Privacy Policy

1. Introduction and Scope

MyCrew ("we", "us", "our") is committed to protecting the privacy, confidentiality, and security of your personal data. This Privacy Policy explains in detail what information we collect, why we collect it, how we use and process it, who we share it with, how we protect it, and what rights you have in relation to your personal data when you use the MyCrew platform, website, and related services (collectively, the "Service").

This Privacy Policy applies to all users of the Service, including crew members, captains, recruiters, vessel managers, and visitors. By accessing or using the Service, you acknowledge that you have read, understood, and consent to the collection, use, and processing of your personal data as described in this Privacy Policy.

If you do not agree with any part of this Privacy Policy, you must not access or use the Service. We encourage you to read this Privacy Policy in conjunction with our Terms of Service.

2. Data Controller

For the purposes of applicable data protection laws, including the EU General Data Protection Regulation (GDPR), MyCrew is the data controller responsible for your personal data collected through the Service. If you have any questions about how we handle your data, please contact us at hello@mycrew.now.

3. Information We Collect

We collect different categories of information depending on how you interact with the Service:

3.1 Account and identity information: When you create an account, we collect your name, email address, and authentication credentials. If you sign up using a third-party provider (such as Google), we receive your name, email address, and profile picture from that provider. Authentication is managed through Clerk, our trusted identity provider.

3.2 Profile information (Crew and Captains): To build your professional profile, we collect information you voluntarily provide, including but not limited to:

• Personal details: Date of birth, nationality, dual nationality, gender, marital status
• Physical information: Height, weight, shoe size, clothing size, eye colour, hair colour, build type (used for uniform and safety equipment purposes in the maritime industry)
• Contact details: Phone number, WhatsApp number, social media handles, portfolio URL
• Professional information: Current role, target role, department, years of experience, specialisations, career goals, technical and soft skills
• Certifications and qualifications: STCW certificates, maritime licences, professional certifications with institution names, issue dates, expiry dates, and certificate numbers
• Work history: Previous vessel names, roles, dates of employment, vessel specifications, responsibilities, and achievements
• References: Referee names, roles, companies, email addresses, phone numbers, and feedback
• Documents: Passport details, seaman's book information, visa status, driving licence details, medical certificates
• Photographs: Up to six profile images
• Location and availability: Current location, nearest airport, availability status, preferred regions, willingness to relocate, notice period
• Compensation: Salary expectations, daily/weekly rates, currency preference, benefits expected
• Lifestyle information: Dietary requirements, hobbies, interests, personality traits, habits
• Health information: Blood type, allergies, medications, medical conditions, vaccination status, emergency contact details
• Preferences: Job type, rotation preference, vessel preferences, cabin sharing willingness, contract length preferences

3.3 Profile information (Recruiters): For recruiter accounts, we additionally collect company name, company description, website URL, industry, company size, founded year, headquarters location, office locations, regions served, contact details, and social media links.

3.4 Vessel information: If you register vessels, we collect vessel name, type, length, build year, builder, flag state, classification, crew capacity, charter details, and vessel images.

3.5 Usage and interaction data: We automatically collect information about your interactions with the Service, including pages and features accessed, search queries, swipe actions, matches, messages sent and received, job applications, timestamps and frequency of use, and feature engagement patterns.

3.6 Technical data: We collect device type and model, operating system and version, browser type and version, IP address, approximate geographic location derived from IP address, screen resolution, and language preferences.

3.7 Payment data: When you subscribe to a paid plan, payment processing is handled entirely by Stripe. We do not collect, store, or have access to your full credit card number, CVV code, or banking credentials. Stripe may share with us limited information including your card brand, last four digits, expiry date, billing address, and transaction history for record-keeping and customer support purposes.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions where a legal basis for processing is required, we rely on the following:

• Contractual necessity (Article 6(1)(b) GDPR): Processing necessary to perform our contract with you (providing the Service, managing your account, processing payments)
• Consent (Article 6(1)(a) GDPR): Where you have given explicit consent for specific processing activities (e.g., sharing health information, receiving marketing communications). You may withdraw consent at any time.
• Legitimate interests (Article 6(1)(f) GDPR): Processing necessary for our legitimate business interests, including improving the Service, ensuring security, preventing fraud, and conducting analytics, provided these interests are not overridden by your fundamental rights and freedoms
• Legal obligation (Article 6(1)(c) GDPR): Processing necessary to comply with applicable legal obligations (e.g., tax reporting, responding to lawful government requests)

Special category data: Certain information you provide, such as health data (blood type, allergies, medical conditions, vaccination status) and potentially data revealing racial or ethnic origin (nationality, photographs), constitutes special category data under the GDPR. We process this data solely on the basis of your explicit consent (Article 9(2)(a) GDPR), which you provide when you voluntarily enter this information into your profile. You are never required to provide this information, and you may remove it at any time.

