Privacy Policy
Effective July 4, 2026 · Document version 2026-07-03-v1
This policy describes what Buoy actually collects and does today — not what a boilerplate template says we might do. It's written to keep the commitments on our Data Promise page. When the product grows, this document changes first, and you'll be asked to accept the new version.
Who we are
Buoy operates buoylist.com and the Buoy app at app.buoylist.com — a free platform for boaters, launching first in Somers Point / South Jersey. For anything in this policy, contact us at hello@buoylist.com.
What we collect
Today, Buoy collects exactly the following:
- Account information. When you create an account: your name, email address, and password. Your password is stored only as a cryptographic hash — never in plain text, and we cannot read it.
- Consent records. When you accept our Terms and this Privacy Policy at signup, we record which document version you accepted, when, and the IP address the acceptance came from. This is how we prove we asked — and how a policy change knows to ask you again.
- Session data. While you're signed in, we keep a session record that includes your IP address and browser user agent. We use it to keep you signed in and to protect accounts from abuse.
- Waitlist signups. If you join the beta waitlist: your email address, and optionally your name, your market, and how you heard about us.
- Business inquiries. If you're a marina or service provider who contacts us through the For Business page: your business name, contact name, email, and optionally a phone number, business category, market, and any notes you include.
What we don't collect
Right now, Buoy has no payment processing (we hold no card or bank details), no advertising, no analytics trackers, and no third-party ad cookies. We don't buy data about you and we don't enrich your profile from outside sources. If any of that changes as the product grows, this policy will be updated and versioned before it does.
The one cookie we set
Buoy sets a single cookie: buoy_session, which keeps you signed in. It's an
HTTP-only cookie (JavaScript on the page can't read it), it lasts up to 30 days and
renews while you're active, and it's removed when you log out. There are no advertising,
analytics, or cross-site tracking cookies on Buoy — that's the whole list.
The weather briefing on our homepage
The live conditions card on our homepage fetches weather, tide, and alert data directly from NOAA's public services. Those requests go straight from your browser to NOAA — they never pass through Buoy's servers, and we receive and store nothing about them.
How we use what we collect
We use your information to run your account and keep you signed in, to invite you to the beta when your market opens, to respond to business inquiries, and to protect the platform from abuse and fraud (which is what the rate limits and session records are for). That's it — there is no marketing use of your data without a separate, specific consent, which the platform checks before every send.
Where your data lives
Buoy's database runs on Neon (managed Postgres) hosted on AWS in the us-east-1 region (Northern Virginia, USA). Our applications are hosted on Railway. Our DNS and CDN are provided by Cloudflare, so traffic to our sites passes through Cloudflare's network. These providers process data on our behalf as infrastructure; none of them receives your data for their own marketing purposes.
What we will never do
These are the commitments from our Data Promise, and they are binding on us here too:
- We never sell your individual data. No lists, no brokers, no exceptions.
- Future advertisers get aggregates only. If Buoy carries advertising one day, partners will be able to reach a segment (say, "boats with insurance expiring soon") — but the matching happens on our servers, and the advertiser never receives your record, your name, or your contact information.
- You can export or delete your data on request. Deletion is honored, with the narrow exception of records the law requires us to keep, which we retain only as required and anonymize where they must persist.
When we share data
We share data only with the infrastructure providers listed above, and where the law genuinely requires it (a valid legal demand). We do not sell, rent, or trade personal information — to anyone, for any price.
Your rights
You can ask us to access, correct, export (in a machine-readable format), or delete the data we hold about you. Email hello@buoylist.com and we'll handle it — no forms, no fees, no runaround. Self-serve export and delete buttons are being built into the account page; until they ship, email works.
Children
Buoy is not directed at children under 13, and we do not knowingly collect personal information from them. If you believe a child under 13 has given us personal information, email us and we will delete it.
Changes to this policy
This policy carries a version (currently 2026-07-03-v1), and your acceptance
is recorded against the version you actually saw. When we make a material change, we
publish a new version, tell you, and — where the change requires it — ask you
to accept again before continuing to use Buoy. We won't quietly swap the terms underneath
you.
Contact
Questions, requests, or concerns: hello@buoylist.com.
This document is pending review by counsel and may be updated.