Privacy Policy | NomadCrew

Effective as of 2026-05-09

This privacy policy applies to the Nomad Crew app (hereby referred to as "Application") for mobile devices that was created by Naqeebali Shamsi (hereby referred to as "Service Provider") as an Open Source service. This service is intended for use "AS IS".

Data Controller: Naqeebali Shamsi, operating as NomadCrew. Contact: nomadcrew5 [at] gmail [dot] com or use our feedback form.

Information Collection and Use

The Application collects the following information when you create an account and use it:

Account information: email address, display name, and (optionally) profile picture, provided by you directly or via your Apple ID or Google account when you sign in.
Trip data: trip names, dates, destinations, members, chat messages, todo items, polls, and expenses that you and your trip members create within the Application.
Travel documents: documents you choose to upload to the Wallet feature (e.g. passports, visas, insurance cards, vaccination records, flight bookings, hotel reservations, receipts, loyalty cards) and their metadata (document type, name, upload date).
Push notification token: an opaque device identifier issued by Apple Push Notification service (APNs) on iOS or Firebase Cloud Messaging (FCM) on Android, used solely to deliver notifications you have opted into.
Device and request metadata: your device's Internet Protocol (IP) address, mobile operating system and version, app version, and device model. This data appears in standard server request logs and is used for service operation, security, and debugging.
Error and crash reports: when the Application encounters an error or crash, anonymized diagnostic information (stack trace, app version, OS version) is sent to our error monitoring provider so we can fix bugs. These reports do not contain the contents of your messages, documents, or location.

The Application does not embed any third-party advertising or behavioral analytics SDK, and does not track which screens you visit, how long you spend on them, or what you do inside the app for advertising or profiling purposes.

Location Data

The Application collects your device's location only when you actively choose to share it with a trip you are a member of, by enabling live-location sharing in that trip's map view. Location is not collected in the background and is not collected when no trip's map is open.

Your shared location is used for the following purposes only:

Live trip map: to display your live position to other current members of the same trip while you have sharing enabled, so your group can coordinate meetups and travel logistics.
Service operation: transmitted to NomadCrew's backend over an encrypted connection (HTTPS/TLS) for the duration of your sharing session, then relayed to authorized trip members.

Your location is not sold or transferred to third-party advertisers, data brokers, or analytics services. It is not used to build behavioral profiles, target advertising, or recommend products. You can stop location sharing at any time from within a trip's map view, or by revoking the Application's location permission in your device's system settings.

Document Storage

The Application provides a "Wallet" feature that allows you to store travel-related documents for your convenience. The types of documents you may upload include:

Passports and visas
Travel insurance cards
Vaccination records
Flight bookings and hotel reservations
Receipts and loyalty cards

Purpose: Document storage is provided solely for your travel convenience and organization. The Service Provider does not access, analyze, or process the contents of your uploaded documents for any purpose other than storing and displaying them to authorized users.

How documents are stored: All uploaded documents are stored in Cloudflare R2 object storage with server-side encryption at rest. Documents are transmitted between your device and our servers over encrypted connections (HTTPS/TLS).

Retention: Documents are retained for as long as you choose to keep them. When you delete a document, it is soft-deleted and permanently purged from our servers after 30 days. You may delete individual documents or all of your documents at any time through the Application.

Access controls: Documents uploaded to your personal wallet are accessible only to you. Documents uploaded to a trip's group wallet are accessible to all current members of that trip. When you share a document with a group, all trip members can view it.

Sensitive Personal Data

Certain documents you may upload contain sensitive personal data that receives special protection under applicable data protection laws, including the EU General Data Protection Regulation (GDPR):

Health data: Vaccination records and medical certificates are classified as special category data under GDPR Article 9.
Government-issued identity information: Passports, visas, and national ID documents contain identity numbers and biometric data.

The Application will request your explicit consent before you upload these types of documents. You are not required to upload any sensitive documents to use the Application.

Important: You should not use the Application as the sole storage location for any important document. Always retain the original copies of your identity and travel documents. The Service Provider is not responsible for data loss.

Group Document Sharing

When you upload a document to a trip's group wallet, all members of that trip can view the document. Please exercise caution when sharing identity documents (such as passports or visas) with group members. You should only share sensitive documents with people you trust.

The Service Provider does not control how other trip members may use, screenshot, or share documents that you make available through the group wallet. Once a document is shared with a group, other members may have viewed or saved it before you remove it.

Third Party Access

The Service Provider does not sell your personal data and does not share your personal data with third-party advertisers, data brokers, or behavioral analytics providers.

The Application does, however, rely on a small set of essential service providers ("processors") to operate. These processors only receive the data necessary to perform their function, and only act on instructions from the Service Provider:

Authentication: Supabase Auth handles sign-in via email/password, Apple Sign-in, and Google Sign-in, and issues your session token.
Document storage: Cloudflare R2 stores the documents you upload to your wallet, encrypted at rest.
Push notification delivery: Apple Push Notification service (APNs) on iOS and Firebase Cloud Messaging (FCM) on Android relay push messages from our backend to your device. Expo Application Services (EAS) acts as the relay between our backend and APNs/FCM.
Error monitoring: Sentry receives anonymized crash and error reports (stack traces, app version, OS version) so we can diagnose and fix bugs. Sentry does not receive the contents of your messages, documents, or location.

In addition, the Service Provider may disclose User Provided and Automatically Collected Information:

as required by law, such as to comply with a subpoena, court order, or similar legal process;
when the Service Provider believes in good faith that disclosure is necessary to protect their rights, protect your safety or the safety of others, investigate fraud, or respond to a lawful government request;
in the event of a corporate transaction (merger, acquisition, or sale of assets), in which case any successor entity will be bound by this Privacy Policy.

