privacy policy
we collect the minimum needed to operate the service. we do not sell data, run advertising, or share data for marketing. this document is the long version.
who we are
crew society ("we", "us", "our") is a layover-discovery social app for airline crew. the service is operated by the crew society.
service domain: thecrewsociety.site. privacy contact: contact@thecrewsociety.site.
for the purposes of gdpr, ccpa, and similar laws, we act as the data controller of the personal data described below. where we use third parties to process data on our behalf (push delivery, email delivery, network ingress), they act as data processors under written agreements.
what data we collect, why, and the legal basis
we deliberately collect the minimum needed to operate the service. we do not sell data, run advertising, or share data for marketing.
2.1 account & profile (required)
| data | collected when | used for | legal basis |
|---|---|---|---|
| work email address | sign-up via otp verification | verifying you're an airline employee, account login, otp delivery | performance of contract (art 6(1)(b) gdpr) |
| airline (derived from email domain) | sign-up | showing your airline to other crew once they accept your knock | performance of contract |
| first name | profile completion | identity reveal after a mutual knock; never shown publicly without your action | performance of contract |
| role (cabin crew / pilot / ground crew) | profile completion | discovery filtering | performance of contract |
| base city | profile completion | discovery defaulting | performance of contract |
| bio (optional, ≤ 80 chars) | profile completion | display after mutual knock | consent, you choose to add it |
| profile photo (optional) | photo upload | display after mutual knock | consent, you choose to upload it |
2.2 activity data (generated as you use the app)
| data | used for | legal basis |
|---|---|---|
| layovers (city, vibe, time window) | showing you to other crew in the same city; matching | performance of contract |
| knocks sent / received | discovery + connection establishment | performance of contract |
| connections (mutual matches) | authorising chat between you and one other person | performance of contract |
| chat messages | real-time conversation | performance of contract |
| trust ratings you give / receive | aggregate trust score that orders the crew list | performance of contract; rater anonymity is preserved |
| settings (notifications, default vibe, default window) | tailoring the service | performance of contract |
| block list | preventing future contact | performance of contract; legitimate interest in user safety |
2.3 technical & security data
| data | used for | retention |
|---|---|---|
| ip address | security, abuse prevention, rate limiting | see §05 |
| user-agent header | same | see §05 |
| session metadata | session management and sign-out across devices | short window after expiry |
| audit log of important account actions | security, account recovery, fraud investigation | see §05 |
| request logs | security and abuse detection | see §05 |
| activity logs (never message content) | aggregate analytics on feature use, identifiers anonymised over time | see §05 |
2.4 push notification data
we never include chat message contents in push notification bodies. push titles and bodies are limited to "you have a new knock", "X accepted", and "X sent you a message", never the message itself. this is a deliberate privacy guarantee enforced by our system, not a setting you have to toggle on.
2.5 what we do not collect
- no location data, we use the city you tell us; we don't track gps
- no contact list or address book
- no third-party analytics (no google analytics, no mixpanel, no segment)
- no advertising identifiers (idfa / aaid)
- no sensitive personal data categories (health, biometric, religion, sexuality)
- no keystroke or behavioural analytics
- no microphone or camera access, other than you explicitly choosing a photo
- no payment information, the service is currently free
the privacy model, who sees what
this is the most important section of this policy.
3.1 before a knock is accepted
when you appear on someone else's "crew list" because you're on a layover in the same city, only the following is visible:
- the first letter of your first name (e.g. S for sarah)
- your airline (e.g. emirates)
- your role (e.g. cabin crew)
- your current vibe (e.g. coffee)
not visible: your full first name, your bio, your photo, your email, or your trust score's individual ratings.
3.2 at the moment of mutual knock
when the other person accepts your knock (or vice versa), the following is revealed to both of you: first name, bio (if you set one), profile photo (if you uploaded one), and vibe + city.
this is the identity reveal moment. until this point, no full identity has been shared.
3.3 block behaviour
- all active conversations with them dissolve immediately
- chat history is deleted within 24 hours
- their email is added to your block list, they cannot knock you again
- the blocked person is not told they were blocked. they see the conversation as ended, same wording as a layover-ended dissolution. our rating system also refuses ratings after a block, so a blocker cannot retaliate.
3.4 trust ratings
- aggregate trust score is shown to other crew (orders the crew list)
- individual ratings are never shown to the rated user, they cannot see who gave them a particular score
- if a rater later deletes their account, their past ratings remain in the rated user's aggregate but their identity is removed (anonymity preserved permanently)
3.5 discovery scope
you only appear in the crew list of users who are: in the same city as your active layover, on an active layover themselves, not blocked by you and not having blocked you, and not currently in an active connection with you.
where data is stored & who processes it
4.1 where it's stored
data is stored on managed infrastructure in europe. the service is delivered through cloudflare's network for ingress and tls.
