PRIVACY POLICY

Storm Technology Limited
Last Updated: June 2026
Version: 1.0

This Privacy Policy explains how Storm Technology Limited ("Storm Technology", "we", "us", or "our") collects, uses, stores, discloses, and protects personal information in connection with our platforms and services, including SeaRoster.com, SARRoster.com, EMRoster.com, AquaRoster.com, and SeaTrack.io (collectively, the "Services" or individually, each a "Platform"), and any associated mobile applications available on the Apple App Store or Google Play Store.

We are committed to protecting your privacy and handling your personal information responsibly in accordance with the Privacy Act 2020 (New Zealand) and applicable international privacy standards.

Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Services.

1. WHO WE ARE

Storm Technology Limited is a New Zealand-registered company and the data controller responsible for your personal information collected in connection with the Services.

Privacy Officer Contact:
privacy@stormtechnology.io
Storm Technology Limited
Milford, Auckland 0620
New Zealand

If you have any questions, concerns, or requests relating to this Privacy Policy or your personal information, please contact our Privacy Officer at the address above. We will respond to all privacy enquiries within a reasonable timeframe and no later than 20 working days, as required under the Privacy Act 2020.

2. SCOPE OF THIS POLICY

This Privacy Policy applies to:

• All visitors to our Platforms and websites;
• All individuals who register for an Account with any of our Services;
• All Users of our mobile applications (iOS and Android);
• All individuals whose personal information we process in connection with providing our Services (including employees, crew members, volunteers, and operational personnel whose details are managed by an Organisation using our Services); and
• All individuals who communicate with us by any means.

This Policy does not apply to third-party websites, applications, or services that may be linked to or integrated with our Services. We encourage you to review the privacy policies of any third-party services you access through our Platforms.

3. INFORMATION WE COLLECT

We collect personal information in the following categories:

3.1 Account and Registration Information

When you create an Account or register for the Services, we collect:

• Full name
• Email address
• Password (stored in encrypted form — we do not store plaintext passwords)
• Organisation or company name (if applicable)
• Job title or role
• Phone number (optional, for account recovery and notifications)
• Country and region

3.2 Profile and Operational Information

Depending on the Platform you use, we may collect additional operational information, including:

• SeaRoster.com: Seafarer certificates and qualifications, watchkeeping records, vessel assignments, duty schedules, crew ranks and roles, medical certificate expiry dates, port of engagement, and next of kin details (where provided by you or your Organisation).
• SARRoster.com: Volunteer and responder profiles, training records and qualifications, availability schedules, team assignments, incident response records, and emergency contact information.
• EMRoster.com: Personnel records, operational role assignments, training and qualification records, shift schedules, and emergency contact information.
• AquaRoster.com: Instructor and educator profiles, water-safety qualifications and currency, supervision ratios, squad and team assignments, shift schedules, and emergency contact information.
• SeaTrack.io: Vessel identification (IMO number, MMSI, vessel name, flag state), voyage data, position data, AIS data, port calls, cargo type (where provided), and operator contact details.

3.3 Location Data

SeaTrack.io collects real-time and historical vessel position data as a core feature of the platform. This includes GPS coordinates, speed over ground, course over ground, and related navigational data transmitted by or associated with tracked vessels.

Where our mobile applications request access to device location, we will ask for your explicit permission before collecting location data. You may withdraw this permission at any time through your device settings, though this may affect the functionality of certain features.

3.4 Usage and Technical Data

When you access or use the Services, we automatically collect certain technical and usage information, including:

• Device type, operating system, and version
• Browser type and version (for web access)
• IP address
• Mobile device identifiers (device ID, advertising ID — where permitted by your device settings)
• App version
• Pages and features accessed
• Date and time of access
• Referring URLs
• Crash reports and performance data
• Session duration and interaction data

This data is used to operate, maintain, and improve the Services and is not used to identify you individually except where necessary for security or debugging purposes.

3.5 Payment and Billing Information

We do not store your full payment card details. Payment processing is handled by our third-party payment processor(s) (such as Stripe or equivalent). We receive and retain only:

• Billing name and address
• Payment method type (e.g., Visa, Mastercard)
• Last four digits of card number (for display purposes only)
• Transaction reference numbers and amounts
• Subscription status and history

You should refer to your payment processor's privacy policy for information about how your full payment details are handled.

3.6 Communications Data

When you contact us or communicate through the Services, we collect:

• The content of your messages, support requests, or enquiries
• Email correspondence
• In-platform messaging or notification interactions
• Survey or feedback responses (where provided)

3.7 Information from Third Parties

We may receive information about you from third parties in the following circumstances:

• Where your employer or Organisation registers you as a User and provides your details;
• From third-party single sign-on providers (such as Google or Microsoft) if you choose to use SSO to access our Services;
• From maritime data sources (such as AIS providers) in connection with SeaTrack.io vessel tracking functionality; and
• From analytics or error-reporting services we use to operate and improve the Services.

