CrewPass Limited (we, us, our or CrewPass) is committed to protecting your personal data and respecting your privacy. This policy explains how we collect, use, share and protect personal data in connection with the CrewPass platform and services.
This policy applies to:
- the CrewPass website at www.crewpass.co.uk (the Hosted Site);
- the CrewPass web application at dashboard.crewpass.co.uk (the Web Platform);
- the CrewPass mobile application previously distributed on the Apple App Store and Google Play Store (the Legacy App), which has been withdrawn from new download but may remain installed on existing devices; and
- any services accessible through any of the above (the Services).
The Services are intended for users aged 18 and over. We do not knowingly collect data relating to children. The CrewPass platform is used by maritime crew members, recruitment agencies, vessel management companies, captains and yachts to facilitate background checks, identity verification, compliance management and crew employment.
If you have any questions about this policy, please contact dpa@crewpass.co.uk.
1. Important information and who we are
CrewPass Limited is the controller responsible for your personal data when you use the Services.
- Legal entity: CrewPass Limited
- Registered number: 10842250 (England & Wales)
- Registered office: F1 Adanac North, Adanac Drive, Southampton, Hampshire, England SO16 0BT, United Kingdom
- Data-protection contact: dpa@crewpass.co.uk
- General contact: customerservice@crewpass.co.uk
You have the right at any time to lodge a complaint with the Information Commissioner's Office (ICO), the UK regulator for data protection (www.ico.org.uk). We would, however, appreciate the opportunity to address your concerns first.
Changes to this policy
We keep this policy under regular review. Where we make material changes, we will post the updated policy on this page and, where appropriate, notify you by email, by SMS or when you next sign in to the Services. You should keep your contact details with us up to date.
2. The data we collect about you
We may collect, use, store and transfer the following categories of personal data about you:
- Identity Data — first name, last name, maiden name, username, marital status, title, date of birth, gender.
- Contact Data — billing address, delivery address, email address and telephone numbers.
- Financial Data — bank account and payment card details (processed by our payment processor; we do not store full card numbers).
- Transaction Data — details of payments to and from you, orders for verification checks, subscription and renewal records.
- Criminal Convictions Data — information about any criminal convictions, cautions or legal proceedings you have been involved with, collected for employment eligibility purposes under the lawful bases described below and in Schedule 1.
- Identity Verification Data — passport details, biometric data, identity document images and verification results, collected through our identity verification provider.
- Background Check Data — results, supporting documentation and audit data from our background screening providers.
- Profile Data — username and password, unique CrewPass ID, qualifications, certificates, work history, references, biography, preferences and feedback.
- Compliance Data — uploaded certificates, expiry dates, training records, medical certificates (where relevant) and other compliance-related documents.
- Content Data — information you upload to your CrewPass profile or share with employers and agencies.
- Device Data — type of device, device identifiers, browser type and version, operating system, IP address and time-zone setting.
- Usage Data — information about how you use the Services, including pages visited, features used and traffic data.
- Marketing and Communications Data — your preferences in receiving marketing from us and our partners, and your communication preferences.
Where you upload Special Categories of Personal Data (for example health information attached to a medical certificate), we process it only to the extent necessary for the Services and in accordance with Schedule 1.
3. How we collect personal data
We collect personal data:
- Directly from you — when you register for an account, complete forms, upload documents, communicate with us, raise a support request, or otherwise use the Services.
- Automatically — when you interact with the Services, we collect Device, Usage and Content Data, using cookies and similar technologies, as described below.
- From third parties and public sources, including:
- identity verification providers (such as Veriff);
- background screening and criminal records providers (such as Veremark);
- payment processors (such as Stripe);
- agencies, vessel managers, captains and other CrewPass Participants who interact with your profile;
- sanctions and adverse media screening databases;
- publicly available registries and sources.
During identity verification, our identity verification provider collects and shares with us personal information, document details, biometric information, contact details, technical and machine-readable data, metadata, device and network information, photographs and videos. The provider's own privacy notice describes how they use that data.
