This is the privacy statement that applies to the platform known as Crewdentials for Crew (the Platform) and relates to the personal data collected by Crewdentials Limited, a company registered in Guernsey with company number 67547 and registered office at Victoria House, 29-31 High Street, St Peter Port, Guernsey, GY1 2JX (Crewdentials) when you sign up to a Crewdentials account and store your data in that account.
Crewdentials is the data controller in respect of certain aspects of your data, and a processor in respect of other aspects. The terms and conditions that apply when you create and operate your account also act as a "data processing agreement" which sets out what we can and cannot do with the data stored in your account. In relation to that data we will only act on your instructions.
Crewdentials is registered with Office of the Data Protection Authority of Guernsey. The nominated data protection officer is Ellen Armsden contactable on +44 (0) 1481 524 524 or via our contact form.
The protection and security of your personal information is of vital importance to us. Our business model is not in any way based on the sale of your personal data and we pride ourselves on this.
Crewdentials provides the tools to allow you to store the documents, certificates and information you choose and allows you to choose which of those to share. You can choose to share with any person, including recruiters, managers and employers (we will call these recipients Managers for the purposes of this statement). We will never make these decisions on your behalf. However in order to provide the Platform to you we are required to share your data with some of our service providers. Further details on this can be found at Data Sharing below.
Crewdentials has a separate statement that applies to personal data collected when a Manager uses Crewdentials for Managers and a separate statement which applies to those who contact Crewdentials via the website (e.g. for marketing purposes or to hear about Crewdentials products and services). For residents of California, please see our additional statement in compliance with the California Data Protection law.
Changes to this privacy statement will be published on www.crewdentials.com and will be available when you next log in. Where appropriate or necessary any changes will be notified to you by email. By continuing to maintain an account or by logging on you will be deemed to have accepted the updated privacy statement.
The date of this privacy statement is 4 April 2022.
Your data
You must only upload your own personal data other than your emergency contact details. You undertake that you have permission from your emergency contact(s) to provide their details. Please make them aware of this privacy statement.
Subject to a few exceptions referred to below, we do not collect personal data on you from third party sources. Therefore all personal data that we collect is provided by you and can be summarised as follows. Other than registration details no fields are mandatory and you can choose how much information to include.
Data controller activities
1. Registration details
(name, email address, mobile phone number)
- Purpose: to enable Crewdentials to establish your account
- Lawful Basis: contract
- Purpose: to manage our relationship with you including providing updates on Crewdentials' privacy statement and terms and conditions
- Lawful Basis: contract
- Purpose: to assist you with troubleshooting any access or account issues
- Lawful Basis: contract
- Purpose: to provide marketing emails and updates to you
- Lawful Basis: consent
- Purpose: to inform you of new products, services or features
- Lawful Basis: contract
2. Device and usage data
- Purpose: in order to provide a PWA (Progressive Web App) service to you
- Lawful Basis: legitimate interests
- Purpose: to provide support services such as troubleshooting and assessing which features of Crewdentials are popular and how people are navigating around the Platform
- Lawful Basis: legitimate interests
Data processing activities
1. Personal details
(including contact details)
- Nature and Purposes of the Processing: to provide our services to you and to store your data
2. Financial details
- Nature and Purposes of the Processing: to provide our services to you and to store your data
3. Emergency contact(s)
- Nature and Purposes of the Processing: to provide our services to you and to store your data
4. Documents
*(including the data extracted or data you type into the fields provided)*
- Nature and Purposes of the Processing: to provide our services to you and to scan, extract and store the data from the documents
- Nature and Purposes of the Processing: to allow you to share such data with Managers
- Nature and Purposes of the Processing: to notify you that your documents may be reaching an expiry date
5. Certificates
(including the data extracted or data you type into the fields provided)
- Nature and Purposes of the Processing: to provide our services to you and to scan, extract and store the data from the documents
- Nature and Purposes of the Processing: to allow you to share such data with Managers
- Nature and Purposes of the Processing: to notify you that your qualifications may be reaching an expiry date
Where we are the data controller we must have a lawful basis on which to process your data which we have set out above.
We have provided further details on the lawful bases as follows:
Contract
We can rely on this basis where we need to process your data in order to deliver contractual services to you, (ie your Crewdentials for Crew account). In using this basis we only process what is necessary and in a way which is the least intrusive to your rights.
Legitimate interests
We can rely on this basis where we are using your data in a way which you would reasonably expect and which have a minimal privacy impact. We have undertaken an exercise to identify our and others’ legitimate interests in processing the data and balance that against your rights and freedoms. You have the right to object to our processing based on legitimate interest.
