Privacy Policy

Maritime Delivery — operated by Nordic Crew Worldwide, S.L. · Version 4 · Last updated: June 2026 · In accordance with GDPR (EU) 2016/679, LOPDGDD (Spain) and ePrivacy Directive 2002/58/EC

1. Data Controller

Nordic Crew Worldwide, S.L. ("NCW") is the data controller for all personal data collected through Maritime Delivery. Contact: hello@nordiccrewworldwide.com

NCW has assessed its DPO obligation under Article 37 GDPR. As NCW does not fall within a mandatory DPO sector under Spanish law, a formal DPO has not been appointed. Our designated privacy contact will respond to all rights requests and supervisory authority enquiries.

2. What Data We Collect and Why

2.1 Crew Members

  • Identity data: full name, date of birth, nationality, passport or national ID number, photo ID document
  • Contact data: email address, phone number, country of residence
  • Professional data: certifications, STCW endorsements, sea service records, qualifications, crew level, years of experience
  • Platform activity: applications, assignment history, messages, login events
  • Technical data: IP address, browser type, session data, device identifiers

Identity documents — dual purpose

NCW collects photo ID documents for two distinct purposes: (1) certification verification — to confirm identity before granting access to assignments; and (2) crime prevention and legal defence — to enable identification in the event of vessel theft, fraud, criminal damage, or other unlawful conduct. Retention periods vary — see Section 4.

2.2 Clients

  • Identity data: name, company name, company registration number
  • Contact data: email, phone, country
  • Vessel data: vessel name, type, flag state, registration documents
  • Financial data: invoice records, payment history

2.3 Automatically collected

IP addresses, browser type, pages visited, session duration — processed under legitimate interests (Art. 6(1)(f) GDPR) for security and fraud prevention. LIA available on request.

3. Legal Bases for Processing

  • Contract performance (Art. 6(1)(b)): Account creation, matching profiles with listings, payment processing via Stripe.
  • Legitimate interests (Art. 6(1)(f)): Identity verification, fraud prevention, crime prevention (including vessel theft), platform security. For identity documents: protection of Clients and third parties from unverified individuals accessing high-value maritime assets. LIA available on request.
  • Legal obligation (Art. 6(1)(c)): Compliance with maritime, tax, employment law, and law enforcement cooperation obligations including Spanish tax law (Ley 58/2003).
  • Consent (Art. 6(1)(a)): Where explicitly consented, including for special category data.

3.1 Special category data (Article 9 GDPR)

Passports and national ID documents contain nationality data constituting special category data under Art. 9(1) GDPR. NCW processes all such documents on the basis of your explicit consent under Art. 9(2)(a) GDPR — separate from and independent of acceptance of the Terms. This consent can be withdrawn at any time; withdrawal results in account suspension. NCW does not use automated biometric recognition.

4. Data Retention

  • Active account data: retained for the duration of your account.
  • Identity documents — standard retention: 30 days after verification, then permanently deleted. A verification record (document type, issuing country, date, outcome) is retained for 24 months. Where a Crew Member is confirmed for an assignment before the 30-day period expires, the active assignment retention period applies automatically from the date of confirmation.
  • Identity documents — active assignment: Retained for the duration of the assignment and 90 days after confirmed completion, to enable resolution of any claims or incidents. Consistent with standard practice in vehicle rental and maritime crewing.
  • Identity documents — extended (fraud / crime / vessel theft): Retained for as long as necessary for: (a) prevention, detection, investigation or prosecution; (b) establishment, exercise or defence of legal claims; or (c) law enforcement cooperation. Based on Art. 6(1)(f) and Art. 17(3)(e) GDPR, applied case-by-case with internal documentation. Documents not retained beyond conclusion of proceedings.
  • Post-activity data: 24 months after last meaningful activity. Reminders sent 30 days and 7 days before expiry.
  • Financial records: 7 years (Spanish tax law — Ley 58/2003).
  • Consent records (standard): 12 months from date given or last renewed.
  • Consent records (special category data, Art. 9): 3 years from date given, renewed, or withdrawn.
  • Security and fraud-prevention logs: 12 months, or longer for active investigations.

Anonymisation is performed by irreversible removal of all direct and indirect identifiers. Pseudonymised data (which could be re-identified) is not treated as anonymised under this Policy.

5. Data Security (Article 32 GDPR)

NCW implements: TLS/HTTPS encryption on all connections; encryption of data at rest (Vercel and Neon); access controls on a need-to-know basis; periodic security reviews; staff data protection training; documented incident response procedure; regular backup and recovery testing; and secure deletion procedures. Absolute security cannot be guaranteed.

6. Automated Decision-Making (Article 22 GDPR)

Certification gating: Automatically restricts listings a Crew Member can apply for based on verified certifications. You have the right to request human review if incorrectly assessed.

Account suspension triggers: Automated checks may flag accounts for review — all flags are subject to human review before a permanent decision is made. You have the right to contest any automated decision.

No other automated decision-making that produces legal or similarly significant effects is used.

7. Data Processors, International Transfers and Client Controllers

All processors have Data Processing Agreements (Art. 28 GDPR). Transfers outside the EEA are made under SCCs. Transfer Impact Assessments (TIAs) have been conducted for all US processors — summaries available on request.

ProcessorPurposeLocationSafeguardRetention
Vercel Inc.Platform hosting, database, file storageUSASCCs + TIAAccount + 30d
Neon Inc.Database (via Vercel Postgres)USASCCs + TIAAccount + 30d
Resend Inc.Transactional email deliveryUSASCCs + TIALogs: 90d
Stripe Inc.Payment processing and escrowUSASCCs + TIA7 years (financial)
Google LLCOAuth sign-in (optional)USASCCs + TIASession only
Cookiebot (Cybot A/S)Cookie consent managementDenmark (EU)EU adequacyConsent: 12 months

We do not sell personal data. We do not share data with advertising networks.

Client Data Controller Notice

Prior to sharing a Crew Member's profile with a Client, NCW notifies the Client that: (a) they become an independent data controller; (b) they must comply with GDPR; and (c) they must not retain the Crew Member's data beyond what is necessary. Contact details and identity documents are shared only upon confirmed Placement, and solely to the extent necessary for the engagement.

NCW does not use your personal data to train AI or machine learning models.

8. Personal Data Breaches and Law Enforcement Sharing

NCW will notify the AEPD within 72 hours where required (Art. 33 GDPR), and notify affected individuals directly for high-risk breaches (Art. 34 GDPR). All breaches are recorded in our internal breach register.

Law enforcement disclosure

Where NCW reasonably suspects criminal conduct — including vessel theft, fraud, identity falsification, or criminal damage — NCW may proactively share relevant personal data, including identity documents, with law enforcement, insurers, and legal representatives. This is based on Art. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) GDPR (legitimate interests). This sharing does not require your consent as it is based on legal obligation and legitimate interests, not on consent.

Report security incidents at hello@nordiccrewworldwide.com.

9. Your Rights Under GDPR

  • Right of access (Art. 15): Request a copy of all data we hold about you.
  • Right to rectification (Art. 16): Correct inaccurate data via your profile or by contacting us.
  • Right to erasure (Art. 17): Request deletion, subject to legal retention. Where NCW declines under Art. 17(3) GDPR, we will notify you in writing within one month, specifying: (a) the legal basis; (b) anticipated duration of retention; and (c) your right to complain to the AEPD.
  • Right to restriction (Art. 18): Request restricted processing in certain circumstances.
  • Right to data portability (Art. 20): Request your data in JSON or CSV format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting prior processing.
  • Rights in relation to automated decisions (Art. 22): Request human review of any automated decision.

Contact: hello@nordiccrewworldwide.com. We respond within one calendar month. Identity verification may be requested before processing a rights request.

10. Cookies

We use: strictly necessary cookies (session authentication — no consent required); and functional cookies (consent preferences). We do not use analytics, advertising, or tracking cookies. Where we introduce analytics in future, this policy will be updated and explicit consent obtained. Managed by Cookiebot (Cybot A/S, Denmark). Update via "Cookie Settings" in the footer.

11. Complaints

Agencia Española de Protección de Datos (AEPD) · C/Jorge Juan, 6 — 28001 Madrid, Spain · Tel: +34 900 293 183 · www.aepd.es

We encourage you to contact us first at hello@nordiccrewworldwide.com. We respond within one calendar month.

13. Policy Governance

This Policy is owned by the designated privacy contact at Nordic Crew Worldwide, S.L. and is reviewed at least annually or whenever a material change in processing activities occurs. The current version and version history are maintained in NCW's internal data governance records. Prior versions are available on request. A Records of Processing Activities (ROPA) is maintained in accordance with Article 30 GDPR and is available to supervisory authorities upon request.

12. Changes to this Policy

We will notify you of material changes at least 14 days before they take effect. Where a material change affects processing based on your consent — including special category data under Section 3.1 — NCW will request explicit renewed consent before the change takes effect and will not rely on continued use as consent for such processing.

14. Contact

Nordic Crew Worldwide, S.L. (operating as Maritime Delivery)

Email: hello@nordiccrewworldwide.com · Website: maritime.delivery

© 2026 Nordic Crew Worldwide, S.L. All rights reserved.