PRIVACY POLICY

1. Introduction

This Privacy Policy describes how Scoutbase ApS (“Workerline”, “we”, “us”, or “our”), a company registered in Denmark (CVR 39001543), collects, uses, stores, and protects personal data in connection with the Workerline platform and related services.

Workerline provides a proactive crew wellbeing monitoring platform for the maritime industry. Our platform conducts anonymous AI-powered check-ins with seafarers, detects early warning signs of wellbeing concerns, and facilitates appropriate support through our escalation framework.

We are committed to protecting the privacy and rights of all individuals whose data we process, including seafarers (“Crew Members”), our business customers (“Customers”), and visitors to our website. This policy applies to all personal data processing carried out by Workerline, whether as a data controller or data processor.

2. Data Controller and Data Processor

Workerline acts in two distinct capacities depending on the type of data being processed:

Data Processor for Crew Data: When Crew Members interact with the Workerline platform, any personal data collected is processed by Workerline on behalf of the Customer (typically the vessel operator or manager), who acts as the data controller. The relationship between Workerline as data processor and the Customer as data controller is governed by a Data Processing Agreement forming part of the SaaS Agreement between the parties.

Data Controller for other data: For personal data relating to Customer contacts, website visitors, prospective clients, and other individuals who interact with us directly, Workerline acts as the data controller.

The data controller for Workerline’s own processing activities is:

Scoutbase ApS (trading as Workerline)

CVR: 39001543

Nørrebrogade 45D, 2200 Copenhagen N, Denmark

Email: info@scoutbase.com

For questions about this policy or our data practices, please contact us at the email address above.

3. Data We Collect

3.1 Crew Wellbeing Data (Processed on Behalf of Customers)

When seafarers interact with our AI-powered check-in system, the following data may be processed:

• Anonymised responses to wellbeing check-in conversations
• Self-reported wellbeing indicators and mood assessments
• Language preferences and communication patterns
• Vessel and fleet identifiers (not linked to individual crew identity)

Anonymity is a foundational principle of the Workerline platform. Our system never asks for personal or identifiable information, and crew check-in data is anonymous by design. Individual crew members cannot be identified by Workerline, the Customer, or ship management through the data collected.

The only circumstance in which identifying information may be associated with a crew member is if the crew member voluntarily discloses their own identity during a check-in conversation and explicitly consents to that information being shared. This is entirely at the crew member’s discretion and is never prompted or required by the system.

3.2 Customer Data

When businesses engage with Workerline, we collect:

• Contact details of authorised representatives (name, email, phone number, job title)
• Company information (company name, address, vessel fleet details)
• Billing and payment information
• Communications and correspondence with our team

3.3 Website Visitor Data

When you visit our website, we may collect:

• IP address and general location data
• Browser type, device information, and operating system
• Information voluntarily provided through contact forms or newsletter sign-ups

We also collect cookies and similar tracking technologies as described in our Cookie Policy.

4. Legal Basis for Processing

We process personal data on the following legal grounds under the General Data Protection Regulation (GDPR):

Contractual necessity (Article 6(1)(b)): Processing necessary to perform our contractual obligations to Customers, including providing the Workerline platform and related services.

Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate interests, such as improving our services, ensuring platform security, conducting analytics, and communicating with prospects, provided these interests are not overridden by data subject rights.

Consent (Article 6(1)(a)): Where website visitors consent to non-essential cookies or marketing communications.

Legal obligation (Article 6(1)(c)): Processing required to comply with applicable legal obligations, including tax, accounting, and regulatory requirements.

Regarding crew wellbeing data: because the Workerline system never collects personal or identifiable information and crew check-in responses are anonymous by design, the data processed through standard platform use does not constitute personal data under GDPR. In the limited circumstance where a crew member voluntarily discloses their identity and explicitly consents to sharing, we process that information on the basis of the crew member’s explicit consent (Article 6(1)(a) and, to the extent health-related information is involved, Article 9(2)(a)).

5. Anonymity and Critical Case Escalation

Workerline is built on the principle that crew members should be able to communicate openly about their wellbeing without fear of identification or repercussions.

Our system is anonymous by design. The platform never asks for, collects, or stores personal or identifiable information about crew members. There is no mechanism within the system for Workerline, the Customer, or ship management to identify which crew member provided any given response.

The only exception occurs when a crew member voluntarily discloses their own identity during a check-in conversation and explicitly consents to that information being shared. In such cases, and only with the crew member’s explicit consent:

• The voluntarily shared identifying information may be passed to the vessel Master or Customer’s designated wellbeing contact to facilitate appropriate support.
• External wellbeing providers (such as our clinical partners) may be engaged to provide professional assistance.
• Any disclosure is limited to the information the crew member has voluntarily provided and consented to share.

Where the system detects indicators of serious concern (such as references to self-harm or acute crisis) but the crew member has not identified themselves, Workerline may issue a general alert to the vessel Master indicating that a wellbeing concern has been detected on board, without any identifying information. This alert is designed to prompt general welfare checks and does not and cannot identify the individual.

Full details of our escalation framework are available in our SaaS Agreement with Customers.

6. How We Use Personal Data

We use the data we collect for the following purposes:

• Providing and operating the Workerline platform, including AI-powered crew wellbeing check-ins
• Generating anonymised and aggregated wellbeing insights and reports for Customers
• Detecting early warning signs and facilitating appropriate escalation where necessary
• Improving, developing, and enhancing our platform and AI models
• Communicating with Customers regarding their accounts and our services
• Processing payments and managing billing
• Complying with legal obligations
• Ensuring the security and integrity of our platform

7. Data Sharing and Third Parties

We may share personal data with the following categories of recipients:

Customer organisations: Aggregated and anonymised crew wellbeing data is shared with the relevant Customer (typically the vessel operator or manager) as part of our service. Individual crew identity is never disclosed unless a crew member has voluntarily identified themselves and explicitly consented to sharing, as described in Section 5.

Wellbeing service providers: Where a crew member has voluntarily identified themselves and consented, or where general (non-identifying) escalation alerts are triggered, we may share relevant data with professional wellbeing support partners to facilitate appropriate care.

Technology service providers: We use third-party infrastructure and service providers (such as cloud hosting, AI/ML platforms, and analytics tools) to operate our platform. These providers process data on our behalf under Data Processing Agreements.

Professional advisors: We may share data with legal, accounting, or other professional advisors as necessary.

Legal and regulatory authorities: We may disclose data where required by law, regulation, or legal process.

We do not sell personal data to third parties.

8. International Data Transfers

Workerline operates in the global maritime industry, and data may be transferred to and processed in countries outside the European Economic Area (EEA). Where such transfers occur, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs), adequacy decisions by the European Commission, and other appropriate safeguards as permitted under GDPR Chapter V.

Given the nature of the maritime industry, where vessels and crew operate across international waters and jurisdictions, we take particular care to ensure that our data handling practices meet GDPR standards regardless of where the data is accessed.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

Crew wellbeing data: Because crew check-in data is anonymous by design, it does not constitute personal data. Anonymised and aggregated analytics data may be retained indefinitely for service improvement and research purposes. In the limited case where a crew member has voluntarily disclosed identifying information, that data is retained for the duration of the Customer’s subscription and deleted within ninety (90) days following termination, unless retention is required by law.

Customer account data is retained for the duration of the business relationship and for up to five years thereafter, or as required by applicable tax and accounting laws.

Website analytics data is retained for up to 26 months.

Upon termination of a Customer’s subscription, Workerline will make Customer Data available for export for a period of thirty (30) days. All Customer Data is securely deleted within ninety (90) days of termination, except where retention is required by law or where data has been irreversibly anonymised.

10. Your Rights

Under the GDPR, individuals have the following rights regarding their personal data:

• Right of access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may request correction of inaccurate or incomplete data.
• Right to erasure: You may request deletion of your personal data in certain circumstances.
• Right to restrict processing: You may request that we limit how we process your data.
• Right to data portability: You may request a copy of your data in a structured, machine-readable format.
• Right to object: You may object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time.

To exercise any of these rights, please contact us at info@scoutbase.com. We will respond to your request within 30 days.

For crew wellbeing data processed on behalf of Customers: because Workerline acts as a data processor for this data, data subject requests relating to crew data should be directed to the relevant Customer (the data controller). Workerline will assist the Customer in responding to such requests as required by our Data Processing Agreement.

Please note that because crew check-in data is anonymous by design, it is generally not possible to identify a specific individual’s data within our system, which may limit the ability to fulfil certain requests.

11. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS 1.2+) and at rest (AES-256), role-based access controls and multi-factor authentication, hosting on ISO 27001 / SOC 2 certified cloud infrastructure, regular security assessments, employee training and confidentiality obligations, and documented incident response procedures.

12. Children’s Data

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify Customers of material changes through our platform or by email. The “Last updated” date at the top of this policy indicates when it was most recently revised.

14. Contact and Complaints

If you have questions, concerns, or complaints about our data processing practices, please contact us at:

Scoutbase ApS (trading as Workerline)

Nørrebrogade 45D, 2200 Copenhagen N, Denmark

Email: info@scoutbase.com

You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) or the supervisory authority in your country of residence. Datatilsynet can be contacted at dt@datatilsynet.dk or through their website at datatilsynet.dk.