Privacy Policy

1. Introduction

Handover is operated by Helmwise (Pty) Ltd, a company registered in South Africa (“Helmwise”, “we”, “us”, “our”). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Handover application.

Handover is a voice-first capture and handover reporting tool for superyacht crew. You record voice notes, type text notes, and use guided import workflows for library items. The app organises that information into structured handover reports for your vessel. By using Handover, you agree to the practices described in this policy.

2. Data We Collect

• Account information: your email address, name, and role when you sign up.
• Voice recordings: temporarily uploaded for transcription only. Audio is automatically deleted immediately after transcription completes. We do not store raw audio. See Section 4 for full details.
• Capture content: the text of your notes, including transcribed voice notes, AI-generated classifications, and any metadata you add (department, priority, status).
• Uploaded files and images: documents, screenshots, and photographed cards or notes that you choose to upload for template analysis, library imports, contact extraction, or report customisation.
• Vessel information: vessel name, rotation dates, crew roster, and configuration settings.
• Usage analytics: anonymised product usage data collected via PostHog. No personal data is included in analytics events. See Section 12 for details.

The main handover capture flow does not currently store standalone photo attachments for normal handover items. However, Handover does support camera and image-library imports in specific workflows such as library imports, contact extraction, and report logo upload. For library and contact extraction flows, the selected image is used transiently to extract structured details and is not retained by us as a standalone stored image after extraction.

3. How We Use Your Data

• Transcription: voice recordings are sent to Deepgram for speech-to-text conversion, then immediately deleted.
• AI classification: capture text is sent to OpenAI's API (not the consumer ChatGPT product) to classify captures into departments, priorities, and report sections. OpenAI does not use API data to train its models.
• AI extraction and import: text that you paste, documents that you upload for structure analysis, and images or screenshots that you upload for contact or library import may be sent to OpenAI's API to extract structured fields for review. In current library and contact import flows, those images are processed transiently for extraction and are not retained by us as standalone image files after the extraction request completes.
• Report generation: your captures are assembled into PDF and DOCX handover reports.
• Email delivery: handover reports and account emails (signup confirmation, password reset, invitations) are sent via Resend.
• Product improvement: we use anonymised, aggregated analytics to understand how Handover is used and to improve the product. We never use individual personal data for this purpose.

4. Voice Recordings

Voice recordings are never used for model training, voice profiling, speaker identification, or any purpose other than generating a text transcription of your note. They are never shared with any party beyond the transcription provider (Deepgram), which processes them in real time and does not retain them.

5. Crew Privacy

Crew privacy is a founding principle of Handover. Individual crew identity is protected at all times.

• Handover does not track individual crew performance, productivity, or behaviour.
• All analytics are anonymised and aggregated. We never analyse data at the individual crew member level.
• Vessel admins can see crew names solely for the purpose of handover coordination (e.g. assigning rotations, sending handover reports). This access is limited to what is necessary for operational handover management.
• We will never sell, share, or expose individual crew data to vessel owners, management companies, or any third party for performance evaluation purposes.

6. AI-Processed Content

Capture text, summary prompts, uploaded template documents, pasted library text, and uploaded library import images or screenshots may be processed by OpenAI's API for classification, summary generation, structure extraction, and OCR-style field extraction. Under our API agreement, OpenAI does not use data submitted via the API to train or improve its models.

Text-based AI workflows can be protected by our vessel-level “AI privacy protection” setting, which redacts common personally identifiable information before text is sent to OpenAI. This protection does not mask visible information contained inside uploaded images themselves, so image imports are processed as submitted. In the current library image-import flows, those images are used only to extract fields for review and are not retained by us as standalone stored images after extraction.

Important: AI-generated outputs — including classifications, summaries, and report content — are informational only and do not constitute professional advice. You rely on AI-generated content at your own risk. Users must review all AI-generated content before relying on it or including it in official handover documentation.

7. Data Storage and Security

All data is stored in Supabase (hosted on AWS infrastructure). Access is controlled by row-level security policies scoped to your vessel. Your data is only accessible to authenticated crew members on your vessel.