Cookies and similar technologies
We use cookies and similar technologies on the Hosted Site and Web Platform. The categories we use are:
- Strictly necessary cookies — required for the Services to function (for example, authentication, session management, security and load balancing). These cookies do not require your consent.
- Performance and analytics cookies — help us understand how the Services are used so that we can improve them. We seek your consent before setting these cookies.
- Functionality cookies — remember choices you make and personalise your experience (for example, language and locale preferences).
You can manage your preferences via the cookie banner shown on first visit and via the cookie preferences link on our website. Where consent is required, you may withdraw it at any time. Disabling certain cookies may affect the functionality of the Services. For a current list of the specific cookies in use, please contact dpa@crewpass.co.uk.
4. How we use personal data
We use personal data only where the law allows us to. The lawful bases we rely on are:
- Consent — where you have given clear consent for a specific purpose;
- Contract — where processing is necessary to provide the Services or to take steps at your request;
- Legitimate interests — where processing is necessary for our legitimate interests (or those of a third party) and your fundamental rights do not override those interests; and
- Legal obligation — where processing is necessary to comply with a legal or regulatory obligation, including our obligations as a UK data controller.
For Criminal Convictions Data and Special Categories of Personal Data, we additionally rely on the conditions set out in Schedule 1 to the Data Protection Act 2018, including the substantial public interest condition relating to employment, social security or social protection.
Typical purposes and lawful bases include:
| Purpose | Lawful basis |
|---|---|
| Creating and managing your CrewPass account | Contract |
| Carrying out identity verification | Contract, legitimate interests, legal obligation |
| Carrying out background and criminal records checks for employment eligibility | Contract, legal obligation, substantial public interest (Schedule 1, DPA 2018) |
| Sharing your verification status with agencies, vessels and managers you have authorised | Consent or contract |
| Processing payments and collecting Fees | Contract, legal obligation |
| Providing customer support | Contract, legitimate interests |
| Detecting fraud, abuse, sanctions exposure and security incidents | Legitimate interests, legal obligation |
| Improving the Services, including via aggregated analytics | Legitimate interests |
| Marketing communications | Consent or legitimate interests (with right to object) |
5. Disclosures of personal data
We share personal data with the following categories of recipient, in each case under appropriate contractual and legal safeguards:
- CrewPass Participants to whom you have granted access to your profile, including recruitment agencies, vessel managers, captains and other authorised users;
- Identity verification providers for the purposes of identity and biometric verification (such as Veriff);
- Background screening and criminal records providers for the purposes of employment eligibility checks (such as Veremark);
- Payment processors for the purposes of billing and Fee collection (such as Stripe);
- Cloud infrastructure and hosting providers for the purposes of operating the Services (such as Google Cloud and MongoDB Atlas);
- Communications providers for the purposes of email, SMS and customer communications (such as Brevo);
- Analytics, monitoring and security providers for the purposes of operating and securing the Services;
- Professional advisers acting as processors or joint controllers, including lawyers, bankers, auditors and insurers;
- Regulators, law enforcement and other authorities where required by law; and
- Acquirers or successors in connection with any sale, merger or reorganisation of our business.
A current list of named sub-processors is available on request from dpa@crewpass.co.uk. Where we engage a new sub-processor that involves a material change in the way your personal data is processed, we will notify users where required to do so.
6. International transfers
Some of our service providers are based outside the United Kingdom, which means their processing of your personal data may involve a transfer of data outside the UK. Where we transfer personal data outside the UK we ensure a similar degree of protection is afforded to it by relying on one or more of the following safeguards:
- transfer to a country which has been deemed to provide an adequate level of protection for personal data (an adequacy decision under UK or EU law);
- the UK International Data Transfer Agreement (IDTA) issued by the ICO, or the UK Addendum to the EU Standard Contractual Clauses (in force since 21 March 2022); and/or
- the EU Standard Contractual Clauses in Commission Implementing Decision (EU) 2021/914, where the transfer is also subject to EU law.
