Crewshift Landing Page Subprocessor List
Last updated: 30 May 2026 Version: 2.2 Scope: `crewshift-app.com` and `zmianowo-app.pl` as landing pages only1. Scope
This list covers providers that may process data in connection with the landing page, forms, security, optional analytics and optional chat.
It does not cover the future Crewshift/Zmianowo application, user accounts, payments, application database, employee data or training modules. Those areas require a separate processor list when the application is launched.
2. Providers
| Provider | Role | Data categories | Use condition |
|---|---|---|---|
| Vercel Inc. | page hosting, serverless functions, technical logs and Vercel Web Analytics | IP, headers, source domain, request and error logs; analytics events and device data | hosting is always used as page infrastructure; Vercel Web Analytics only after analytics consent |
| Upstash Inc. | Redis for request rate limiting | rate-limit key based on IP, rate-limit metadata | when `UPSTASH_REDIS_REST_URL` is configured |
| Cloudflare Inc. | Turnstile, form anti-bot protection | verification token, IP, device and browser signals | when Turnstile is configured |
| Resend / Plus Five Five, Inc. | e-mail delivery for forms and Brillnet-owned contact-list handling | full name, e-mail, company, subject, message content, assessment result, subscription source, consent or unsubscribe status, message metadata | when the user submits a form or subscribes to Brillnet-owned communication |
| Google Ireland Ltd. / Google LLC | Google Analytics 4 | cookie identifiers, page events, device data | only after analytics consent and when GA4 is configured |
| Crisp IM SAS | chat widget | chat session data, conversation content, IP, device metadata | only after functional consent and when Crisp is configured |
3. Transfers outside the EEA
Providers may use infrastructure or subprocessors outside the European Economic Area. Resend / Plus Five Five, Inc. is a US-based provider. Transfers should rely on safeguards declared by the relevant provider, including a data processing agreement, Standard Contractual Clauses, the EU-US Data Privacy Framework or other GDPR-compliant mechanisms.
4. Deliberately excluded items
The landing page should not list services that are not used by the page itself, in particular:
- payment processors,
- application login,
- the production application database,
- error monitoring, unless actually enabled in this project,
- providers for scheduling, working time, employee records or training modules.
If any of those services is actually added to the landing page, this list should be updated before deployment.