This privacy statement applies to individuals who are:
- completing a workflow created by one of our Customers and powered by Crewdentials
- creating or using a Crewdentials Profile;
Crewdentials is the data controller of some of your personal data and a processor of other parts of your data. This privacy statement deals with our role as data controller. For information about our role as data processor, you should look at the terms here, or speak to the organisation (such as a recruiter or manager who you are connected with or completing a workflow for).
Crewdentials is a company registered in Guernsey with registration number 67547 and is registered with the Office of the Data Protection Authority of Guernsey. The nominated data protection officer is Ellen Armsden, contactable on +44 (0)1481 524 524 or hello@crewdentials.com or you can write to us at PO Box 215, St Peter Port, Guernsey GY1 3NL.
The protection and security of your personal information is of vital importance to us. Our business model is not in any way based on the sale of your personal data and we pride ourselves on this.
Crewdentials provides the tools to allow you to store the documents, certificates and information you choose and allows you to choose which of those to share. You can choose to share with any person, including recruiters, managers and employers (we will call these recipients “Organisations”). We will never make these decisions on your behalf.
Changes to this privacy statement will be published on crewdentials.com and will be available when you next log in. Where appropriate or necessary any changes will be notified to you by email. By continuing to maintain an account or by logging on you will be deemed to have accepted the updated policy. The date of this policy is 20 February 2024.
Your data
Most of the data that we hold as controller comes from you and not from third party sources. Any exceptions are noted below.
Not all of the following types of data will necessarily be collected from you but this is the full scope of data that we collect. We must have a lawful basis on which to process your data which we also set out below.
Data controller activities
Category of Data: Registration Details
Personal Data collected: name and email address
1. Purposes
- to enable Crewdentials to establish your Profile and authenticate your email address
- to manage our relationship with you in accordance with our terms and conditions
- to assist you with troubleshooting any access or Profile issues
- internal record keeping
- to inform you of new products, services or features
Lawful Basis: Contract
If you link, connect, or log in to Crewdentials through a third party service (eg Google, Facebook, Apple) you direct that service to send us information such as your name, email address, language preference and profile picture) controlled by that service or as authorised by you via your privacy settings at that service.
2. Purpose: to provide marketing emails and updates to you
Lawful Basis: Consent
Category of Data: Device and usage data
Personal Data collected: IP address, browser type and version, operating system and platform, how you use our products and services
1. Purpose
In order to provide a PWA (progressive web app) service to you, including performance and offline functionality.
Lawful Basis: Contract
2. Purpose
Assessing which features of Crewdentials are popular and how people are navigating around the Platform
Explanation: When you visit our site, we will store: the website from which you visited us from, the parts of our site you visit, the date and duration of your visit, your anonymised IP address, information from the device (device type, operating system, screen resolution, language, country you are located in, and web browser type) you used during your visit, and more. We process this usage data in Matomo Analytics for statistical purposes, to improve our site and to recognise and stop any misuse.
Lawful Basis: Legitimate Interests
Category of Data: Customer Support Data
Personal data (IP address, browser type and version, operating system and platform, how you use our products and services, feedback)
1. Purpose: Email or live support, including troubleshooting access or account issues
Lawful basis: Contract
2. Purpose: to gather feedback about features and experiences from our users and to understand what features our users would like the Platform to offer
Lawful basis: Consent
Category of Data: Qualification Data
Purpose: to maintain databases of qualifications and issuers
Lawful basis: Legitimate interests
Where a certificate is not recognised by our scanner, or a new issuer needs to be added to our database in order for our verification tools to operate, we may be given a copy of a certificate that belongs to you. This certificate would come from a user of our Business Workspace to whom you have given your certificates. We only use the certificate for the purpose of maintaining or updating our databases and strictly for no other purpose.
Lawful Basis: Further Information
Contract
We can rely on this basis where we need to process your data in order to deliver contractual services to you, (ie your Crewdentials Profile). In using this basis we only process what is necessary and in a way which is the least intrusive to your rights.
