Privacy Policy

Who we are

Our website address is: http://insetta.com.

What personal data we collect and why we collect it

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Who we share your data with

• Service Providers & Vendors:

   

  • Payment Processors (e.g., Stripe, PayPal): to securely handle your credit/debit card or PayPal transactions.
  • Email Marketing Platforms (e.g., Mailchimp): to send newsletters, promotional updates, or service reminders if you have opted in.
  • Web Hosting & Maintenance Providers: for site performance, backups, security scans, and uptime monitoring.
  • Customer Relationship Management (CRM) Tools: to manage inquiries, quotes, and communications.
  • Analytics Providers (e.g., Google Analytics): to track site usage and performance.

     

• Affiliates & Subsidiaries:
  
  We do not currently have any affiliates or subsidiaries that share data with us. Should this change, any affiliate entity will be bound by confidentiality and data-handling obligations.

   

• Legal & Regulatory Compliance:
  
  We may disclose personal data to comply with applicable laws or legal processes (e.g., in response to a subpoena or court order) or to protect our rights, property, or safety, and those of our visitors.

   

• Business Transfers:
  
  In the event that Insetta Boatworks is acquired, merges with another company, or sells a portion of its assets, user data (including your personal information) may be transferred to the successor entity. We will notify you via email and/or a prominent notice on our website before data is shared or transferred.

   

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.

Contact information

(912) 882-5420

sales@insetta.com

119 Industrial Drive

St. Marys, GA 31558

Additional information

This Privacy Policy describes our practices as they apply to Insetta Boatworks’ website and services. It does not cover other sites or services that may be linked from our site. If you follow a link to a third-party website (for example, a supplier’s site, social media platform, or embedded content), please review that site’s privacy policy separately. In some cases, we may update or supplement this Privacy Policy to clarify our practices or reflect new legal requirements. Whenever we make material changes, we will revise the “Last Updated” date at the top and, if required by law, provide notice (for example, a banner on our homepage or an email to registered users). Your continued use of the website or services after those updates take effect constitutes acceptance of the revised policy.

How we protect your data

1. Encryption in Transit and at Rest

    

   • Whenever you submit sensitive information (such as payment details, login credentials, or personal data) through our website, that data is encrypted using industry-standard SSL/TLS protocols. You can verify that encryption is active when you see “https://” and a lock icon in your browser’s address bar.
   • Where feasible, we also encrypt stored personal data at rest (for example, customer account data or uploaded files) on our servers and backups.

      

2. Access Controls and Authentication

    

   • Access to any system or database containing personal data is restricted to authorized personnel only. We employ role-based access controls, unique user IDs, and strong-password enforcement.
   • All employees and contractors who require system access must complete security training and sign confidentiality agreements.

      

3. Secure Hosting & Firewalls

    

   • Our website and databases are hosted with a reputable provider that maintains robust physical security (data center access controls, surveillance) as well as logical security (firewalls, intrusion detection/prevention systems).
   • Regular vulnerability scans and penetration tests are conducted to identify and remediate security gaps.

      

4. Regular Security Audits & Patch Management

    

   • We perform periodic security audits—both internally and via third-party security firms—to verify compliance with best practices.
   • Software dependencies, web applications, and server operating systems are updated promptly when critical patches or security updates become available.

      

5. Employee Training & Awareness

    

   • All staff members attend mandatory security and privacy training at onboarding and receive annual refresher courses.
   • We maintain clear incident-response procedures so that if a potential vulnerability is identified, it is escalated and addressed immediately.

      

6. Data Minimization & Retention Policies

    

   • We collect only the minimum data necessary to provide our products and services.
   • Data retention schedules ensure that personal data is not kept longer than needed (see “How Long We Retain Your Data” in the main policy). Once the retention period expires, we securely delete or anonymize the data.

      

What data breach procedures we have in place

1. Incident Detection & Initial Assessment

    

   • We continuously monitor network traffic, server logs, and system alerts for suspicious activity. Should an anomaly or unauthorized access attempt occur, our security team is notified immediately.
   • An initial triage is performed within hours to determine whether a breach has actually occurred, what systems or data may be involved, and the scope of potential exposure.

      

2. Containment & Remediation

    

   • If a breach is confirmed, we isolate affected systems (for example, take compromised servers offline or revoke access credentials) to prevent further unauthorized access.
   • We deploy a coordinated remediation plan that may include patching vulnerabilities, updating firewall rules, rotating encryption keys, and resetting passwords for affected accounts.

      

3. Investigation & Forensic Analysis

    

   • A thorough forensic analysis is conducted—either by our internal security team or a third-party cybersecurity firm—to identify root causes, timelines, and any data exfiltration.
   • Findings are documented in detail, and evidence is preserved in case of legal or regulatory inquiries.

      

4. Notification of Affected Parties

    

   • If personal data has been exposed, we notify affected individuals without undue delay and in accordance with applicable regulations (for example, within 72 hours under GDPR, or as specified by state breach-notification laws).

      

   • Notifications will include:

      

     • A description of the nature of the breach (types of data involved).
     • Approximate date or timeframe of the breach.
     • Remedial actions we have taken.
     • Recommendations for individuals to protect themselves (e.g., changing passwords, monitoring financial statements).

        

   • Where required, we also notify relevant regulatory authorities (such as data protection agencies) and, if applicable, consumer reporting agencies.

      

5. Post-Incident Review & Policy Updates

    

   • After containment and notification, we conduct a “lessons learned” review to identify gaps in our security posture or incident-response procedures.
   • Based on the review, we update our security controls, revise internal policies, and retrain staff to prevent similar incidents in the future.
   • We maintain an incident log with details, chronology, and evidence for at least two years after the event.

      

What third parties we receive data from

1. Payment Processors (Stripe, PayPal, etc.)

    

   • When you complete an online payment, our payment processor provides us with transaction confirmation details: your name, billing amount, partial account information (e.g., last four digits of your card), and transaction ID. We do not receive or store full card numbers—those remain with the payment processor.
   • We use this information to reconcile invoices, generate receipts, and update your service records.

      

2. Email Marketing & CRM Platforms (Mailchimp, HubSpot, etc.)

    

   • If you subscribe to our newsletter or promotional emails, your name, email address, and any segmentation tags (e.g., “Interested in Custom Builds” or “Maintenance Only”) are shared from our CRM to the email platform.
   • We receive open and click-through metrics (aggregated or pseudonymized) back to our CRM so we can measure campaign performance.

      

3. Analytics Providers (Google Analytics, etc.)

    

   • Google Analytics supplies us with anonymized usage data, such as pageviews, session duration, bounce rates, and general geographic insights. We do not receive any personally identifiable information from Google Analytics unless you explicitly submit it (e.g., via a contact form).
   • Our analytics provider may also perform device and browser fingerprinting for session tracking; however, we have enabled IP anonymization to avoid storing full IP addresses.

      

4. Social Media Platforms (Facebook, Instagram, YouTube, etc.)

    

   • When you interact with our social media posts (for example, liking a boat-design video on YouTube or commenting on our Instagram feed), those platforms share engagement metrics with us (e.g., view count, number of comments, demographic breakdown).
   • We do not receive your personal social media profile data directly—only aggregated insights provided by the platform’s analytics dashboard.

      

5. Third-Party Vendors & Suppliers

    

   • If you purchase OEM parts or aftermarket accessories through our online store, the vendor or supplier may share shipping and order-fulfillment updates with us (for instance, tracking numbers, delivery status) so we can relay accurate information to you.
   • We also receive API-driven inventory data from certain boat-equipment suppliers to display real-time availability on our site.

      

6. Financial Institutions (Bank, Accounting Software Providers)

    

   • For direct-deposit refunds or payments, your bank’s routing and account information (provided by you via secure forms) is forwarded to our accounting software. We receive confirmation of successful or failed transactions but not full banking credentials.

      

What automated decision making and/or profiling we do with user data

1. Spam Detection for Comments

    

   • We use an automated spam-filtering service (e.g., Akismet) to analyze comment content, IP address, and user agent string. This helps us identify and quarantine spam or malicious submissions before they appear publicly. The service returns a “spam score” or flag, and we review borderline cases manually.

      

2. Behavioral Segmentation for Marketing

    

   • We employ basic profiling of website visitors based on non-identifiable factors (e.g., pages viewed, products clicked, time spent) to group users into segments such as “Custom Build Leads,” “Maintenance Package Inquiries,” or “Accessory Interest.”
   • These segments drive which marketing emails or targeted website banners you may see next (for example, highlighting our latest maintenance bundle for visitors who previously viewed service-plan pages). Profiles are built using anonymized identifiers (cookie or session ID) rather than personally identifiable information, and no decisions (such as denying service) are made solely on this profiling.

      

3. Automated Recommendation Widgets

    

   • On product pages, we include a “You Might Also Like” carousel that uses an algorithm to suggest related boats, parts, or service plans. Recommendations are based on aggregate purchase patterns (e.g., “Customers who purchased a 25-ft fishing boat often also choose our premium sonar package”).
   • These recommendations are purely informational and do not affect your ability to complete a purchase or request a service estimate.

      

4. No Credit or Risk Scoring

    

   • We do not perform any automated credit-scoring, risk-assessment, or background checks on visitors or customers. All financing options (if applicable) are handled through our third-party finance partner, who conducts their own risk and credit evaluations separately.

      

Industry regulatory disclosure requirements

1. California Consumer Privacy Act (CCPA)

    

   • If you are a California resident, you have the right to:

      

     • Know: Request disclosure of the categories and specific pieces of personal data collected, sold, or shared in the past 12 months.

        

     • Delete: Request deletion of your personal data, subject to certain exceptions (for example, fulfilling contractual obligations or legal compliance).
     • Opt-Out of Sale or Sharing: If we were to sell or share personal data (we do not currently do so), you would have the right to opt out.
     • Non-Discrimination: We will not discriminate against you for exercising any CCPA rights.

        

   • To submit a verifiable request, please email us at sales@insetta.com or call (123) 456-7890. We will authenticate your identity before fulfilling requests.
     

      

2. Children’s Online Privacy Protection Act (COPPA)

    

   • Our services and site are not directed to children under 16, and we do not knowingly collect personal information from them.
   • If we discover any personal data has been collected from a child under 16, we will delete it immediately and notify the parent or guardian if we can identify one.

      

3. Payment Card Industry Data Security Standard (PCI DSS)

    

   • Though we never store full credit card numbers on our servers, any service provider that handles payment card data on our behalf must be PCI DSS compliant.
   • We require our payment processors (such as Stripe or PayPal) to adhere to all relevant PCI DSS requirements to ensure cardholder data is protected.

      

4. California “Shine the Light” Law (Civil Code Section 1798.83)

    

   • California residents may request information about how we share certain categories of personal data with third parties for marketing purposes during the prior calendar year.
   • To request this information, please email us at sales@insetta.com. We will provide the list of categories and names of third parties (if any) to whom data was disclosed.