Hey First MateLog in

Privacy Policy

Effective Date: March 31, 2026

Last Updated: April 3, 2026

This Privacy Policy explains how T & T Educational Support Services, LLC, a West Virginia limited liability company doing business as Hey First Mate (“Hey First Mate,” “we,” “us,” or “our”), collects, uses, shares, stores, and protects personal information when you use the Hey First Mate website, web application, mobile interfaces, and related services (collectively, the “Service”).

Business Contact Information: T & T Educational Support Services, LLC d/b/a Hey First Mate | 252 Garnett Hill Drive, Urbanna, Virginia 23175 | Email: ty@heyfirstmate.com | Phone: (703) 209-0921

This Privacy Policy should be read together with our Terms of Service and our Medical & Maritime Safety Disclaimer.

1. Scope

This Privacy Policy applies to information we collect from you when you access or use the Service, create an account, communicate with us, submit content, or otherwise interact with Hey First Mate.

The Service is intended primarily for adults using a boating and vessel-management product. The Service is not directed to children under 18.

2. Information We Collect

2.1 Information You Provide Directly

We may collect information you provide to us, including:

  • your name, email address, login credentials, and account profile details;
  • vessel information, such as vessel name, type, size, home port, systems, engines, tanks, equipment, inventories, specifications, maintenance details, and related notes;
  • logbook entries, reminders, checklists, maintenance records, trip-related notes, and other structured or unstructured entries;
  • chat messages, prompts, support requests, survey responses, and other communications you send to us;
  • images or files you upload, including photos of equipment, gauges, parts, or vessel conditions;
  • location information you manually enter, such as coordinates, port names, marina names, or route-related notes;
  • feedback ratings and optional comments you provide on AI-generated responses; and
  • extracted contextual memory — the Service may automatically extract and store preferences, plans, and other contextual information from your conversations, such as preferred maintenance intervals, planned voyages, or vessel operating preferences, to provide continuity and personalized, context-aware responses across sessions.

2.2 Voice Inputs

If you use voice features, your spoken audio may be transmitted to third-party speech-to-text providers for transcription so that the Service can process your request. We retain the resulting text transcript as part of your conversation history, but we do not intentionally retain raw voice recordings after transcription except as needed for temporary processing, debugging, legal compliance, or if a feature clearly tells you otherwise.

Illinois biometric disclosure: If you are an Illinois resident, please note that voice inputs are transmitted to third-party speech-processing providers for transcription. We do not intentionally collect, store, or retain voiceprints or biometric identifiers as defined under the Illinois Biometric Information Privacy Act. We retain transcribed text, not voiceprints, as part of conversation history.

2.3 Information Collected Automatically

When you use the Service, we may automatically collect certain technical information, including:

  • IP address;
  • browser type and version;
  • operating system;
  • device type;
  • session and authentication information;
  • timestamps, feature usage, and error logs;
  • analytics and usage data collected through third-party analytics services such as Google Analytics 4, including pages or screens viewed, session timing and duration, navigation paths, feature interactions, browser and device attributes, approximate geolocation derived from IP address, and pseudonymous identifiers such as cookies or similar device or browser identifiers;
  • approximate location inferred from IP address; and
  • performance, stability, crash, and abuse-prevention logs.

2.4 GPS and Location Permissions

If you grant permission, the Service may access your device's more precise location for location-enabled features such as logbook support, map context, or nearby-reference features. You may disable location permissions through your browser or device settings, though some features may work less effectively.

2.5 Cookies, Local Storage, Caching, and Similar Technologies

We use cookies, local storage, and similar technologies for several purposes, including:

(a) Strictly necessary purposes, such as authentication, login persistence, security, fraud prevention, session continuity, and core Service functionality; and

(b) Analytics and measurement purposes, including through Google Analytics 4 (“GA4”), to understand traffic and usage patterns, evaluate feature adoption, diagnose performance issues, improve onboarding and product design, and monitor aggregate engagement with the Service.

GA4 and similar analytics technologies may place or read cookies or similar identifiers on your browser or device and may collect information about your interaction with the Service and related technical data, including pseudonymous identifiers, browser and device information, approximate location derived from IP address, and usage event data.

Where required by applicable law, we will obtain your consent before enabling non-essential analytics cookies or similar technologies. Where made available, you may later manage or withdraw your consent through the cookie preferences mechanism provided in the Service. You may also limit cookies through your browser or device settings, although doing so may affect some functionality of the Service.

