Privacy Policy

1. Data Controller

The Platform is operated by:

Vladislav Poliakov
Merkez Mah. Eski Edirne Asfalti Cad. No: 1307/A
Gaziosmanpaşa, 34250 Istanbul, Turkey
Email: support@crewbase.pro | hello@crewbase.pro
Web: https://crewbase.pro

The Operator serves as Data Controller under GDPR (and analogous frameworks) for personal data processed.

2. Data Protection Principles & Minimization

We apply core principles: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity & confidentiality, and accountability. We collect only data reasonably necessary for recruitment matching, application workflows, security, subscription management and user support. Optional fields are labelled. Do not upload sensitive personal data not requested unless explicitly required by applicable maritime regulation.

3. Categories of Personal Data

3.1 Account & Identity: Email (required), name, user type (jobSeeker/employer/admin), company name (employer), internal IDs.

3.2 Profile & Professional (Job Seeker): Experience, vessel history, ranks, availability dates, regions, certifications metadata, uploaded documents, languages, skills, preferences, AI search prompts, and contact details.

3.3 Employer & Company: Company description, logo, contact role, approval status, posting history, moderation flags.

3.4 Job & Application: Job titles, descriptions, requirements, source attribution, timestamps, application status, view indicators, delivery metrics, resume generation metadata.

3.5 Interaction & Feedback: Reports, complaints, feedback forms, moderation notes (access restricted to admins).

3.6 Technical & Usage: Auth events, session timestamps, notification tokens, app version, crash & performance diagnostics, anonymized usage metrics.

3.7 Purchases & Subscriptions: Transaction/receipt identifiers, product identifiers (SKUs), entitlement state, renewal period, trial eligibility via RevenueCat. No raw card data is received.

3.8 Security & Abuse: Fraud indicators, rate limit counters, hashed references, temporarily cached IP for abuse prevention.

3.9 Notification Preferences: Toggle states for job alerts, application updates, profile views, reminder categories.

4. Special Categories & Children

We do not intentionally collect special category data (GDPR Art. 9) nor children's data (<16). The Platform's professional orientation means minors should not register. If you believe such data was submitted inadvertently, request removal: support@crewbase.pro.

5. Legal Bases (GDPR Mapping)

• Contract Performance: Account creation, profile display, job matching, application submission, subscription entitlement.
• Legitimate Interests: Security, service reliability, aggregated analytics, preventing spam, improving matching quality, defending legal claims.
• Consent: Optional notifications, marketing emails (future), additional optional profile attributes.
• Legal Obligation: Retention for tax, financial record keeping, responding to lawful requests.

6. Purposes of Processing

Provide core functionality; candidate discovery & evaluation; resume generation; delivery and tracking of applications; acceptable use enforcement; moderation & complaint handling; subscription entitlement & billing validation; security monitoring; aggregated, anonymized analytics; service notices; legal and regulatory compliance.

7. Job Source Transparency & Data Origins

Jobs appear either posted directly by verified employers, curated from publicly accessible sources with attribution, or contributed through authorized agency feeds. If a source owner disputes inclusion, we will review and remove or adjust attribution within 24 hours.

CrewBase acts as an aggregation platform and does not verify, endorse, or guarantee the accuracy, legitimacy, or safety of any job posting or employer listed on the Platform. Users should independently verify all job opportunities and employer identities before sharing personal data or documents. See Section 7A for safety recommendations.

7A. Safety & Fraud Awareness

To protect your personal data and safety:

• Never send money, bank details, or payment as a condition of employment or recruitment.
• Do not share copies of passports, certificates (STCW, CoC), or other identity documents with unverified employers or via insecure channels.
• Verify the employer's identity through official maritime authority registries, company websites, and independent research before engaging.
• Be wary of offers requiring urgency, upfront fees, or communication outside the Platform.
• Report suspicious job postings or contacts immediately via the in-app report function or support@crewbase.pro.

CrewBase bears no liability for losses arising from interactions with third parties encountered through the Platform.

8. Disclosure & Sharing

We do NOT sell personal data. We disclose only as necessary:

• Infrastructure & Processors: Firebase (Auth, Firestore, Storage, Messaging), email services, RevenueCat.
• Employers: Receive applicant profile data only for active recruitment evaluation. Applications may be routed via proxy channels.
• Job Seekers: View job posting details employers publish. Proxy routing may hide employer's underlying email address.
• Admins/Moderation: Limited access for compliance, verification, abuse and safety review.
• Legal/Regulatory: When compelled by valid legal request.

9. International Transfers

Data may be processed in multiple regions including EU and US via Firebase. Safeguards include Standard Contractual Clauses (Google), encryption in transit (TLS) and at rest.

10. Retention

We apply defined retention windows then delete or anonymize:

• Account & Profile: Until deletion or 24 months inactivity. "Inactivity" is defined as no authenticated login or app activity for a continuous period of 24 months, as determined by the last recorded activity timestamp in the user’s profile.
• Applications & Jobs: Active + up to 24 months
• Subscription Records: Statutory period + up to 6-10 years (jurisdiction dependent)
• Security & Access Logs: 90-365 days
• Crash/Performance Data: Up to 180 days
• Complaints/Reports: Lifecycle + up to 24 months
• Backups: Rolling up to 30 days

11. Data Subject Rights & Procedure

Rights: Access, Rectification, Erasure, Restriction, Portability, Objection, Withdraw Consent, Complaint to supervisory authority.