5. How We Use Your Information

We use your personal data for the following specific purposes:

• Service delivery: Displaying your profile to potential employers, crew members, or recruiters; facilitating matches through our discovery system; enabling in-platform messaging; processing job applications and listings
• Account management: Creating, maintaining, and securing your account; authenticating your identity; managing your subscription and processing payments
• Communication: Sending you notifications about new matches, messages, job updates, and important account or service-related information
• Personalisation: Tailoring the content and experience of the Service to your preferences, role, and location
• Safety, security, and moderation: Detecting, investigating, and preventing fraudulent, abusive, or illegal activity; enforcing our Terms of Service; protecting the safety and rights of our users and third parties
• Analytics and improvement: Analysing usage patterns, performance metrics, and user feedback to improve, maintain, and develop new features for the Service
• Customer support: Responding to your inquiries, requests, complaints, and feedback
• Legal and regulatory compliance: Fulfilling our legal obligations, responding to lawful requests from government authorities, and establishing, exercising, or defending legal claims

We will not use your personal data for purposes materially different from those described above without first obtaining your consent or providing you with notice and an opportunity to opt out, as required by applicable law.

6. Information Sharing and Disclosure

6.1 With other users: Your profile information is visible to other users of the platform as part of the crew matching and recruitment service. The specific information visible to others depends on your user type and profile visibility settings. You can control your profile visibility (public or private) in your account settings.

6.2 With service providers: We share personal data with trusted third-party service providers who assist us in operating the Service. These providers are bound by contractual obligations to protect your data and may only process it for the specific purposes we instruct:

• Clerk (clerk.com) — Authentication, identity verification, and session management
• Stripe (stripe.com) — Payment processing, subscription management, and billing
• Hosting and infrastructure providers — Server hosting, content delivery, and data storage

6.3 We do NOT:

• Sell, rent, or lease your personal data to any third party for any purpose
• Share your personal data with advertisers or ad networks
• Provide your personal data to data brokers or data aggregators
• Use your personal data for automated profiling that produces legal effects or similarly significant effects without your consent

6.4 Legal requirements: We may disclose your personal data if we believe in good faith that such disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or enforceable governmental request; (b) enforce our Terms of Service, including investigation of potential violations; (c) detect, prevent, or address fraud, security issues, or technical problems; (d) protect the rights, property, or personal safety of MyCrew, our users, or the public as required or permitted by law.

6.5 Business transfers: In the event of a merger, acquisition, reorganisation, bankruptcy, dissolution, or other sale or transfer of some or all of MyCrew's assets, your personal data may be among the assets transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

7. Data Security

We implement and maintain appropriate technical and organisational security measures to protect your personal data against unauthorised access, accidental or unlawful destruction, loss, alteration, or unauthorised disclosure. Our security measures include:

• Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS)
• Secure authentication: User authentication is handled by Clerk, with support for multi-factor authentication (MFA), passwordless login, and OAuth providers
• Challenge-response security: API requests use a cryptographic nonce-based challenge-response mechanism to prevent replay attacks and unauthorised access
• Rate limiting: Per-user and per-endpoint rate limiting to prevent abuse and brute-force attacks
• Access controls: Strict role-based access controls limiting internal access to personal data on a need-to-know basis
• Payment security: Payment processing through Stripe, which is PCI-DSS Level 1 certified — the highest level of certification in the payment card industry
• Regular updates: Ongoing security assessments, dependency updates, and vulnerability patching

While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your data. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, as described in this Privacy Policy, and as required by applicable law. Specifically:

• Active account: Your profile data, content, and usage data are retained for as long as your account remains active
• Account deletion: Upon your request for account deletion, we will delete or anonymise your personal data within 30 days, except where retention is required by law
• Messages: Messages exchanged with other users may persist in the recipients' accounts after your account is deleted
• Financial records: Transaction and billing records may be retained for up to 7 years as required by tax and accounting laws
• Security logs: Security-related logs (login attempts, IP addresses) may be retained for up to 12 months for fraud prevention and security purposes
• Legal disputes: Data relevant to pending or anticipated legal proceedings may be retained until the matter is fully resolved
• Anonymised data: Aggregated, anonymised data that cannot be used to identify you may be retained indefinitely for statistical and analytical purposes