4.2 sub-processors
| processor | purpose | data shared |
|---|---|---|
| cloudflare, inc. | network ingress, ddos protection, encrypted transport | all app traffic transits cloudflare |
| google llc (firebase cloud messaging) | android push notification delivery | device token and push title only, never message content |
| apple inc. (apns) | ios push notification delivery | device token and push title only, never message content |
| hostinger international ltd. | outbound email delivery (one-time codes, welcome emails) | your email and the message body sent to you |
we do not use any other third-party processors. we do not transfer personal data to any other recipients.
4.3 international transfers
where data leaves your country to reach the processors above (typically to the us for google / apple / cloudflare), the transfer is covered by standard contractual clauses as adopted by the european commission.
how long we keep data
| data | retention | why |
|---|---|---|
| your account profile | for as long as your account is active | service operation |
| active layover / knocks / connections | for as long as the layover is active | service operation |
| chat messages | deleted within 24 hours of the layover ending | privacy by design, chats are ephemeral |
| trust ratings (received) | kept while your account is active, anonymised if the rater deletes their account | reputation persistence |
| trust ratings (given) | until you delete your account | personal data of yours |
| one-time codes | minutes, then discarded | security |
| user sessions | short window after expiry | cleanup |
| notification and request logs | short retention | security and operations |
| activity logs | identifiers anonymised over time | aggregate analytics, minimisation |
| email blocklist (after deletion) | around 30 days | prevents accidental immediate re-registration |
| audit logs | limited window | security, dispute resolution |
these windows are enforced automatically and we do not exceed them in normal operation.
your rights
the following rights apply to all users; some specifically named rights (e.g. erasure, portability) derive from gdpr and apply by default to eu/uk users, we extend them to all users regardless of location.
| right | how to exercise |
|---|---|
| access, get a copy of all personal data we hold about you | in-app: settings → privacy → download my data. we generate a file containing everything we hold about you, available via a one-time link. |
| erasure (right to be forgotten) | in-app: settings → privacy → delete my account. locks you out instantly and erases your data within seconds. your email is blocked from re-registering for 30 days afterwards. |
| rectification | in-app: settings → edit profile to change your name, role, base city, bio, or photo at any time. |
| restriction of processing | email contact@thecrewsociety.site. we can disable your account without deleting it. |
| object to processing | email us. we will assess and respond within 30 days. |
| withdraw consent (push notifications) | in-app: settings → toggle off notifications. can also revoke at os level. |
| data portability | same as access, the export is machine-readable json. |
| lodge a complaint with a supervisory authority | eu users: your local dpa. uk users: ico (ico.org.uk). |
we will respond to any request within 30 days. we may need to verify your identity (typically by sending an otp to your registered email) before fulfilling requests that disclose data.
security
we implement industry-standard safeguards:
- in transit, modern tls for all traffic between your device and our servers
- at rest, chat messages are encrypted with authenticated encryption. even if the database were stolen, message content is unreadable without our encryption key
- no passwords, authentication is one-time codes sent to your work email
- tokens, short-lived signed access tokens; refresh tokens rotate on use and are stored only as irreversible hashes
- photo uploads, validated, resized, location metadata stripped, and re-encoded
- photo serving, short-lived links scoped to the viewer
- data export downloads, short-lived links scoped to you
- rate limiting on every endpoint
- audit logging of important account actions
no system is perfectly secure. if you suspect a security incident, please contact contact@thecrewsociety.site immediately.
push notifications
if you grant push permission, we store the device token issued by your operating system to deliver notifications for: a knock you received, a knock you sent being accepted, a new chat message, and a reminder shortly before your chat closes.
01 you can disable these at any time
- in-app, settings → notifications toggle stops all push notifications
- at os level, ios: settings → crew society → notifications. android: system settings → apps → crew society → notifications
we do not send marketing pushes. we do not sell your device token.
children
the service is intended for working airline crew members and is not directed at children. by creating an account you confirm you are at least 18 years old. if we become aware that someone under 18 has created an account, we will delete it.
changes to this policy
if we materially change how we collect or process personal data, we will:
- update this document with a new version number and date
- notify you in-app on next launch (and by email for significant changes)
- for changes that require fresh consent, request that consent before the change takes effect for your account
the current version is shown at the top of this document. earlier versions are available on request.
contact us
for privacy questions, complaints, data subject requests, or security incidents:
we respond within 30 days, usually much sooner.