CREWPASS® PRIVACY POLICY

Introduction

CrewPass Ltd (we) are committed to protecting your personal data and respecting your privacy.

This policy (together with our user terms and conditions (Agreement) and any additional terms of use incorporated by reference into the Agreement, together our Terms of Use) applies to any use of:

CrewPass is available on our site and hosted on this website (Hosted Site).
The CrewPass mobile application software (App) once it has been downloaded or a copy is streamed onto a mobile telephone or handheld device (Device).
Any of the services accessible through the Hosted Site or the App (Services) that are available on the App Site or other sites of ours (Services Sites).

This policy sets out the basis on which any personal data we collect from a user, or that a user provides to us, will be processed by us. The Services are not intended for persons under the age of 18 years and we do not knowingly collect data relating to children. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

This policy is split into sections to explain our practices of using your personal data within the business. Please contact us via info@crewpass.co.uk if you have any queries regarding this policy.

Important information and who we are

CrewPass Ltd is the controller and is responsible for your personal data (collectively referred to as "CPL", "we", "us" or "our" in this policy).

If you have any questions about this privacy policy, please contact us using the details set out below:

Full name of legal entity: CrewPass Ltd
Email address: info@crewpass.co.uk
Postal address: F1 Adanac North, Adanac Drive, Southampton, Hampshire, England SO16 0BT, United Kingdom

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues.

Changes to the privacy policy and your duty to inform us of changes

We keep our privacy policy under regular review.

This version was last updated on 4 March 2025. It may change and if it does, these changes will be posted on this page and, where appropriate, notified to you by SMS, email, or when you next start the App or log onto one of the Services Sites. The new policy may be displayed on-screen and you may be required to read and accept the changes to continue your use of the App or the Services.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you.

Third-party links

Our Sites may, from time to time, contain links to and from the websites of our partner networks, advertisers, CrewPass service providers, agencies, vessels and other affiliates. Please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services, such as Contact and Location Data. Please check these policies before you submit any personal data to these websites or use these services.

The data we collect about Users

We may collect, use, store and transfer different kinds of personal data about you as follows:

Identity Data
Contact Data
Financial Data
Transaction Data
Criminal Convictions Data
Device Data
Content Data
Profile Data
Usage Data
Marketing and Communications Data
Location Data

We explain these categories of data here.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from a user's personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate any Usage Data to calculate the percentage of users accessing a specific Service or App feature. However, if we combine or connect Aggregated Data with specific personal data so that it can directly or indirectly identify a user, we treat the combined data as personal data which will be used in accordance with this privacy policy.

We collect and process information about criminal convictions and offences as part of our employment eligibility checks and CrewPass Accreditation scheme. Our Appropriate Policy Document attached as Schedule 1 details how we process criminal convictions data. Schedule 1 forms an integral part of this policy.

How is personal data collected?

We will collect and process the following data about users:

Information users give us — This is information (including identity, contact, financial marketing and communications data) a user consents to give us about the user by filling in forms on the App Site and the Services Sites (together Our Sites), or by corresponding with us (for example, by email or chat). It includes information the user provides when the user registers to use the Services, download or registers the App, subscribe to any of our Services, share data via the App's social media or chat functions, or any other activity carried out in connection with the CrewPass Services, and when the user reports a problem with an App, our Services, or any of Our Sites. If the user contacts us, we will keep a record of that correspondence.

Information we collect about the user and the user's device — Each time a user visits our Site or uses the App we will automatically collect personal data including Device, Content and Usage Data.

Location Data — We may use GPS or similar technology to determine a user's current location. Some of our location-enabled Services require user personal data for the feature to work.

Information we receive from other sources including third parties and publicly available sources

We will receive personal data about users from various third parties and public sources as set out below:

Contact, Financial and Transaction Data from providers of technical, payment and delivery services based inside or outside the UK;
Identity and Contact Data from data brokers or aggregators based inside or outside the UK;
Identity and Contact Data from publicly available sources inside or outside the UK; and
Criminal Convictions Data from screening agents as well as publicly available sources inside or outside the UK.

Unique application numbers — When a user wants to install or uninstall a Service containing a unique application number or when such a Service searches for automatic updates, that number and information about the user's installation, for example, the type of operating system, may be sent to us.

During the verification process, our app collects and shares data with Veriff, a third-party identity verification service. This includes personal information, document details, identity verification data, contact details, technical data, machine-readable data, metadata, device and network information, photos and videos, data from external registries, and data from communications with Veriff. Veriff uses this data to authenticate your identity, and the collected data may be shared with us. For more information on how Veriff uses and processes your data, please visit Veriff's privacy notice.

Cookies

You can set your browser to refuse all or some browser cookies or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Policy.

How we use personal data

We will only use personal data when the law allows us to do so. Most commonly we will use personal data in the following circumstances:

Where a user has consented before the processing.
Where we need to perform a contract we are about to enter or have entered with the user.
Where it is necessary for our legitimate interests (or those of a third party) and the user's interests and fundamental rights do not override those interests.
Where we need to comply with a legal or regulatory obligation.

Click here to find out more about the types of lawful basis that we will rely on to process your personal data.

