Roles stay clear
Customers normally control workforce records; CrewByte processes them to provide the service.
Data protection at CrewByte
CrewByte is designed to help shift-based organisations handle workforce data responsibly. This page explains our practical approach, our processor commitments and the responsibilities we share with customers.
Customers normally control workforce records; CrewByte processes them to provide the service.
We design features and permissions around defined operational needs and proportionate access.
We provide controls and assistance; each customer remains responsible for its own lawful use.
An honest status
UK GDPR and EU GDPR compliance is an ongoing programme involving people, contracts, processes and technology. CrewByte provides features, working practices and contractual commitments intended to support that programme. We do not describe CrewByte as “GDPR certified”, because the GDPR does not give software products a general certificate of compliance.
This page is a transparency overview, not legal advice and not a replacement for a signed agreement. The commitments that apply to a particular customer are set out in the customer’s contract and, where applicable, CrewByte’s data processing agreement (DPA).
References to EU GDPR apply only where that law is relevant to the proposed service. This page does not represent that CrewByte has an EEA establishment or appointed an Article 27 representative; those facts must be assessed and confirmed before offering a service that requires one.
Compliance depends on context. A customer must assess its own purposes, lawful bases, workforce rules, configuration choices and local legal obligations. Using compliant software does not by itself make every use compliant.
Accountability starts with roles
A controller decides why and how personal data is used. A processor handles personal data for a controller and on its instructions. CrewByte’s role changes according to the processing involved.
Customer as controller
The customer normally controls employee profiles, pay-rate information, rotas, availability, attendance, leave, documents, compliance records, workplace communications and other data added to its workspace.
CrewByte as processor
CrewByte processes customer-controlled data to host, secure, support and operate the requested workforce features, subject to the agreement and the customer’s lawful instructions.
CrewByte as controller
We normally control account administration, billing relationships, service security, support, website choices, waitlists, roadmap participation and communications sent in our own name.
Our privacy policy explains these roles in more detail and tells individuals how CrewByte handles data when acting as controller.
Article 28 readiness
Where CrewByte will act as a processor, written terms need to document the subject matter, duration, nature and purpose of processing, the categories of data and people involved, and each party’s rights and duties. The following is our intended contracting position, but it applies to a customer only when included in signed data-processing terms:
We process customer data only on documented lawful instructions, including agreed service configuration and support requests, unless applicable law requires otherwise.
People authorised to handle customer data are expected to follow appropriate confidentiality obligations and access it only for authorised work.
We maintain technical and organisational measures designed to protect personal data in light of the processing risks.
Any provider used to process customer data must be identified and placed under data-protection terms appropriate to the service it performs before that processing begins.
Taking account of the nature of processing, we support customers with rights requests, security duties, DPIAs and regulator consultation where required and reasonably possible.
Signed terms must define the return or deletion process, its scope, applicable legal retention and the handling of uploaded files and any backup copies.
We make information reasonably necessary to demonstrate relevant processor obligations available through contractual assurance and agreed audit arrangements.
If we believe an instruction infringes applicable data protection law, we will raise the concern with the customer rather than quietly proceeding.
Signed terms control. This overview describes CrewByte’s intended position but does not itself create Article 28 terms. Do not place production workforce data in CrewByte as a processor until appropriate written data-processing terms are approved by both parties.
Building responsible defaults
Data protection is considered when features, permissions and workflows are designed. Our goal is to collect and expose only the information reasonably needed for the workforce task, while giving customers practical ways to control who can see and change it.
We review data needs as the product develops. Customers should also minimise free text, uploaded documents and integrations because those areas can contain more information than a structured field requires.
Supporting individuals
Individuals may have rights to access, correct, erase, restrict, port or object to the use of their personal data, and to withdraw consent where consent is the lawful basis. When workforce data is in a customer workspace, the customer normally decides how to respond because it is the controller.
CrewByte supports appropriate requests by helping the customer identify relevant records, use available account and workspace functions, correct data, restrict access, export information where reasonably available, and carry out an agreed deletion. We may need the customer to verify the requester and provide clear instructions before acting.
For workspace users
They normally control your workforce data and can understand the employment context. You can still contact CrewByte if you cannot identify the controller or need help routing a request.
Incident readiness
Suspected incidents need to be assessed, contained and investigated through an owned operational process. Signed processor terms should require CrewByte to notify the affected customer without undue delay after becoming aware of a personal data breach affecting customer-controlled data, and should define the communication route.