We do not rely on the 2004 Standard Contractual Clauses, which have been repealed. If you would like more information about the specific safeguards used for a particular transfer, please contact dpa@crewpass.co.uk.
7. Data security
All information you provide to us is stored on our secure servers and protected by appropriate technical and organisational measures, including encryption in transit (TLS), encryption at rest, role-based access controls, network segmentation, logging and monitoring, regular vulnerability testing and personnel training.
Payment transactions are processed by our payment provider using encrypted HTTPS connections; we do not store full card numbers on our systems.
Where you have chosen (or been given) a password, you are responsible for keeping it confidential. We ask you not to share a password with anyone, and to notify us immediately of any suspected compromise.
We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator where we are legally required to do so.
8. Data retention
We retain personal data for as long as is necessary to provide the Services to you and for the period required by law. In particular:
- Account, identity and verification data is retained for the duration of your relationship with CrewPass and for a reasonable period thereafter to allow for re-engagement, dispute resolution and regulatory inquiries.
- Transaction, billing and tax records are retained for a minimum of seven (7) years after the end of the tax year to which they relate, in line with HMRC requirements.
- Background check and criminal records data is retained only for as long as is necessary for the purposes for which it was collected, and is reviewed in accordance with the data retention schedule in Schedule 1.
- Aggregated and anonymised data may be retained indefinitely, since it cannot identify you.
You may request earlier deletion of your data in certain circumstances — see Section 9.
9. Your legal rights
Under UK data-protection law you have the following rights in relation to your personal data:
- Right of access — to obtain a copy of the personal data we hold about you and check that we are lawfully processing it.
- Right to rectification — to have inaccurate or incomplete data corrected.
- Right to erasure — to ask us to delete personal data where there is no good reason for us to continue processing it. We may not be able to comply in full where we have an overriding legal obligation to retain data (for example tax or anti-fraud obligations).
- Right to object — to processing carried out on the basis of legitimate interests, where you have a particular reason for objecting, and to direct marketing at any time.
- Right to restrict processing — in certain circumstances, including where you contest the accuracy of data.
- Right to data portability — to receive personal data in a structured, commonly used and machine-readable format, and to have it transferred to a third party where technically feasible.
- Right to withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before the withdrawal.
- Right to lodge a complaint with the ICO.
You can exercise any of these rights by contacting dpa@crewpass.co.uk.
10. Automated decision-making and AI processing
We use automated processing and AI-assisted tooling to support certain CrewPass services, including:
- automated parsing, classification and validation of certificates and compliance documents;
- automated identity and document verification by our identity verification provider;
- automated risk scoring used to support manual review by our team and our screening providers; and
- automated routing and prioritisation of workflows within the verification pipeline.
These tools are used to support, not replace, decisions made by qualified personnel. Our verification workflow is designed so that a suitable member of our team (or our screening provider) reviews outcomes that affect your CrewPass Accreditation before they take effect. This means our checks involve meaningful human involvement and are not "based solely on automated processing".
Where we do make a significant decision about you that is based solely on automated processing (a decision producing a legal effect, or a similarly significant effect, taken without meaningful human involvement), we comply with the safeguards required by Articles 22A to 22D of the UK GDPR, as inserted by the Data (Use and Access) Act 2025 (in force from 5 February 2026). In that case we will:
- notify you that such a decision has been made;
- give you meaningful information about the decision and the main factors that influenced it;
- enable you to make representations about the decision;
- provide human intervention on our part, so that a suitable person reviews the decision; and
- enable you to contest the decision.
We do not carry out solely automated decision-making that has legal or similarly significant effects using Special Categories of Personal Data (such as health or biometric data) or Criminal Convictions Data unless we have your explicit consent, or another condition permitted by law applies, together with the additional safeguards the law requires.
To exercise any of these rights, or to request human review of a verification outcome, please contact dpa@crewpass.co.uk. We will provide a human review of any verification outcome on reasonable request, and a summary of our automated-decision safeguards procedure (including who carries out the review and how to contest an outcome) is available on request.
