Privacy Policy

Last updated: May 2026

1. Who we are

CrewSwap is a UK-based SaaS platform that helps airline crew members find compatible duty swaps and check FTL legality. For the purposes of GDPR, the data controller is CrewSwap. Contact us at privacy@crewswap.co.uk.


2. Data we collect
  • Account information: name, email address, password (hashed).
  • Airline & role information: airline, home base, crew type (flight crew / cabin crew), rank, and aircraft type. You provide this during registration or in your profile.
  • Roster data: duty schedules imported via ICS URL, ICS file upload, PDF upload, or manual entry. This includes flight numbers, airport codes, duty start/end times, and raw duty summaries.
  • Swap preferences: which of your duties are offered for swap, notes you attach to offers, and what you are looking for in return.
  • Payment information: subscription status. We do not store card numbers — payments are processed by Stripe (see section 5).
  • Usage data: pages visited, browser type, IP address (collected via standard server logs and Google Analytics).
  • Cookies: see our Cookie Policy.

3. How we use your data
  • To create and manage your account.
  • To display your roster in the dashboard and strip view.
  • To match you with compatible crew at your base and airline so you can find suitable swaps.
  • To run FTL compliance checks (ORO.FTL) on proposed duty swaps.
  • To send transactional emails (account confirmation, subscription receipts).
  • To process subscription payments via Stripe.
  • To improve the platform using aggregated, anonymised analytics data.

4. Legal basis for processing
  • Contract performance — processing necessary to provide the service you signed up for.
  • Legitimate interests — analytics, fraud prevention, platform security.
  • Consent — non-essential cookies (you can withdraw consent at any time via the Cookie Policy page).

5. Third parties
  • Stripe — payment processing. Your payment data is held by Stripe under their own privacy policy (stripe.com/gb/privacy).
  • Railway — cloud hosting. Your data is stored on Railway's infrastructure in the EU/UK region.
  • Google Analytics — anonymised usage analytics. Google may transfer data outside the UK/EEA under Standard Contractual Clauses.

We do not sell your personal data to any third party.


6. Data retention
  • Account and roster data is kept for as long as your account is active.
  • On account deletion, all personal data is permanently erased within 30 days.
  • Anonymised, aggregated data (e.g. route popularity statistics) may be retained indefinitely.

7. Your rights (UK GDPR)

You have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data ("right to be forgotten").
  • Portability — receive your data in a machine-readable format.
  • Restriction — ask us to limit processing in certain circumstances.
  • Object — object to processing based on legitimate interests.

To exercise any of these rights, email privacy@crewswap.co.uk. We will respond within one calendar month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.


8. Security

We use HTTPS for all data in transit. Passwords are hashed using Django's PBKDF2 algorithm. Access to production data is restricted to authorised personnel only.


9. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email or a banner on the site. Continued use of CrewSwap after notification constitutes acceptance.


10. Contact

Email: privacy@crewswap.co.uk