Crewvolution

Politique de confidentialité

1. Controller

The controller within the meaning of the GDPR is:

Luke Hanssen

[Address - see Legal Notice]

Email: [email protected]

2. General

We process personal data only to the extent necessary to provide a functional platform and our services. Processing is based on legal grounds, in particular Art. 6 GDPR.

3. Data Collected & Purposes

3.1 Access Data / Server Logs

On each visit, the web server automatically records: IP address, date and time, requested URL, data transferred, browser type and operating system. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring stable operation).

3.2 Registration & User Account

Registration is required to use the platform. Name, email address and - depending on the login method - additional profile data are processed. Legal basis: Art. 6(1)(b) GDPR (contract performance).

3.3 Crew Management Data

Project data, shift schedules, availability and assignments are processed for the purpose of contract performance (Art. 6(1)(b) GDPR).

3.4 Notifications

When notifications via email, SMS or Discord are enabled, the corresponding contact details are used for delivery. Legal basis: Art. 6(1)(b) GDPR.

3.6 Usage Analytics

We use Plausible Analytics, self-hosted on our own Hetzner infrastructure. The following data is collected: page URL, HTTP referrer, browser and operating system (derived from the user agent), device type, and country (derived from the IP address - the IP address itself is never stored or logged). When key workflows are completed (e.g. creating a project, assigning a shift), a named event with no personal identifiers is recorded. No cookies are set and no personal identifiers are stored. Legal basis: Art. 6(1)(f) GDPR - legitimate interest in understanding and improving platform usage.

3.5 Error Monitoring, Observability & Session Replay

We use Sentry (Functional Software, Inc.) to detect and resolve technical errors and to monitor platform stability. The following data is processed: error messages, stack traces, device information and IP address on errors; application logs from normal operation; performance metrics and profiling data from server components (CPU profiles, response times, counters). For authenticated users, the user ID, email address and display name are additionally transmitted to associate error reports with a user account and enable targeted troubleshooting. Data is stored on EU servers (Frankfurt, Germany). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in maintaining platform stability and fixing errors).

Session Replay (consent-based only):With your consent, a small fraction of sessions (~1%, up to 100% on errors) may be recorded as an anonymised session replay to help diagnose bugs. Personal inputs (e.g. passwords, form fields) are automatically masked. Legal basis: Art. 6(1)(a) GDPR (consent). Consent can be withdrawn at any time by clearing your browser's localStorage.

4. OAuth / Third-Party Login

When signing in via OAuth, these services transmit basic profile data (name, email, profile picture). We do not store passwords for any third-party provider.

  • Discord (Discord Inc., San Francisco, USA)

    Privacy policy: discord.com/privacy. Data transfer to the USA based on Standard Contractual Clauses (Art. 46 GDPR).

  • Google (Google LLC, Mountain View, USA)

    Privacy policy: policies.google.com/privacy. Google LLC is certified under the EU-US Data Privacy Framework (Art. 45 GDPR).

  • GitHub (GitHub Inc. / Microsoft, USA)

    Privacy policy: github.com/privacy. Data transfer to the USA based on Standard Contractual Clauses (Art. 46 GDPR).

5. Processors & Third-Party Services

We use the following processors under Data Processing Agreements (Art. 28 GDPR):

ServicePurposeLocation
Hetzner Online GmbHServer hosting, database (server location: Helsinki, Finland)Germany (EU)
Twilio Inc.SMS notificationsUSA (SCCs)
Self-hosted email serverSystem emails (notifications, transactional)EU (Hetzner)
Sentry (Functional Software, Inc.)Error monitoring, Logs, Profiling, Session ReplayEU (Frankfurt, DE)

User-provided SMTP: Project owners may configure their own SMTP credentials. For those emails, the respective project owner is responsible for GDPR compliance with their chosen provider.

6. Cookies & Browser Storage

Crewvolution uses two categories of cookies and local browser storage:

  • Strictly necessary (always active): Authentication session cookie, error monitoring and performance tracing (Sentry, without behaviour recording). Legal basis: § 25(2)(2) TTDSG - no consent required.
  • Session Replay (consent-based):Sentry stores a session identifier in localStorage to enable anonymised session recording. Only set when you choose "Accept all" in the cookie banner. Legal basis: § 25(1) TTDSG in conjunction with Art. 6(1)(a) GDPR. Consent is valid for 12 months. Withdraw at any time via the "Cookie settings" button in the website footer, or by deleting the cookie-consent key from localStorage.

No tracking, analytics or advertising cookies are used. Our analytics tool (Plausible) operates without cookies and stores no personal identifiers.

7. Retention

Personal data is deleted once the purpose no longer applies or when you delete your account. Server logs are automatically deleted after 30 days at the latest.

8. Your Rights

You have the following rights regarding your personal data:

  • Access to your stored data (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure of your data (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection to processing (Art. 21 GDPR)
  • Complaint to a supervisory authority (Art. 77 GDPR) - a list of German authorities is available at the BfDI.

Since we process data on the basis of contract performance and legitimate interests - not consent - there is no separate right of withdrawal. You may object to processing based on legitimate interests at any time (Art. 21 GDPR).

To exercise your rights: [email protected]

9. Automated Decision-Making & Profiling

We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.

10. Obligation to Provide Data

Name and email address are contractually required for registration and use of Crewvolution. Additional data (e.g. phone number for SMS notifications) is voluntary and can be managed in your settings.

11. Security

All data transfers are secured by TLS/SSL encryption. We implement technical and organisational measures to protect your data against unauthorised access, loss or alteration.

12. Changes to This Policy

We reserve the right to update this privacy policy to reflect changes in legal requirements or our services. The updated version applies from the date of publication.

Last updated: May 2026