GDPR Compliance of CrewPayScan
Last Updated: April 15, 2025
At CrewPayScan (“we,” “us,” or “our”), we are committed to protecting the privacy and security of personal data in compliance with the General Data Protection Regulation (GDPR). This document outlines our approach to GDPR compliance, our responsibilities as a data controller and processor, and the responsibilities of our customers (e.g., maritime professionals, software makers) who use our Services. Our Services, which include sanctions compliance for maritime crew allotments, are designed with data protection at their core.
1. Overview
CrewPayScan provides a platform for automating sanctions checks on maritime crew allotments, ensuring compliance with US (OFAC), UK (OFSI), and EU (CSL) regulations. During our pre-launch phase, we collect waitlist data (e.g., email, company details). Once launched, our Services will process crew data uploaded by customers for sanctions screening purposes. As such, we handle personal data subject to GDPR, and we take our obligations seriously.
This document supplements our Privacy Policy and Terms of Service, which provide additional details on data handling and usage terms.
2. Our Role Under GDPR
2.1 Data Controller (Waitlist Phase)
During the pre-launch waitlist phase, CrewPayScan acts as a data controller for the personal data you provide (e.g., email address, name, company details). We determine the purposes and means of processing this data, such as managing waitlist sign-ups and sending launch updates.
2.2 Data Processor (Post-Launch Services)
Once our Services launch, CrewPayScan will act as a data processor for the crew data you upload for sanctions screening. Our customers (e.g., maritime HR managers, software makers) will typically act as data controllers, as they determine the purposes for processing crew data (e.g., ensuring sanctions compliance). We process this data on your behalf, following your instructions and GDPR requirements.
3. Our GDPR Compliance Measures
We have implemented the following measures to ensure GDPR compliance:
3.1 Lawful Basis for Processing
- Waitlist Data: We process your waitlist data based on your consent (e.g., when you sign up) or our legitimate interest (e.g., to manage the waitlist and improve our Services).
- Crew Data (Post-Launch): We process crew data on your behalf as a data processor, relying on the lawful basis you establish as the data controller (e.g., contractual necessity, legal obligation for sanctions compliance).
3.2 Data Security
- German-Hosted Data: All data is stored in Germany with Hetzner, a GDPR-compliant hosting provider, ensuring data remains within the European Economic Area (EEA).
- Encryption: We use bank-grade AES-256 encryption to protect all data at rest, except for a crew record’s Crew ID, which is stored in plain text for compliance purposes (e.g., audit trails).
- Access Controls: Only authorized personnel have access to personal data, under strict confidentiality agreements.
- Bot Protection: We use Cloudflare to prevent malicious bots from submitting fake waitlist entries, ensuring data integrity.
3.3 Data Minimization
We collect only the data necessary for the intended purpose:
- Waitlist: Email (required), with optional fields like name and company.
- Post-Launch: Crew data limited to what’s needed for sanctions screening (e.g., names, nationalities), as provided by you.
3.4 Data Subject Rights
We support your ability to exercise GDPR rights:
- Access, Rectification, Erasure, etc.: You can request access, correction, or deletion of your data by emailing info@crewpayscan.com. We respond within 30 days, as required by GDPR.
- Customer Support for Rights: As a data processor, we assist our customers in fulfilling data subject requests related to crew data (e.g., providing data exports or deleting records upon request).
3.5 Data Retention
- Waitlist Data: Retained until CrewPayScan launches or you request deletion.
- Crew Data: Retained only for the duration necessary to provide sanctions screening services, as instructed by you, or as required by law (e.g., audit trails for sanctions compliance).
- We delete data securely when no longer needed.
3.6 Data Protection Impact Assessments (DPIAs)
We conduct DPIAs for processing activities that may pose a high risk to data subjects, such as handling crew data for sanctions screening, to identify and mitigate risks.
3.7 Data Processing Agreements (DPAs)
For post-launch customers, we provide a DPA outlining our obligations as a data processor, ensuring compliance with GDPR Article 28. This includes commitments to process data only on your documented instructions, maintain confidentiality, and assist with data subject rights.
3.8 International Data Transfers
All data is stored within the EEA (Germany). If we transfer data outside the EEA in the future (e.g., for API integrations), we will use safeguards like Standard Contractual Clauses to ensure adequate protection.
4. Our Responsibilities
As a data controller (waitlist) and processor (post-launch), we are responsible for:
- Implementing technical and organizational measures to protect personal data (e.g., encryption, secure hosting).
- Responding to data subject requests within GDPR timelines.
- Notifying you of any personal data breach within 72 hours, as required by GDPR, if we act as a processor.
- Assisting you with DPIAs, audits, and regulatory inquiries related to crew data processing.
- Ensuring our third-party providers (e.g., Hetzner, Google Analytics) comply with GDPR through appropriate contracts.
5. Customer Responsibilities
As a user of CrewPayScan, particularly if you are a data controller for crew data, you are responsible for:
- Lawful Basis: Ensuring you have a lawful basis for processing crew data (e.g., contractual necessity, legal obligation for sanctions compliance) before uploading it to our Services.
- Data Accuracy: Providing accurate and up-to-date crew data to ensure sanctions screening results are reliable.
- Informing Data Subjects: Notifying crew members or other data subjects about the processing of their data, including sharing it with CrewPayScan for sanctions screening, as required by GDPR.
- Handling Requests: Managing data subject requests (e.g., access, erasure) for crew data. We will assist by providing necessary tools or data exports upon request.
- Compliance with Laws: Ensuring your use of our Services complies with all applicable laws, including GDPR and sanctions regulations (e.g., US (OFAC), UK (OFSI), EU (CSL)).
- Secure Transmission: Transmitting crew data to us securely (e.g., via encrypted upload methods we provide) to prevent unauthorized access.
6. Data Breach Notification
In the event of a personal data breach:
- As a data controller (waitlist), we will notify affected users and relevant authorities within 72 hours, as required by GDPR.
- As a data processor (post-launch), we will notify you, the data controller, within 72 hours of becoming aware of a breach, providing details to help you meet your reporting obligations.
7. Third-Party Processors
We use the following third-party processors, all of whom comply with GDPR:
- Hetzner: Hosting provider in Germany for secure data storage.
- Cloudflare: For bot protection and website security.
- Google Analytics: For anonymized website usage tracking (waitlist phase).
Each processor is bound by a data processing agreement ensuring GDPR compliance.
8. Contact Us
For GDPR-related inquiries, to exercise your data protection rights, or to request our Data Processing Agreement, contact us at:
Email: info@crewpayscan.com
Website: crewpayscan.com
Contact for GDPR Compliance:
CrewPayScan’s parent company is in the process of being registered in Singapore. For GDPR-related inquiries, please reach out to:
Email: info@crewpayscan.com
Full company details will be provided upon registration.
Data Protection Officer:
CrewPayScan is currently in the pre-launch phase, and our parent company is in the process of being registered in Singapore. For any privacy or data protection inquiries, please contact us at:
Email: info@crewpayscan.com
We will update this section with full company details upon official registration.
We will respond to all requests within 30 days, as required by GDPR.
9. Changes to This GDPR Compliance Statement
We may update this document to reflect changes in our practices or legal requirements. We will notify you of significant changes via email (if provided) or by posting a notice on our website. The “Last Updated” date at the top will reflect the latest revision.
Note: This GDPR Compliance statement applies to our current waitlist phase and will extend to our sanctions compliance services upon launch. We are committed to maintaining GDPR compliance as our Services evolve.