Legal

Privacy Policy

Last updated: 2026-05-18

1. Who we are

NomadCrew is a personal finance and trip-budgeting web application, operated as an independent project by a solo developer (Pavel Shestakov, individual entrepreneur registered in Georgia). We are the data controller for the personal data you provide while using the service. Contact: support@nomadcrew.app.

2. Data we collect

  • Account: email, hashed password, optional display name and avatar image.
  • Financial data you enter: transactions, categories, tags, budgets, recurring payments, and trip / shared-space context including participants and split shares.
  • Operational metadata: account and record timestamps, IP address used for authentication and rate-limiting, device language and theme preference, active workspace selection.
  • Receipts: images you attach to transactions (stored in object storage, scoped to your workspace).
  • No third-party financial integrations: we do not connect to your bank, broker, or any open-banking provider. All numbers in the app are what you (or your space members) entered manually.

3. Legal basis (GDPR)

We process your data on the basis of contract performance (delivering the service you signed up for), legitimate interest (security, abuse prevention, debugging), and consent (any future marketing communications or non-essential analytics, where applicable).

4. Where data lives and who processes it

We use a small set of subprocessors. Each has a published Data Processing Agreement that we accept before sending them any data.

  • Supabase — Postgres database, authentication, and object storage for receipts and avatars. EU region (Ireland, eu-west-1).
  • Vercel — application hosting and edge rendering. Requests are served from the edge node closest to you; static assets and the rendered HTML may transit through regions outside the EU. No financial records are stored on Vercel; it only proxies requests to Supabase.
  • Resend — transactional email (sign-up confirmation, password reset). Only your email address and the content of the system email are shared.
  • Amplitude — product analytics, used only inside the signed-in application to understand how features are used and to improve them. EU region (events are sent to api.eu.amplitude.com). We share a pseudonymous device and account identifier, in-product usage events (such as pages opened and buttons clicked within the app), and an approximate location (country, derived from your IP address — the full IP is not stored by us). We do not run session replay, and we do not track visitors on our marketing or landing pages — analytics begins only after you sign in.

We do not run advertising or session-replay scripts, and we never sell your data. Product analytics is limited to authenticated use of the application and relies on our legitimate interest in maintaining and improving the service. You can object to this processing at any time by contacting us (see “Your rights”).

5. Your rights

Under GDPR you can request access, correction, export, restriction of processing, or erasure of your personal data. The fastest channel for most rights is in-app:

  • Edit or correct any record at any time from Settings.
  • Delete your account and all associated data from Settings → Danger zone. Deletion removes your account, workspaces you own (and everything inside them), and severs your identity from shared workspaces you were a member of.
  • Export or any other request: email support@nomadcrew.app — we respond within 30 days as required by GDPR.

You can also lodge a complaint with your local data protection authority.

6. Cookies and local storage

We use only strictly necessary cookies. They are required for the site to function and do not need consent under the EU ePrivacy Directive.

  • Authentication (sb-…) — set by Supabase to keep you signed in. Session lifetime.
  • Active workspace (space_id) — remembers which workspace you opened last.
  • Theme — your light/dark preference.
  • Language — your interface language.
  • Trip share viewer — set only when you open a trip via a share link, so you don’t have to enter the access code on every visit.

Inside the signed-in application, our analytics provider (Amplitude) also stores first-party identifiers in your browser’s local storage to recognise your device and group events into sessions. These are set only after you sign in — never on our marketing or landing pages — and are cleared when you log out. We do not use advertising or cross-site tracking cookies.

7. Data retention

We keep your data as long as your account exists. After you delete your account, application data is removed immediately; database backups containing the data are retained for up to 7 days and then overwritten according to our backup rotation.

8. Children

NomadCrew is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a minor has created an account, contact us and we will delete it.

9. Changes

When this policy changes materially, we notify active users by email and update the “Last updated” date above.