We do not currently use GA4 through the Service for third-party advertising, cross-context behavioral advertising, or remarketing unless and until we separately disclose that practice and provide any rights or choices required by law.

We may also use server-side logs and infrastructure telemetry to understand reliability, abuse patterns, performance, and safety-related feature stability.

Depending on your browser, device, or operating system, some limited session, preference, or cached content may remain stored locally on your device until it expires automatically or is cleared by you. You can generally clear locally stored site or app data through your browser or device settings, by logging out, or by uninstalling and reinstalling the app where applicable. We do not guarantee that local caches maintained by your own browser, operating system, or device vendors can be remotely cleared by us.

2.6 Payment Information

We do not directly store full payment card numbers. Payments are processed by a third-party payment processor. We may receive limited billing and transaction information such as billing status, card brand, last four digits, renewal status, billing ZIP code, and transaction identifiers.

3. How We Use Information

3.1 To Provide the Service

We use your information to create and manage accounts, authenticate users, store vessel information, maintain logs and reminders, provide AI-powered responses, retrieve relevant context, support voice and image features, and otherwise operate the Service.

3.2 To Personalize Responses

We use conversation history, stored preferences, extracted contextual memory items, vessel data, and related account information to provide context-aware responses and continuity across sessions.

3.3 To Process Payments and Manage Subscriptions

We use billing and transaction information to activate paid plans, renew subscriptions, detect billing errors, and provide customer support related to purchases and account status.

3.4 To Maintain, Secure, and Improve the Service

We use data to debug errors, detect abuse, improve reliability, improve product features, and monitor safety-related system behavior.

In addition to server-side logs and infrastructure telemetry, we may use Google Analytics 4 and similar measurement tools to understand how users interact with the Service, identify which pages and features are most used, diagnose performance and usability issues, evaluate aggregate engagement, and improve reliability, onboarding, and product design. Where required by applicable law, we rely on your consent for non-essential analytics processing. In other cases, we may rely on our legitimate interests in operating, securing, analyzing, and improving the Service, subject to applicable law.

We also continue to rely on server-side performance, crash, reliability, and abuse-prevention data from our infrastructure providers to monitor service stability and improve safety-related features.

3.5 To Communicate With You

We may send you transactional and service-related messages, such as account notices, password resets, billing messages, policy updates, support responses, security notices, and product announcements. We may also send marketing or promotional emails where allowed by law and subject to your preferences.

3.6 To Comply With Law and Protect Rights

We may process information as needed to comply with legal obligations, enforce our Terms, respond to legal process, investigate security incidents, and protect the rights, safety, and property of Hey First Mate, our users, and others.

4. AI, Speech, Image, and Context Processing

4.1 AI Processing Overview

Hey First Mate uses artificial intelligence and related machine-learning systems to generate responses and product functionality. To do this, we may transmit portions of your input and relevant context to third-party providers that help us operate the Service.

4.2 Categories of Data Potentially Sent for Processing

Depending on the feature used, we may transmit some or all of the following:

  • your current prompt or message;
  • relevant prior conversation history;
  • vessel data relevant to the request;
  • user-entered notes, logs, reminders, or maintenance context;
  • uploaded images submitted for analysis;
  • text needed for text-to-speech generation;
  • audio submitted for speech-to-text transcription; and
  • analytics, usage, device, and interaction data sent to our analytics providers.

4.3 Current Third-Party Processing Roles

Based on our current stack, service providers may include:

  • Anthropic, PBC for primary conversational model processing;
  • OpenAI, LLC for certain speech, vision, embedding, and fallback processing;
  • Deepgram, Inc. for speech-to-text transcription;
  • Google LLC for web analytics (Google Analytics 4) and certain maps and geolocation-related services;
  • Supabase, Inc. for database, authentication, storage, and backend support;
  • Vercel Inc. for hosting and application delivery;
  • [Payment processor — to be confirmed] for subscription billing; and
  • [Email provider — to be confirmed] for transactional or support email.

Information collected through Google Analytics 4 may be processed by Google subject to Google's applicable terms, technical documentation, and privacy practices. For that reason, some analytics-related processing may be governed not only by our instructions to vendors, but also by Google's platform rules and policies applicable to GA4.

4.4 AI Training Policy

We do not use your identifiable User Content to train or fine-tune third-party foundational AI models.

