CrewVisa.App

Privacy Policy

Last updated 2026-05-07 · v1.2 draft · covers POPIA (South Africa), GDPR (EU/EEA), UK GDPR, CCPA / CPRA (California), and equivalent rights elsewhere

This policy explains what personal data CrewVisa collects, why we collect it, how we look after it, and what rights you have. CrewVisa is operated by HelmWise Pty Ltd. We are the “data controller” (and the “responsible party” under South African law) for the data described below. This policy forms part of our Terms of Service. The plain-English summary at Settings → Privacy & data → Data Management says the same thing in shorter words; if the two ever appear to conflict, this policy is the one that wins.

1. Who controls your data

HelmWise Pty Ltd (operating CrewVisa) is the controller.

  • Registered office: 12 Hall Road, Cape Town, South Africa 8005
  • CIPC company registration number: K2026258092
  • Contact email: hello@crewvisa.app

The contact above is the right address for any privacy question, and serves as the contact for our Information Officer under the Protection of Personal Information Act, 2013 (POPIA).

2. The data we collect

Account data, from you

  • email address;
  • password (we store it as a one-way hash; we never see the plain text);
  • first name;
  • position on board (for example, deckhand, engineer, captain);
  • nationality and country of residence (optional).

Trip data, from your use of the app

  • type of movement (entry or exit);
  • date and country;
  • optional free-text note;
  • optional proof photo (image of a passport stamp, sea-time letter, or similar);
  • optional proof label.

Document data (CrewVisa Pro)

  • PDF or image files you upload to your wallet (your contract, travel letter, and visa letter);
  • filename, file size, and mime type;
  • an optional vessel label that you assign;
  • the date the document was added.

The contents of these documents are not read by us, by automated systems, or by any third party.

Authentication and security data

  • session tokens that keep you signed in;
  • device identifiers needed to bind a session to your device;
  • a locally-stored, hashed PIN if you enable PIN unlock for sensitive documents;
  • a flag indicating that you have enabled biometric unlock.

About biometrics. CrewVisa uses your device’s built-in biometric authentication (Face ID or Touch ID on iOS; the equivalent on Android). The biometric template is managed by your operating system inside its secure enclave. CrewVisa never sees, receives, or stores your biometric data. All we hold is a flag that says “biometric unlock is enabled” so we know to ask the OS to authenticate you.

About the PIN. If you set a PIN as a fallback, the PIN is hashed locally on your device. The hash never leaves the device. We cannot recover or reverse it.

Anonymous app-usage data

  • which screens you view and which buttons you tap;
  • aggregate device information (operating system, app version);
  • crash and performance information from your device’s native logs.

This data is not linked to your name, your email, or the contents of your documents. It is anonymous.

Communications data

  • the content of any feedback message you send through the app;
  • the email address you used to sign up, so that we can reply.

Subscription data

If you subscribe to CrewVisa Pro, the App Store or Google Play handles your payment. We never see your card number or full billing details. We receive only your subscription status (active, cancelled, expired) so we can unlock the right features.

What we do not collect

  • your location;
  • your contacts;
  • your microphone or calendar;
  • your camera, beyond the moment you actively snap a stamp photo or upload a document — never in the background;
  • any data from a third-party advertising network;
  • any cross-app or cross-site tracking identifier.

3. Why we collect it, and the legal basis under GDPR

DataPurposeLegal basis (GDPR)
Account data, trip data, document dataTo provide the service you signed up forContract (Article 6(1)(b))
Authentication and security dataTo keep your account secureLegitimate interest (Article 6(1)(f)) and legal obligation
Subscription dataTo deliver the Pro features you paid for and meet our tax/accounting obligationsContract (Article 6(1)(b)) and legal obligation (Article 6(1)(c))
Anonymous app-usage dataTo understand how the app is used and improve itLegitimate interest (Article 6(1)(f))
Communications data (feedback)To reply to youLegitimate interest (Article 6(1)(f))

We do not rely on consent to use the app, and we do not use your data for advertising or for any purpose unrelated to those above. If we ever introduce a feature that requires consent (for example, marketing emails), we will ask you separately and you can refuse without losing access to the service.

4. Where your data is stored, and international transfers

HelmWise Pty Ltd is established in South Africa, but your account, your trips, and the documents in your wallet are stored on infrastructure located in the European Union (Ireland). Outbound email (account verification, password recovery, replies to feedback) is sent through an email service provider in the European Union.

Anonymous app-usage data is processed by an analytics provider with infrastructure in the United States. This data is anonymous and does not contain your name, your email address, or the contents of your documents.

Because we are a South African controller using EU-based storage, your personal information crosses borders. Under POPIA Section 72, we are permitted to transfer personal information out of South Africa where the recipient is subject to a law, binding corporate rules, or a binding agreement that provides protection substantially similar to POPIA. The European Union’s GDPR provides such protection. When data is transferred outside the European Economic Area or the United Kingdom (for example, to our analytics provider in the United States), we rely on the European Commission’s Standard Contractual Clauses or, for transfers to the United States, the EU–US Data Privacy Framework where applicable, as the legal mechanism for the transfer.

For the current list of service providers and where they operate, see our Sub-processors page.

5. How long we keep it

  • Account data and content: for as long as your account exists, then up to thirty days for backup expiry, after which it is deleted.
  • Anonymous app-usage data: up to twelve months from the date it is collected.
  • Feedback emails and support tickets: until the conversation is closed, then archived for up to twenty-four months for our records.
  • Financial records (Pro purchases): kept for as long as required by South African tax and company law (currently five years under SARS).

6. Who we share it with

We share personal data only with the service providers we use to run the service. They process your data only on our instructions, and only for the purposes described in this policy. They are contractually bound to GDPR-equivalent data-protection standards.

The current list of these providers is at crewvisa.app/sub-processors and is also available inside the app under Settings → Privacy & data → Data Management. If we add or change a sub-processor in a way that affects your data, we will notify you in the app or by email at least thirty days in advance, unless we need to act faster for security reasons.

We do not sell, rent, lend, or otherwise share personal data with brokers, advertisers, marketing networks, or AI training pipelines. We never have, and we never will.

We may disclose personal data if we are legally compelled to do so by a valid order from a competent authority. Where we are legally permitted to, we will tell you before we comply, so that you can challenge the order if you wish.

Sharing inside the service

Where you choose to share data with another user inside CrewVisa (for example, with a vessel or a captain through Handover), the receiving user becomes responsible for handling that data appropriately. We will tell you on the share screen exactly what fields will be shared before you confirm. You can stop sharing at any time.

7. Your rights under POPIA (South Africa)

If you are in South Africa, the Protection of Personal Information Act, 2013 (POPIA) gives you the following rights:

  • Access — ask us to confirm whether we hold personal information about you and to give you a copy.
  • Correction — ask us to correct or update information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
  • Deletion or destruction — ask us to delete or destroy personal information we are no longer authorised to retain. You can do this yourself in the app from Settings → Account → Delete account.
  • Object to processing — object to processing on reasonable grounds, including where we rely on legitimate interest.
  • Lodge a complaint — with the Information Regulator of South Africa (inforegulator.org.za).

To exercise any of these rights, email hello@crewvisa.app. We will respond within a reasonable time and at no cost for ordinary requests.

8. Your rights under the GDPR and UK GDPR

If you are in the European Union, the European Economic Area, or the United Kingdom, you have the following rights:

  • Access — ask us for a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data. You can do this yourself in the app from Settings → Account → Delete account.
  • Restriction — ask us to stop processing your data while a question about it is resolved.
  • Portability — ask us for the data you gave us in a machine-readable format. You can export your trips yourself from Settings → Account → Export my trips.
  • Objection — object to any processing we carry out on the basis of legitimate interest.
  • Withdraw consent — where we ever rely on consent, you can withdraw it at any time without affecting the lawfulness of earlier processing.
  • Lodge a complaint — with your local data-protection authority. In Ireland that is the Data Protection Commission (dataprotection.ie); in the UK that is the Information Commissioner’s Office (ico.org.uk); for other EU/EEA countries, see your national authority.

To exercise any of these rights, email hello@crewvisa.app. We will respond within one calendar month, and there is no fee for ordinary requests.

9. Your rights under the CCPA / CPRA (California)

If you are a California resident, you have the right to:

  • know what personal information we collect about you and how we use it;
  • access a copy of that information;
  • request deletion of that information;
  • correct inaccurate information;
  • limit the use and disclosure of sensitive personal information;
  • opt out of the “sale” or “sharing” of personal information;
  • not be discriminated against for exercising any of these rights.

We do not sell or share personal information as those terms are defined under the CCPA / CPRA, and we have not done so in the preceding twelve months. If our practices ever change, you will be able to opt out by emailing hello@crewvisa.app.

You may make any of the requests above by emailing hello@crewvisa.app or by deleting your account from Settings → Account.

Categories of personal information we collect (California “Notice at Collection”)

Under the CCPA / CPRA, we are required to tell you which statutory categories of personal information we collect, why we collect each one, and how long we keep it. The table below maps the data described in section 2 of this policy to those categories.

CCPA categoryExamples in CrewVisaPurposeRetention
IdentifiersEmail address, first name, account IDAccount creation and sign-inWhile your account is active, then up to 30 days
Customer recordsPosition on board, nationality, country of residenceProfile, vessel pairingWhile your account is active, then up to 30 days
Commercial informationCrewVisa Pro subscription statusDeliver Pro featuresWhile your account is active; financial records up to 7 years
Internet or network activityAnonymous app-usage events, screens viewed, buttons tappedImprove the appUp to 12 months
Geolocation dataNone — we do not collect your location
Sensory dataStamp photos and uploaded documents that you choose to addProvide the wallet and proof-photo featuresWhile your account is active, then up to 30 days
Professional / employment informationPosition on board, optional vessel labelProfileWhile your account is active, then up to 30 days
Sensitive personal informationAccount credentials (hashed password, hashed PIN); the contents of documents you uploadSign-in, secure storageWhile your account is active, then up to 30 days

We do not collect biometric identifiers, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, sexual-orientation data, or health data. We do not infer characteristics about you from the data we hold.

10. Rights elsewhere in the world

If you live somewhere not covered above (for example, Brazil under the LGPD, Canada under PIPEDA, Australia under the Privacy Act), the same set of rights generally applies under your local law. We honour them on the same terms as the rights described above. Email hello@crewvisa.app with your request.

11. Cookies and similar technologies

The CrewVisa website (crewvisa.app) uses cookies that are strictly necessary to keep you signed in. We do not use advertising cookies or cross-site tracking. The mobile app uses the device’s native secure storage rather than cookies for the same purpose.

12. Children

CrewVisa is not aimed at children under the age of sixteen. We do not knowingly collect personal data from anyone under that age. If you believe we have, contact hello@crewvisa.app and we will delete it.

13. Automated decision-making and profiling

We do not carry out any automated decision-making that produces legal effects for you, and we do not engage in profiling.

14. Security

We protect your data with industry-standard measures: encryption in transit (HTTPS / TLS), encryption at rest at the storage layer, row-level security so that one user’s data is never visible to another, and biometric or PIN unlock for sensitive documents. We restrict internal access to those who need it for support, and require multi-factor authentication for any administrative access. Despite this, no system is perfectly secure; we cannot guarantee absolute security, and you should keep your password safe.

If we ever discover a personal-information breach that is likely to result in a risk to your rights, we will notify the Information Regulator (South Africa) and any other relevant data-protection authority as soon as reasonably possible after becoming aware of it, and, where the risk is high, we will tell you directly without undue delay.

15. Changes to this policy

We will update this policy when our practices change. The “Last updated” line at the top of this page tells you when. For material changes, we will notify you in the app or by email before the change takes effect.

16. Apple privacy notice (iOS users only)

If you use CrewVisa from an iPhone or iPad, the App Store privacy label for the app summarises what personal data is collected and how it is used. The label is intended as a summary; this policy is the complete description and prevails in the case of any conflict between the two.

17. Google Play privacy notice (Android users only)

If you use CrewVisa from an Android phone or tablet, the Google Play Data Safety section for the app summarises what personal data is collected, what is shared, and the security practices that apply. The Data Safety section is intended as a summary; this policy is the complete description and prevails in the case of any conflict between the two.

18. How to contact us

HelmWise Pty Ltd · 12 Hall Road, Cape Town, South Africa 8005 · hello@crewvisa.app

v1.2 draft 2026-05-07. Subject to legal review before public app-store submission.