Privacy Policy App

In the event of any discrepancies between the German and English versions of this Privacy Policy, the German version shall prevail.

For the legally required German version of this Privacy Policy, please click here

Last updated: 26 March 2026

1. Overview

1.1 Data Controller

The controller responsible for data processing in the app pursuant to Art. 4(7) GDPR is:

CrewPlan
Marcel Jonik
Kaiserswerther Str. 14
50739 Köln
Germany

Email: info@crew-plan.de
Phone: +49 155 67239904

1.2 Scope and Purpose of Data Processing

The following sections provide information about the processing of personal data in connection with the use of the CrewPlan app. CrewPlan is a group organisation app allowing users to plan together, communicate, and share files. Personal data is processed exclusively to provide app functionality, ensure technical operation, and improve the user experience.

The legal bases for processing are, in principle:

  • Art. 6(1)(a) GDPR serves as the legal basis for processing based on consent (e.g. push notifications).

  • Art. 6(1)(b) GDPR applies where processing is necessary for the performance of a contract (e.g. user account, in-app purchases).

  • Art. 6(1)(f) GDPR applies where we rely on legitimate interests (e.g. crash analysis, usage analytics, map service).

1.3 Data Transfers Outside the EEA

Where we transfer data to service providers outside the European Economic Area (EEA), this is done on the basis of Standard Contractual Clauses (SCCs) adopted by the EU Commission pursuant to Art. 46(2)(c) GDPR, or on the basis of an adequacy decision (e.g. for the United Kingdom pursuant to Art. 45 GDPR). Some US providers additionally participate in the EU-US Data Privacy Framework. Deviating arrangements are noted under the respective services.

1.4 Retention Periods

Unless specific retention periods are stated below, personal data is deleted as soon as it is no longer required for its processing purpose and no statutory retention obligations apply (e.g. commercial or tax retention obligations of up to 10 years). Data that cannot be deleted immediately will be blocked and not processed further.

1.5 User Accounts and Data Deletion

The app can be used without registration as an anonymous user. Registration is required for some features but is not mandatory in general.

  • Anonymous users: On first app launch, an anonymous user account is automatically created in our backend (Supabase UUID), without requiring an email address or password. Logging out causes the user to lose access to that account; the stored data remains on our servers but can be deleted upon request.

  • Registered users: Self-service account deletion is not currently available in the app. You can request anonymisation of your data at any time by emailing info@crew-plan.de. We will process your request within one month.

Anonymisation comprises: deletion of your account from the authentication database (email address, password hash, social login identities) and removal of your name from your user profile. Content you created within groups (e.g. expenses, tasks, polls) will remain in anonymised form within the group, as it may also be relevant to other group members and forms part of a shared record.

Once anonymisation is complete, please also delete the app from your device to remove any locally cached data (e.g. session data in the app cache).

1.6 Rights of Data Subjects

As a data subject, you have the following rights with respect to your personal data:

  • Right of access (Art. 15 GDPR)

  • Right to rectification (Art. 16 GDPR)

  • Right to erasure (Art. 17 GDPR)

  • Right to restriction of processing (Art. 18 GDPR)

  • Right to data portability (Art. 20 GDPR)

  • Right to object to processing (Art. 21 GDPR)

  • Right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

You may exercise these rights by contacting us using the contact details provided above. You also have the right to lodge a complaint with a data protection supervisory authority. The competent supervisory authority for North Rhine-Westphalia is the State Commissioner for Data Protection and Freedom of Information (ldi.nrw.de). A list of all supervisory authorities is available at www.bfdi.bund.de.

1.7 No Obligation to Provide Data

You are not contractually or legally obliged to provide us with personal data. If you refuse to provide data that is required for certain app features, you may be able to use those features only in a limited way or not at all.

1.8 No Automated Decision-Making

We do not use fully automated decision-making pursuant to Art. 22 GDPR.

