Privacy Policy

1. Definitions

1.1. Account: the user account you create to access the Service.

1.2. Organization: the employer, business, or team that operates an Account and invites Users to it.

1.3. User: any individual using the Service, including Managers, Administrators, and Employees.

1.4. Personal Data: any information relating to an identified or identifiable natural person.

1.5. Sensitive Information: information as defined by the Australian Privacy Principles, including health information, racial or ethnic origin, and biometric data.

1.6. User Data: all data and content submitted to the Service by Users or Organizations.

1.7. Cookies: small text files placed on your device to help the Service recognize repeat visitors and support certain features.

2. Information We Collect

2.1. Information You Provide

• Registration Data: name, email address, phone number, and date of birth where required for age verification.
• Profile Data: profile photo, position, skills, certifications, preferred availability, hour targets, and emergency contact details.
• Organization Data: company name, business address, positions, shift templates, location details, and scheduling rules you configure.
• Scheduling Data: shifts, assignments, shift swaps, leave requests, availability changes, and timesheet information.
• Communications: messages, notifications, and support requests submitted through the Service.
• Social Authentication Data: when you sign in using a third-party provider (Google, Apple, Microsoft), we collect only the email address and basic profile information (name, profile picture) required to create and authenticate your Account.

2.2. Automatically Collected Information

• Usage Data: pages viewed, actions taken, feature interactions, and session length.
• Device & Technical Data: IP address, browser type and version, operating system, device identifiers, and network information.
• Location Data: approximate location inferred from IP address or device settings, where enabled.

2.3. Cookies & Tracking Technologies

• We use Cookies and similar technologies (e.g., web beacons, local storage) for essential functionality, analytics, and marketing.
• Essential Cookies: required for basic operation such as login sessions.
• Analytics Cookies: help us understand usage patterns.
• Marketing Cookies: used only with consent to enable remarketing and measurement.
• You can manage cookie preferences through in-app settings or your browser's cookie controls.

3. How We Use Your Information

• Provision of Service: to operate, maintain, and improve scheduling, shift templates, availability tracking, leave management, and related features.
• Organization Operations: to allow Managers and Administrators to build rosters, approve leave and swaps, and track hours within your Organization.
• Communications: to send account confirmations, schedule change notifications, security alerts, and optional product updates.
• Analytics & Insights: to analyze usage trends, model scheduling performance, and improve the product.
• Fraud Prevention & Security: to detect and prevent unauthorized access, abuse, or fraudulent activity.
• Legal & Compliance: to comply with legal obligations, respond to lawful requests, and enforce our Terms.
• SMS / Email Messaging: to send transactional messages such as shift reminders and verification codes, with your prior consent.

4. Roles and Responsibilities

4.1. When you use CrewCentral as part of an Organization, the Organization is the controller of the Personal Data submitted in connection with your employment or engagement (for example, scheduling, availability, and shift history). CrewCentral acts as a processor on behalf of the Organization for that data.

4.2. For Personal Data related to account access, billing, and direct use of our public website, CrewCentral acts as the controller.

4.3. If you are an Employee of an Organization using CrewCentral and have questions about your data, please contact your Organization's administrator first. We will assist as required to fulfil your rights under applicable law.

5. SMS / Messaging Services

5.1. Consent Required: by providing your phone number and opting in, you consent to receive SMS or push notifications from CrewCentral for service notifications, schedule changes, shift reminders, verification codes, and other transactional communications.

5.2. Message Frequency: frequency varies based on your activity and preferences; you may receive multiple messages per week.

5.3. Opt-Out: you can opt out at any time by replying "STOP" to any SMS or updating preferences in your Account settings. Opting out of transactional messages may affect the Service.

5.4. Message and Data Rates: standard message and data rates may apply from your mobile carrier.

5.5. Service Providers: we use third-party providers such as Twilio and similar vendors to deliver messages. These providers may access your phone number and message content solely to deliver the communication.

6. Legal Bases for Processing

Where applicable privacy laws require a legal basis, we rely on:

• Consent: where you have given clear consent.
• Performance of Contract: to deliver the Service you or your Organization has subscribed to.
• Legitimate Interests: to operate and secure the Service, improve functionality, and promote our offerings, balanced against your rights.
• Legal Obligation: to comply with applicable laws and regulations.

7. Data Sharing & Disclosure

• Within Your Organization: Managers and Administrators can view Personal Data necessary for scheduling operations, including profile details, availability, and schedule history.
• Service Providers & Partners: we share Personal Data with third-party vendors (hosting, email delivery, analytics, messaging) under contractual confidentiality obligations.
• Rostering Integrations: where you connect an external rostering platform (for example, Sling), we exchange data required to keep your schedule in sync. You control which integrations are enabled.
• Business Transfers: in a merger, acquisition, or sale of assets, Personal Data may be transferred to the acquiring entity, subject to this Policy.
• Aggregated & De-identified Data: we may aggregate and anonymize data for research and product analytics; no personally identifiable information is included.
• Legal Requirements: we may disclose Personal Data to comply with law, respond to valid legal process, or protect the rights and safety of our Users.

We do not sell your Personal Data.

8. Data Retention

We retain Personal Data only as long as necessary to provide the Service, comply with legal obligations, or resolve disputes. Data associated with inactive accounts may be deleted after 24 months of inactivity unless you request earlier deletion or your Organization requires longer retention for record-keeping.

