Privacy Policy

Effective July 4, 2026 · Document version 2026-07-03-v1

This policy describes what Buoy actually collects and does today — not what a boilerplate template says we might do. It's written to keep the commitments on our Data Promise page. When the product grows, this document changes first, and you'll be asked to accept the new version.

Who we are

Buoy operates buoylist.com and the Buoy app at app.buoylist.com — a free platform for boaters, launching first in Somers Point / South Jersey. For anything in this policy, contact us at hello@buoylist.com.

What we collect

Today, Buoy collects exactly the following:

  • Account information. When you create an account: your name, email address, and password. Your password is stored only as a cryptographic hash — never in plain text, and we cannot read it.
  • Consent records. When you accept our Terms and this Privacy Policy at signup, we record which document version you accepted, when, and the IP address the acceptance came from. This is how we prove we asked — and how a policy change knows to ask you again.
  • Session data. While you're signed in, we keep a session record that includes your IP address and browser user agent. We use it to keep you signed in and to protect accounts from abuse.
  • Waitlist signups. If you join the beta waitlist: your email address, and optionally your name, your market, and how you heard about us.
  • Business inquiries. If you're a marina or service provider who contacts us through the For Business page: your business name, contact name, email, and optionally a phone number, business category, market, and any notes you include.

What we don't collect

Right now, Buoy has no payment processing (we hold no card or bank details), no advertising, no analytics trackers, and no third-party ad cookies. We don't buy data about you and we don't enrich your profile from outside sources. If any of that changes as the product grows, this policy will be updated and versioned before it does.

The one cookie we set

Buoy sets a single cookie: buoy_session, which keeps you signed in. It's an HTTP-only cookie (JavaScript on the page can't read it), it lasts up to 30 days and renews while you're active, and it's removed when you log out. There are no advertising, analytics, or cross-site tracking cookies on Buoy — that's the whole list.

The weather briefing on our homepage

The live conditions card on our homepage fetches weather, tide, and alert data directly from NOAA's public services. Those requests go straight from your browser to NOAA — they never pass through Buoy's servers, and we receive and store nothing about them.

How we use what we collect

We use your information to run your account and keep you signed in, to invite you to the beta when your market opens, to respond to business inquiries, and to protect the platform from abuse and fraud (which is what the rate limits and session records are for). That's it — there is no marketing use of your data without a separate, specific consent, which the platform checks before every send.

Where your data lives

Buoy's database runs on Neon (managed Postgres) hosted on AWS in the us-east-1 region (Northern Virginia, USA). Our applications are hosted on Railway. Our DNS and CDN are provided by Cloudflare, so traffic to our sites passes through Cloudflare's network. These providers process data on our behalf as infrastructure; none of them receives your data for their own marketing purposes.

What we will never do

These are the commitments from our Data Promise, and they are binding on us here too:

  • We never sell your individual data. No lists, no brokers, no exceptions.
  • Future advertisers get aggregates only. If Buoy carries advertising one day, partners will be able to reach a segment (say, "boats with insurance expiring soon") — but the matching happens on our servers, and the advertiser never receives your record, your name, or your contact information.
  • You can export or delete your data on request. Deletion is honored, with the narrow exception of records the law requires us to keep, which we retain only as required and anonymize where they must persist.

When we share data

We share data only with the infrastructure providers listed above, and where the law genuinely requires it (a valid legal demand). We do not sell, rent, or trade personal information — to anyone, for any price.

Your rights

You can ask us to access, correct, export (in a machine-readable format), or delete the data we hold about you. Email hello@buoylist.com and we'll handle it — no forms, no fees, no runaround. Self-serve export and delete buttons are being built into the account page; until they ship, email works.

Children

Buoy is not directed at children under 13, and we do not knowingly collect personal information from them. If you believe a child under 13 has given us personal information, email us and we will delete it.

Changes to this policy

This policy carries a version (currently 2026-07-03-v1), and your acceptance is recorded against the version you actually saw. When we make a material change, we publish a new version, tell you, and — where the change requires it — ask you to accept again before continuing to use Buoy. We won't quietly swap the terms underneath you.

Contact

Questions, requests, or concerns: hello@buoylist.com.

This document is pending review by counsel and may be updated.