Privacy policy

Privacy Policy — Squid

Last updated: May 20, 2026

Effective date: January 1, 2026

1. Who we are

This privacy policy is published by:

D-ICE Engineering SAS ("D-ICE", "we", "us")
1 rue de la Noë, CS 42103 - 44321 Nantes, France
SIREN 809 273 329 — Share capital €6,000,000 — Publication Director: Sofien Kerkeni
Phone: +33 2 40 37 53 25
Data protection contact / DPO: privacy@dice-engineering.com
General contact: contact@dice-engineering.com

For corporate information, visit https://www.dice-engineering.com.

D-ICE acts as data controller within the meaning of the General Data Protection Regulation 2016/679 (GDPR) and the French Loi Informatique et Libertés no. 78-17.

This policy describes how we collect, use, share, retain and protect personal data when you:

  • visit squid-sailing.com or any of its pages;
  • use the Squid application in all its forms (SquidX, Squid Mobile) and on any platform (web, iOS, Android, PC) (hereinafter "Squid") — including when you choose "Sign in with Google".

This policy is the default reference framework applicable in the absence of any other agreement. It does not prevail over commercial contracts, framework agreements or specific terms negotiated between D-ICE Engineering and its professional clients. This policy applies in full to users of Squid who are not bound to D-ICE by a specific contract.

2. Personal data we collect

2.1 Data you provide to us

Category When Examples
Identity and contact Registration, contact form, account creation First name, last name, email address, phone, company, job title
Authentication Account creation, login Username, hashed password (where applicable), MFA secret
Payment and subscription Subscribing to a paid plan Billing name and address, VAT number, last 4 digits of payment method (full card details remain with Stripe; we never see them)
User content Use of the applications Routes, GPS tracks, polars, vessel data, waypoints, support messages, screenshots
GPS access Active use of a navigation or routing feature Precise GPS position transmitted from your device (after OS permission)
Server requests Any interaction with our cloud services All requests sent to our servers in the course of using the applications
Communication preferences Account settings Language, dark mode, notification opt-in

2.2 Automatically collected data

Category Where Purpose
IP address (truncated for audience measurement; full only in security logs) Web and application server logs Security, fraud prevention, debugging
User agent, OS, application version Logs Compatibility, support
Approximate city-level location (derived from IP) Web logs Aggregated statistics, fraud detection
NMEA data subset Transmitted from the vessel when the connection to our services is active Vessel instrumentation data used for routing, performance analysis, service improvement and, in aggregated and anonymised form, the commercialisation of maritime data (see section 3b)
Diagnostic data (crash reports, metrics) Sentry / our internal logging Incident diagnosis

2.3 Data received from Google (when you choose "Sign in with Google")

The Squid applications offer authentication via "Sign in with Google".

When you activate this option, Google requests your consent and then transmits to us only the data covered by the scopes below. We request no other access to your Google account.

Google scope Data received Why
openid Stable Google identifier (sub), opaque to a human To link your Squid account to your Google account and log you in automatically
email Email address of your Google account and email_verified boolean To create your account, send operational notifications and allow support to contact you
profile First name, last name, locale and (if available) profile photo URL To personalise the interface and display your name in shared spaces

We do not request and do not access: Gmail messages, Google Drive files, Google Calendar events, Google Contacts, Google Photos, YouTube data, Chrome history, Fitness data, Health Connect, or any other Google API.

If we were to add a new scope, we would update this policy before the new consent is deployed and notify you by email.

3. Use of data

3a. Google data — "Limited Use" commitment

D-ICE Engineering's use, and transfer to any other application, of information received from Google APIs is limited to the following purposes:

  1. Providing user features of Squid: creating and maintaining your account, authenticating you, displaying your name and photo, contacting you for transactional messages.
  2. Improving these features, in aggregated form or with your explicit consent for usage measurement.
  3. Complying with the law or a legally binding request.
  4. Investigating security incidents, abuse or violations of our General Terms and Conditions.

With regard to Google data specifically:

  • we do not use Google data for any form of advertising — targeted, personalised or retargeted;
  • we do not sell, rent or transfer Google data to data brokers, information resellers or any third party;
  • we do not use Google data for credit or lending decisions;
  • we do not train, fine-tune or evaluate any artificial intelligence or machine learning model using Google data;
  • we do not transfer or share Google data with any third party outside the cases strictly necessary for the purposes above, a legal obligation, or a restructuring in which the acquirer commits in writing to comply with this policy.

You may revoke access granted to D-ICE at any time at https://myaccount.google.com/permissions. This revocation does not delete your Squid account; to delete it, see § 7.

3b. Aggregated and anonymised data

D-ICE Engineering may use and commercialise aggregated and anonymised data collected through the use of Squid — for example: maritime traffic flows, environmental data, routing or port call statistics.

This data cannot under any circumstances identify a natural person. It cannot under any circumstances identify an individual vessel.

No personal data, no navigation data specific to a particular vessel, and no information from your private content is included in these processing activities.

Should we move towards less aggregated or potentially identifying data, we would inform you in advance and obtain your explicit consent.

