Privacy Policy
Last updated: May 2026
This policy explains how TideLab handles your personal data when you use tidelab.io. We aim to collect the minimum we need, hold it only as long as we need to, and never sell it to anyone.
Who we are
TideLab operates the tidelab.io platform — interactive sailing education, simulators, crew tools, and resources. Our sister site eliosail.com handles charter and is governed by a separate privacy policy.
For data-protection questions, contact us at privacy@tidelab.io (update this address with your real contact before launch).
What we collect
If you create an account, we collect:
- Email address — for sign-in and to contact you about your account.
- Name and profile picture — when you sign in with Google, we receive these from Google.
- Password hash (if you use email/password sign-in instead of Google) — stored as a one-way bcrypt hash; we never see your actual password.
- Quiz history and progress — your scores, the quizzes you've taken, and your study activity.
If you use the platform without signing in, we still collect:
- Server logs — IP address, browser and OS, timestamps, the URLs you visit. Hosted by Vercel and retained per their defaults.
- localStorage on your device — quiz progress and UI preferences. This stays on your device; we don't read it server-side unless you sign in and choose to sync.
Why we use it
- Account services — authentication, your dashboard, syncing your progress across devices.
- Improving the platform — understanding which quizzes are taken, which courses are read.
- Security and abuse prevention — detecting brute-force attempts, blocking spam.
Under GDPR, our legal bases are: contract (we need your email to give you an account), legitimate interest (security, basic analytics), and consent (for any non-essential cookies we add in future — see the cookie policy).
Who we share it with
We use these third-party services as “processors”:
- Vercel — hosting and request logs.
- MongoDB Atlas — database where your account and progress are stored.
- Google — OAuth sign-in (only if you choose Google sign-in).
Each has its own privacy notice and is bound by data-processing agreements. We do not sell your data, ever.
How long we keep it
- Account data — for as long as you keep your account. Delete it from your dashboard or by emailing us.
- Server logs — per Vercel's retention (30 days at the time of writing).
- Backups — Atlas backups may retain account snapshots for up to 30 days after deletion.
Your rights (GDPR)
If you're in the EU, UK, or Switzerland, you have the right to:
- Access the personal data we hold about you
- Have inaccurate data corrected
- Have your data deleted (“right to be forgotten”)
- Receive a copy of your data in a portable format
- Restrict or object to how we process your data
- Lodge a complaint with your local data-protection authority
To exercise any of these, email privacy@tidelab.io. We'll respond within 30 days.
Cookies
We use a session cookie for signed-in users (NextAuth) and a preference cookie for your locale choice. Neither is used for tracking. We'll ask for consent before adding any non-essential cookies — see the cookie policy for details.
Changes to this policy
We'll update this page if our practices change. The “Last updated” date at the top reflects the most recent change.