Legitimate interests
We can rely on this basis where we are using your data in a way which you would reasonably expect and which have a minimal privacy impact. We have undertaken an exercise to identify our and others’ legitimate interests in processing the data and balance that against your rights and freedoms. You have the right to object to our processing based on legitimate interest.
Your consent
We only rely on your consent where there is no other lawful basis for our processing. Consent means offering individuals real choice and control. Where we rely on your consent to process your data, you may withdraw your consent at any point.
Certain categories of personal data are considered to be “special category data” and attract further protections under the law. By inputting your health details, medical fitness certificates or other medical records or certificates into the Platform you are explicitly acknowledging and consenting to the fact that such information will be stored in the Platform. We will never share this information with anyone unless you choose to do so in accordance with Data Sharing below.
We may use some anonymised and aggregated data of our users. For example we may use certificate type and date of expiry so that we may provide information on trends and potential demand for certain qualifications or we may aggregate your usage data to calculate the percentage of users accessing a specific feature. Anonymous data is not personal data for the purposes of the data protection law as this data will not directly or indirectly reveal your identity. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy statement.
Your data rights
Under certain circumstances you have the following rights under data protection laws in relation to your personal data:
- Request access to your personal data
- Request correction of your personal data
- Request erasure of your personal data
- Object to processing of your personal data
- Request restriction of processing your personal data
- Request transfer of your personal data
- Right to withdraw consent
You also have the right to ask us not to continue to process your personal data for marketing purposes.
You can exercise any of these rights at any time by contacting us at via our contact form or mailing us at PO Box 215, St Peter Port, Guernsey GY1 3NL.
If you are not satisfied with our response, you may also contact the Office of Data Protection in Guernsey using the contact details at this link https://www.odpa.gg/information-hub/information-rights.
We do not collect any special category data such as medical details, religious or philosophical beliefs.
We will only use your data for the purpose for which we have collected it unless we believe that any additional purpose is compatible with the original purpose. We will happily give an explanation as to the compatibility should you wish.
Data sharing and data processing
Guernsey is not in the EEA, but the European Commission has deemed that Guernsey provides an adequate level of protection for personal data. In order to provide the Platform to you, we may need to transfer your personal data and such transfers may be to third parties also outside of the EEA. These third parties may be processors (where we are data controller) or sub-processors (where we are processor).
We keep any data sharing to a minimum but there are certain elements of our service and product provision that mean data sharing is necessary (for example the providers of certain software components within the Platform such as the multi factor authentication). We may need to share data with other service providers, our employees, agents and any relevant authorities.
Whenever we transfer your data to third parties, we will ensure that the necessary contractual provisions are in place to protect your rights by way of an agreement containing processing or sub-processing clauses if necessary
In addition where we transfer your data to a third party outside of the EEA, we ensure that a similar degree of protection is afforded to it by ensuring there is an appropriate safeguard in place Please contact us if you would like any further information about how we transfer your data out of the EEA.
There are limited circumstances in which Crewdentials may share your personal data, such as suspected or confirmed identity fraud or other offences, valid and legally binding requests for information from third parties.
We do not sell your personal data to any person.
In accordance with our terms and conditions, you choose whether you want to use Crewdentials to share your information with other companies. We will never make this decision on your behalf
Data security
All information you provide to us is stored on secure third party servers located in the EU. We have built security protocols into the Platform but you are responsible for keeping your account and log in credentials secure. PWAs are served via HTTPS so all data will automatically undergo end to end encryption.
As part of the PWA functionality your browser will collect and store personal data on your device using browser web storage. You may have the option within your browser settings to choose not to store such data automatically. We only store data on our device for performance and offline functionality.
Once we have received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.
Account closure and inactive accounts
If you wish to close your account, you may do so by contacting us via our contact form Your data will be deleted within 30 days unless we are obliged to keep it for legal or regulatory purposes (such as an ongoing investigation). We may also be required to keep basic information about our customers for legal, regulatory or tax purposes.
We will monitor account activity such as frequency of log ins. Where a user has not accessed their Crewdentials account for 2 years or more we will email you to request that you actively confirm you still want your account. If you do not confirm, we will delete your account and all data and information stored.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.