3c. Contextual advertising

We may display advertisements or sponsored content within our applications, through our own advertisers. These advertisements may be contextualised based on your in-app usage only — for example, the type of navigation practised or the features used — in order to present you with relevant content.

  • we do not use data from sources outside our applications for advertising purposes;
  • we do not use data received from Google APIs for advertising purposes;
  • we do not sell your personal data to third-party advertisers.

4. Purposes and legal bases (GDPR art. 6)

Purpose Legal basis
Creation and management of your Squid account Performance of a contract (art. 6.1.b)
Authentication and security Performance of contract + legitimate interest (art. 6.1.b and 6.1.f)
Billing and subscription management Performance of a contract (art. 6.1.b)
Provision of routing, navigation and analysis features Performance of a contract (art. 6.1.b)
Collection of NMEA data during connection Performance of a contract (art. 6.1.b)
Operational and security logging Legitimate interest (art. 6.1.f): fraud prevention, diagnostics, service security
Service emails (transactional) Performance of a contract (art. 6.1.b)
Marketing emails (newsletter, product updates) Consent (art. 6.1.a), revocable via the unsubscribe link
Audience measurement / product analytics Consent (art. 6.1.a) or legitimate interest (art. 6.1.f) subject to CNIL exemption criteria
Contextual in-app advertising Legitimate interest (art. 6.1.f) or consent (art. 6.1.a) depending on implementation
Use of aggregated and anonymised data Legitimate interest (art. 6.1.f) — anonymised data falls outside the scope of the GDPR
Legal obligations (accounting, tax) Legal obligation (art. 6.1.c)

5. Our technical service providers

We do not sell your personal data. Certain technical service providers process personal data in the course of providing Squid. Each is bound by a GDPR-compliant data processing agreement.

Provider Role Location
Amazon Web Services Hosting and infrastructure France (Paris)
Stripe Payment and billing Ireland
PrestaShop Online store and subscription management EU
Google Authentication EU / United States (SCCs)
Sentry Diagnostics and error reporting EU
Apple / Google Play Mobile distribution and push notifications EU / United States (SCCs)

6. International transfers

Some providers host data outside the European Union. Each transfer is governed by the Standard Contractual Clauses approved by the European Commission (decision 2021/914) and, where applicable, the recipient's EU-US Data Privacy Framework certification.

7. Retention and deletion

Category Retention period
Account identity (email, name, Google sub) Duration of account + 3 years after closure
Invoices and accounting records 10 years (French tax law)
Authentication logs 12 months
Application logs containing IP addresses 12 months
NMEA data and server requests 12 months
User content (routes, GPS tracks, polars) Duration of account; deletion within 30 days of closure
Proof of marketing consent 3 years from last contact
Cookies and trackers 13 months maximum
Support tickets 3 years from closure
Diagnostic / crash data 90 days

Account deletion. You may request the deletion of your account at any time by writing to privacy@dice-engineering.com or support@squid.fr, or via the dedicated button in the application. Deletion is confirmed within 30 days. Certain data may be retained beyond this period solely to comply with a legal obligation.

8. Your rights

Under articles 15 to 22 of the GDPR, you have the following rights:

  • Access to your personal data (art. 15);
  • Rectification of inaccurate data (art. 16);
  • Erasure (right to be forgotten) (art. 17);
  • Restriction of processing (art. 18);
  • Objection to processing based on legitimate interest (art. 21);
  • Portability: receive your data in a machine-readable format (art. 20);
  • Withdrawal of consent at any time, without affecting prior processing.

To exercise these rights, write to privacy@dice-engineering.com. We respond within one month. You may also lodge a complaint with the CNIL, 3 place de Fontenoy, 75007 Paris — https://www.cnil.fr.

9. Security

We implement appropriate technical and organisational measures to protect data against unauthorised access, alteration, disclosure or destruction, including:

  • HTTPS throughout (preloaded HSTS);
  • Encryption at rest for databases and object storage;
  • Identity federation via our self-hosted Keycloak, mandatory MFA for staff with production access;
  • Role-based access control, audit logging;
  • Regular penetration testing and dependency vulnerability analysis;
  • Staff bound by confidentiality obligations and trained in data protection.

Report any security incident to security@dice-engineering.com.

10. Cookies and trackers

The squid-sailing.com website uses cookies and similar identifiers. Strictly necessary cookies are placed without consent; all others (audience measurement, embedded media) require your consent, given via the banner on first visit. You may change your preferences at any time via the "Cookie preferences" link in the footer. Cookies have a maximum lifetime of 13 months, in line with CNIL recommendations.

11. Minors

Squid is not intended for persons under 16 years of age. We do not knowingly collect personal data relating to minors. If you believe a minor has provided us with data, write to privacy@dice-engineering.com: we will proceed with its deletion.

12. Changes

We may update this policy from time to time. The "Last updated" date at the top of the page indicates the latest revision. Any material change will be notified to you by email before it takes effect.

13. Contact

Data Protection Officer (DPO): privacy@dice-engineering.com

Post:
D-ICE Engineering SAS — DPO
1 rue de la Noë, CS 42103 - 44321 Nantes, France