Opt-Out Rights

You can stop all collection of information by the Application easily by uninstalling it. You may use the standard uninstall processes as may be available as part of your mobile device or via the mobile application marketplace or network.

Data Retention Policy

The Service Provider will retain User Provided data for as long as you use the Application and for a reasonable time thereafter. If you'd like them to delete User Provided Data that you have provided via the Application, please contact them at nomadcrew5 [at] gmail [dot] com or use the feedback form, and they will respond in a reasonable time.

Children

The Service Provider does not use the Application to knowingly solicit data from or market to children under the age of 13.

The Application does not address anyone under the age of 13. The Service Provider does not knowingly collect personally identifiable information from children under 13 years of age. In the case the Service Provider discover that a child under 13 has provided personal information, the Service Provider will immediately delete this from their servers. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact the Service Provider at nomadcrew5 [at] gmail [dot] com or through the feedback form so that they will be able to take the necessary actions.

Data Security

The Service Provider is concerned about safeguarding the confidentiality of your information and implements the following security measures:

Encryption in transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS.
Encryption at rest: Uploaded documents are encrypted at rest in Cloudflare R2 using server-side encryption. The application database storing your account, trip, and chat data resides on infrastructure that provides encryption at rest.
Access controls and authentication: Access to your data is protected by authentication (Supabase Auth with email/password, Google, and Apple Sign-in) and role-based access controls.
Audit logging: Server-side access to stored documents is logged for security monitoring purposes.
Automatic purge: Soft-deleted data is permanently purged from our servers after 30 days.

While the Service Provider takes reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. The Service Provider cannot guarantee absolute security of your information.

Lawful Basis for Processing

We process your personal data on the following legal bases under the GDPR:

Contract performance (Article 6(1)(b)): Processing necessary to provide the Application's core features, including trip management, group chat, and location sharing.
Legitimate interests (Article 6(1)(f)): Analytics and service improvement, security monitoring, and fraud prevention. Our legitimate interest is to maintain and improve the Application while protecting our users.
Consent (Article 6(1)(a)): Document storage in the wallet feature. You consent to this processing when you choose to upload documents. You may withdraw consent at any time by deleting your documents.
Explicit consent (Article 9(2)(a)): Processing of special category data such as vaccination records and health certificates. The Application will request your explicit, informed consent before you upload health-related documents. This consent is separate from general document storage consent.

Your Data Rights

Under applicable data protection laws, including the GDPR, you have the following rights regarding your personal data:

Right to Access: You can view all of your stored documents and personal data directly within the Application at any time.
Right to Erasure: You can delete any individual document through the Application. To request complete deletion of all your personal data, contact us at nomadcrew5 [at] gmail [dot] com or through the feedback form.
Right to Data Portability: You can download your stored documents from the Application at any time.
Right to Withdraw Consent: You can withdraw consent for document storage by deleting your documents at any time. This does not affect the lawfulness of processing carried out before withdrawal.
Right to Rectification: You can update or replace any document you have uploaded.
Right to Restriction of Processing: You may request that we restrict processing of your personal data by contacting us at nomadcrew5 [at] gmail [dot] com or through the feedback form.
Right to Object: You have the right to object to processing based on legitimate interests. Contact us at nomadcrew5 [at] gmail [dot] com or through the feedback form.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. For UK users, this is the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint, telephone 0303 123 1113. For EU users, you may contact your local data protection authority.

To exercise any of these rights, you may use the in-app controls or contact the Service Provider at nomadcrew5 [at] gmail [dot] com or through the feedback form. We will respond to your request within 30 days.

Changes

This Privacy Policy may be updated from time to time for any reason. The Service Provider will notify you of any changes to the Privacy Policy by updating this page with the new Privacy Policy. You are advised to consult this Privacy Policy regularly for any changes, as continued use is deemed approval of all changes.

This privacy policy is effective as of 2026-05-09.

International Data Transfers

The Application's backend, authentication, document storage, and notification delivery providers operate globally and may process or store your data outside your country of residence, including in the United States, the European Union, and other regions where these providers maintain infrastructure:

Cloudflare R2: distributes object storage across Cloudflare's global network.
Supabase Auth: processes authentication data on its own infrastructure under its privacy policy.
Apple Push Notification service / Firebase Cloud Messaging: route push notifications through Apple and Google infrastructure.
Sentry: processes anonymized error and crash reports on its own infrastructure under its privacy policy.

Where your personal data is transferred outside the UK or the European Economic Area, the Service Provider relies on appropriate safeguards as required by applicable data protection law, including Standard Contractual Clauses (SCCs) or reliance on adequacy decisions by the UK Secretary of State or European Commission, in addition to the safeguards each processor has in place under its own privacy program.

Third Party Services

The Application relies on the following third-party services, each of which has its own privacy policy:

Supabase — authentication (email/password, Apple Sign-in, Google Sign-in).
Cloudflare — document storage (R2 object storage) and edge networking.
Expo Application Services (EAS) — mobile app delivery and push-notification relay.
Apple Push Notification service (APNs) — push delivery on iOS, and Apple Sign-in identity.
Firebase Cloud Messaging (FCM) and Google Sign-in — push delivery on Android, and Google Sign-in identity.
Sentry — anonymized crash and error monitoring.

Contact Us

If you have any questions regarding privacy while using the Application, contact the Service Provider at nomadcrew5 [at] gmail [dot] com or through the feedback form.