• All connections use HTTPS/TLS encryption in transit.
• Passwords are securely hashed using industry-standard algorithms.
• Library PIN codes are hashed with bcrypt.
• Row-level security ensures strict data isolation between vessels.

Breach notification. In the event of a security breach that compromises your personal information, we will notify the Information Regulator (South Africa) and affected users as soon as reasonably possible after becoming aware of the breach, in accordance with Section 22 of the Protection of Personal Information Act (POPIA).

While we implement reasonable technical and organisational measures to protect your personal information, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security. You acknowledge that the provision of the Handover service necessarily involves the transmission of your data to the sub-processors listed in Section 9, and that you accept this as an inherent and necessary part of the service.

8. Data Retention

• Captures: retained for as long as your account is active and your vessel continues using the service.
• Voice recordings: not retained. Audio is deleted immediately after transcription (see Section 4).
• Uploaded import images: screenshots and images from the camera or photo library that are sent for contact or library extraction are processed transiently for the request and are not retained by us as standalone import files after extraction, unless you separately save the resulting structured content in the product.
• Account data: deleted upon request. You may request deletion of your account and all associated data at any time by contacting hello@thehandover.app. After account closure, personal data is deleted within 30 days, except where we are required or permitted to retain it under applicable law, for example, to comply with a legal or regulatory obligation, to establish, exercise, or defend a legal claim, or to resolve an outstanding billing dispute. Where retention is required, we retain only the minimum data necessary for that purpose and for no longer than is necessary.
• Backups: database backups are rotated according to Supabase's standard backup and retention policy.

9. Third-Party Sub-processors

We use the following third-party services to operate Handover:

10. Data Sharing

We do not sell, rent, or trade your personal data to any third party. Your data is shared only with the sub-processors listed in Section 9, solely for the purposes described in this policy.

We may disclose your information if required to do so by law, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

11. International Transfers

Your data may be processed outside of South Africa by our sub-processors, as indicated in Section 9. Where data is transferred internationally, we ensure that appropriate safeguards are in place to protect your data in accordance with applicable data protection laws, including the Protection of Personal Information Act (POPIA).

12. Cookies and Tracking

• Essential cookies: Handover uses essential authentication cookies (Supabase session tokens) required for the application to function. These cannot be disabled.
• Analytics: we use PostHog for anonymous product analytics. No personal data is included in analytics events. No individual users are identified or tracked.
• No advertising cookies: Handover does not use any advertising, marketing, or third-party tracking cookies.

13. Children's Privacy

Handover is not directed at children under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly.

14. Your Rights

Under the Protection of Personal Information Act (POPIA) and, where applicable, the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

• Access: request confirmation of whether we hold personal data about you, and a copy of that data.
• Rectification: request correction of inaccurate, misleading, or incomplete personal data.
• Erasure: request deletion of your personal data.
• Portability: request a machine-readable copy of your data.
• Objection: object to the processing of your personal data on reasonable grounds, including the right to object at any time to the processing of your personal data for the purposes of direct marketing.
• Automated decision-making: request that you not be subject to a decision based solely on automated processing that has legal or similarly significant effects on you. Handover uses AI to classify and summarise captures, but these outputs are informational and are not used to make decisions of this kind.

To exercise any of these rights, contact our Information Officer, Charl Dettmer, at hello@thehandover.app.

15. POPIA Compliance

Helmwise (Pty) Ltd is committed to compliance with the Protection of Personal Information Act, 2013 (POPIA).

• Our registered Information Officer is Charl Dettmer.
• We process personal information on a lawful basis, including consent and legitimate interest in providing the Handover service.
• Data subject requests are honoured within 30 days of receipt.

16. Changes to This Policy

We may update this policy from time to time. The “last updated” date at the top will reflect any changes. Material changes will be communicated via email to the address associated with your account. Continued use of Handover after changes constitutes acceptance of the updated policy.

17. Contact

Information Officer: Charl Dettmer
Email: hello@thehandover.app

If you are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with the Information Regulator (South Africa):

Information Regulator (South Africa)
Website: inforegulator.org.za