1. Who we are
The data controller for this website and the Crewmates service is {{COMPANY_NAME}}, a company registered in England and Wales (company number {{COMPANY_NUMBER}}), with its registered office at {{REGISTERED_ADDRESS}}.
We are registered with the UK Information Commissioner's Office (ICO) under registration number {{ICO_REGISTRATION}}.
For any data protection enquiry, including how to exercise your rights, you can contact our Data Protection Officer at {{DPO_EMAIL}} or by post at the address above.
Where Crewmates is used by your employer or another organisation (the "Customer"), that organisation is the controller of personal data processed within the platform on its behalf. In that case we act as a processor under Article 28 UK GDPR, and the Customer's own privacy notice will set out how your data is used. The terms of our processing are set out in the Data Processing Addendum we sign with each Customer, available on request.
2. The personal data we collect
We collect and process the following categories of personal data:
- Account data: name, work email, role/job title, employing organisation, phone number, profile photo, account credentials.
- Employment & compliance data: DBS check results, DVLA licence details, qualifications and certificates, training records, policy acknowledgements, working time records.
- Operational data: shifts, locations during shifts, vehicle and equipment usage, incident reports, messages and bulletins.
- Clinical (special category) data: where the platform is used to record patient care, patient demographics, vitals, treatments, medications administered, attachments and clinical notes. See section 4.
- Financial data: payroll details, bank account and sort code information for staff (where required for pay), invoicing data for customers (processed via our payments provider).
- Technical & usage data: IP address, browser type, device identifiers, pages viewed, time spent on pages, referring URL, error logs.
- Marketing & enquiry data: contact details provided via our website forms, demo requests, sales correspondence.
3. Why we process it (lawful bases)
Under Article 6 UK GDPR we rely on the following lawful bases:
- Contract (Art. 6(1)(b)): to provide the Crewmates service to you or your organisation, including authentication, billing and support.
- Legitimate interests (Art. 6(1)(f)): to keep the service secure, prevent fraud, improve the product, and conduct limited B2B marketing. Where we rely on legitimate interests we balance these against your rights and you can object at any time (see section 8).
- Legal obligation (Art. 6(1)(c)): to comply with statutory duties, including those under the Data Protection Act 2018, employment law, tax/HMRC rules and clinical record retention guidance.
- Consent (Art. 6(1)(a)): for non-essential cookies and optional marketing communications.
4. Health and other special category data
Clinical records (electronic Patient Care Records, vitals, treatments) constitute special category personal data under Article 9 UK GDPR. We process this data only when our Customer (the controller, typically the provider organisation employing the clinician) has a valid Article 9 condition, most commonly:
- Article 9(2)(h): provision of health or social care; management of health systems and services. Supplemented by the conditions in Schedule 1 Part 1 of the Data Protection Act 2018.
- Article 9(2)(c): vital interests, where the patient is physically or legally incapable of giving consent (e.g. unconscious casualties).
We support our Customers' obligations by providing role-based access, end-to-end audit logging, and clinical retention defaults aligned to NHS guidance (currently 8 years for adult records).
7. International transfers
We aim to keep personal data within the UK or the European Economic Area (EEA). Where a sub-processor is located outside the UK/EEA (for example Stripe and Twilio operate group infrastructure in the US), transfers are protected by an appropriate safeguard under Article 46 UK GDPR, typically the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or reliance on a relevant adequacy decision.
Details of the safeguards in place are available from {{DPO_EMAIL}}.
8. Your rights
Under the UK GDPR you have the right to:
- be informed about how your data is used (this notice);
- request a copy of your data (subject access);
- correct inaccurate data (rectification);
- erase data we hold about you, in limited circumstances;
- restrict or object to processing in certain circumstances;
- receive your data in a portable format and have it transmitted;
- not be subject to solely automated decisions with legal effect; and
- withdraw consent where processing is based on consent.
To exercise any of these rights, contact {{DPO_EMAIL}}. We will respond within one calendar month. You also have the right to complain to the Information Commissioner's Office at ico.org.uk or 0303 123 1113. We'd ask you to raise concerns with us first so we can put things right.
9. How long we keep data
We retain personal data only for as long as we need it for the purpose for which it was collected, or for as long as we are required to by law:
- Account data: for the duration of your account, plus 6 years after closure (in line with limitation periods).
- Clinical records: controlled by the relevant Customer (the controller); platform defaults are aligned to NHS retention (currently 8 years for adult records, longer for paediatric).
- Payroll & financial records: at least 6 years (HMRC requirement).
- Marketing enquiries: 2 years from last interaction, unless you withdraw consent earlier.
- Audit logs: 7 years.
- Server logs (security): typically 90 days.
10. How we protect your data
We apply technical and organisational measures appropriate to the risk, including TLS 1.3 encryption in transit, AES-256 encryption at rest, role-based access control, row-level security in the database, mandatory multi-factor authentication for staff users, immutable audit logs and regular backups with documented restore testing. Full detail is set out on our security page.
11. Children
The Crewmates service is intended for use by professional users aged 16 or over (or 18+ for clinical roles). We do not knowingly process the personal data of children for our own marketing. Patient records may relate to children where the controlling Customer provides paediatric care.
12. Automated decision-making
We do not make decisions about you that produce legal effects based solely on automated processing. Some workflows (e.g. compliance flags) are surfaced automatically but a human always reviews the outcome.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be flagged on this page and, where appropriate, notified to you by email or in-app message. The "last updated" date at the top reflects the latest version.
14. Contact us
If you have any questions about this Privacy Policy or how we handle your personal data, please email {{DPO_EMAIL}} or write to {{COMPANY_NAME}}, {{REGISTERED_ADDRESS}}.