2. Specific Data Processing Activities

2.1 Downloading the App

Our app is available for download in the Google Play Store and the Apple App Store (hereinafter "Stores"). When downloading, the required information is transmitted to the respective Store (e.g. username, email address, customer number, download time, payment information, individual device identifier). We have no influence over this data collection. We only process this data to the extent necessary to download the app to the device.

2.2 User Account and Authentication

When you create a user account, we process your email address and a password you choose (stored as a hash), as well as login timestamps and session tokens. Alternatively, you may sign in using Google Sign-In or Apple Sign-In (see sections 3.2 and 3.3). Authentication is handled via Supabase Auth (see 3.1).

The legal basis is Art. 6(1)(b) GDPR (performance of contract). Data is stored for the duration of the user account. Following an anonymisation request, personal data will be removed.

2.3 Use of App Features

All data you enter or upload as part of the app's features (e.g. group content, planning data, comments, files, expenses, tasks, polls, shopping lists, meal plans, routes) is stored in Supabase. This also includes your notification preferences (which push notification types you have enabled) and your push token (see 3.6). Access to this data is technically restricted to you personally or to the members of your group — other users cannot access third-party data.

The legal basis is Art. 6(1)(b) GDPR (performance of contract). Data is stored for as long as your account is active. Following an anonymisation request, your data will be removed.

2.4 CrewPlan Pro (Subscriptions)

CrewPlan offers an optional paid subscription ("CrewPlan Pro") that unlocks additional features. Subscriptions can be purchased at user or crew level. Subscription management is handled by RevenueCat (see 3.8). The actual payment processing is handled exclusively by the respective app store.

2.5 Data Security

All data transmissions between the app and our servers are encrypted (TLS). Supabase Row Level Security (RLS) policies ensure at database level that no user can access data belonging to other users or groups.

2.6 Contact

When you contact us by email, the data provided (name, email address, message content) is stored to respond to your enquiry. Data is deleted once the enquiry has been fully resolved, at the latest after 3 years. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries) or Art. 6(1)(b) GDPR where the enquiry relates to an existing usage relationship.

3. Third-Party Services

3.1 Supabase (Backend, Database, Auth, Storage, Edge Functions)

We use Supabase as our central backend. The provider is Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992. Our Supabase project is hosted in the EU region Frankfurt (AWS eu-central-1), meaning all data is stored within the EU.

The provider processes the following data categories:

  • Authentication data (email address, password hash, session token, linked social login identities)

  • All app content entered or uploaded by the user (user data, group content, files, expenses, tasks, polls, etc.)

  • Notification preferences (enabled notification types, language preference)

  • FCM push token (for push notifications, see 3.6)

  • Technical operational data (IP address, timestamps)

Edge Functions are used for server-side logic, particularly for creating and sending push notifications (the notification content and FCM token are passed to Firebase Cloud Messaging for delivery, see 3.6).

The legal basis is Art. 6(1)(b) GDPR (performance of contract). Data is stored for the duration of the user account. We have concluded a Data Processing Agreement (DPA) with the provider pursuant to Art. 28 GDPR. The public DPA version is available at supabase.com/legal/dpa. Transfers outside the EEA are based on Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR; data is stored within the EU.

Further information is available at https://supabase.com/privacy.

3.2 Google Sign-In (Authentication)

We offer the option to sign in with a Google account. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When using Google Sign-In, a Google ID token and — if released by the user — name and email address from the Google profile are transmitted to our app. This data is used exclusively for authentication and to create or link the user account in Supabase.

The legal basis is Art. 6(1)(b) GDPR (performance of contract). Google participates in the EU-US Data Privacy Framework.

Further information is available at https://policies.google.com/privacy.

3.3 Apple Sign-In (Authentication)

We offer the option to sign in with an Apple ID. The provider is Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA. When using Apple Sign-In, Apple transmits an identity token to our app. Name and email address are only transmitted if the user consents to this at first login; Apple also offers the option of using an anonymised relay email address. This data is used exclusively for authentication and to create or link the user account in Supabase.

The legal basis is Art. 6(1)(b) GDPR (performance of contract). Transfers to the USA are based on Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

Further information is available at https://www.apple.com/privacy.

3.4 Firebase Analytics (Usage Analysis)

We use Firebase Analytics to analyse user behaviour in the app. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes usage data (e.g. screen views, button clicks, use of specific app features) and technical metadata (device model, operating system, app version, language, country; the IP address is anonymised by Google before storage). No user-linked identifiers (user IDs) are transmitted to Firebase Analytics; analysis is conducted exclusively on an aggregated, device-level basis.

The legal basis for processing is Art. 6(1)(f) GDPR. Our legitimate interest is to understand aggregate usage behaviour within the app in order to continuously improve it. As no user-linked identifiers are transmitted and IP addresses are anonymised, our interests outweigh the data subjects' privacy interests. Google participates in the EU-US Data Privacy Framework; the DPA with Google is automatically concluded upon acceptance of the Firebase Terms of Service.

Further information is available at https://firebase.google.com/support/privacy.

3.5 Firebase Crashlytics (Crash Reporting)

We use Firebase Crashlytics to detect, analyse, and fix app crashes. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes technical crash data (stack traces, error messages — no user content) and technical metadata (device model, operating system, app version, crash timestamp). For logged-in users, the pseudonymised Supabase user ID is additionally transmitted to allow crashes to be attributed to a user and support requests to be handled efficiently.

The legal basis for processing is Art. 6(1)(f) GDPR. Our legitimate interest is to be able to offer a stable and functional app. Crash data is automatically deleted after 90 days. Google participates in the EU-US Data Privacy Framework; the DPA is automatically concluded upon acceptance of the Firebase Terms of Service.

Further information is available at https://firebase.google.com/support/privacy.

3.6 Firebase Cloud Messaging (Push Notifications)

We use Firebase Cloud Messaging (FCM) to deliver push notifications. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes the device's FCM push token (device-specific identifier, stored in Supabase), the push notification content (title and text, e.g. group updates, reminders), and delivery status and timestamps.

Technical note: push notifications are created server-side via a Supabase Edge Function. This Edge Function passes the notification content together with the recipient's stored FCM token to Firebase for delivery to the device.

The legal basis for processing is Art. 6(1)(a) GDPR. Processing is based on consent obtained at OS level when push notifications are first enabled. You can disable push notifications at any time in your device settings. Withdrawal does not affect the lawfulness of processing prior to withdrawal. Google participates in the EU-US Data Privacy Framework; the DPA is automatically concluded upon acceptance of the Firebase Terms of Service.

Further information is available at https://firebase.google.com/support/privacy.

3.7 Firebase Remote Config (Feature Configuration)

We use Firebase Remote Config to manage app features and configurations server-side (e.g. feature flags). The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When fetching configuration data, technical metadata is transmitted (app instance ID, Firebase installation ID, app version, platform, country/region). No user content or personal data in the strict sense is transmitted.

The legal basis for processing is Art. 6(1)(f) GDPR. Our legitimate interest is the central management of app configurations without requiring an app update. Google participates in the EU-US Data Privacy Framework; the DPA is automatically concluded upon acceptance of the Firebase Terms of Service.

Further information is available at https://firebase.google.com/support/privacy.

3.8 RevenueCat (In-App Purchases and Subscriptions)

We use RevenueCat to manage in-app purchases and subscriptions. The provider is RevenueCat, Inc., 1032 E Brandon Blvd #3003, Brandon, FL 33511, USA. The provider processes usage data (subscription status, purchase history, transaction data — transmitted by the app store), technical metadata (app version, platform iOS/Android, pseudonymised app store user ID), and custom attributes (e.g. an anonymised crew ID for purchase attribution to a crew, where an upgrade is initiated in the context of a crew).

