CrewDriven

Privacy Policy

Last updated: 2026-05-27

This Privacy Policy explains how HALSOFT OÜ ("CrewDriven", "we", "us", or "our") collects, uses, shares, and protects personal data when you visit our website, sign up for an account, or use the CrewDriven service (the "Service"). It applies to both the marketing site at crewdriven.com and to authenticated use of any tenant workspace (e.g. customer.crewdriven.com).

We aim to be straightforward about our data practices. If anything is unclear, please contact us at [email protected].

For the purposes of the European Union General Data Protection Regulation (GDPR), the data controller of personal data collected through our marketing and account systems is HALSOFT OÜ, located at Papli tn 20, Viljandi 71020, Estonia (Registry code 10208842, VAT EE100210936). For data you store inside a Workspace about your own clients, employees, or contractors, you are the controller and we act as a processor on your behalf.

1. Who we are

CrewDriven is operated by HALSOFT OÜ, an entity established at Papli tn 20, Viljandi 71020, Estonia (Registry code 10208842, VAT EE100210936). You can reach us at [email protected] for any privacy-related questions, including to exercise your rights under applicable data protection law.

2. What we collect

We collect the following categories of personal data:

Account information

When you create an account, we collect your name, email address, a hashed password, your chosen Workspace name and subdomain, and your preferred locale and timezone. We also store basic profile information you choose to add later, such as a display name or role within a Workspace.

Workspace data

While using the Service, your team will create and store data about your business — for example, client profiles, employee or team-member profiles, invoices, payments, time logs, recurring billing schedules, resource plans, and financial summaries. This is your data, not ours. We process it on your behalf so that the Service works for you, but we do not use it to train models, advertise, or for any unrelated purpose.

Technical information

When you visit our site or use the Service, our servers automatically receive technical information about your request, including IP address, user-agent string, browser type and version, operating system, referring page, locale and timezone settings, and timestamps. We use this for security, abuse prevention, debugging, and basic operational analytics.

Cookies and analytics

We use a small number of strictly necessary cookies for session management and CSRF protection — these are required for the Service to function and cannot be turned off. We also use Google Analytics (measurement ID G-9MLYCMH6XH) on the marketing site to understand aggregate usage. Google Analytics is loaded via deferred gtag.js and is only used where consent is required and given, or where applicable law permits use of analytics under a legitimate-interest basis. Typography is served from Bunny Fonts (fonts.bunny.net), which Bunny states does not track end users and does not set tracking cookies.

Communications

If you email us, send a support request, fill in our feedback form, or join a waitlist, we will receive and store your message, your email address, and any other information you choose to provide. We use this to reply to you and to keep a record of the exchange.

3. How we use your data

We use the personal data we collect to:

  • Provide, operate, and maintain the Service, including authenticating you, displaying your Workspace data, sending transactional emails (account verification, password resets, security alerts), and providing customer support.
  • Secure the Service against fraud, abuse, and unauthorized access, and to investigate and respond to suspected violations of our Terms of Service.
  • Communicate with you about updates, security notices, service changes, and — where you have asked for them — product announcements or feedback requests.
  • Bill and account for any paid services in the future, including invoicing, tax reporting, and reconciling payments. (No billing happens during the free-during-launch period.)
  • Improve and develop the Service by analysing aggregated and de-identified usage patterns, diagnosing errors, and prioritising features. We do not use the contents of your Workspace data to train machine-learning models.
  • Comply with our legal, regulatory, tax, accounting, and risk-management obligations.

4. Legal bases (GDPR)

Where the GDPR applies to our processing, we rely on the following legal bases under Article 6(1):

  • Performance of a contract (Art. 6(1)(b)) — to deliver the Service you signed up for, host your Workspace, and provide related support.
  • Legitimate interests (Art. 6(1)(f)) — for security and fraud prevention, basic operational and product analytics, improving the Service, and direct communications with existing customers about features and updates of the kind they have subscribed to. Where we rely on legitimate interests, we have considered your rights and freedoms and concluded that our interests do not override them; you have the right to object at any time.
  • Consent (Art. 6(1)(a)) — for any non-essential cookies and analytics where consent is required by local law, for any optional marketing communications, and for any other processing for which we ask you to opt in. You can withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
  • Legal obligation (Art. 6(1)(c)) — to comply with applicable laws, including tax, accounting, and information-request obligations.

5. Sharing and sub-processors

We do not sell your personal data. We do not share your personal data for cross-context behavioural advertising. We do not rent it.

To run the Service, we use a small number of trusted third-party service providers (sub-processors) that process personal data on our behalf, under contracts that require appropriate security and confidentiality safeguards. Current sub-processors include:

  • Hosting and infrastructure — DigitalOcean, LLC (United States) — application servers, database, file storage, and backups, used to host the application, the database, file storage, and backups.
  • Transactional email — Resend, Inc. (United States), used to send account-related and operational emails such as verification, password resets, and notifications.
  • Analytics — Google Analytics, used on the marketing site for aggregated usage analytics. Loaded only where consent is given or otherwise permitted by applicable law.

We may also disclose personal data where we are required to do so by law, court order, or other legally binding request, or where we reasonably believe disclosure is necessary to protect our rights, the safety of users or the public, or to investigate fraud or security issues. We will, where lawfully possible, notify you of any such request.

