Legal
Privacy Policy
Last updated: 15 May 2026.
This is the authoritative privacy policy for the Crew service at crew.driveops.uk and the captain application at app.driveops.uk. The same policy is published at driveops.uk/privacy and crew.driveops.uk/privacy.
1. Who we are
Crew is a service of Tolmon Ltd, a company registered in England and Wales (Companies House number 14468414), with its registered office in London. Tolmon Ltd is the data controller for all personal data processed through Crew.
You can contact us at info@tolmon.com for any privacy-related question. If you want to exercise one of your rights under UK GDPR, the section "How to exercise your rights" below tells you how.
2. What data we collect
The personal data we hold on a Crew member falls into the following categories:
- Account data: name, email address, password hash, and account role (driver or captain).
- Profile data: display name, short bio, location (city and postcode area), driving licence categories, languages spoken, hourly rate range, and a profile photo if you choose to upload one.
- Verification documents: driving licence (DVLA), insurance, enhanced DBS where applicable, and vehicle MOT. You upload these yourself; they are stored in Amazon S3 in the eu-west-2 (London) region.
- Availability data: the dates and windows you publish as available, unavailable, or tentative.
- Messages: the content of messages you exchange with other Crew members through the in-app messaging service.
- Ratings and reviews: the star ratings and free-text reviews you give and receive after working on a production.
- Skills: the skill and certification tags you add to your profile from the canonical Crew taxonomy.
- Invitation history: invitations you send (as a captain) or receive (as a driver), including the production context and the optional message attached.
- Subscription and billing data: handled by Stripe. We store references (your Stripe customer ID and subscription ID) and a cached status; we never see or store card numbers, CVCs, or cardholder addresses on our servers.
- Notification preferences: which transactional and digest emails you have opted into, and a server-side queue of pending or recently sent messages.
3. Why we collect it (lawful bases)
We rely on the following lawful bases under UK GDPR Article 6:
- Contract performance. Crew is a paid service. We need account data, profile data, and the messaging and ratings infrastructure to provide it.
- Consent. Cross-production visibility, where captains outside your current production can see your profile in search, is opt-in and recorded in the
drivers_crew_consenttable. You can withdraw this consent at any time from your settings without deleting your account. - Legitimate interests. We rely on legitimate interests for features like search ranking, abuse prevention, and the rating signals that other members use to decide whether to work with you.
- Legal obligation. Subscription records held by Stripe and reconciled to our systems are kept as long as required by HMRC for tax purposes.
5. International transfers
The primary processing region is the United Kingdom, with European Union as the secondary location:
- Verification documents are held in the AWS London region (eu-west-2).
- Resend may process email content in the EU or the US under appropriate Standard Contractual Clauses.
- Stripe may process transaction data in the EU or the US under appropriate Standard Contractual Clauses.
6. How long we keep it
- Account and profile data: while your account is active, plus a 30-day soft-delete window in which an accidental deletion can be reversed by support.
- Messages: kept while either participant has an account. When one participant deletes their Crew profile, their messages stay in the other participant's conversation history with the body replaced by "[message deleted]" and the sender attribution removed.
- Ratings: the rating row is kept indefinitely as part of the Crew trust signal. When a subject deletes their profile, their name is severed from the row and the free-text review and reply are blanked.
- Verification documents: kept until the verified status expires or until you delete your Crew profile, whichever is sooner. Deletion of the underlying S3 object is queued asynchronously after the database write commits.
- Subscription records: kept for as long as required by UK tax law (currently 7 years from the end of the relevant accounting period).
- Notification queue: pending and recently sent rows are purged after 90 days.
7. Your rights
Under UK GDPR you have the following rights in relation to your personal data:
- Right of access: request a copy of your data.
- Right to rectification: correct inaccurate or incomplete data.
- Right to erasure: delete your Crew profile or your full account.
- Right to object or restrict processing for certain purposes.
- Right to data portability: receive your data in a portable format.
- Right to withdraw consent: in particular, cross-production visibility can be turned off in your settings without deleting your account.
- Right to complain to the Information Commissioner's Office at https://ico.org.uk if you believe your rights have not been respected.
8. How to exercise your rights
For most rights you can act yourself from inside the app:
- Cross-production visibility: toggle in /settings.
- Verification documents: remove from /verifications.
- Crew profile deletion: POST to /api/crew/me/delete via the in-app deletion flow. This removes all Crew-specific data (profile, messages you sent are redacted, ratings about you are anonymised, verification documents are erased) but leaves any DriveOps captain or driver account you may also hold intact.
- Full account deletion: DELETE on /api/auth/me via the same flow. This soft-deletes the underlying user record in addition to the Crew scrub above.
For everything else, including data access and portability requests, email info@tolmon.com with enough detail to identify your account. We respond within 30 days; complex requests may be extended once by a further 60 days, and we will tell you if that applies.
9. Security
We apply the following controls:
- TLS for all data in transit.
- Encryption at rest for verification documents in S3.
- Bcrypt with a current cost factor of 12 for password hashes.
- Short-lived JWTs for session access, paired with rotating refresh tokens that can be revoked centrally on logout, password reset, or suspected compromise.
- Card data is held only by Stripe under PCI DSS; we never receive a card number on our servers.
10. Cookies and tracking
- app.driveops.uk: a small set of first-party
httpOnlycookies for session management. - crew.driveops.uk: session tokens are held in browser local storage rather than cookies.
- We do not use third-party tracking cookies and we do not place advertising cookies.
- Plausible Analytics: on crew.driveops.uk we use Plausible, a cookieless and privacy-first analytics tool, only after you accept it through the cookie banner or enable it on /cookie-preferences. Plausible does not set cookies and does not track you across sites. Your choice is stored locally in your browser under
crew:cookie_consent; clear that key (or your site data) to be asked again. You can change your mind at any time from /cookie-preferences, linked from the site footer.
11. Children
Crew is not directed at people under the age of 18 and we do not knowingly collect data about anyone under 18. If you believe a child has signed up to Crew, please contact info@tolmon.com and we will delete the account.
12. Changes to this policy
We may update this policy from time to time. Material changes will be notified to all current Crew members by email at least 30 days before they take effect. Non-material changes (clarifying wording, fixing typos) take effect on publication.
Tolmon Ltd, Companies House number 14468414. Questions about this policy: info@tolmon.com.