We may use de-identified or aggregated service data, reliability data, error logs, and product feedback to maintain, secure, and improve the Service, provided that such use does not reasonably identify you.

If we ever materially change our AI training or reuse practices, we will update this Privacy Policy and provide any notice or consent required by law before doing so.

4.5 Sensitive Information Warning

You should not submit highly sensitive information through the Service unless it is clearly necessary and appropriate. For example, avoid entering Social Security numbers, driver's license numbers, financial account credentials, or detailed medical records into chat or uploads.

5. How We Share Information

We do not sell your personal information for money. We do not knowingly share personal information for cross-context behavioral advertising.

5.1 Service Providers and Subprocessors

We share information with vendors that process data on our behalf to operate the Service, including AI providers, speech processors, database and hosting vendors, maps providers, email providers, storage providers, and payment processors. This may include analytics and measurement vendors, such as Google where we use Google Analytics 4, to help us understand Service traffic, feature usage, reliability, and product performance.

Where legally required, we maintain or seek to maintain appropriate data-processing agreements or equivalent contractual safeguards with service providers that process personal information on our behalf.

5.2 Legal Compliance and Protection

We may disclose information where we believe disclosure is necessary to comply with law, legal process, governmental request, or regulatory obligation, or to protect the rights, property, safety, or security of Hey First Mate, our users, or others.

5.3 Business Transfers

If Hey First Mate is involved in a merger, acquisition, financing, restructuring, or sale of assets, user information may be transferred as part of that transaction, subject to appropriate protections and notice where required by law.

5.4 With Your Direction or Consent

We may share information where you instruct us to do so or where you explicitly consent.

5.5 De-Identified or Aggregated Information

We may use and disclose de-identified or aggregated information that cannot reasonably be used to identify you.

6. Data Retention

We retain personal information only as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Our current intended retention approach is:

  • Account information: for the life of the account and approximately 90 days after account closure for recovery, fraud prevention, and support handling;
  • Conversation history, vessel data, logs, and reminders: until you delete them or close your account, then deleted from active systems within approximately 30 days unless retention is required by law;
  • Uploaded images: until you delete them or close your account, then deleted from active systems within approximately 30 days unless retention is required by law;
  • Raw voice audio: not intentionally retained beyond temporary transcription processing, except where required for short-lived technical handling, security investigation, or legal compliance;
  • Billing and transaction records: up to 7 years or as otherwise required by tax, accounting, or legal obligations;
  • Residual backup copies: purged in the ordinary backup rotation cycle, generally within approximately 90 days after deletion from active systems;
  • Analytics event data, cookie identifiers, and similar measurement records: retained for the period configured in our analytics settings and in vendor systems, currently 2 months for event-level data and 14 months for user-level data, unless a longer period is reasonably necessary for security, fraud prevention, dispute resolution, or legal compliance; and
  • Anonymized response feedback: after account deletion, anonymized response feedback, including ratings and optional comments that no longer identify you, may be retained for ongoing safety, reliability, and quality analysis.

If you request account deletion, we will delete or anonymize personal information from active systems within a commercially reasonable period, subject to legal, fraud-prevention, dispute-resolution, and backup limitations.

7. Your Rights and Choices

Depending on your jurisdiction, you may have rights regarding your personal information. These may include the right to access personal information we hold about you, correct inaccurate information, delete certain personal information, receive a portable copy of certain information, object to or restrict certain processing, withdraw consent where processing is based on consent, and opt out of marketing communications.

Where we rely on consent for analytics cookies or similar technologies, you may withdraw that consent at any time through the cookie preferences tool we make available in the Service, where available, or through your browser or device settings. Withdrawal of consent will not affect the lawfulness of processing that occurred before the withdrawal became effective.

You may exercise requests by contacting us at ty@heyfirstmate.com. We may need to verify your identity before completing a request.

Where required by applicable law, we will respond to verifiable privacy-rights requests within the legally required period, which is generally 30 days unless an extension is permitted or reasonably necessary. Where no specific statutory deadline applies, we will respond within a commercially reasonable time.

7.1 California Privacy Rights

If you are a California resident, you may have rights under California privacy law, including the right to know, access, correct, delete, and opt out of certain sale or sharing of personal information, plus the right not to be discriminated against for exercising applicable privacy rights.

At this time, we do not knowingly sell personal information for money or share personal information for cross-context behavioral advertising. If that changes, we will update this Privacy Policy and provide any rights mechanism required by law, including a Do Not Sell or Share My Personal Information mechanism if applicable.