11. Third-party links
The Services may from time to time contain links to and from third-party websites, products or services. These third-party services have their own privacy policies. We do not accept responsibility or liability for these policies or for any personal data that may be collected through them.
12. Glossary
Consent — processing personal data where you have signified your agreement by a statement or clear opt-in. Consent must be freely given, specific, informed and unambiguous, and may be withdrawn at any time.
Contract — processing where it is necessary to perform a contract to which you are a party or to take steps at your request before entering into such a contract.
Legitimate interests — the interests of our business in operating it efficiently and securely, balanced against your rights.
Legal obligation — processing necessary to comply with the law.
UK GDPR — the retained EU law version of the General Data Protection Regulation ((EU) 2016/679), as amended, including by the Data Protection Act 2018 and the Data (Use and Access) Act 2025.
DPA 2018 — the Data Protection Act 2018.
SCHEDULE 1 — APPROPRIATE POLICY DOCUMENT FOR PROCESSING CRIMINAL CONVICTIONS DATA AND SPECIAL CATEGORIES OF PERSONAL DATA
This Schedule is the "appropriate policy document" required under the Data Protection Act 2018 where we process Criminal Convictions Data or Special Categories of Personal Data in reliance on a Schedule 1 condition.
Definitions
Controller, Data Subject, Processing and Special Categories of Personal Data have the meanings given in the UK GDPR.
Criminal Convictions Data means personal data relating to criminal convictions and offences, including personal data relating to criminal allegations and proceedings.
DPIA means a Data Protection Impact Assessment.
Why we process Criminal Convictions Data and Special Categories of Personal Data
We process this data for the following purposes:
- assessing applicants' and existing crew members' suitability and fitness to work on a maritime vessel;
- complying with health and safety obligations;
- complying with the Equality Act 2010 and other anti-discrimination obligations;
- checking applicants' and crew members' right to work; and
- verifying that candidates are suitable for employment or continued employment.
Lawful bases and Schedule 1 conditions
We rely on the following lawful bases under Article 6 of the UK GDPR:
- compliance with a legal obligation;
- performance of a contract;
- legitimate interests of CrewPass and of vessel operators, managers and recruitment agencies in operating compliant crewing arrangements; and
- consent, where given.
For Special Categories of Personal Data and Criminal Convictions Data we also rely on conditions in Schedule 1 to the DPA 2018, including:
- Paragraph 1(1)(a) — processing necessary for performing or exercising obligations or rights in connection with employment, social security or social protection;
- Substantial public interest conditions in Schedule 1, including employment, social security and social protection, and the prevention or detection of unlawful acts; and
- Paragraph 8 — equality of opportunity or treatment.
Compliance with the data protection principles
We apply the six UK GDPR principles in Article 5(1) to all processing of this data:
- Lawfulness, fairness and transparency — we document the lawful basis and Schedule 1 condition for each processing activity, and provide clear, accessible information to data subjects through this Privacy Policy.
- Purpose limitation — we use this data only for the employment-eligibility and compliance purposes set out above.
- Data minimisation — we collect only the data necessary for the relevant purpose.
- Accuracy — we maintain procedures to keep this data accurate and up to date.
- Storage limitation — we retain this data only for as long as is necessary for the relevant purpose, in line with the retention rules in Section 8.
- Integrity and confidentiality — we maintain appropriate technical and organisational security measures.
We also comply with the accountability principle by maintaining records of processing, carrying out DPIAs for high-risk processing, providing training to personnel, and reviewing this Schedule and the Privacy Policy at regular intervals.
Retention, review and destruction
Criminal Convictions Data and Special Categories of Personal Data are retained only for so long as they are necessary for the purposes set out above. Once no longer required they are deleted or anonymised. We maintain a retention schedule recording the retention period applicable to each category of data, and review this Schedule and our processing arrangements at regular intervals. This Schedule is retained for the duration of any processing of Criminal Convictions Data and for a minimum of six (6) months after the processing has ceased.
A copy of this Schedule will be provided to the ICO on request, free of charge.