Available information may include the known nature of the incident, affected data and people, likely consequences, containment steps and a contact for follow-up. Customers remain responsible for deciding whether their processing requires notification to a regulator or affected people. This page does not state a universal incident response or notification SLA.
Security concerns can be reported to support@crewbyte.io. Please do not include passwords, API secrets or unnecessary personal data in an initial email.
Responsible supply chain
A CrewByte deployment may rely on providers for hosting, databases, backups, email delivery, billing and optional connected services. A provider is a subprocessor when it processes customer personal data to help deliver CrewByte. The actual providers and regions are deployment-specific and must be confirmed rather than inferred from these categories.
Before a subprocessor handles production customer data, the contracting process must address appropriate confidentiality, security and data-protection terms, responsibility for the provider, and any agreed notice or objection process.
Before a restricted international transfer takes place, the parties must identify and document the applicable transfer route. Depending on the facts, that may involve the UK International Data Transfer Agreement, the UK Addendum, the European Commission’s Standard Contractual Clauses or another lawful mechanism, together with supplementary measures where appropriate.
Contact us for the provider, region, contract and transfer information that applies to your proposed service. CrewByte does not make a universal data-residency promise on this page.
Lifecycle control
Customer-controlled data is retained for the active service relationship and then handled according to the customer agreement, documented instructions, security needs and applicable legal obligations. Retention can vary by record because audit history, active disputes and statutory records may need different treatment.
At the end of services, the customer can request return or deletion under the applicable terms. The scope and timing need to address active database records, uploaded files and any backup copies separately. CrewByte does not currently promise that deleting a workspace record automatically removes every file or backup, so any contractual deletion commitment must reflect the operational process actually available.
CrewByte-controlled records, such as billing, security and support records, follow the criteria explained in our privacy policy. We do not promise a universal deletion period where the operational or legal basis differs by record.
Higher-risk processing
Standard CrewByte fields are aimed at ordinary workforce operations. However, leave reasons, compliance evidence, support messages, free-text notes and uploaded documents can contain health information or other special-category data if a customer chooses to enter it.
Customers must determine whether special-category or criminal-offence data is necessary, identify the required Article 6 lawful basis and any Article 9 or Article 10 condition, provide suitable notices, restrict access and avoid collecting excessive details. CrewByte should not be used as an unrestricted repository for information unrelated to the enabled workforce purpose.
A data protection impact assessment (DPIA) may be required where a customer’s proposed use is likely to create a high risk to people—for example, large-scale sensitive-data use, systematic monitoring or a novel integration. The customer owns that assessment. Taking account of the information available to us and the nature of processing, we provide reasonable product, security and data-flow information to assist.
Ask before enabling a higher-risk workflow. Contact us if you need data-flow, security or processor information for a DPIA. We can explain CrewByte; your organisation remains responsible for assessing its intended use.
People remain accountable
CrewByte scheduling tools may use inputs such as availability, leave, location, contracted hours, pay information, role or leadership requirements to help prepare a rota. Those tools are decision support: they create suggestions or drafts for an authorised manager to review, change and publish.
CrewByte is not designed to make a solely automated employment decision that produces legal or similarly significant effects without meaningful human involvement. Customers should ensure managers genuinely review outputs, understand relevant constraints, correct inaccurate inputs and provide an appropriate route for staff to question a decision.
If a customer configures an integration or workflow that changes that position, it must assess the legal effect, transparency, accuracy, bias, human-review and DPIA requirements before use.
Consent before optional tracking
Strictly necessary storage supports requested functions, security and remembering a privacy choice. Optional analytics and marketing technologies on CrewByte’s public pages are blocked until a visitor makes a positive choice. Rejecting them keeps those categories disabled, and the settings can be reopened at any time.
No optional analytics or advertising provider is active on this public page at the date shown above. Basic connection data still has to be processed to deliver the page securely. Our cookie information lists current first-party cookies, purposes and typical durations.
What customers need to do
CrewByte’s safeguards support compliance, but the customer remains accountable for how its organisation uses the platform. Customers should:
Due diligence and support
We want procurement, privacy and security reviews to start with accurate information. Contact us to discuss Article 28 terms, deployment-specific provider and transfer details, or the product information needed for a customer DPIA. Security questions can be routed separately so the right person can respond.
Data processing agreement
No approved DPA is published by this page yet. Tell us which CrewByte service and customer organisation your review concerns so appropriate data-processing terms can be discussed.
Privacy and security review
Send the scope of your question without including passwords, API secrets or unnecessary personal data.