Privacy
How we handle your data.
Last updated June 2026. Shipmate is built by Envision Labs Ltd, a company registered with RAK Digital Assets Oasis in Ras Al Khaimah, United Arab Emirates. This page covers what Shipmate collects, why, who we share it with, and how to get it deleted. It covers both the captains who run Shipmate and the customers who message them.
Captain accounts
Captains sign up at app.shipmate.chat/login with an email address and a one-time code sent to that address. There is no password to store. Once you're in, we hold your account details, your business and boat information, and your booking-page setup (trip types, prices, availability, deposit rules). When you connect a messaging channel, we store the access token for that channel encrypted in a secrets vault, so Shipmate can read and reply to messages on your behalf. Tokens are never exposed in plain text.
Customer messages
When a customer messages a captain through a connected channel (Instagram DM, WhatsApp, SMS, email, or Facebook), that message flows into the captain's Shipmate inbox. We read the message so we can draft a reply in the captain's voice, and we store the conversation along with the customer's contact details (name, handle, phone, or email, depending on the channel) so the captain keeps a record of every thread. The customer is messaging the captain. Shipmate is the tool the captain uses to keep up.
How drafts are written
Replies are drafted automatically by an AI model (Anthropic Claude), tuned on the captain's own past replies so the wording sounds like them. By default every draft waits for the captain to approve or edit it before anything is sent. A captain can switch specific message types to autopilot once they trust the drafts, and from then on those replies send without per-message approval. The captain can turn autopilot off at any time. This is automated processing of message content, and we want to be plain about that: customer messages and the captain's past replies are sent to the AI model to generate each draft.
Payments and deposits
When a captain takes a deposit or payment through Shipmate, the payment is processed by Stripe (via Stripe Connect). Where available, PayPal and manual external payment are offered as alternatives. Shipmate does not store full card numbers. Card data is handled by Stripe, which is built for exactly that. We keep a record of the booking and the payment status (such as paid, pending, or refunded) so the captain can see what's been collected.
Customer reviews
After a trip, a customer can leave an optional review, a rating and a short note about how it went. The review form includes a consent checkbox. If the customer ticks it, the captain may show that review publicly. If they don't, the review stays private to the captain. Leaving a review is always the customer's choice.
Emails we send captains
We send captains transactional emails (sign-in codes, booking alerts, account notices) and a weekly digest summarizing what's happened in the inbox and the booking calendar. Every digest includes an unsubscribe link. The transactional emails are part of running the account, so those keep coming while the account is open.
Importing past messages
When a captain connects a channel, they can choose to import roughly the last 90 days of past customer messages: Instagram, Gmail, and Outlook import automatically, and for WhatsApp the captain uploads a chat export. This is opt-in. The point is to learn the captain's writing style from real conversations so the first drafts already sound like them. If a captain skips the import, Shipmate just learns from messages going forward.
Who we share data with
We use a small set of service providers (sub-processors) to run Shipmate, each handling data only for the job it does:
- Stripe, for payments and deposits.
- Meta and Twilio, for the messaging channels (Instagram, Facebook, WhatsApp, SMS).
- Resend, for sending email.
- Supabase, for the database and storage.
- Anthropic, for drafting replies.
- Vercel, for web hosting.
- PostHog, for product analytics and session replay, so we can see where captains get stuck and fix it.
- Sentry, for catching errors so we can fix what breaks.
We don't sell personal data. We don't hand captain or customer data to marketing partners or booking platforms.
Analytics
On the public landing page we use Vercel Analytics and Vercel Speed Insights to see how many people visit and how quickly the page loads. Both are privacy-respecting: no cookies, no cross-site tracking, no personally identifying information. They tell us things like “500 visitors this week, 75% from mobile,” nothing about who you specifically are.
Inside the captain app we use PostHog to understand how captains use Shipmate, so we can fix the rough edges. It's tied to your account id, never your name, your customers, or what's in your messages. This includes session replay (a playback of how the screens were used) with every text field and message masked, so customer details are never recorded. You can turn all of this off any time in Settings, and we'll stop. On the public landing pages PostHog runs without cookies.
We also use Sentry to catch errors, so we can fix what breaks before it costs a captain a booking. Sentry records the technical details of an error and your account id, never your name or your customers' details. It follows the same off switch in Settings.
Cookies
We don't set advertising or cross-site tracking cookies. The site and app use minimal functional storage for things like keeping a captain signed in. No third-party advertising cookies.
How long we keep data
We keep account data, conversations, bookings, and reviews while the captain's account is open, because that's the record the captain relies on. When an account closes, or when someone asks us to delete their data, we remove it. We keep what we're legally required to keep (for example, payment records Stripe needs for tax and accounting) for as long as the law requires, and no longer.
Deletion and your rights
Captains can ask us to delete their account and the data tied to it. Customers who messaged a captain can ask to have their contact details and conversation removed. Either way, email miles@shipmate.chat and we'll handle it. If you reached a captain through Instagram or Facebook, Meta's data-deletion request flow also reaches us: we've built the callback that lets Meta tell us to delete your data, and we act on it. If you're in the EU or UK this is your right under GDPR. If you're in California this is your right under CCPA. We honor it for everyone, whatever the jurisdiction.
Changes to this policy
If anything material changes about how we handle data, we'll update this page and let captains know before the change takes effect. For non-material changes (typo fixes, clarifications) we'll just update the date at the top.
Questions
Email miles@shipmate.chat and Miles will reply.