Procedure: Email support@crewbase.pro with subject "Data Rights Request". We may require email validation. Response normally within 30 days. Portability format: JSON/CSV where feasible.

12. Automated Processing & Profiling

AI/semantic ranking and match scores are assistive relevance indicators only; no automated decision produces legal or similarly significant effects. Human review is required for any hiring decision.

12A. Data Protection Impact Assessment (DPIA)

Where processing activities are likely to result in a high risk to the rights and freedoms of individuals (e.g. large-scale profiling, AI-assisted candidate matching, or systematic monitoring), the Operator conducts Data Protection Impact Assessments in accordance with GDPR Art. 35. DPIAs are reviewed and updated when processing operations change materially.

13. Security

Measures include: Firebase Auth session handling; Firestore security rules; encryption in transit (TLS 1.2+) and at rest; scoped API keys; periodic access review; segregation of production and test data; rate limiting & abuse detection; monitoring for anomalous patterns. No method guarantees absolute security; residual risk remains.

13A. Security Incident Response

Material data breaches are handled per Section 14A of the Terms (incident investigation, containment, notification where mandated, remediation). Users should promptly report suspected unauthorized access to support@crewbase.pro.

14. Candidate Data Confidentiality (Employers)

Employers agree to use candidate personal data exclusively for recruitment evaluation. Prohibited: exporting candidate lists for unrelated marketing, public disclosure, resale, or indefinite retention after a role is filled. Suspected breach: notify support@crewbase.pro promptly.

15. Job Seeker Responsibilities

Do not submit fabricated credentials, forged certificates or another person's identity. Do not mass spam applications. Use of publicly sourced job data is restricted to personal application purposes.

16. Complaints & Takedown (24H)

Report alleged infringement, privacy breach, unlawful posting, impersonation or data misuse to support@crewbase.pro with sufficient detail. Validated reports will trigger removal within 24 hours.

17. Data Deletion & Account Closure

In-app deletion or written request results in profile, applications and documents being deleted or irreversibly anonymized, subject to: retention of minimal transactional/security logs; legal obligations; backup latency up to 30 days.

18. Children & Age Rating

App Store content rating 4+ does not indicate the intended professional audience. The Platform is not directed to children under 16. If we learn a minor under 16 registered, we will promptly delete the account.

19. Cookies / SDK Identifiers

The mobile app does not use third-party advertising SDKs nor IDFA. Firebase/RevenueCat may utilize internal identifiers strictly for functionality, analytics or entitlement reconciliation.

19A. Website Cookies & Tracking

The CrewBase website (crewbase.pro) may use the following categories of cookies and similar technologies:

• Strictly Necessary: Session management, security tokens, cookie consent preferences. These cannot be disabled.
• Functional: Language preferences, theme settings. Used to enhance user experience.
• Analytics: Anonymized usage metrics (e.g. page views, referral sources) to improve the website. No personal advertising profiles are built.

We do not use third-party advertising or behavioral tracking cookies. A cookie consent banner is displayed on first visit allowing users to manage non-essential cookie preferences. For more information or to withdraw consent, contact support@crewbase.pro.

20. Marketing Communications

At present we do not send promotional email marketing. If introduced, a clear opt-in and unsubscribe mechanism will be provided.

21. Changes

Material Privacy Policy changes will be announced in-app or by email with reasonable notice. Continued use post-effective date indicates acceptance.

22. Complaints to Authorities

You may lodge a complaint with your local data protection authority. We encourage contacting us first.

23. Subprocessors

Current subprocessors handling Personal Data:

• Google Firebase (GCP): Hosting, DB, Auth, Storage, FCM – EU/US (SCCs)
• RevenueCat: Subscription receipt & entitlement processing – US/SCCs
• Resend: Transactional email delivery – US/SCCs
• Apple (APNs): Push delivery – Global
• Firebase Crashlytics/Performance: Crash & performance telemetry – EU/US (SCCs)

24. Law Enforcement Request Policy

We require valid legal process for disclosure unless there is an emergency involving imminent risk. Requests are reviewed for scope and legality. Where permitted, affected users are notified prior to disclosure.

25. CCPA / CPRA (California)

We do not sell or share Personal Information for cross-context behavioral advertising. California consumers may exercise access, deletion, correction and opt-out rights via support@crewbase.pro. We will not discriminate for exercising any CPRA right.

26. Schrems II & International Transfer Safeguards

EU/EEA Personal Data transfers rely on Standard Contractual Clauses plus supplementary measures: TLS encryption, provider at-rest encryption, role-based access, minimization, logging and periodic risk review.

27. Contact

Data Controller / Operator: Vladislav Poliakov
Address: Merkez Mah. Eski Edirne Asfalti Cad. No: 1307/A, Gaziosmanpaşa, 34250 Istanbul, Turkey
Support: support@crewbase.pro
General: hello@crewbase.pro

Privacy: https://crewbase.pro/privacy
Terms: https://crewbase.pro/terms
Refund: https://crewbase.pro/terms#refund

28. Data Processing Addendum (DPA) Placeholder

Where an Employer requires a GDPR Art. 28 DPA and the Operator acts as processor for certain limited processing, a mutually executed DPA with SCCs can be provided upon request. Until execution, processing is performed as independent controllers except for clearly processor-style tasks.