9. Your Rights

Under applicable data protection laws, including the GDPR for users in the European Economic Area (EEA) and United Kingdom, you have the following rights with respect to your personal data:

• Right of access (Article 15 GDPR): You have the right to request a copy of the personal data we hold about you and to receive information about how it is processed
• Right to rectification (Article 16 GDPR): You have the right to request that we correct any inaccurate or incomplete personal data we hold about you. You can also update most of your data directly through your account settings
• Right to erasure (Article 17 GDPR): You have the right to request that we delete your personal data, subject to certain exceptions (such as legal obligations to retain data). Also known as the "right to be forgotten"
• Right to restriction of processing (Article 18 GDPR): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to its processing
• Right to data portability (Article 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to have it transmitted to another data controller where technically feasible
• Right to object (Article 21 GDPR): You have the right to object to the processing of your personal data for certain purposes, including processing based on legitimate interests and direct marketing
• Right to withdraw consent (Article 7(3) GDPR): Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal
• Right not to be subject to automated decision-making (Article 22 GDPR): You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you
• Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data protection rights have been violated

To exercise any of these rights, please contact us at hello@mycrew.now with the subject line "Data Protection Request". We will respond to your request within 30 days of receipt. We may request additional information to verify your identity before processing your request. There is no fee for exercising your rights, except where requests are manifestly unfounded or excessive.

10. Cookies and Tracking Technologies

MyCrew uses cookies and similar technologies to provide, secure, and improve the Service. A cookie is a small text file stored on your device by your web browser.

Types of cookies we use:

• Strictly necessary cookies: Required for core platform functionality, authentication, session management, and security. These cookies are essential for the Service to function and cannot be disabled. They include Clerk authentication cookies, CSRF protection tokens, and session identifiers.
• Functional cookies: Remember your preferences, settings, and choices (such as language preference and theme) to provide a more personalised experience. These cookies are not used for tracking purposes.

What we do NOT use:

• Third-party advertising or targeting cookies
• Cross-site tracking technologies
• Social media tracking pixels or beacons
• Third-party analytics platforms that share data with advertisers

You can manage your cookie preferences through your browser settings. Please note that disabling strictly necessary cookies may prevent you from using the Service or cause it to function improperly.

11. International Data Transfers

Your personal data may be processed and stored on servers located in countries outside your country of residence, including countries outside the European Economic Area (EEA). Our service providers, including Clerk and Stripe, may process your data in the United States and other jurisdictions.

Where personal data is transferred outside the EEA to countries not deemed to provide an adequate level of data protection by the European Commission, we ensure that appropriate safeguards are in place to protect your data, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the European Commission (where applicable)
• Binding corporate rules of our service providers
• The EU-US Data Privacy Framework (where applicable)

You may request a copy of the relevant safeguards by contacting us at hello@mycrew.now.

12. Children's Privacy

The Service is not intended for, directed at, or designed to be used by anyone under the age of 18. We do not knowingly collect, solicit, or store personal data from children under 18. If we become aware that we have inadvertently collected personal data from a person under 18, we will take prompt steps to delete that data from our systems. If you are a parent or guardian and believe your child has provided personal data to us, please contact us immediately at hello@mycrew.now.

13. Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to websites. As there is no universally accepted standard for how to respond to DNT signals, the Service does not currently respond to DNT signals. However, as described in this Privacy Policy, we do not engage in cross-site tracking, third-party advertising tracking, or the sale of personal data.

14. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

• The right to know what personal information we collect, use, disclose, and sell
• The right to request deletion of your personal information
• The right to opt out of the sale or sharing of your personal information
• The right to non-discrimination for exercising your privacy rights
• The right to correct inaccurate personal information
• The right to limit the use and disclosure of sensitive personal information

MyCrew does not sell or share your personal information as defined under the CCPA/CPRA. To exercise your California privacy rights, please contact us at hello@mycrew.now.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Post the revised Privacy Policy on this page
• Where required by applicable law, notify you by email or through the Service before the changes take effect

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data. Your continued use of the Service after the posting of changes constitutes your acceptance of the revised Privacy Policy.

16. Contact Information

If you have any questions, concerns, or complaints about this Privacy Policy, our data processing practices, or if you wish to exercise your data protection rights, please contact us at:

Email: hello@mycrew.now
Website: https://mycrew.now
Subject line: Privacy Policy Inquiry

We will make reasonable efforts to respond to all privacy-related inquiries within 30 days of receipt. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.