network segmentation, private VPCs, security groups, and AWS IAM policies.
- Regular backups and restore testing; backup rotation.
- Security monitoring, incident response, and periodic review of the security policy.
Despite these measures, absolute security on the internet is unattainable. If we detect an incident likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of discovery (where applicable) and, in case of high risk, will notify you without undue delay in accordance with Articles 33-34 GDPR and applicable provisions of 152-FZ.
13. Your rights
Regardless of the jurisdiction in which you reside, we recognise the following rights (their scope and procedure may vary with applicable law):
- Right to information about what personal data we process and for what purposes.
- Right of access to your personal data and to obtain a copy.
- Right to rectification (correction) of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") where there is no lawful ground for further retention.
- Right to restrict processing in specified circumstances (e.g., while you contest the accuracy of the data).
- Right to object to processing based on legitimate interests and to object to direct-marketing use.
- Right to data portability in a structured, commonly used, machine-readable format.
- Right to withdraw previously given consent at any time without affecting the lawfulness of processing prior to withdrawal.
To exercise any of these rights, write to privacy@shkiper.app from the email address you registered with. We may request additional information to verify your identity. We respond within the period set by applicable law: generally within 30 days (GDPR, 152-FZ) or 45 days (CCPA, with a possible 45-day extension up to 90 days).
If you believe we have violated your rights, you may lodge a complaint with a supervisory authority: in the Russian Federation — Roskomnadzor (rkn.gov.ru); in the EEA — the supervisory authority of your country of residence or work; in the UK — the Information Commissioner's Office (ico.org.uk); in California — the California Privacy Protection Agency (cppa.ca.gov) or the State Attorney General. We ask you to contact us first — it usually resolves the issue faster.
14. Russian Federation residents (152-FZ and 242-FZ)
For users who are citizens of the Russian Federation or are physically located in the Russian Federation, processing of personal data is carried out in accordance with Federal Law No. 152-FZ of 27 July 2006 on Personal Data. You have the rights provided for in Article 14 of that law, including the right to require clarification, blocking, or destruction of your data.
In relation to Federal Law No. 242-FZ of 21 July 2014 on localisation of personal data of Russian citizens, the initial recording of personal data is currently performed on AWS servers in the eu-central-1 region (Frankfurt, Germany). The question of relocating the primary record to the Russian Federation is under evaluation. Russian citizens who do not wish to use foreign infrastructure may choose not to use the Service; in that case their data will be deleted upon request.
The Roskomnadzor notification of personal-data processing has been filed / is in the process of being filed; registration number — [TBD]. The cross-border transfer notification has been submitted in accordance with Part 3 Art. 12 of 152-FZ.
Consent to the processing of personal data is provided by you by ticking the consent box at signup and by continuing to use the Service. You may withdraw consent at any time by written notice to privacy@shkiper.app; upon withdrawal we will cease processing and delete the data, except where law permits or requires continued processing (e.g., to meet tax obligations).
15. California residents (CCPA/CPRA)
This section applies to residents of the State of California, USA, and supplements the rest of the Policy in accordance with the California Consumer Privacy Act as amended by the CPRA and the regulations effective 1 January 2026.
We do not sell or "share" your personal information. We do not engage in "sales" of personal information within the meaning of the CCPA and do not "share" it for cross-context behavioural advertising. We have no ad SDKs, social-media pixels, or other tools that could qualify as "sale" or "sharing." We honour the Global Privacy Control (GPC) browser signal and treat it as an opt-out request for sale/sharing.
In the preceding 12 months we collected the following categories of personal information within the meaning of the CCPA:
- Identifiers: name, email, user identifier, IP address, device identifiers.
- Customer records under Cal. Civ. Code §1798.80(e): name, email, payment details.
- Commercial information: subscription and transaction history.
- Internet and network activity: Service usage logs, feature interactions.
- Geolocation (approximate, at the country/region level derived from IP).
- Audio information: voice prompts (not retained after transcription).
- Professional / educational information: learning progress, mock-exam results.
As a California resident you have the following rights:
- Right to Know the categories and specific pieces of personal information we have collected about you in the past 12 months, the sources, purposes, and recipients.
- Right to Delete the personal information we have collected, subject to statutory exceptions.
- Right to Correct inaccurate personal information.
- Right to Opt-Out of Sale/Sharing — automatically effective as we do not engage in such operations; the GPC signal is additionally honoured.
- Right to Limit Use of Sensitive Personal Information. We do not use sensitive data for purposes beyond providing the services you request.
- Right to Non-Discrimination — you will not receive lower service quality for exercising these rights.
The "Shine the Light" right under Cal. Civ. Code §1798.83 (information about disclosures for third-party direct marketing) does not apply, as we do not make such disclosures.
To exercise CCPA rights, submit a verifiable request to privacy@shkiper.app with the subject line "CCPA Request". You may appoint an authorised agent; we may require written proof of authorisation. We respond within 45 days, extendable by another 45 days.
16. Residents of other US states
If you reside in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), or another state with a comprehensive privacy law in force, you have rights similar to those described in section 13, including the rights to access, delete, correct, port, and opt out of "sales," "targeted advertising," and "profiling" with legal or similarly significant effects. We satisfy these rights through a single unified procedure (see section 13). Published universal opt-out mechanisms, including GPC, are recognised and honoured.
17. Children
The Service is not intended for anyone under 16. We do not knowingly collect personal data from such users and do not direct marketing to them. Personal information of persons under 16 is treated as sensitive under the CPRA; because we do not permit such users to register, we do not process their sensitive data.
For details on our age policy, the procedure for deleting children's accounts, and parental rights, see the Children's Privacy Notice.
18. Cookies and tracking technologies
We use a limited set of cookies and local storage to maintain sessions, remember language preferences, and run anonymous product analytics. We do not use advertising trackers or social-media pixels. A full description, including the cookie list, retention periods, and opt-out controls, is available in the Cookie Policy.
19. Data-breach notification
If we detect a breach or other incident likely to create a risk to the rights and freedoms of data subjects, we notify the competent supervisory authority (Roskomnadzor for the RF, the relevant EEA authorities, the ICO for the UK, State Attorneys General in the US where applicable) within the statutory timeframes and, where the risk is high, we notify affected subjects without undue delay by the email on file or by another available means. The notice sets out the nature of the incident, Operator contacts, likely consequences, and measures taken.
20. Changes to this Policy
We may update this Policy as the Service evolves, the law changes, or our sub-processors change. The current version is always published on this page; the "Last updated" line at the top reflects the date of the latest revision. For material changes we will notify you by email and/or in-app at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the new version; if you disagree, you may stop using the Service and request deletion of your data.
21. How to contact us by jurisdiction
Use the channel that matches your request:
- Russian Federation (152-FZ): privacy@shkiper.app with the subject "152-FZ".
- European Union / EEA (GDPR, Article 27 representative): eu-rep@shkiper.app. A representative will be appointed by [date].
- United Kingdom (UK GDPR, DPA 2018): privacy@shkiper.app with the subject "UK GDPR".
- USA (CCPA/CPRA and other state laws): privacy@shkiper.app with the subject "CCPA Request" or the name of the applicable state statute.
- Abuse, copyright (DMCA), security incidents: abuse@shkiper.app.
22. Related documents
This Policy forms part of the Service's legal documentation. See also: