2. Legal framework – why GDPR applies to us

Crewilo is established in Norway. Norway is part of the European Economic Area (EEA) and applies the General Data Protection Regulation (EU) 2016/679 (“GDPR”) through the Norwegian Personal Data Act (Personopplysningsloven).

This means that when we process personal data of Crewilo users, we comply in particular with:

the principles and obligations set out in the GDPR,
the Norwegian Personal Data Act (Personopplysningsloven),
other applicable Norwegian laws, for example on accounting, tax and the pursuit or defence of legal claims.

3. Scope of this Policy

This Policy describes how we process personal data in connection with:

your use of the crewilo.com website and any related websites or subdomains,
your use of the Crewilo platform (e.g. client dashboard, talent/contractor dashboard),
contacting us by e‑mail, contact forms, chat, or social media,
receiving marketing communications from us (e.g. newsletters, offers),
managing business relationships (e.g. demos, sales calls, invoicing, technical support),
other situations where we explicitly refer to this Policy.

This Policy does not replace the terms of service or SaaS agreement. Rules on how the platform works (functionality, fees, limitations of liability) are set out in a separate document, such as the Terms of Service or Subscription Agreement.

4. Key definitions

User – any natural person using Crewilo (e.g. a representative of a B2B customer, a talent/candidate, or a website visitor).
Customer – an entity that has entered into an agreement with us to use the platform (typically a business client).
Platform – our SaaS services provided via crewilo.com and any related applications.
Personal data – any information relating to an identified or identifiable natural person (e.g. name, e‑mail, IP address).
GDPR – the General Data Protection Regulation (EU) 2016/679.

5. What data do we collect?

The data we process depends on how you use Crewilo. Typically this includes:

5.1. Identification and contact data

first name and last name,
company name, position, department,
business e‑mail address and phone number,
country / time zone, preferred language.

5.2. Account and configuration data

username / user ID,
password (stored in encrypted / hashed form),
profile settings, language preferences, notifications,
roles and permissions within an organisation account.

5.3. Professional and project‑related data

If Crewilo is used to match companies with talent or remote staff, we may process for example:

information about your professional experience, skills, CV, portfolio, links to profiles (e.g. LinkedIn),
information about your availability, compensation, project preferences,
collaboration data within the platform (task assignments, performance feedback, comments).

5.4. Billing data

data required to issue invoices (company name, address, VAT or other tax ID, organisation number),
payment information (amount, date, payment method used).

Payment card details (such as card numbers) are generally processed by an external payment provider. Crewilo only receives a limited amount of payment-related information, such as the last digits of the card, transaction identifiers, or payment tokens, which are needed to confirm that payment was successful.

5.5. Content uploaded to the platform

documents and files you upload (e.g. contracts, CVs, briefs, recruitment notes),
messages, comments, internal notes, form entries,
any other data you actively enter into Crewilo.

Please avoid uploading “special categories” of data (such as data about health, racial or ethnic origin, religious or philosophical beliefs, political opinions, etc.), unless it is strictly necessary and lawful.

5.6. Technical data (logs, analytics)

IP address, device and browser identifiers,
information about your operating system and device configuration,
event logs (e.g. log‑ins, settings changes, errors),
usage information (pages visited, clicks, time spent in the platform).

5.7. Cookie and similar technology data

identifiers from session and persistent cookies,
data used to remember your preferences,
information used for basic analytics and – where you consent – for marketing.

Details are provided in the Cookies section below and/or in a separate cookie policy.

5.8. Data from other sources

We may also receive data from:

external services we integrate with (e.g. SSO providers, HR / ATS tools, CRM systems – to the extent enabled by a Customer),
publicly available sources (e.g. company registers, professional profiles, for B2B use),
other users who add your data to the platform (e.g. a manager adding a team member, a recruiter adding a candidate).

Where required by law, we will inform you from which source we obtained your data and for which purposes we process it.

6. For what purposes and on what legal basis do we process data?

6.1. Performance of a contract (Art. 6(1)(b) GDPR)

In particular, we process data in order to:

create and manage your account,
provide Crewilo services (access to the platform, integrations and collaboration features),
handle service and technical support requests,
send essential service communications (system notifications, invoices, critical updates).

Without this data, using the platform may be impossible or significantly limited.

6.2. Compliance with legal obligations (Art. 6(1)(c) GDPR)

We process data where required by law, in particular to:

comply with tax and accounting obligations (e.g. retention of accounting documentation and invoices for statutory periods),
comply with data protection rules (e.g. responding to data subject requests, keeping records required by law).

6.3. Our legitimate interests (Art. 6(1)(f) GDPR)

We also process data based on our legitimate interests, such as:

ensuring the security and integrity of the platform (preventing abuse, detecting attacks, keeping security logs),
establishing, exercising or defending legal claims (including storing certain information about account activity for limitation periods),
performing basic business analytics and statistics (e.g. understanding which features are used most),
reasonable B2B contact with representatives of Customers (e.g. follow‑ups after a demo, sales communications within existing business relationships),
creating backups and conducting tests of our systems.

Whenever we rely on legitimate interest, we balance our interests against your rights and freedoms. Where your interests override ours, or where the law requires consent, we will not rely on legitimate interest.

6.4. Consent (Art. 6(1)(a) GDPR)

On the basis of your consent we may, for example:

send you newsletters and certain marketing communications, where a separate consent is required,
use non‑essential cookies (e.g. advanced analytics, remarketing),
publish testimonials, case studies or opinions including your name or image.

You can withdraw your consent at any time. This does not affect the lawfulness of processing based on consent before it was withdrawn.

7. Crewilo as controller and as processor

In line with typical SaaS practice, Crewilo may act both as a data controller and as a data processor (service provider), in different contexts.

7.1. Crewilo as data controller

We act as a controller, for example, with respect to:

data of people visiting the website and creating accounts,
contact data of representatives of our B2B Customers,
data we need for security, billing and accounting,
data used for our own analytics and marketing,
system logs and usage analytics.

7.2. Crewilo as data processor (service provider)

When a Customer uses Crewilo to process personal data of other individuals (e.g. employees, contractors, candidates, business contacts), we typically act as a data processor on behalf of that Customer.

In that case, the Customer is the data controller for such data.
We process that data only in accordance with our agreement with the Customer and the Customer’s documented instructions.
The details are set out in a separate Data Processing Agreement (DPA).

If you contact us about data that we process as a processor on behalf of a Customer, we may need to forward your request to that Customer and cooperate with them in handling it, as required by GDPR.

8. Do you have to provide your data?

Providing personal data is:

voluntary but necessary to create an account and use key features of the platform (without basic data we cannot provide the service),
required by law for certain data needed to meet our tax and accounting obligations (e.g. invoice details),
optional for other data (e.g. additional profile information, marketing consents). If you do not provide this data, some functionalities may not be available.

If you refuse to provide data that is necessary in a given situation, we may not be able to provide the service, enter into a contract, or respond to your inquiry.

9. Who do we share data with?

We do not sell your personal data. We may share it with the following categories of recipients:

IT and hosting providers – supplying server infrastructure, data storage, e‑mail services, backup and monitoring,
analytics and marketing tool providers – where such tools are enabled and in line with your choices and cookie settings,
payment service providers – processing online payments for the use of the platform,
business partners – if you use additional partner services or integrations and the transfer is necessary to provide them,
external advisors – such as law firms, tax advisors, auditors, to the extent necessary to provide advisory and support services,
public authorities – where required by law (e.g. tax authorities, law enforcement, courts).

Whenever we share data, we do so on the basis of appropriate contracts and only to the extent necessary for the specific purpose.

10. International data transfers

Norway is part of the EEA and is treated, for GDPR purposes, like an EU country providing an adequate level of personal data protection.

However, your data may also be transferred to countries outside the EEA (for example where a third‑party provider’s servers are located). In such cases:

we only use providers that offer an adequate level of protection under GDPR, and
we rely on mechanisms such as adequacy decisions, standard contractual clauses (SCCs) and, where necessary, additional safeguards (e.g. encryption, transfer impact assessments).

You can obtain more information about key transfers and applicable safeguards by contacting us at privacy@crewilo.com.

11. How long do we keep your data?

The retention period depends on the specific purpose:

User account / platform data – for as long as your account is active or our agreement with the Customer is in force, and thereafter for the period needed to secure or pursue legal claims (typically 3–5 years from the end of the relationship, unless a longer period is required by law).
Accounting and tax data – in line with Norwegian accounting and tax rules, we keep accounting documents (such as invoices and related records) for statutory retention periods.
Marketing data (newsletters, consents) – until you withdraw consent or object to processing, and afterwards for a limited period only to document when and how consent was given or withdrawn.
System and security logs – typically up to 12 months, unless a longer retention period is necessary to investigate an incident or defend against claims.
Correspondence – for the time needed to handle your request, and then for a period corresponding to applicable limitation periods.