Purposes for which we will use your personal data

The following examples show types of personal data and reasons for processing personal data collected by CrewPass when an individual submits this data to CrewPass, thus consenting to its use.

Identity — Identifiable personal data for example an individual's name, postal address and date of birth will be processed when an individual creates a CrewPass account in order to carry out a background check and verify the individual's identity, allow them to install the CrewPass mobile application and participate in the CrewPass Accreditation Scheme.
Contact — Contact information including personal telephone and mobile contact numbers, account names and email addresses will be used to contact individuals to manage and maintain our relationship with them, carry out contractual obligations including notifying them of changes to the app or any service updates, or carry out marketing and communications.
Financial — An individual's financial data including transaction information, financial or bank details and payment information are necessary for our legitimate interests (to collect subscription fees from you and to facilitate employment eligibility checks – background and criminal records checks and ID verification).
Marketing and Communications — We will get a user's express opt-in consent before we share personal data with any third party for marketing purposes.
Usage — Necessary for our legitimate interests (to keep records updated and to analyse how customers use our products/Services) and to also monitor trends so we can improve the service and the App.
Device — Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security).
Profile — To manage our relationship with you including notifying you of changes to the App or any Services and to deliver content to you.
Criminal Convictions Data — Performance of a contract with you.
Location — Necessary for our legitimate interests (to develop our products/Services and grow our business).

Disclosures of personal data

When a user consents to providing us with their personal data, we will also ask the user for their consent to share that personal data with the third parties set out below for the purposes set out in the table above (Purposes for which we will use your personal data): Internal Third Parties as set out in the Glossary; External Third Parties as set out in the Glossary; and third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

International transfers

Many of our external third parties are based outside the UK so their processing of your personal data will involve a transfer of data outside the UK.

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented: We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data; and where we use certain service providers, we may use specific contracts approved by the UK which give personal data the same protection it has in the UK.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

Data security

All information you provide to us is stored on our secure servers. Any payment transactions carried out by us or our chosen third-party provider of payment processing services will be using TLS/SSL v1.2 encrypted HTTPS. Where we have given you (or where you have chosen) a password that enables you to access certain parts of Our Sites, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Once we have received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.

Certain Services include social networking, chat room or forum features. Ensure when using these features that you do not submit any personal data that you do not want to be seen, collected or used by other users.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.

Data retention

We retain a user's personal data for the duration of their contract with us for the provision of services to them for CrewPass.

By law, we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for seven years after they cease being customers for tax purposes.

In some circumstances you can ask us to delete your data: see Your legal rights below for further information.

In some circumstances, we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Your legal rights

Under certain circumstances, you have the following rights under data protection laws in relation to your personal data. Please click on the links below to find out more about these rights:

You can exercise any of these rights at any time by contacting us at info@crewpass.co.uk.

Glossary

Consent: Processing your personal data where you have signified your agreement by a statement or clear opt-in to processing for a specific purpose. Consent will only be valid if it is a freely given, specific, informed and unambiguous indication of what you want. You can withdraw your consent at any time by contacting us.

Legitimate Interest: The interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests.

Performance of Contract: Processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Internal third parties: Other companies in the CrewPass Group acting as joint controllers or processors who are based globally and provide IT and system administration and maintenance services.

External third parties: Service providers acting as processors and screening agents based in countries around the world who provide IT and system administration services, background and criminal record check services. Some examples include: employment or placement agencies based in countries around the world that provide crew placement services to marine vessels and who have registered with CrewPass; marine vessels employing crew members, using CrewPass for crew management and vessel operations services; professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers; HM Revenue and Customs, regulators and other authorities.

Description of categories of personal data

A user's personal data can include one or all of the following categories: Identity Data (first name, last name, maiden name, username or similar identifier, marital status, title, date of birth, gender); Contact Data (billing address, delivery address, email address and telephone numbers); Financial Data (bank account and payment card details); Criminal Convictions Data; Transaction Data; Device Data; Content Data; Profile Data (username, password, unique CrewPass ID, biography, qualifications, vaccination status, visa status, employment history, etc.); Usage Data; Marketing and Communications Data; Location Data.

SCHEDULE 1 – Appropriate Policy Document for Processing Criminal Convictions Data and Special Categories of Personal Data

This is the "appropriate policy document" for CrewPass Ltd setting out how we will protect Criminal Convictions Data and Special Categories of Personal Data. This policy supports CrewPass' Privacy Policy and adopts its definitions. This document meets the requirement of the Data Protection Act 2018 that an appropriate policy document is in place where Processing Criminal Convictions Data within certain circumstances.

We process Special Categories of Personal Data and Criminal Convictions Data for purposes including: assessing an employee's fitness to work; complying with health and safety obligations; complying with the Equality Act 2010; checking applicants' and employees' right to work; and verifying that candidates are suitable for employment or continued employment.

We comply with the data protection principles set out in the UK GDPR. We are responsible for and must be able to demonstrate compliance. We have administrative, physical and technical safeguards in place to protect Personal Data. This policy is reviewed annually.

Dated: 4 March 2025

Review date: 4 March 2025

Next review: 4 March 2026