This Privacy Policy describes how Strelux Corp. ("Strelux", "we", "us") collects, uses, shares, and protects personal data when you visit our website at strelux.com (the "Site") or use the Strelux platform and related services (the "Service").
Strelux is a vessel sanctions screening platform. Our customers are businesses, not individual consumers. Most data we process is vessel-related and does not constitute personal data. This policy covers the limited personal data we do handle — primarily account and contact information of our business customers' representatives.
1. Data controller
The data controller for the purposes of the EU General Data Protection Regulation ("GDPR") and UK GDPR is:
Strelux Corp.254 Chapman Rd, Ste 208 #27314
Newark, Delaware 19702
United States
Email: privacy@strelux.com
Where Strelux processes personal data on behalf of a customer (for example, if vessel ownership records submitted by a customer contain names of natural persons), Strelux acts as a data processor. That processing is governed by our Data Processing Agreement.
2. Personal data we collect
2.1 Data you provide to us
- Account information. Name, business email address, organization name, job title, and phone number provided during account registration or demo requests.
- Billing information. Company billing address, VAT/tax identification numbers, and payment details. Payment card data is collected and processed by our payment processor — Strelux does not store card numbers.
- Communications. Content of emails, support requests, and other correspondence you send us.
- Customer Data. Data you submit to the Service for screening. This typically consists of vessel identifiers (IMO numbers, vessel names, flag states) and may occasionally include names of natural persons associated with vessel ownership.
2.2 Data collected automatically
- Usage data. Features accessed, screening queries run, timestamps, Evidence Files generated.
- Device and log data. IP address, browser type and version, operating system, referring URL, pages visited, and session duration.
- Cookies and similar technologies. See section 7.
3. How we use personal data
We use personal data for the following purposes:
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide, operate, and maintain the Service | Performance of a contract (Art. 6(1)(b)) |
| Process payments and manage billing | Performance of a contract |
| Send transactional communications (account confirmations, security alerts, service updates) | Performance of a contract |
| Respond to support requests | Performance of a contract / legitimate interest |
| Improve and develop the Service (aggregated analytics) | Legitimate interest (Art. 6(1)(f)) |
| Detect and prevent fraud, abuse, and security incidents | Legitimate interest |
| Comply with legal obligations (e.g., tax, sanctions, anti-money-laundering) | Legal obligation (Art. 6(1)(c)) |
| Send product updates and marketing communications (only with consent where required) | Consent (Art. 6(1)(a)) or legitimate interest |
We do not use personal data for profiling or automated decision-making that produces legal or similarly significant effects.
4. How we share personal data
We do not sell personal data. We share personal data only in the following circumstances:
- Service providers and sub-processors. We use third-party providers to host infrastructure, process payments, deliver email, and provide analytics. Each sub-processor is contractually bound to protect personal data. A current list is available at strelux.com/sub-processors.
- Professional advisors. Lawyers, auditors, and accountants as necessary for our business operations, under confidentiality obligations.
- Legal requirements. When required by law, regulation, legal process, or enforceable governmental request.
- Business transfers. In connection with a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity. We will notify you of any such change.
- With your consent. Where you have given explicit consent for a specific disclosure.
5. International data transfers
Strelux is based in the United States. If you are located in the European Economic Area ("EEA"), United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States.
We rely on the following transfer mechanisms to ensure adequate protection:
- EU-U.S. Data Privacy Framework (and UK and Swiss extensions), where applicable.
- Standard Contractual Clauses (SCCs) approved by the European Commission, as a supplementary or alternative safeguard.
Details of transfer safeguards are set out in our Data Processing Agreement.
6. Data retention
We retain personal data only as long as necessary for the purposes described in this policy:
- Account information: retained for the duration of the customer relationship, then deleted within ninety (90) days of account termination, unless a longer retention period is required by law.
- Billing records: retained for the period required by applicable tax and accounting laws (typically seven years).
- Usage and log data: retained for up to twenty-four (24) months in identifiable form, then aggregated or deleted.
- Support correspondence: retained for up to thirty-six (36) months after resolution.
7. Cookies and tracking technologies
The Site uses a limited set of cookies:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Session cookie | Strictly necessary | Maintains authenticated session | Session |
| Preference cookie | Functional | Stores display and locale preferences | 1 year |
| Analytics | Performance | Aggregated usage analytics (privacy-respecting, no cross-site tracking) | 13 months |
We do not use third-party advertising cookies or cross-site tracking pixels. You can control cookies through your browser settings. Disabling strictly necessary cookies may prevent the Service from functioning.
8. Your rights
Depending on your jurisdiction, you may have the following rights:
8.1 Under GDPR / UK GDPR
- Access — request a copy of personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of personal data where there is no compelling reason to continue processing.
- Restriction — request that we restrict processing in certain circumstances.
- Portability — receive your personal data in a structured, commonly used, machine-readable format.
- Objection — object to processing based on legitimate interest, including direct marketing.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@strelux.com. We respond within thirty (30) days (or within the period required by applicable law).
You also have the right to lodge a complaint with your local supervisory authority.
8.2 Under the California Consumer Privacy Act (CCPA/CPRA)
California residents have the right to know what personal information we collect and how we use it, request deletion, and opt out of any "sale" or "sharing" of personal information. Strelux does not sell or share personal information as those terms are defined under the CCPA.
To exercise your rights, email privacy@strelux.com.
9. Security
We implement administrative, technical, and organizational safeguards designed to protect personal data, including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, audit logging, and regular security assessments. For Enterprise-tier customers, we offer customer-managed encryption keys and dedicated tenant deployment.
No system is perfectly secure. In the event of a personal data breach, Strelux will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Affected customers will be notified without undue delay where the breach is likely to result in a high risk to the rights and freedoms of natural persons, in accordance with GDPR Article 34. Notifications will include the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed.
10. Children's privacy
The Service is designed for business use and is not directed at individuals under the age of eighteen (18). We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child, we will delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version on this page and update the "Last updated" date. For material changes, we will provide at least thirty (30) days' notice by email or through the Service before the change takes effect.
12. Contact us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
Strelux Corp.254 Chapman Rd, Ste 208 #27314
Newark, Delaware 19702
United States
Email: privacy@strelux.com