3.8 Information You Provide About Others

If you provide us with personal information about other individuals (such as crew members, team members, or emergency contacts), you are responsible for ensuring that you have the authority to do so and that those individuals have been informed of and have consented (where required) to this sharing. Please share this Privacy Policy with any individuals whose details you provide to us.

4. HOW WE USE YOUR INFORMATION

We use the personal information we collect for the following purposes:

4.1 Providing and Operating the Services

The primary purpose for which we collect and use personal information is to provide, operate, maintain, and improve our Services. This includes:

• Creating and managing your Account;
• Providing the scheduling, rostering, tracking, and operational features of the relevant Platform;
• Processing your subscription and payments;
• Providing technical support and customer service;
• Communicating service-related information (account confirmations, receipts, technical notices, security alerts, and administrative messages); and
• Ensuring the security and integrity of the Services.

4.2 Transactional Communications

We send transactional communications that are necessary to provide the Services and manage your account. These include:

• Account creation and verification emails;
• Password reset and account security notifications;
• Subscription confirmation, renewal, and payment receipts;
• Billing and invoice communications;
• Service availability notices and scheduled maintenance alerts;
• Operational alerts and notifications generated by the Platform in connection with your use of the Services (such as roster reminders, expiry alerts, or vessel tracking notifications); and
• Responses to your direct enquiries or support requests.

Transactional communications are necessary to provide the Services and are not subject to marketing opt-out preferences, although you may manage notification preferences within your Account settings where available.

4.3 Marketing Communications (Opt-In Only)

With your express consent, we may send you marketing communications about:

• New features, products, or enhancements to the Services you use;
• Other Storm Technology platforms that may be relevant to your operational context;
• Webinars, guides, industry updates, and educational content directly related to the Services; and
• Promotional offers relating to our Services.

We will only send you marketing communications if you have actively opted in to receive them. You may withdraw your consent and unsubscribe from marketing communications at any time by:

• Clicking the "unsubscribe" link in any marketing email;
• Updating your communication preferences in your Account settings; or
• Contacting us at privacy@stormtechnology.io.

Withdrawal of consent will not affect the lawfulness of any processing carried out before withdrawal, and will not affect your receipt of transactional communications necessary to operate your Account.

We do not send unsolicited marketing communications and we do not sell, rent, or share your personal information with third parties for their own marketing purposes.

4.4 Analytics and Service Improvement

We use aggregated and, where practicable, anonymised usage data to:

• Understand how users interact with the Services;
• Identify and fix bugs and performance issues;
• Develop new features and improve existing functionality;
• Produce internal analytics and reporting; and
• Train and improve AI-powered features within the Services (using anonymised or de-identified data only — see clause 4.5).

4.5 AI and Machine Learning Features

Where the Services incorporate artificial intelligence or machine learning features, personal information may be processed as part of those features to provide functionality such as intelligent scheduling suggestions, anomaly detection, or operational insights. We do not use your identifiable personal information to train AI models that are shared with or made available to third parties.

4.6 Legal and Safety Purposes

We may use personal information where necessary to:

• Comply with applicable laws, regulations, and legal obligations;
• Respond to lawful requests from courts, regulators, or law enforcement agencies;
• Enforce our Terms of Use and other agreements;
• Protect the rights, property, or safety of Storm Technology, our Users, or third parties; and
• Detect, prevent, or investigate fraud, security breaches, or other harmful activity.

5. LEGAL BASIS FOR PROCESSING

Where applicable law requires us to identify a legal basis for processing personal information, we rely on the following:

• Contract performance: Processing necessary to provide the Services under our Terms of Use, including managing your Account, processing payments, and delivering platform functionality.
• Legitimate interests: Processing for our legitimate business interests, including improving the Services, ensuring security, and sending transactional communications, where those interests are not overridden by your rights.
• Consent: Processing for marketing communications and, where required, certain uses of cookies or tracking technologies, based on your freely given, specific, and informed consent.
• Legal obligation: Processing required to comply with applicable law.

Under the Privacy Act 2020 (New Zealand), we collect, use, and disclose personal information in accordance with the Information Privacy Principles set out in that Act.

6. HOW WE SHARE YOUR INFORMATION

We do not sell, rent, or trade your personal information to third parties for their own commercial purposes. We share personal information only in the following circumstances:

6.1 Within Your Organisation

Where you access the Services as a User within an Organisation Account, certain information in your profile (such as your name, role, qualifications, and schedule) will be visible to Administrators and other authorised Users within your Organisation, as appropriate to the functionality of the Platform.

