The controller within the meaning of the GDPR is:
We process personal data only to the extent necessary to provide a functional platform and our services. Processing is based on legal grounds, in particular Art. 6 GDPR.
3.1 Access Data / Server Logs
On each visit, the web server automatically records: IP address, date and time, requested URL, data transferred, browser type and operating system. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring stable operation).
3.2 Registration & User Account
Registration is required to use the platform. Name, email address and — depending on the login method — additional profile data are processed. Legal basis: Art. 6(1)(b) GDPR (contract performance).
3.3 Crew Management Data
Project data, shift schedules, availability and assignments are processed for the purpose of contract performance (Art. 6(1)(b) GDPR).
3.4 Notifications
When notifications via email, SMS or Discord are enabled, the corresponding contact details are used for delivery. Legal basis: Art. 6(1)(b) GDPR.
When signing in via OAuth, these services transmit basic profile data (name, email, profile picture). We do not store passwords for any third-party provider.
Discord (Discord Inc., San Francisco, USA)
Privacy policy: discord.com/privacy. Data transfer to the USA based on Standard Contractual Clauses (Art. 46 GDPR).
Google (Google LLC, Mountain View, USA)
Privacy policy: policies.google.com/privacy. Google LLC is certified under the EU-US Data Privacy Framework (Art. 45 GDPR).
GitHub (GitHub Inc. / Microsoft, USA)
Privacy policy: github.com/privacy. Data transfer to the USA based on Standard Contractual Clauses (Art. 46 GDPR).
We use the following processors under Data Processing Agreements (Art. 28 GDPR):
| Service | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting, database (server location: Helsinki, Finland) | Germany (EU) |
| Twilio Inc. | SMS notifications | USA (SCCs) |
| Self-hosted email server | System emails (notifications, transactional) | EU (Hetzner) |
User-provided SMTP: Project owners may configure their own SMTP credentials. For those emails, the respective project owner is responsible for GDPR compliance with their chosen provider.
Crewvolution uses only technically necessary cookies (session cookies for authentication). No tracking, analytics or advertising cookies are used. Legal basis: § 25(2)(2) TTDSG — no consent required for strictly necessary cookies.
Personal data is deleted once the purpose no longer applies or when you delete your account. Server logs are automatically deleted after 30 days at the latest.
You have the following rights regarding your personal data:
Since we process data on the basis of contract performance and legitimate interests — not consent — there is no separate right of withdrawal. You may object to processing based on legitimate interests at any time (Art. 21 GDPR).
To exercise your rights: [email protected]
We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.
Name and email address are contractually required for registration and use of Crewvolution. Additional data (e.g. phone number for SMS notifications) is voluntary and can be managed in your settings.
All data transfers are secured by TLS/SSL encryption. We implement technical and organisational measures to protect your data against unauthorised access, loss or alteration.
We reserve the right to update this privacy policy to reflect changes in legal requirements or our services. The updated version applies from the date of publication.
Last updated: April 2026