9. International Data Transfers

CrewCentral operates a remote-first team and engages service providers across multiple regions. User data may be stored or processed in Australia or in other regions where our service providers operate. When Personal Data is transferred internationally, we rely on appropriate safeguards (including Standard Contractual Clauses where required) to ensure an adequate level of protection consistent with the Australian Privacy Principles and other applicable laws.

10. Your Rights & Choices

Access & Portability: you may request a copy of the Personal Data we hold about you in a commonly used format.

Correction: you may update or correct inaccurate information via your Account settings or by contacting us.

Deletion: you may request deletion of your Personal Data, subject to legal retention obligations.

Objection & Restriction: where lawful, you may object to or restrict processing based on legitimate interests or direct marketing.

Withdraw Consent: where processing relies on consent, you may withdraw at any time without affecting prior processing.

Opt-Out: you can opt out of marketing communications at any time via unsubscribe links or in-app settings.

You may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC) or your local data protection authority.

11. Minors

The Service is intended for users aged 16 and over. Users aged 16–17 may use the Service only where it is permitted by their Organization and with parental or guardian consent where required by local law. We do not knowingly collect Personal Data from children under 16 without appropriate consent.

12. Security

We implement reasonable technical, administrative, and physical safeguards to protect Personal Data against unauthorized access, loss, or alteration, including encrypted data transmission (TLS), secure authentication tokens, and access controls. No security system is impenetrable, and we cannot guarantee absolute security.

13. Third-Party Services and External Links

13.1. The Service may contain links to or integrations with third-party websites, applications, and APIs (for example, rostering platforms, calendar services, and authentication providers). We are not responsible for their privacy practices.

13.2. We encourage you to review the privacy policies of any third-party services before connecting them to your Account or providing them with Personal Data.

14. Data Export and User Remedies

14.1. Data Export: you may request an export of your Personal Data in a commonly used format (JSON or CSV) by contacting us at support@crewcentral.com. We will respond within 30 days.

14.2. Account Deletion: you may request deletion of your Account and associated Personal Data. Upon deletion, your data will be permanently removed within 30 days, except where retention is required by law or by your Organization.

14.3. Data Retention: after account deletion or 24 months of inactivity, we permanently delete Personal Data unless legal obligations (for example, payroll or tax records held on behalf of an Organization) require longer retention.

15. Jurisdictional Compliance

15.1. Australian Privacy Principles (APPs): we handle Personal Data consistent with the APPs set out in the Privacy Act 1988 (Cth), including obligations around collection, use, disclosure, quality, security, access, and correction.

15.2. GDPR Rights: if you are located in the European Economic Area or the UK, you have additional rights under the GDPR or UK GDPR, including the rights to access, rectify, erase, restrict processing, data portability, and object to processing.

15.3. CCPA Rights: if you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know what Personal Data is collected, to delete Personal Data, and to opt out of any sale of Personal Data (we do not sell Personal Data).

15.4. Data Subject Requests: to exercise any of these rights, please contact us at privacy@crewcentral.com with your request and proof of identity. We will respond within 30 days.

16. Automated Decision-Making

16.1. Automated Scheduling: we use automated algorithms to generate proposed shift schedules based on Organization rules, availability, skills, and preferences you and your Organization configure.

16.2. Human Oversight: proposed schedules are reviewed and published by a human Manager or Administrator within your Organization. We do not make employment, disciplinary, or payroll decisions on your behalf.

16.3. Your Rights: you have the right to request human review of any automated output that affects you. Contact us at privacy@crewcentral.com to exercise these rights.

17. Cookie Management and Consent

17.1. Strictly Necessary Cookies: essential for the Service to function (authentication, security, core functionality) and cannot be disabled.

17.2. Non-Essential Cookies: analytics and marketing cookies are used only with your consent. You can manage these preferences via the cookie banner or your account settings.

17.3. Browser Controls: you may also manage cookies through your browser settings, though doing so may affect Service functionality.

18. Third-Party Service Providers

18.1. Infrastructure & Hosting: cloud hosting, content delivery networks, and application performance providers.

18.2. Analytics & Performance: privacy-aware analytics providers used to understand how the Service is used.

18.3. Communication Services: Twilio and similar vendors for SMS, email delivery providers, and push notification services.

18.4. Rostering Integrations: Sling and other rostering or workforce platforms, where you explicitly connect them.

18.5. Social Authentication: Google, Apple, and Microsoft for optional sign-in. We only collect the email address and basic profile information required for Account creation.

18.6. Data Processing Agreements: all third-party providers are contractually bound to protect your data and use it only for the specified purposes.

19. Data Breach Notification

19.1. Breach Response: we maintain an incident response process to contain, assess, and remediate any suspected security incident.

19.2. Regulatory Notification: where an eligible data breach occurs under the Notifiable Data Breaches scheme of the Privacy Act 1988 (Cth) or comparable law, we will notify the relevant supervisory authority as soon as practicable.

19.3. User Notification: where a breach is likely to result in a serious risk to your rights, we will notify you without undue delay via email, in-app notice, or prominent website notice, including information about the incident and any steps you should take.

20. Changes to This Policy

20.1. We may update this Policy from time to time. Material changes will be communicated via email, in-app notification, or prominent notice on our website at least 30 days before they take effect.

20.2. Your continued use of the Service after changes take effect constitutes acceptance of the revised Policy. If you do not agree, you must stop using the Service.

20.3. Previous versions of this Policy are retained in our archives for your reference.

21. Contact Information

For questions, requests, or concerns regarding this Policy, please contact us at: