Privacy policy
Effective date 15 March 2026
1. Who we are
Mandylights provides the mCrew app to support internal crew scheduling, workplace notifications, and related workforce tools.
2. Scope
This policy explains how we handle information when you use the mCrew app on a phone or tablet. It does not replace the privacy policy for our website or employer systems you may use to obtain a login or manage your account; those may collect or process information separately.
3. Information the app uses
3.1 Account and sign-in
Sign-in is tied to your organisation's mCrew account. You may sign in using a one-time access code or QR code obtained from our authorised web experience. The app exchanges that code for a session token, which is stored on your device in protected storage (for example iOS Keychain or Android Keystore, depending on your device) so you stay signed in.
3.2 Information we process when you use the app
When you are signed in, the app communicates with Mandylights systems over the internet and may process data including, as relevant to your role and features you use:
- Identity and contact details (for example name, email address, phone number).
- Work-related profile information (for example job title, location field, employment type, qualifications, roles or permissions).
- Scheduling and operational data (for example shifts, projects, responses to shifts, crew lists, sites or custom locations).
- Notifications (in-app notification content and read/cleared status as supported by the service).
- Leave and unavailability information you submit or that is made available through connected systems your employer uses.
- Preferences you set in the app or account (for example notification preferences, email notification settings, calendar integration on/off).
3.3 Device permissions
| Permission / capability | Why we use it |
|---|---|
| Notifications | To send you alerts about shifts and other work-related events you are entitled to receive. |
| Camera | Only to scan a QR code for sign-in where that method is offered. We do not use the camera for other purposes in the app. Images are not stored for this purpose beyond what the operating system requires to complete the scan. |
| Calendar (optional) | If you enable calendar integration, the app may read or write events in your device calendar (for example to add or update shift-related events). You can control this through your device settings and in-app preferences. |
| Background activity | To refresh data or handle notifications when the app is not in the foreground, within limits set by your device's operating system. |
3.4 Push notifications and device tokens
To deliver push notifications, the app uses platform push services. Depending on version and configuration, that may include Firebase Cloud Messaging (FCM) and/or Apple Push Notification service (APNs). A push token or equivalent identifier for your device may be sent to our servers so we can route notifications to you. Google's handling of data in connection with Firebase is described in Google's documentation and privacy policy: https://policies.google.com/privacy.
3.5 Local storage on your device
To work offline or show information quickly, the app may cache data on your device. Widgets, watch faces, Live Activities, or similar features may store a limited subset of scheduling information (for example upcoming shift summaries) in shared app storage allowed by the operating system so those surfaces can display it. This data is cleared or invalidated when you sign out or when the app is designed to reset it.
3.6 Analytics
We do not use the mCrew app to collect behavioural analytics or advertising identifiers for third-party ad networks.
4. How we use information
We use the information above to:
- Provide, operate, and secure the mCrew application/service.
- Authenticate you and maintain your session.
- Show schedules, projects, crew information, and notifications you are allowed to see.
- Honour your preferences (notifications, calendar sync, etc.).
- Comply with law and respond to lawful requests where required.
5. Who receives information
- Mandylights and authorised personnel involved in operating the service.
- Service providers that help us host, deliver, or secure the service (for example cloud hosting, push notification infrastructure).
- Your employer or project organisers, where the product is provided in a workforce context and they control accounts and policies.
- Authorities when we believe disclosure is required by law.
We do not hold or sell your personal information.
6. Security
We use industry-standard measures appropriate to the nature of the data, including encrypted transport (HTTPS) for app traffic and secure storage for session material on the device. No method of transmission or storage is completely secure.
7. Retention
We retain information in line with operational needs, your employer's instructions (where applicable), and legal obligations. Session and device tokens are refreshed or invalidated when you sign out, when tokens expire, or when we revoke access. Cached data on your device may remain until removed by the app or by you (for example uninstalling the app).
8. Your choices and rights
Depending on where you live, you may have rights to access, correct, delete, restrict, or object to certain processing, or to data portability. Because mCrew is often provided through your workplace, your organisation may be the first point of contact for account and roster data. You may also contact us via prescribed support methods.
You can disable push notifications in your device settings, revoke calendar access in settings, and sign out of the app to end the session on the device.
9. Children
mCrew is intended for professional/workforce use and is not directed at children.
10. International transfers
If you use the app from outside Australia your information may be processed in countries where we or our providers operate. We take steps required by applicable law for such transfers.
11. Changes
We may update this policy from time to time. We will post the updated version on this page and update the effective date above.
12. Apple App Store / Google Play
If the app is distributed through Apple or Google, those companies are not responsible for the app or this privacy policy. For platform-specific data practices, see Apple's Privacy Policy and Google Play's policies as applicable.