6.2 Service Providers

We engage trusted third-party service providers who process personal information on our behalf in order to operate the Services. These providers are contractually required to process personal information only as instructed by us and to implement appropriate security measures. Categories of service providers include:

• Cloud hosting and infrastructure providers (for data storage and computing)
• Payment processors (for subscription billing and payment processing)
• Email and communications platforms (for sending transactional and marketing communications)
• Analytics and monitoring services (for platform performance and error tracking)
• Customer support software providers (for managing support enquiries)
• Identity and authentication providers (for single sign-on functionality)
• Maritime data providers (for AIS and vessel data in connection with SeaTrack.io)

We will update our list of key service providers upon request. Please contact privacy@stormtechnology.io.

6.3 Business Transfers

If Storm Technology is involved in a merger, acquisition, sale of assets, restructuring, or other corporate transaction, your personal information may be transferred to the acquiring entity as part of that transaction. We will notify you by email or by prominent notice on the applicable Platform before your personal information becomes subject to a materially different privacy policy.

6.4 Legal Requirements

We may disclose personal information where we are required to do so by law, court order, or other governmental or regulatory authority, or where we believe disclosure is necessary to protect our rights, enforce our Terms of Use, or protect the safety of Users or the public.

6.5 With Your Consent

We may share personal information with third parties in other circumstances where we have obtained your prior express consent to do so.

7. WE DO NOT SELL YOUR PERSONAL INFORMATION

Storm Technology does not sell, rent, lease, or otherwise provide your personal information to third parties in exchange for money or other valuable consideration.

Your personal information is used solely to:

(a) operate, provide, maintain, and improve the Services;
(b) send you transactional communications necessary to manage your Account and use of the Services; and
(c) send you marketing communications about our Services, but only where you have expressly opted in to receive them.

8. INTERNATIONAL DATA TRANSFERS

Storm Technology is based in New Zealand. Your personal information may be stored and processed in New Zealand or in other countries where our service providers operate, including countries in the Asia-Pacific region and potentially the United States or Europe.

Where we transfer personal information outside New Zealand, we take steps to ensure that appropriate safeguards are in place to protect your information and that the transfer complies with the Privacy Act 2020, including by ensuring that overseas recipients are subject to comparable privacy protections.

If you would like more information about our international data transfer practices, please contact our Privacy Officer.

9. DATA RETENTION

We retain personal information for as long as necessary to fulfil the purposes set out in this Privacy Policy, unless a longer retention period is required or permitted by law.

The factors we consider in determining retention periods include:

• Whether you have an active Account with us (we retain account data for the life of the Account plus a reasonable period thereafter);
• Our legal and regulatory obligations (certain records may need to be retained for specified periods under applicable law);
• Whether retention is necessary to resolve disputes or enforce our agreements; and
• Applicable industry standards and operational best practices.

When personal information is no longer required, we will securely delete or anonymise it in accordance with our data retention practices.

Deletion requests: You may request deletion of your personal information by contacting privacy@stormtechnology.io. We will respond to deletion requests within 20 working days. Please note that we may not always be able to delete all information, for example where retention is required by law or where information is necessary to fulfil contractual obligations.

10. YOUR PRIVACY RIGHTS

Subject to applicable law, you have the following rights in relation to your personal information:

10.1 Right of Access

You have the right to request access to the personal information we hold about you. We will provide this information within 20 working days of receiving a verified request, subject to any lawful basis for withholding information.

10.2 Right to Correction

If you believe that any personal information we hold about you is inaccurate, incomplete, or out of date, you have the right to request that we correct it. You may also update much of your information directly through your Account settings.

10.3 Right to Deletion

You may request that we delete your personal information. We will comply with such requests where we are not legally required or otherwise permitted to retain the information.

10.4 Right to Withdraw Consent

Where we process your personal information based on your consent (such as for marketing communications), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

10.5 Right to Complain

If you are not satisfied with how we handle your personal information or respond to a privacy request, you have the right to lodge a complaint with the Office of the Privacy Commissioner (New Zealand) at www.privacy.org.nz. We encourage you to contact us first so we have the opportunity to address your concerns directly.

How to Exercise Your Rights

To exercise any of the above rights, please contact our Privacy Officer at privacy@stormtechnology.io. We may need to verify your identity before processing your request. We will respond to all requests within 20 working days.

11. COOKIES AND TRACKING TECHNOLOGIES

We and our service providers use cookies, web beacons, and similar tracking technologies on our web-based Platforms to:

• Maintain your login session and authentication state;
• Remember your preferences and settings;
• Analyse usage patterns and improve the Services;
• Measure the effectiveness of our communications; and
• Provide security features.

Types of cookies we use:

• Strictly necessary cookies: Required for the Services to function. These cannot be disabled as they are essential to providing the service you have requested.
• Functional cookies: Enable enhanced functionality and personalisation, such as remembering your preferences.
• Analytics cookies: Help us understand how you interact with the Services, used in aggregate and anonymised form.