If CrewDriven is involved in a merger, acquisition, financing, reorganisation, bankruptcy, or sale of assets, personal data may be transferred as part of that transaction. We will continue to treat your personal data in accordance with this Privacy Policy and will notify you (for example, by email or in-app notice) of any such transfer and any change to applicable terms.

6. International data transfers

CrewDriven may store and process personal data in countries outside the country in which it was collected, including in jurisdictions where data protection laws may differ. Where we transfer personal data of EEA, UK, or Swiss data subjects to a country that has not been recognised as providing adequate protection, we rely on appropriate safeguards under the GDPR — typically the European Commission Standard Contractual Clauses (SCCs), the UK Addendum where applicable, and, where available, adequacy decisions.

You can contact us at [email protected] for information about the safeguards we use for international transfers, including a copy of the relevant clauses where required.

7. Cookies

We use cookies and similar technologies in the following categories:

  • Essential cookies — required for the Service to function, including session cookies that keep you logged in and CSRF tokens that protect against cross-site request forgery. These cannot be turned off through our own controls because the Service does not work without them.
  • Analytics cookies — set by Google Analytics on the marketing site to understand aggregated traffic patterns. Where required by local law, these are loaded only after you give consent. You can also disable them at any time by using your browser's "Do Not Track" setting, a privacy-focused browser extension, or an ad-blocking or tracking-blocking tool.

We do not use advertising cookies, third-party retargeting tags, or behavioural advertising trackers.

8. Data retention

We retain personal data for as long as your Account or Workspace is active and we need it to provide the Service to you.

When a Workspace is deleted, we delete or anonymise the associated personal data from active systems within approximately 90 days, except where we are required to retain it for longer to comply with legal, tax, accounting, or regulatory obligations, to resolve disputes, or to enforce our agreements.

Backups containing your data are kept in line with our normal backup-rotation schedule and are overwritten in the ordinary course of operations. If you ask us to delete your data, we will also remove it from backups when the next rotation runs.

Aggregated and de-identified information that cannot reasonably be linked back to you may be retained for longer for analytics and product-improvement purposes.

9. Your rights

Depending on where you live, you may have the following rights with respect to your personal data.

Under the GDPR (EEA, UK, Switzerland)

You have the right to (a) access the personal data we hold about you and obtain a copy; (b) request correction of inaccurate or incomplete data; (c) request erasure of your data in certain circumstances; (d) request that we restrict the processing of your data; (e) receive your data in a portable, machine-readable format and have it transmitted to another controller; (f) object to processing that we carry out on the basis of our legitimate interests, including direct marketing; and (g) withdraw consent at any time, where processing is based on consent. You also have the right to lodge a complaint with your local data protection authority — in Ukraine, the Ukrainian Parliament Commissioner for Human Rights; in the EU, your country's supervisory authority; in the UK, the Information Commissioner's Office.

Under the CCPA / CPRA (California)

If you are a California resident, you have the right to (a) know what categories of personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it; (b) request a copy of the specific pieces of personal information we have collected about you; (c) request deletion of your personal information, subject to certain exceptions; (d) request correction of inaccurate personal information; (e) opt out of the "sale" or "sharing" of your personal information (we do not sell or share personal information for cross-context behavioural advertising, and we have not done so in the preceding twelve months); and (f) not be discriminated against for exercising any of these rights.

How to exercise your rights

You can exercise these rights by emailing [email protected] from the address associated with your Account. We will respond within the timeframes required by applicable law (typically 30 days under the GDPR, 45 days under the CCPA, with possible extensions). We may need to verify your identity before responding to ensure we do not disclose personal data to the wrong person. Some requests may be refused or restricted where allowed by law (for example, where complying would conflict with our legal obligations or affect the rights of others).

10. Children

The Service is not directed to individuals under the age of 16 and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact [email protected] and we will take steps to delete it.

11. Security

We take reasonable technical and organisational measures designed to protect personal data against accidental loss, unauthorised access, alteration, or disclosure. These measures include encryption in transit (TLS for all connections between your browser and the Service), encryption at rest at the storage layer for our PostgreSQL database and file storage where the underlying provider supports it, salted and hashed password storage (using the bcrypt algorithm), strict access controls for our team, regular security updates of our software dependencies, and tenant data isolation through a schema-per-tenant model so each Workspace's data is stored in its own isolated database schema.

No method of transmission over the Internet or storage on electronic systems is fully secure. We cannot guarantee absolute security. Where you become aware of any actual or suspected security incident affecting your Account or Workspace, please contact us immediately at [email protected].

You also play a role in keeping your data secure: use a strong, unique password, do not share credentials, keep your devices and browsers up to date, and review access to your Workspace regularly.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will notify you by email (to the address associated with your Account) and/or by prominent in-app notice, and we will update the "Last updated" date at the top of this page.

We encourage you to review this page periodically. Your continued use of the Service after a change becomes effective constitutes acceptance of the updated Privacy Policy, except where additional consent is required by law, in which case we will ask you separately.

13. Contact

For any questions about this Privacy Policy or to exercise your rights, please contact:

  • HALSOFT OÜ
  • Papli tn 20, Viljandi 71020, Estonia (Registry code 10208842, VAT EE100210936)
  • Email: [email protected]