← Back to OBEDIO
Privacy Policy - Obedio Mobile
Effective Date: June 15, 2026
Last Updated: June 15, 2026
Obedio d.o.o. ("Obedio," "we," "us," "our," or "Company") operates the Obedio mobile applications for iOS and Android (collectively, the "Apps"). The Apps are professional yacht-crew communication software designed for crew members to receive and respond to guest service requests, make crew-to-crew calls, manage on-duty status, and provision smart buttons over Bluetooth.
This Privacy Policy explains what information we collect, why we collect it, how we use it, who we share it with, and your rights regarding your data.
1. Data We Collect
1.1 Account & Authentication
- What: Username and password
- Why: To authenticate you to the Obedio backend and create a secure session
- How Collected: You provide these at login
- Recipient: Obedio backend (your yacht operator's server - on the vessel's local network or a dedicated cloud server)
- Storage on Device: Login credentials (JWT tokens + refresh tokens) are encrypted on-device - iOS: stored in Keychain; Android: stored in DataStore via Android Keystore
1.2 Crew Identity
- What: Crew member ID, display name, role
- Why: To identify you in the system, route messages to you, and display crew roster
- How Collected: Provided during crew provisioning or imported from backend
- Recipient: Obedio backend; transmitted over WebSocket for real-time operations
1.3 Device Identifiers
- What: iOS - Identifier for Vendor (IDFV), transmitted as
ios-phone-<IDFV>, plus device name, model, and OS version. Android - Device ID
- Why: To associate your device with your account, enable push notifications, and distinguish devices in multi-device scenarios
- How Collected: Automatically read from device OS at first registration
- Recipient: Obedio backend
1.4 Push Notification Tokens
- What: iOS - Apple Push Notification service (APNs) token. Android - Google Firebase Cloud Messaging (FCM) token
- Why: To deliver incoming service requests, crew messages, and call notifications to you in real-time
- How Collected: Automatically generated by Apple / Google and shared with Obedio backend
- Recipient: iOS - Apple and Obedio backend. Android - Google Firebase and Obedio backend
1.5 Location (Android Only)
- What: Precise GPS coordinates (latitude, longitude)
- Why: To fetch localized weather data for the crew dashboard widget
- How Collected: One-shot location read when you request weather information
- Recipient: Open-Meteo (third-party weather API: api.open-meteo.com)
- Note: iOS does NOT collect or transmit location data.
1.6 Microphone & Voice Data
- What: Audio of voice messages and live crew calls
- Why: To enable voice messaging and real-time voice communication between crew
- How Collected: You initiate voice recording or call
- Recipient: Voice messages - Obedio backend. Live calls - LiveKit (third-party call infrastructure)
1.7 Text Messages & Chat Content
- What: Text content of crew-to-crew and crew-to-system messages
- Why: To deliver messages and maintain crew communication logs
- How Collected: You compose and send
- Recipient: Obedio backend
1.8 Photos & Files
- What: Images and files you upload (crew photos, guest reference images, etc.)
- Why: To display guest information, crew roster photos, and shared reference materials
- How Collected: You select and upload via the app
- Recipient: Obedio backend
1.9 Guest Information (Received from Backend)
- What: Guest name, preferred name, photo, cabin assignment, status, and dietary restrictions, allergies, and medical notes
- Why: To provide crew with service context and ensure guest safety (e.g., allergy awareness)
- How Collected: Retrieved from the yacht management system and transmitted to your device for display
- Recipient: Displayed on your device for in-app context; this information includes special-category health data and is used solely for crew service operations
- On-Device Retention: Transient - not persisted long-term to device storage; cleared on logout or app termination
2. Third-Party Data Processors
We rely on the following third-party service providers:
| Service | Purpose | Data Shared | Region |
| Open-Meteo | Weather API (Android only) | GPS coordinates | EU-based |
| LiveKit | Voice call routing & streaming | Audio stream; crew caller ID | Operated by/for the yacht operator |
| Google Firebase Cloud Messaging | Push notification delivery (Android) | FCM token; notification content | Google Cloud |
| Apple Push Notification Service | Push notification delivery (iOS) | APNs token; notification content | Apple |
Obedio Backend: Self-hosted on the yacht's local area network (LAN) or a dedicated cloud server operated by/for the yacht operator. This is first-party infrastructure operated by Obedio and/or the yacht operator.
3. Security & Encryption
- In Transit: All communications between the app and backend use HTTPS/WSS with TLS 1.2 or higher.
- At Rest (Device): Authentication tokens (JWT, refresh tokens) are encrypted using device-native secure storage - iOS: Keychain encryption; Android: DataStore encryption via Android Keystore.
- Non-Sensitive Data: Crew ID, display name, and other non-authentication data may be stored in app preferences in plain text for performance (e.g., to avoid repeated lookups).
We do not use third-party crash reporting or analytics SDKs. iOS does not use the Firebase SDK (a GoogleService-Info.plist configuration file may exist but Firebase Analytics is not linked).
4. Data Retention & Deletion
- On Device: Credentials and crew identity data persist until you sign out or unpair the device.
- On Backend: The authoritative copy of all data is retained on the Obedio backend according to the yacht operator's data governance policy.
- Deletion: To delete your account and associated data: (1) unpair your device via the app (clears local credentials); (2) request account deletion via the Obedio backend administrator or contact info@obedio.de; (3) the yacht operator may retain operational logs as required by maritime regulations or internal policy.
5. Children
The Obedio Apps are not directed to, marketed to, or intended for use by children under 13 (or the applicable age of digital consent in your jurisdiction). If you believe a child has provided information through the app, contact us immediately at info@obedio.de.
6. Your Privacy Rights
6.1 GDPR (European Users)
If you are located in the European Union or United Kingdom:
- Access: You have the right to request a copy of personal data we hold about you
- Correction: You may request correction of inaccurate data
- Erasure: You may request deletion ("right to be forgotten"), subject to operational and regulatory retention requirements
- Portability: You may request your data in a portable format
- Objection: You may object to processing of your data
6.2 CCPA (California Users)
If you are a California resident:
- Access: You have the right to know what personal information we collect and how it is used
- Deletion: You may request deletion of personal information (subject to exceptions for necessary business operations)
- Opt-Out: You may opt out of any "sale" or "sharing" of personal information for cross-context behavioral advertising (Obedio does not engage in such practices)
- Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
6.3 General
To exercise any of these rights, contact info@obedio.de. We will respond to verified requests within 30 days (45 days for GDPR if necessary).
7. Special-Category Health Data
Guest dietary restrictions, allergies, and medical notes are classified as special-category personal data under GDPR Article 9. We process this data only for the legitimate purpose of crew service operations and guest safety. This data is accessed solely by authorized crew members on an as-needed basis and is not shared with external parties beyond the yacht operator's internal system.
8. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated in-app or via email to registered account holders. Your continued use of the App after changes constitutes acceptance of the updated policy.
9. Contact Us
For privacy inquiries, data requests, or concerns:
Data Controller: Branko Blagojević PR Obedio
Email: info@obedio.de
Website: https://obedio.de/privacy
Registered Address: 26340 Bela Crkva, Republic of Serbia
Company Registration No.: 68322260 (APR, Republic of Serbia)
Tax ID (PIB): 115381541