We do not use advertising cookies or share cookie data with advertising networks.

Where required by law, we will ask for your consent before setting non-essential cookies. You may manage cookie preferences through your browser settings, though disabling certain cookies may affect the functionality of the Services.

Our mobile applications do not use browser cookies but may use equivalent device-based identifiers as described in section 3.4.

12. SECURITY

We implement appropriate technical and organisational security measures to protect your personal information against unauthorised access, loss, destruction, or alteration. These measures include:

• Encryption of data in transit (TLS/HTTPS) and at rest;
• Secure password hashing;
• Access controls and role-based permissions;
• Regular security assessments and monitoring;
• Incident response procedures; and
• Staff training on data protection obligations.

No method of transmission over the internet or electronic storage is completely secure. While we take all reasonable steps to protect your personal information, we cannot guarantee absolute security. In the event of a data breach that is likely to cause serious harm, we will notify affected individuals and the Office of the Privacy Commissioner as required under the Privacy Act 2020.

13. CHILDREN'S PRIVACY

Our Services are not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13 without verifiable parental or guardian consent. If you believe that we have inadvertently collected personal information from a child under 13, please contact us at privacy@stormtechnology.io and we will take steps to delete that information promptly.

Certain Platforms (including SARRoster.com, EMRoster.com, and AquaRoster.com) may be used by organisations that include junior or cadet volunteers who may be under 18. Where an Organisation registers individuals under the age of 18, the Organisation is responsible for ensuring it has the necessary consents and authorisations from parents or guardians as required by applicable law.

14. THIRD-PARTY LINKS AND INTEGRATIONS

Our Services may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through our Platforms.

15. MOBILE APPLICATIONS — APP STORE SPECIFIC DISCLOSURES

The following disclosures are provided in connection with our mobile applications available on the Apple App Store and Google Play Store.

15.1 Data Collected by Our Mobile Apps

Our mobile applications may collect the following categories of data:

15.2 Data Linked to Your Identity

The following data collected by our apps may be linked to your identity:

• Contact information (name, email)
• Identifiers (user ID)
• User content (data you enter into the app)
• Usage data (where associated with your Account)

15.3 Data Not Linked to Your Identity

The following data may be collected but is not linked to your identity:

• Anonymised diagnostics and crash reports
• Aggregated analytics data

15.4 Data Sharing

We do not share data collected through our mobile apps with third parties for advertising or marketing purposes. Data may be shared with our service providers as described in section 6.2, solely to operate the Services.

15.5 Data Deletion

You may request deletion of data associated with your Account at any time by contacting privacy@stormtechnology.io or through your Account settings. Upon deletion of your Account, we will delete or anonymise your personal information within a reasonable timeframe, subject to any legal retention requirements.

15.6 Permissions

Our mobile applications may request the following device permissions:

• Location: Used by SeaTrack.io for vessel position features. You may deny or revoke this permission at any time in your device settings.
• Notifications (Push): Used to deliver operational alerts, roster reminders, and transactional notifications. You may manage notification permissions in your device settings.
• Camera / Photo Library: Only where you use features that allow photo uploads (e.g., profile photo, document upload). Not accessed without your initiation.
• Biometrics: Used for convenient re-authentication (Face ID / fingerprint login) if you enable this feature. Biometric data is processed by your device OS and is not transmitted to or stored by Storm Technology.

We only request permissions that are necessary for specific features you use. You can revoke any permission at any time through your device operating system settings.

16. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by:

• Posting the updated Privacy Policy on the applicable Platform with a revised "Last Updated" date;
• Sending an email notification to the address associated with your Account (for material changes); and/or
• Displaying an in-app notice (for mobile application users).

We encourage you to review this Privacy Policy periodically. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the updated Privacy Policy, you must cease using the Services and may request deletion of your Account.

17. GOVERNING LAW

This Privacy Policy is governed by the laws of New Zealand. Any disputes relating to this Privacy Policy shall be subject to the jurisdiction of the courts of New Zealand.

18. CONTACT US

For any questions, concerns, or requests relating to this Privacy Policy or our privacy practices, please contact:

Privacy Officer
Storm Technology Limited
Milford, Auckland 0620
New Zealand

Email: privacy@stormtechnology.io

We are committed to working with you to resolve any privacy concerns. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner (New Zealand):

Office of the Privacy Commissioner
PO Box 10094
Wellington 6143
New Zealand
www.privacy.org.nz
Phone: 0800 803 909

APPENDIX A — SUMMARY OF DATA PRACTICES

This summary is provided for convenience. The full Privacy Policy above governs in all cases.

This Privacy Policy was last updated in June 2026. Storm Technology Limited reserves the right to update this Policy at any time in accordance with section 16.

© 2026 Storm Technology Limited. All rights reserved.