This is the privacy statement that applies to the Crewdentials Workspace (the Platform) and relates to the personal data collected by Crewdentials where, as a Customer, you sign up to a Workspace or a User Account is created for you by one of our Customers.
Crewdentials Limited, a company with these corporate details (Crewdentials) is registered with Office of the Data Protection Authority of Guernsey. The nominated data protection officer is Ellen Armsden, contactable via our contact form or you can write to us at PO Box 215, St Peter Port, Guernsey GY1 3NL.
A Crewdentials Workspace provides the tools to allow you to store data, documents, certificates and information and collaborate with your Clients and Crew Members. In relation to that service, Crewdentials acts as data processor, or data sub-processor and our Workspace terms act as a data processing agreement compliant with the various data protection laws and standards.
This privacy statement applies to the limited data that we collect in relation to the provision of your Account and our Customer relationship – for example your name, your contact details, your IP address and your usage of the Platform. The protection and security of your personal information and the personal information of your Clients and associated Crew is of vital importance to us. Our business model is not in any way based on the sale of your personal data and we pride ourselves on this.
Changes to this privacy statement will be published on crewdentials.com and will be available when you next log in to the Platform. Where appropriate or necessary any changes will be notified to you by email. By continuing to maintain an account or by logging on you will be deemed to have accepted the updated statement. The date of this policy is 20 February 2024
Your data
Personal Data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
Most of the data that we collect about you is provided by you, or on your behalf (for example by your employer). Limited data comes from third parties which we describe below.
Data controller activities
Not all of the following types of data will necessarily be collected from you but this is the full scope of data that we collect. We must have a lawful basis on which to process your data which we also set out below.
Category of Data: Registration Details
Personal Data collected: name and email address
1. Purposes
- to enable Crewdentials to establish your User Account and authenticate your email address
- to manage our relationship with you in accordance with our terms and conditions
- to assist you with troubleshooting any access or User Account issues
- internal record keeping
- to inform you of new products, services or features
Lawful Basis: Contract
If you link, connect, or log in to Crewdentials through a third party service (eg Google, Facebook, Apple) you direct that service to send us information (such as your name, email address, language preference and profile picture) controlled by that service or as authorised by you via your privacy settings at that service.
2. Purpose: to provide marketing emails and updates to you
Lawful Basis: Consent
Category of Data: Device and Usage Data
Personal Data collected: IP address, browser type and version, operating system and platform, how you use our products and services
1. Purpose
In order to provide a PWA (progressive web app) service to you, including performance and offline functionality.
Lawful Basis: Contract
2. Purpose
Assessing which features of Crewdentials are popular and how people are navigating around the Platform
Explanation: When you visit our site, we will store: the website from which you visited us from, the parts of our site you visit, the date and duration of your visit, your anonymised IP address, information from the device (device type, operating system, screen resolution, language, country you are located in, and web browser type) you used during your visit, and more. We process this usage data in Matomo Analytics for statistical purposes, to improve our site and to recognise and stop any misuse.
Lawful Basis: Legitimate Interests
Category of Data: Customer Support Data
Personal data (IP address, browser type and version, operating system and platform, how you use our products and services, feedback)
1. Purpose: Email or live support, including troubleshooting access or account issues
Lawful basis: Contract
2. Purpose: to gather feedback about features and experiences from our users and to understand what features our users would like the Platform to offer
Lawful basis: Consent
Category of Data: Payment Details (applicable only where you are the Customer)
Personal data: bank details and payment history (including billing and collection)
Purpose: To enable us to invoice you and collect payment
We have provided further details on the lawful bases as follows:
Contract
We can rely on this basis where we need to process your data in order to deliver contractual service to you (ie your Crewdentials Workspace). In using this basis we only process what is necessary and in a way which is the least intrusive to your rights.
Legitimate interests
We can rely on this basis where we are using your data in a way which you would reasonably expect and which have a minimal privacy impact. We have undertaken an exercise to identify our and others’ legitimate interests in processing the data and balance that against your rights and freedoms. You have the right to object to our processing based on legitimate interest.
Your consent
We only rely on your consent where there is no other lawful basis for our processing. Consent means offering individuals real choice and control. Where we rely on your consent to process your data, you may withdraw your consent at any point.
Your data rights
Under certain circumstances you have the following rights under data protection laws in relation to your personal data:
- Request access to your personal data.
- Request correction of your personal data.
- Request erasure of your personal data.
- Object to processing of your personal data.
- Request restriction of processing your personal data.
- Request transfer of your personal data.
- Right to withdraw consent.
You also have the right to ask us not to continue to process your personal data for marketing purposes.
You can exercise any of these rights at any time by contacting us at via our contact form or mailing us at PO Box 215, St Peter Port, Guernsey GY1 3NL.
If you are not satisfied with our response, you may also contact the Office of Data Protection in Guernsey using the contact details at this link https://www.odpa.gg/information-hub/information-rights.
We do not collect any special category data such as medical details, religious or philosophical beliefs.
We will only use your data for the purpose for which we have collected it unless we believe that any additional purpose is compatible with the original purpose. We will happily give an explanation as to the compatibility should you wish.
Data sharing and data processing
Guernsey is not in the EEA but the European Commission has deemed that Guernsey provides an adequate level of protection for personal data. In order to provide the Platform to you, we may need to transfer your personal data and such transfers may be to third parties also outside of the EEA. These third parties may be processors (where we are data controller).
We keep any data sharing to a minimum but there are certain elements of our service and product provision that mean data sharing is necessary (for example the providers of certain software components within the Platform such as the multi factor authentication). We may need to share data with other service providers, our employees, agents and any relevant authorities.
Whenever we transfer your data to third parties, we will ensure that the necessary contractual provisions are in place to protect your rights by way of an agreement containing processing or sub-processing clauses if necessary
In addition where we transfer your data to a third party outside of the EEA, we ensure that a similar degree of protection is afforded to it by ensuring there is an appropriate safeguard in place Please contact us if you would like any further information about how we transfer your data out of the EEA.
There are limited circumstances in which Crewdentials may share your personal data, such as suspected or confirmed identity fraud or other offences, valid and legally binding requests for information from third parties.
We do not sell your personal data to any person.
Data security
All information you provide to us is stored on secure third party servers located in the EU. We have built security protocols into the Platform but you are responsible for keeping your account and log in credentials secure. PWAs are served via HTTPS so all data will automatically undergo end to end encryption.
As part of the PWA functionality your browser will collect and store personal data on your device using browser web storage. You may have the option within your browser settings to choose not to store such data automatically. We only store data on our device for performance and offline functionality.
Once we have received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.
Data retention
We have contracted with the Customer to provide the Platform to you and the Customer has established your Account and is responsible for closing your account. Should you wish to close your Account you can do so by asking our Customer.
If you are a Customer in your own right, you can close your Account in accordance with the Workspace Terms and Conditions.
Upon closure of your Account, we may still be required to keep some or all of your personal data for legal or regulatory purposes (such as an ongoing investigation). We may also be required to keep basic information about our customers for legal, regulatory or tax purposes.
We will monitor account activity such as frequency of log ins.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.