Privacy Policy

Last updated: January 6, 2025

Introduction

Crew Champ ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our employee engagement and gamification platform (the "Service").

We are committed to compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws. By using our Service, you agree to the collection and use of information in accordance with this policy.

Data Controller

For the purposes of GDPR, Crew Champ acts as both a data controller and data processor:

  • Data Controller: We determine the purposes and means of processing personal data for our own operations (e.g., account management, billing).
  • Data Processor: We process data on behalf of organizations ("Customers") who use our platform to engage their employees and participants.

If you are an employee or participant using Crew Champ through your organization, your employer is the data controller for your employment-related data, and we act as their data processor.

Information We Collect

Account Information

  • Name (display name, first name, last name)
  • Email address
  • Phone number (in E.164 international format)
  • Profile photo/avatar
  • Date of birth (optional)
  • Job title (optional)
  • Organization-specific unique identifier

Authentication Data

  • Encrypted password (bcrypt hashed)
  • OAuth tokens (when using Google or Microsoft sign-in)
  • Session tokens and refresh tokens
  • Email and phone verification status

Activity and Engagement Data

  • Game participation records and scores
  • Activity logs and completion timestamps
  • Experience points (XP) and level progression
  • Badges and achievements earned
  • Virtual chip transactions
  • Leaderboard rankings
  • Partnership connections with other users

Technical Data

  • IP address
  • Browser type and version
  • Device information (for mobile apps)
  • Push notification tokens
  • Last login timestamp
  • Locale/language preferences

Communication Preferences

  • Notification settings (inbox, contacts, weekly summary)
  • Newsletter and product update preferences
  • Quiet hours settings

Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

Contract Performance (Article 6(1)(b))

Processing necessary to provide our Service, including account creation, authentication, game participation, and score tracking.

Consent (Article 6(1)(a))

Processing based on your explicit consent, such as marketing communications, newsletters, and optional data collection (e.g., date of birth).

Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate interests, including service improvement, security monitoring, and fraud prevention, balanced against your rights and freedoms.

Legal Obligation (Article 6(1)(c))

Processing required to comply with legal obligations, such as tax records for billing and responding to lawful requests from authorities.

How We Use Your Information

  • Service Delivery: To provide, maintain, and improve our gamification platform, including account management, game mechanics, and leaderboards.
  • Authentication: To verify your identity and secure your account through password protection, OAuth, and session management.
  • Communications: To send transactional notifications (password resets, game updates) and, with your consent, marketing communications.
  • Analytics: To understand how our Service is used and to improve user experience (we use Sentry for error tracking).
  • Support: To respond to your inquiries and provide customer support.
  • Billing: To process payments and manage subscriptions for organization accounts.

Third-Party Service Providers

We share your data with trusted third-party service providers who assist us in operating our Service. All providers are contractually obligated to protect your data and process it only as instructed:

Email Services

  • SendGrid (Twilio): For transactional and marketing emails.

SMS Services

Push Notifications

  • Expo Push Service: For mobile app notifications (iOS/Android).

Real-Time Messaging

Payment Processing

  • Stripe: For subscription billing and payments (organization accounts only).

Cloud Storage

Error Monitoring

Authentication Providers

  • Google OAuth: For "Sign in with Google" functionality.
  • Microsoft Entra ID: For "Sign in with Microsoft" functionality.

Data Retention

We retain your personal data for as long as necessary to:

  • Provide our Service to you and your organization
  • Comply with legal obligations
  • Resolve disputes and enforce agreements

Retention Periods

  • Active Accounts: Data is retained while your account is active.
  • Deleted Accounts: Upon account deletion, personal data is soft-deleted (marked with a deletion timestamp) and may be retained for up to 90 days for recovery purposes before permanent deletion.
  • Session Data: Refresh tokens expire after 7 days by default.
  • Billing Records: Financial records are retained for 7 years to comply with tax and accounting requirements.
  • Activity Logs: Game activity and audit logs may be retained for the duration of the organization's subscription plus 1 year.

Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights:

Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you.

Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data. You can update most information directly in your account settings.

Right to Erasure (Article 17)

You have the right to request deletion of your personal data ("right to be forgotten"). You can delete your account through the settings, which will remove your personal data from our active systems.

Right to Restrict Processing (Article 18)

You have the right to request restriction of processing of your personal data in certain circumstances.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.

Right to Object (Article 21)

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent (Article 7)

Where processing is based on consent, you have the right to withdraw your consent at any time. This does not affect the lawfulness of processing before withdrawal.

Exercising Your Rights

To exercise any of these rights, please contact us at privacy@crewchamp.com. We will respond to your request within 30 days. You also have the right to lodge a complaint with a supervisory authority.

Your Rights Under CCPA (California Residents)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

  • Right to Know: You can request information about the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You can request deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out: We do not sell personal information. If this changes, you will have the right to opt out.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption: All data is encrypted in transit using TLS 1.2+ and at rest where applicable.
  • Password Security: Passwords are hashed using bcrypt with appropriate cost factors.
  • Access Controls: Role-based access controls limit data access to authorized personnel only.
  • Session Management: Secure session handling with expiring tokens and refresh mechanisms.
  • Infrastructure: Our services are hosted on secure, enterprise-grade cloud infrastructure.

International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. When we transfer data outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data processing agreements with all third-party service providers
  • Adequacy decisions where applicable

Cookies and Session Management

We use minimal cookies and similar technologies for essential functionality:

  • Authentication Cookies: Session cookies to keep you logged in and secure your session.
  • Security Cookies: To protect against cross-site request forgery and other security threats.

We do not use tracking cookies or third-party advertising cookies. Our mobile apps use secure token storage rather than cookies.

Children's Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us at privacy@crewchamp.com, and we will take steps to delete such information.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last updated" date at the top
  • Sending an email notification for significant changes (if you have opted in)

We encourage you to review this Privacy Policy periodically for any changes.

Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

For GDPR-related requests, please include "GDPR Request" in your email subject line, and we will respond within 30 days.


© 2026 Crew Champ. All rights reserved.