We do not currently use Google Analytics 4 through the Service for cross-context behavioral advertising, third-party ad targeting, or remarketing unless and until we separately disclose that practice. If our use of analytics technologies materially changes in a way that constitutes a “sale” or “sharing” of personal information under applicable California law, we will update this Privacy Policy and provide any notice and opt-out mechanism required by law.

7.2 Virginia Privacy Rights

If the Virginia Consumer Data Protection Act or similar Virginia privacy law applies to our processing activities, Virginia residents may have rights to confirm whether we are processing personal data, access personal data, correct inaccuracies, delete personal data, obtain a portable copy of personal data, and opt out of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.

Because the VCDPA applies only when statutory thresholds are met, availability of these rights may depend on whether the law applies to our business at the relevant time.

7.3 EEA, UK, and Swiss Privacy Rights

If you are located in the EEA, UK, or Switzerland, you may have rights under applicable data protection law, including rights of access, rectification, erasure, portability, restriction, objection, and the right to lodge a complaint with a supervisory authority.

Where applicable, our primary legal bases for processing may include performance of a contract; compliance with legal obligations; legitimate interests in operating, securing, and improving the Service; and consent, where legally required.

We do not use solely automated decision-making to make decisions that produce legal or similarly significant effects about you without human involvement.

8. Cookies, Consent, and Browser Controls

We use cookies and similar technologies for both essential and non-essential purposes. Essential technologies help the Service function, including for login, authentication, security, fraud prevention, billing continuity, and core performance. Non-essential technologies may include analytics and measurement tools such as Google Analytics 4 (“GA4”), which help us understand traffic, feature use, engagement patterns, and product performance.

Where required by applicable law, we will not enable non-essential analytics cookies or similar technologies unless and until you provide the required consent. Where available, you may manage your preferences through the cookie preferences tool presented in the Service. You may also control cookies through your browser or device settings, although disabling essential cookies may prevent the Service from functioning properly.

Disabling analytics cookies does not prevent us from using strictly necessary cookies or certain server-side logs needed for authentication, security, fraud prevention, subscription management, and core Service operations.

We do not use third-party advertising cookies or cross-context behavioral advertising trackers.

We currently do not make any representation about responding to browser Do Not Track signals or Global Privacy Control signals unless and until that behavior is verified and implemented consistently.

9. Security and Breach Notification

We use reasonable administrative, technical, and organizational safeguards designed to protect personal information. These may include encrypted transmission, authentication controls, access restrictions, logging, and cloud-infrastructure safeguards.

No system is perfectly secure, and we cannot guarantee absolute security.

If we discover a qualifying security incident involving personal information, we will investigate and provide notices as required by applicable law.

For residents of Virginia, we will provide breach-related notice as required by Virginia Code section 18.2-186.6.

As a West Virginia registered entity, we also comply with West Virginia Code section 46A-2A-101 et seq. and will provide notice as required by that law, including without unreasonable delay where applicable.

10. International Data Transfers

Hey First Mate is operated in the United States. If you use the Service from outside the United States, your information may be transferred to, processed in, and stored in the United States and other countries where our service providers operate.

Those countries may have data-protection laws that differ from the laws in your country.

Where required, we will rely on appropriate transfer mechanisms, such as Standard Contractual Clauses or other lawful safeguards, for international transfers.

11. Children's Privacy

The Service is not directed to children under 18, and we do not knowingly collect personal information from children under 18.

If you believe a child under 18 has provided personal information to us, contact us at ty@heyfirstmate.com, and we will take appropriate steps to investigate and delete the information where required.

12. Third-Party Services

This Privacy Policy does not govern the privacy practices of third-party products or services that are not controlled by Hey First Mate. Third-party services integrated with or linked from the Service may have their own privacy notices and terms.

We encourage you to review the privacy notices of relevant third parties, including AI providers, cloud providers, payment processors, mapping providers, and analytics providers.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice in the Service, by email, or by other legally sufficient means before the updated policy becomes effective.

The Last Updated date at the top of this Privacy Policy reflects the latest revision date.

14. Contact Us

T & T Educational Support Services, LLC d/b/a Hey First Mate
252 Garnett Hill Drive
Urbanna, Virginia 23175
Email: ty@heyfirstmate.com
Phone: (703) 209-0921