Last updated: May 2026 · Berth Living Ltd, trading as Pumpd
Who we are
Pumpd is operated by Berth Living Ltd, a company registered in England and Wales. We provide marina pump-out booking software to UK marinas, who in turn provide it to their berth holders and visiting boaters.
For privacy questions or any of the data rights described below, contact hello@pumpd.uk.
When are we the controller, and when are we the processor?
Controller (we decide why and how your data is used):
- Visitors to pumpd.uk who fill in the contact form or request an info pack.
- Subscribers to our customer (marina) accounts (for the billing relationship).
Processor (the marina is the controller, we just process on their behalf):
- Berth holders and visitor boaters using Pumpd at a participating marina. Your booking data belongs to the marina you booked with; we hold it under their instructions, governed by a Data Processing Agreement (DPA) with each customer.
What data do we collect?
For berth holders and visitors using the booking service:
- Name, email address, phone number (optional)
- Boat name and berth number
- Booking history (dates, times, marina)
- Password (stored as a one-way bcrypt hash; we cannot read it)
- Two-factor authentication setup data (where you have enabled it)
For payments (visitor pump-outs):
- Card details are not stored by us. They are entered directly into Stripe's payment page and Stripe is the data controller for that information.
- We record only the booking, the Stripe payment intent ID, and the amount.
We do not collect any special-category personal data (health, religion, political views, biometrics, etc.) and we do not profile you for marketing purposes.
Why do we hold this data?
- Performance of contract: to actually run the pump-out booking service for the marina and its customers.
- Legitimate interests: to keep an audit log of bookings for compliance and dispute resolution; to send essential service emails (booking confirmations, cancellations, password resets); to investigate technical errors.
- Legal obligation: to retain financial records (invoices, VAT receipts) for the period required by UK tax law.
- Consent: for push notifications, where you have opted in via your browser or phone.
Who do we share it with?
A short list of sub-processors, the third-party services that handle data on our behalf:
- Vercel Inc. for application hosting (EU / US, GDPR-compliant)
- Neon / our database provider for encrypted Postgres hosting (EU region)
- Stripe Payments UK Ltd for visitor payment processing
- Resend Inc. for transactional email delivery
We do not sell or share your data for marketing or advertising. We do not transfer your data outside the UK/EEA without appropriate safeguards (Standard Contractual Clauses, adequacy decisions).
How long do we keep it?
- Active accounts: for as long as your marina account remains active.
- Booking records: 7 years after the booking date (UK tax / dispute resolution requirements).
- Audit logs: 7 years (compliance + dispute resolution).
- Deleted accounts: personal data is removed within 30 days of a deletion request; anonymised booking statistics may be retained.
- Marketing enquiries: 2 years from last contact, unless you ask us to delete sooner.
Your rights
Under UK GDPR, you can ask us to:
- Access: tell you what data we hold about you
- Correct: fix anything inaccurate
- Delete: the “right to be forgotten”. Use the “Request account deletion” option in your dashboard, or email us. We action this within 30 days.
- Restrict or object: stop or limit how we use your data
- Port: receive your data in a machine-readable format. Marina operators can do this directly via the “Download CSV export” button in Settings; berth holders can request the same by email.
- Withdraw consent: for anything we do on the consent basis (push notifications, marketing)
All of these are free. Email hello@pumpd.uk with the request. If you're unhappy with our response you can complain to the UK Information Commissioner's Office at ico.org.uk.
Cookies
We only use strictly-necessary cookies, the ones required to make the service work. We do not use marketing cookies, analytics cookies, or third-party tracking. Under UK PECR, strictly-necessary cookies do not require consent, so you won't see a cookie banner.
The cookies we set:
- Session cookie (auth): keeps you signed in. Expires after 7 days.
- 2FA pending cookie: short-lived (10 minutes) while you complete two-factor sign-in.
- Demo mode cookie: if you try the demo, lets us show the right view. Cleared when you exit.
- Impersonation cookies: only set when a Pumpd support agent is troubleshooting your account with explicit logging.
Security
We take security seriously. A summary of what we do is on our security page. Highlights: data encrypted in transit (TLS 1.2+) and at rest, passwords stored as bcrypt hashes, two-factor authentication mandatory for platform admins, comprehensive audit logging, EU-hosted infrastructure.
If you spot a security issue, please report it responsibly to hello@pumpd.uk.
Changes to this policy
We may update this policy when our services change. The “Last updated” date at the top tells you when. Material changes will be flagged via email to anyone with an active account.
