Privacy Policy

CrewSwap (“we”, “us”, or “our”) is a flight crew scheduling and swap management application (“App”). We operate the App and act as the data controller responsible for the processing of personal data collected through it.

By downloading, registering, or using CrewSwap, you acknowledge that you have read and understood this Privacy Policy and agree to the collection and use of your information as described herein.

2.1 Information You Provide Directly

• Account registration: Full name, email address, phone number, employee ID, airline, crew position, and password.
• Profile data: Profile photo, base airport, certifications, and language preference.
• Trip & swap data: Flight numbers, dates, routes, and swap requests you create or respond to.
• Messages: In-app chat messages exchanged with other crew members.
• Support communications: Messages and attachments you send to our support team.

2.2 Information Collected Automatically

• Device information: Device model, operating system version, app version, and unique device identifiers.
• Log data: IP address, access timestamps, pages/screens viewed, API request logs, and crash diagnostics.
• Push notification tokens: Firebase Cloud Messaging (FCM) tokens used solely to deliver in-app notifications to your device.

2.3 Information We Do NOT Collect

• Provide, operate, and maintain the App and all its features.
• Authenticate your identity and keep your account secure.
• Match crew members for flight swaps and vacation swaps.
• Send push notifications about swap requests, approvals, and new messages.
• Respond to support inquiries and resolve technical issues.
• Monitor, diagnose, and improve App performance and security.
• Comply with legal obligations, including fraud prevention and law-enforcement requests.
• Generate anonymized, aggregated analytics to understand usage patterns and improve the service.

Legal Bases for Processing (GDPR — Article 6)

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the service you signed up for.
• Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and service improvement.
• Legal obligation (Art. 6(1)(c)): Where processing is required by applicable law.
• Consent (Art. 6(1)(a)): For push notifications — you may withdraw at any time via device settings.

We do not sell, rent, or trade your personal information. We may share data only in the following limited circumstances:

• Other crew members: Your name, position, airline, and trip details are visible to other registered users when you create or respond to a swap request — this is core to the App's function.
• Airline administrators: Authorized administrators from your airline may view swap records relevant to their employees for operational purposes.
• Service providers: Firebase (Google) for push notifications and crash analytics; cloud hosting providers. These parties process data strictly on our behalf under written data-processing agreements.
• Legal authorities: If required by applicable law, valid court order, or to protect the rights, property, or safety of CrewSwap, our users, or the public.
• Business transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred — we will notify you before it becomes subject to a different privacy policy.

• Account data: Retained for as long as your account remains active. You may request deletion at any time — we will act within 30 days.
• Swap & trip records: Retained for 24 months after the swap date for audit and dispute-resolution purposes, then permanently deleted or anonymized.
• Chat messages: Retained for 12 months, then automatically deleted.
• Log & crash data: Retained for 90 days, then purged.
• Deleted accounts: Personal data is removed within 30 days; anonymized aggregate data may be retained indefinitely.

• Encryption in transit: All data is transmitted over TLS 1.2+ encrypted connections.
• Password security: Passwords are hashed using bcrypt — we never store plaintext passwords.
• Authentication: API access is secured via Laravel Sanctum token-based authentication.
• Access controls: Strict role-based access controls limit data access to authorised personnel only.
• Regular audits: We conduct periodic security reviews and vulnerability assessments.

All Users — Universal Rights

EU / EEA Users — GDPR Rights

• Right to erasure (“right to be forgotten”): Request permanent deletion of your personal data.
• Right to data portability: Receive your data in a structured, machine-readable format (e.g., JSON).
• Right to object: Object to processing based on legitimate interests at any time.
• Right to restrict: Request restriction of processing in certain circumstances.
• Right to complain: Lodge a complaint with your local data protection supervisory authority.

California Residents — CCPA / CPRA Rights

• Right to know: Know what personal information is collected, used, disclosed, or sold about you.
• Right to delete: Request deletion of your personal information, subject to certain exceptions.
• Right to opt out: Opt out of the sale or sharing of personal information. We do not sell personal information.
• Right to non-discrimination: You will not receive inferior service for exercising your privacy rights.
• Right to correct: Correct inaccurate personal information we maintain about you.

We do not knowingly collect, solicit, or maintain personal information from children under the age of 13 (or 16 in EU member states, per GDPR Article 8). If we become aware that a child under the applicable age has provided us with personal information, we will delete such data immediately.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@crewswap.app.

Your information may be transferred to and processed in countries other than your country of residence, including countries that may not provide the same level of data protection as your home jurisdiction.

When we transfer personal data from the EEA or the UK to third countries, we rely on appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).
• Adequacy decisions issued by the European Commission where applicable.
• Data Processing Agreements (DPAs) with all sub-processors under Article 28 GDPR.

The App integrates the following third-party services. Each is governed by its own privacy policy, and we have Data Processing Agreements with each where required:

We are not responsible for the privacy practices of these third parties. Data shared with these services is limited to the minimum necessary for the described function.

We use push notifications to inform you about important events including new swap requests, approvals, rejections, and incoming in-app messages. Push notifications require your explicit consent on iOS and are enabled by default on Android (you may disable them at any time).

• Managing notifications: Go to your device's Settings → Notifications → CrewSwap to enable or disable.
• What we send: Swap request updates, approval/rejection alerts, new in-app messages, and important account notifications.
• What we don't send: We do not send marketing, promotional, or third-party advertisement notifications.
• FCM tokens: Your device push token is stored securely. You can request deletion by contacting support.

We may update this Privacy Policy from time to time. When we make changes, we will:

• Update the “Effective Date” at the top of this page.
• For material changes, notify you via a push notification and/or a prominent in-app banner at least 7 days before the changes take effect.
• For minor changes, the updated policy will be available on this page only.

Your continued use of the App after the effective date constitutes your acceptance of the changes. If you do not agree, you should stop using the App and may request account deletion.

If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please contact our Privacy Team: