PRIVACY INFORMATION

Last updated: May 30, 2026

1. GENERAL

This privacy policy explains which personal data we collect, why we process it, and which rights you have. It applies to: - visitors to our website and prospective customers (see section 3.1) - customers (admins) who use our software (see section 3.2) - employees / crew members whose data is processed through our software (see section 3.3) - business partners and suppliers (see section 3.4) - applicants (see section 3.5)

2. WHAT ARE PERSONAL DATA?

Personal data are information relating to natural persons whose identity is identified or identifiable, such as your name, contact details, working hours, invoicing data, or IP address.

3. HOW ARE YOUR PERSONAL DATA PROCESSED?

3.1 Processing of data of website visitors and prospective customers

We process personal data of website visitors on the following legal bases: - To safeguard our legitimate interests (Art. 6(1)(f) GDPR) - To ensure the technical operation and security of the website - To improve and optimize our online offering - To handle enquiries (Art. 6(1)(a) and (b) GDPR) when you contact us by email or phone - On the basis of consent (Art. 6(1)(a) GDPR) when you subscribe to our newsletter

Automatic collection of data ("server log files") When you visit our website, the following data are collected automatically: - IP address (anonymized) - Date and time of the request - Browser type and operating system - Domain name and access status - Referrer URL (website from which access occurred) These data are technically required to display the website correctly and to ensure its security.

Cookies and tracking technologies We use technically required cookies, local storage, and comparable technologies to provide the website and software securely and reliably. Required cookies and storage: These technologies are technically necessary for login, security, language settings, session management, cookie settings, and the provision of functions expressly requested by the user. They cannot be disabled. Depending on the function, the processing of personal data is based on contract performance (Art. 6(1)(b) GDPR) or our legitimate interests in security and technical operation (Art. 6(1)(f) GDPR). Under Austrian law, technically necessary storage of or access to information on your device does not require consent pursuant to Section 165(3) of the Austrian Telecommunications Act 2021 (TKG 2021); where German law applies, the corresponding exemption for strictly necessary storage or access under Section 25 of the German Telecommunications Digital Services Data Protection Act (TDDDG) applies. Analytics and product analytics cookies: - PostHog: we use PostHog to process pseudonymized usage statistics and product analytics events, such as page views, user interactions, technical device information, and error signals - This processing takes place only if you consent to analytics and product analytics cookies - The legal basis for data processing is your consent (Art. 6(1)(a) GDPR); the legal basis for storing or accessing non-essential information on your device is your consent under Section 165(3) TKG 2021 and, where German law applies, under Section 25 TDDDG - If you reject cookies or make no choice, we do not capture PostHog product analytics events - We do not use this data for advertising and do not carry out automated decision-making - You can withdraw your consent at any time via the cookie settings with effect for the future

Newsletter registration (personal data) If you subscribe to our newsletter, we process the following personal data: - your email address - optionally your name Legal basis: processing is based on your consent (Art. 6(1)(a) GDPR). You can withdraw your consent at any time via the unsubscribe link in every email. After unsubscribing, your data will be deleted within 30 days. We use Mailjet as a service provider for newsletter delivery.

External services on the website - Web fonts are self-hosted - No social media plugins are used

3.2 Processing of customer data (admins, production companies)

If you use our software as a customer, we process your data for contract performance (Art. 6(1)(b) GDPR): - creation of a user account - management of projects and crew data for personnel administration and payroll processing - billing and invoicing - sending emails for authentication purposes, such as account creation or password reset, via AWS Simple Email Service

To comply with legal obligations (Art. 6(1)(c) GDPR): - tax and retention obligations - social security law requirements

Categories of data: - email address, optional phone number, and access data such as password hash and account status - billing address and payment information - technical and function-related usage data within the software, such as the most recently selected project, language settings, login/session data, and security-relevant events

Recipients of data: - Hosting provider: Hetzner Online GmbH (Germany), for operation of our servers - Email service: Amazon Web Services (AWS SES), for authentication and system emails - SMS service: Twilio Inc., for transactional invitation and reminder SMS messages to crew members - Payment service providers where used for payment processing; we do not store full payment details ourselves

3.3 Processing of crew member data

The software is used by crew members to enable payroll processing and to record working time.

Purposes of processing: Contract performance (Art. 6(1)(b) GDPR): - management of working hours and compensation - provision of a platform for time tracking - sending invitation SMS messages for first-time sign-in via Twilio Legal obligation (Art. 6(1)(c) GDPR): - retention obligations for tax and social security purposes

Data collected: - name, email address, and phone number for identification, communication, and, where enabled by the Customer, display in a project-related contact list - working hours, breaks, compensation, and per diem information for payroll processing - comments on working hours (optional, for example to explain how overtime arose) - department and position for assignment and, where enabled by the Customer, display in a project-related contact list - documents such as passports or driving licenses for payroll processing and verification of data accuracy

Recipients of data: - Hosting provider: Hetzner Online GmbH (Germany), for operation of our servers - Email service: Amazon Web Services (AWS SES), for authentication and system emails - SMS service: Twilio Inc., for transactional invitation and reminder SMS messages to crew members

3.4 Processing of data of business partners and suppliers

We process personal data of suppliers and business partners: - for contract performance (Art. 6(1)(b) GDPR) - to manage supplier relationships - to handle payments and invoices - to comply with legal obligations (Art. 6(1)(c) GDPR)

Recipients of data: none

3.5 Processing of applicant data

If you apply to us, we process your data: - to initiate an employment relationship (Art. 6(1)(b) GDPR) - if you would like to remain in our candidate pool, on the basis of your consent (Art. 6(1)(a) GDPR) - to comply with employment law obligations (Art. 6(1)(c) GDPR)

Deletion: under Austrian law, applicant data are generally deleted after 7 months if no employment relationship is established. Where German law applies, applicant data are generally deleted 6 months after completion of the application process unless longer retention is necessary for the establishment, exercise, or defense of legal claims, due to statutory obligations, or based on consent to longer retention in a talent pool.

3.6 SMS Privacy

crewser may send transactional SMS messages to crew members who have provided consent through a production company's crew onboarding process. These messages may include project invitation links, secure access/login links, time-tracking reminders, and timesheet submission reminders.

crewser does not sell, rent, or share mobile phone numbers, SMS opt-in data, or SMS consent records with third parties or affiliates for their own marketing or promotional purposes.

Text messaging originator opt-in data and consent will not be shared with any third parties, except as necessary to provide and operate the SMS messaging service, comply with law, prevent fraud or abuse, or support the crewser service requested by the user or production company.

Message frequency varies based on project activity. Msg & data rates may apply. Crew members can opt out of SMS messages at any time by contacting support@crewser.app. Each crewser SMS message contains the notice "Unsubscribe at support@crewser.app".

For more information about SMS consent requirements, see https://crewser.app/en/sms-consent.

3.7 Processors, subprocessors, and third-country transfers

Where we process personal data on behalf of our customers, we act as a processor within the meaning of Art. 28 GDPR. The relevant customer remains the controller for project, crew, working-time, payroll, and document data processed in crewser. For our own purposes, such as contract conclusion, billing, website operation, security, and our own customer communication, we act as controller.

We use service providers and subprocessors only where necessary for the operation, security, communication, payment processing, or improvement of crewser. Relevant current categories include in particular: - Hosting and infrastructure: Hetzner Online GmbH, Germany - Email delivery for authentication and system emails: Amazon Web Services, where used - Newsletter delivery: Mailjet, where newsletter features are used - Transactional SMS: Twilio, where SMS features are used - Product analytics: PostHog, only after consent to analytics and product analytics cookies - Payment processing: external payment service providers, where used for the relevant payment

Where service providers are located outside the EU/EEA or where access from third countries may occur, we ensure that a lawful basis under the GDPR is in place, in particular an adequacy decision, EU Standard Contractual Clauses, additional safeguards, or another permitted legal basis.

Customers receive information about material subprocessors and changes with reasonable advance notice by email, in the software, or through a publicly accessible list. Customers may object for an important data protection reason; further details are set out in the data processing provisions of the Terms or in a separate data processing agreement.

3.8 International use and country-specific requirements

crewser is operated from Austria. The processing of personal data is governed in particular by the GDPR and, supplementarily, applicable Austrian data protection law. If crewser is used in other countries, additional local obligations may apply, in particular in employment, tax, retention, telecommunications, and employee data protection law. The relevant customer remains responsible for ensuring that its use of crewser and its processing of project and crew data comply with the local obligations applicable to it.

Where crewser is made available in further countries in a targeted way, supplementary country-specific privacy notices, contractual addenda, or consent language may be provided.

4. RETENTION PERIOD

We store personal data only for as long as necessary for the relevant purposes, for as long as statutory retention duties apply, or for as long as claims may need to be asserted, exercised, or defended. After that, we delete or anonymize the data unless further processing is legally permitted or required.

Customer and admin account data are generally stored for the duration of the contractual relationship. After that, we retain data required for settlement, documentation, and legal enforcement for the applicable limitation periods. Payment, invoice, and accounting records are generally retained for seven years under Austrian law. Where German law applies, retention periods of six, eight, or ten years may apply depending on the document type under the German Commercial Code (HGB) and Fiscal Code (AO), for example for commercial and business letters, accounting vouchers, invoices, books, and annual financial statements.

Project, crew, working-time, payroll, and document data that we process for customers are generally stored according to the instructions of the relevant customer. The customer decides, within the limits of applicable legal obligations, on deletion, export, and retention. After the end of the contract, we delete or anonymize these data after a reasonable technical wind-down period unless statutory duties or legitimate evidentiary interests require retention.

For projects with an international connection, additional local retention and evidence obligations may apply. Where the data are customer project, crew, working-time, payroll, or document data, the customer must review those local obligations and provide us with corresponding instructions.

SMS delivery information, opt-in/opt-out information, and evidence relating to transactional SMS are stored for as long as necessary for message delivery, abuse prevention, unsubscribe management, evidence to network operators or authorities, and the defense of claims.

Server and security logs are stored only for as long as necessary for technical operation, security, and error analysis; security incidents may require longer retention. Newsletter data are deleted no later than 30 days after unsubscribe unless statutory duties require retention. Applicant data are generally deleted after 7 months under Austrian law and, where German law applies, generally after 6 months following completion of the application process unless longer retention is permitted or required. Backups are overwritten as part of our technical backup cycles and are used only for restoration, security, or evidentiary purposes.

5. DATA SECURITY

Your personal data are protected by appropriate organizational and technical measures. These measures are aimed in particular at protecting personal data transmitted, stored, or otherwise processed against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

6. RIGHTS OF DATA SUBJECTS

You have the right of access to personal data concerning you (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), notification regarding these processing activities (Art. 19 GDPR), data portability (Art. 20 GDPR), and the right to object to processing based on our legitimate interests (Art. 21 GDPR).

If we process your data on the basis of your consent, you have the right to withdraw that consent at any time by email to support@crewser.app or by post. This does not affect the lawfulness of processing carried out before the withdrawal (Art. 7(3) GDPR).

You also have the right to lodge a complaint with the Austrian Data Protection Authority or with another supervisory authority in the EU, especially at your place of residence or work. For Germany, the competent state data protection authority may be responsible depending on the relevant federal state; in Luxembourg, the Commission nationale pour la protection des données (CNPD); in Slovenia, the Information Commissioner (Informacijski pooblaščenec); and in Spain, the Agencia Española de Protección de Datos (AEPD). For the United Kingdom, the Information Commissioner's Office (ICO) is generally responsible. Please also inform us of any changes to your personal data.

If, despite our obligation to process your data lawfully, a violation of your rights should unexpectedly occur, please contact us by post or by email at support@crewser.app so that we can understand and address your concerns. If you have further questions about the processing of your data, you can also write to Cinework Software GmbH, Weyringergasse 19/2/10, 1040 Vienna.

7. UPDATING THIS PRIVACY INFORMATION

It may become necessary to amend this privacy information due to the continued development of our website and offers or due to changed legal or regulatory requirements. The current version of this privacy information can always be accessed on this website.