CrewBase
Get started

Legal

Privacy Policy

We collect what's needed to run your portal — nothing more.

Last updated: May 2, 2026

This policy explains what CrewBase collects, why, where it lives, and what rights you have over it. If you're evaluating CrewBase for your team and need a Data Processing Addendum (DPA), email support@crewbase.app and we'll send one.

Who is the controller?

For the customer's own employee data submitted into a CrewBase workspace (vacation requests, expense receipts, onboarding tasks, etc.), the customer (the Workspace Owner's organization) is the data controller. CrewBase is the data processor — we process that data on the customer's instructions to provide the Service.

For account-level data (Owner's own email, billing data, login activity), CrewBase is the controller.

What we collect

Account data

  • Email address and name of the Owner who creates the workspace
  • Password (stored only as a salted Argon2id hash — we never see the plaintext)
  • Workspace metadata: company name, subdomain, branding choices, plan tier
  • Last-login timestamp

Customer Data submitted into a workspace

  • Employee profiles: name, email, job title, department, employment type
  • Manager / reporting relationships
  • Requests: type, fields, attachments, comments, timestamps, decision history
  • Onboarding / offboarding checklist progress
  • Policy acknowledgements (with IP and user-agent at the moment of signing)
  • Confidential workplace concerns (visible only to administrators)

Server logs

We log standard request metadata (IP address, user-agent, request path, response status, timestamp) for operational and security purposes. Logs are retained for up to 90 days, then purged.

What we don't collect

  • We don't use third-party analytics, ad pixels, or behavioral trackers.
  • We don't collect biometric data, government IDs, or payment-card numbers (Stripe handles those when billing is enabled).
  • We don't profile users or build advertising audiences.
  • We don't use customer data to train machine-learning models.

How we use the data

  • To operate the Service — let employees submit requests, managers approve them, and admins review history.
  • To communicate about the Service — service-impacting issues, security disclosures, billing notices.
  • To prevent abuse, debug issues, and respond to security incidents.
  • To comply with legal obligations.

Where data is stored

CrewBase is hosted on Vercel (application) and Prisma Postgres (database). Both run in US-East regions as of this writing. We'll update this policy if the storage region changes.

Sub-processors

We use a small set of vetted sub-processors to deliver the Service:

  • Vercel — application hosting, edge network, build pipeline
  • Prisma Data (Prisma Postgres) — managed PostgreSQL database
  • Resend — transactional email (invitations, notifications, password resets)
  • Stripe — payment processing (when billing is enabled — currently opt-in)
  • GitHub — source code hosting (no customer data)

Each sub-processor has its own privacy commitments. We'll notify customers before adding a new sub-processor that handles Customer Data.

Cookies

We use one category of cookies, all strictly necessary:

  • Session cookie — set after login to keep you signed in. HTTP-only, Secure, SameSite=Lax. No tracking, no persistence beyond the session lifetime.

We do not use advertising or analytics cookies.

Your rights

Depending on your jurisdiction, you may have rights to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your account and associated data (the “right to be forgotten”)
  • Export your data in a machine-readable format
  • Object to or restrict certain processing
  • Lodge a complaint with a supervisory authority

Email support@crewbase.app to exercise any of these rights. If you're an employee whose data is in someone else's CrewBase workspace, we'll typically forward your request to the Workspace Owner — they control your data, not us.

Data retention

  • Active workspaces: we retain data as long as the workspace is active.
  • Cancelled workspaces: Customer Data is retained for at least 30 days after cancellation so you can export it. After that, it's permanently deleted.
  • Server logs: up to 90 days.
  • Backups: rolling daily backups for 30 days, then deleted.

Security

Passwords are hashed with Argon2id. Sessions use signed JWTs with HTTP-only cookies. All traffic is served over HTTPS (the .app TLD enforces this at the browser level). Tenant data is isolated at the database level by companyId on every record, with capability gates that fail closed.

We don't claim a SOC 2 / ISO 27001 audit at this stage; we'll publish those when we have them. Security questions and vulnerability reports go to support@crewbase.app.

Children

CrewBase is a workplace tool. It is not directed at children under 16. We don't knowingly collect data from anyone under 16. If you believe we have, email us and we'll delete it.

International transfers

Because data is stored in the US, transferring data into CrewBase from outside the US constitutes an international transfer under EU/UK GDPR. We rely on standard contractual clauses (SCCs) where applicable. If you need a signed DPA with SCCs attached, email support@crewbase.app.

Changes

We may update this policy. Material changes will be announced by email to Workspace Owners at least 14 days before they take effect. Minor clarifications (typo fixes, rephrasing) may be made without notice but will be reflected in the “Last updated” date above.

Contact

Privacy questions, DPA requests, or data-rights requests: support@crewbase.app.