After the relevant retention periods have expired, the data is deleted or anonymised (irreversibly transformed so that it can no longer be linked to an identifiable individual).

12. Your rights

In connection with our processing of your personal data, and within the limits set by GDPR, you have the following rights:

Right of access – to obtain confirmation as to whether we process your data and to receive a copy of such data.
Right to rectification – to have inaccurate data corrected and incomplete data completed.
Right to erasure (“right to be forgotten”) – to request deletion of your data, for example when the data is no longer necessary, you withdraw consent and there is no other legal basis, you successfully object, or the data has been processed unlawfully.
Right to restriction – e.g. for the time we verify your objection or your request to correct data.
Right to data portability – for data processed based on consent or contract by automated means, you may request it in a structured, commonly used and machine‑readable format and, where technically feasible, have it transmitted to another controller.
Right to object – to processing based on our legitimate interests (on grounds relating to your particular situation) and always to processing for direct marketing purposes (including profiling for such purposes).
Right to withdraw consent – where processing is based on your consent, you may withdraw it at any time.
Right to lodge a complaint – with a supervisory authority (see below).

To exercise your rights, contact us at privacy@crewilo.com. Before responding, we may need to ask for additional information to verify your identity.

13. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority, in particular:

Norwegian Data Protection Authority (Datatilsynet)
Postboks 458 Sentrum
0105 Oslo, Norway
phone: +47 22 39 69 00
e‑mail: postkasse@datatilsynet.no

You may also lodge a complaint with the data protection authority in the EU/EEA country where you normally live or work, or where the alleged infringement took place.

14. Cookies and similar technologies

Crewilo uses cookies and similar technologies (such as local storage) for the following purposes:

strictly necessary (technical) – to make the website and platform work (log‑in, session management, security),
functional – to remember your settings and preferences (e.g. language),
analytics – to help us understand how users interact with the platform so we can improve it,
marketing / advertising – to display or measure the effectiveness of our own promotions and, where allowed, other marketing activities.

You can manage cookies via your browser settings (blocking or deleting cookies) and through any cookie banner or preference centre we provide on the website. Disabling some types of cookies may affect your ability to use certain functionalities or reduce the quality of your experience with Crewilo.

15. Data security

We implement appropriate technical and organisational measures to protect your data, taking into account the nature of the processing and the associated risks. These measures include in particular:

encryption of the connection to the website and platform (HTTPS / TLS),
segregation of environments (production / test),
access control mechanisms (roles, permissions, logging of key events),
regular updates of software and security components,
backup and disaster‑recovery procedures,
limiting access to personal data to authorised persons who need it for their tasks,
training for staff and collaborators who may have access to personal data.

In the event of a personal data breach that may result in a risk to your rights and freedoms, we will take the steps required by law, including – where necessary – notifying the competent supervisory authority and informing affected individuals.

16. Children’s data

Crewilo is intended primarily for business users (B2B) and adults. We do not knowingly target children or knowingly collect children’s personal data for marketing purposes.

If you believe we are processing a child’s data unlawfully, please contact us so that we can investigate and, if necessary, delete such data.

17. Links and responsibility for data you provide

The Crewilo service may contain links to third‑party websites (e.g. integration partners, social networks, other tools).

We are not responsible for how such third parties process personal data. We encourage you to read their own privacy policies before providing them with your data.

If you enter into the platform personal data relating to other individuals (e.g. employees, contractors, candidates), you are responsible for:

having a proper legal basis to process and share that data with us,
providing those individuals with information required by law (e.g. about the controller, purposes, rights, recipients),
not entering data that goes beyond what is necessary for the use of the platform.

Crewilo provides technical tools, but we are not responsible for the scope and content of data that users decide to upload as part of their own business activities (this does not limit our obligations as a data processor under GDPR).

18. Changes to this Privacy Policy

Laws, technology and our services may change, so we may update this Policy from time to time.

When we make material changes, we will publish the updated Policy on crewilo.com and, where reasonably possible, inform users (e.g. via a notice in the dashboard, e‑mail or other communication channel).

The current version of this Policy is always available on our website and marked with an effective date. Your continued use of the platform after changes take effect will mean that you accept the updated rules to the extent permitted by law.

19. Contact

For any questions or requests related to personal data, please contact us at:

e‑mail: privacy@crewilo.com
postal address:
RM BAKLARZ INVEST
Vestsideveien 9E
3403 Lier, Norway
with the note “Data protection / Privacy”.

1. Who is the data controller?