Your consent
We only rely on your consent where there is no other lawful basis for our processing. Consent means offering individuals real choice and control. Where we rely on your consent to process your data, you may withdraw your consent at any point.
Certain categories of personal data are considered to be “special category data” and attract further protections under the law. By inputting your health details, medical fitness certificates or other medical records or certificates into the Platform you are explicitly acknowledging and consenting to the fact that such information will be stored in the Platform. We will never share this information with anyone unless you choose to do so in accordance with Data Sharing below.
We may use some anonymised and aggregated data of our users. For example we may use certificate type and date of expiry so that we may provide information on trends and potential demand for certain qualifications or we may aggregate your usage data to calculate the percentage of users accessing a specific feature. Anonymous data is not personal data for the purposes of the data protection law as this data will not directly or indirectly reveal your identity. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy statement.
Your data rights
Under certain circumstances you have the following rights under data protection laws in relation to your personal data:
- Request access to your personal data
- Request correction of your personal data
- Request erasure of your personal data
- Object to processing of your personal data
- Request restriction of processing your personal data
- Request transfer of your personal data
- Right to withdraw consent
You also have the right to ask us not to continue to process your personal data for marketing purposes.
You can exercise any of these rights at any time by contacting us via our contact form or mailing us at Victoria House, 29-31 High Street, St Peter Port, Guernsey, GY1 2JX. You may also contact the Office of Data Protection in Guernsey using the contact details at this link https://www.odpa.gg/information-hub/information-rights.
Data sharing and data processing
Guernsey is not in the EEA, but the European Commission has deemed that Guernsey provides an adequate level of protection for personal data. In order to provide the Platform to you, we may need to transfer your personal data and such transfers may be to third parties also outside of the EEA. These third parties may be processors (where we are data controller) or sub-processors (where we are processor). You consent to us engaging such sub-processors, details of which are available on request.
Whenever we transfer your data to third parties, we will ensure that the necessary contractual provisions are in place to protect your rights by way of a processing or sub-processing agreement. In addition where we transfer your data to a third party outside of the EEA, we ensure that a similar degree of protection is afforded to it by ensuring the appropriate safeguards are implemented:
Please contact us if you would like any further information about how we transfer your data out of the EEA.
You choose whether you want to use Crewdentials to share your information with other companies. When you elect to share any of the data stored in the Platform with a Manager, a secure link is sent to the Manager’s email address that you provide. In order to access the link, the Manager will need the email and the password provided in the email. The link can be revoked at any point. Once the Manager has the information and data you have provided, Crewdentials is not responsible for how the Manager deals with that information and data.
You can view a log of all data you have shared, and who it was shared with in the Share section of your Account.
Managers using Crewdentials for Managers may send you a connection request. These will appear under the Connections section of your account. You will receive a system notification and email for each new Connection. By default your Connections will not have access to any part of your account until you grant access to them. If you grant access, Connections will have view only access to your profile section and the certificates and documents you choose to share with them. They cannot edit your profile details, instead they will have an editable copy to enable them to fulfil their contractual or legitimate interests with you.
An instant messaging channel will be created for each new Connection, which will be accessible under the Inbox section of your account. You will receive a system notification and email whenever a new message is received.
There are limited circumstances in which Crewdentials may share your personal data, such as suspected or confirmed identity fraud or other offences, valid and legally binding requests for information from third parties.
We do not sell your personal data to any person, including but not limited to managers, employers, recruiters, training centres or advertisers.
Data security
All information you provide to us is stored on secure third party servers located in the EU. We have built multi-factor authentication into the Platform to improve the security of your account. You are responsible for keeping your password confidential. We ask you not to share a password with anyone. PWAs are served via HTTPS so all data will automatically undergo end to end encryption.
As part of the PWA functionality your browser will collect and store personal data on your device using browser web storage. You may have the option within your browser settings to choose not to store such data automatically. We only store data on our device for performance and offline functionality.
Once we have received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.
Account closure and inactive accounts
If you wish to close your account, you may do so by contacting us via our contact form Your data will be deleted within 30 days unless we are obliged to keep it for legal or regulatory purposes (such as an ongoing investigation). We may also be required to keep basic information about our customers for legal, regulatory or tax purposes.
We will monitor account activity such as frequency of log ins. Where a user has not accessed their Crewdentials account for 2 years or more we will email you to request that you actively confirm you still want your account. If you do not confirm, we will delete your account and all data and information stored.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.