Note: actual payment processing (credit card data, address) takes place exclusively via the Apple App Store or Google Play Store. RevenueCat does not receive access to payment data.

The legal basis for processing is Art. 6(1)(b) GDPR (performance of contract). Data is stored for the duration of the subscription and, after its end, for the statutory retention periods. We have concluded a Data Processing Agreement (DPA) with the provider pursuant to Art. 28 GDPR. The public DPA is available at www.revenuecat.com/dpa. Transfers to the USA are based on Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

Further information is available at https://www.revenuecat.com/privacy.

3.9 tawk.to (In-App Support)

We use tawk.to for in-app support. The provider is tawk.to Inc., 187 East Warm Springs Rd, SB298, Las Vegas, NV 89119, USA (EU office: tawk.to Europe SIA, Miera iela 1, Salaspils, LV-2169, Latvia). The provider processes:

  • Content data: support chat history and message content

  • Contact data: user's name and email address, if provided or transmitted from the app profile

  • User identifiers: pseudonymised Supabase user ID for attribution of support requests

  • Device information: device model, operating system and version, app version, IP address (automatically transmitted)

The legal basis for processing is Art. 6(1)(f) GDPR (legitimate interest in responding to user enquiries) or Art. 6(1)(b) GDPR where the enquiry relates to an existing usage relationship. Support data is stored for up to 1 year after the enquiry is closed. We have concluded a Data Processing Agreement (DPA) with the provider pursuant to Art. 28 GDPR. The public DPA is available at www.tawk.to/data-protection/dpa-data-processing-addendum. The provider participates in the EU-US Data Privacy Framework.

Further information is available at https://www.tawk.to/privacy-policy.

3.10 Thunderforest / OpenStreetMap (Map Service)

We use Thunderforest as a tile server for displaying OpenStreetMap-based maps. The provider is Gravitystorm Limited, 53 Ancaster Crescent, New Malden KT3 6BD, United Kingdom (registered in England and Wales, No. 7126880). The provider processes technical access data (IP address, requested map tiles and coordinates, zoom level, timestamp, user agent) when map content is loaded in the app. No personal user content or user location data is transmitted to Thunderforest.

The legal basis for processing is Art. 6(1)(f) GDPR. Our legitimate interest is to display map content within the app. Gravitystorm Limited is subject to UK GDPR, for which the EU Commission has issued an adequacy decision (Art. 45 GDPR). Map data is based on OpenStreetMap (© OpenStreetMap contributors, licence: ODbL).

Further information is available at https://www.thunderforest.com/privacy.

3.11 all-inkl. (Deep Link Domain)

The domain crew-plan.com is used for app deep links. Technical verification files (.well-known/apple-app-site-association and assetlinks.json) are hosted on this domain and are automatically retrieved by iOS and Android when deep links are opened. Hosting is provided by ALL-INKL.COM – Neue Medien Münnich, Inh. René Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany. The provider processes technical access data (IP address, timestamp, user agent) when the verification files are retrieved. No app content or user data is transmitted via this domain.

The legal basis for processing is Art. 6(1)(f) GDPR. Our legitimate interest is the operation of functional app deep links. all-inkl.'s servers are located in Germany. We have concluded a Data Processing Agreement (DPA) with the provider pursuant to Art. 28 GDPR (concluded individually via the all-inkl. MembersArea).

Further information is available at https://all-inkl.com/datenschutzinformationen.

4. Platform Notes

When using the app via the Apple App Store or Google Play Store, the respective privacy policies of Apple (apple.com/privacy) and Google (policies.google.com/privacy) also apply.

5. Updates to this Privacy Policy

This privacy policy is currently valid. As the app develops or legal requirements change, it may be necessary to update this policy. The most recent version is always available in the app and at www.crew-plan.de/app-datenschutz.