Back to Crayp

Privacy Policy

Last updated · May 3, 2026

Crayp is built so you can be where you actually are. To make that work we collect a small amount of personal information. This page explains, in plain English, what we collect, why we collect it, and what control you have over it.

This policy applies to the Crayp iOS app and the website at crayp.com (together, the Service), operated by Bytea, Ltd., a Delaware corporation ("we," "us," "our") — also the data controller for the purposes of GDPR, UK GDPR, and Quebec Law 25. If you have questions or want to exercise any of the rights below, email hi@crayp.com.

1. What we collect

Account information

When you sign up we ask for your phone number (any country we support; verified via our SMS provider, Prelude) and a display name. We send a one-time verification code to your phone. We don't store the code itself, only whether the verification succeeded.

Profile information

If you upload an avatar, we store the image on Convex's encrypted file storage and link it to your account. You can change or remove it at any time from the profile drawer.

Contacts (only if you grant permission)

To find friends already on Crayp, we read the phone numbers in your iOS Contacts and hash them on your device using SHA-256 before sending the hashes to our server. We never receive your contacts' raw phone numbers or names. The hashed values are matched against the same one-way hashes of registered users to surface mutual friends.

Activity

We store the records that make Crayp work:

  • Friendships, friend requests, invite-link redemptions, and crews you create.
  • Sessions you start, join, lock, take mid-session breaks during, and unlock — including the duration, participants, and any emergency exits.
  • Streak history (which days you completed at least one session in your timezone), grace-day usage, and admin-issued streak credits.
  • Reports you submit and people you block.
  • Push-notification telemetry (which kinds we sent you, when, and whether you tapped or converted) so we can measure whether nudges are useful and stop sending ones that aren't.

Device + delivery information

We store your Apple Push Notification token so we can deliver session invites, friend requests, streak nudges, and (with your consent) marketing notices; your device timezone so streak boundaries reflect your local day; and a hashed identifier of your network address (used briefly to rate-limit OTP requests; never linked back to you).

Authentication state

We store an opaque bearer token + a rotating refresh token in your iOS Keychain to keep you signed in across launches. Tokens are revoked the moment you sign out, change your phone number, are banned, or delete your account.

What we do not collect

  • We don't track your browsing or location outside Crayp.
  • We don't read messages, photos, or content from any other app.
  • While the lock-in shield is active we never see which apps are installed, used, or shielded — Apple's Family Controls runs entirely on your device.
  • We don't sell, rent, or trade your data to anyone, ever.
  • We don't use third-party advertising, retargeting pixels, fingerprinting SDKs, or analytics vendors that resell data.

2. How we use it (lawful bases)

For users in the EU, UK, and other GDPR-style jurisdictions, here's what we rely on:

  • Performance of a contract (you signing up to use Crayp) — running your account, matching contacts, enabling sessions, persisting streaks, delivering transactional pushes (session invites, friend requests, emergency-exit notices, streak grace saves).
  • Legitimate interests (keeping the Service running and fair) — rate-limiting OTP, reviewing reports, banning abusive accounts, capturing the audit log of admin actions, using bounded telemetry to debug push delivery and improve nudge timing.
  • Consent — sending marketing or promotional pushes (off by default; toggle in profile → Marketing notifications), and reading your iOS Contacts (system permission).
  • Legal obligation — disclosure required by valid legal process; minimum necessary; we'll notify you unless the law forbids it.

3. Who we share it with

We use a small number of trusted infrastructure providers, each scoped to a specific purpose:

  • Convex — our backend database, realtime sync, and file storage. Stores everything in Section 1 except the SMS code itself. Hosted in the United States.
  • Prelude — sends and verifies the SMS one-time code at sign-in and on phone-number changes. Receives your phone number for the duration of the verification.
  • Apple Push Notification service (APNs) — delivers push notifications and Live Activity updates to your device. Receives your push token and the notification payload.
  • Apple App Store / TestFlight — distributes the app and may share aggregated install metrics with us.

We share information with these providers only as needed to operate the Service, under contractual confidentiality and security obligations. For transfers from the EU/EEA, UK, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the equivalent UK addendum.

We may disclose information if required by valid legal process or to protect rights, safety, or property — but only the minimum necessary, and we'll notify you unless the law forbids it.

4. Your rights

You can, at any time:

  • See and edit your profile from inside the app.
  • Block or report any user from their friend row. Blocks are mutual hides: the blocked person can't find you, request you, or share crews with you.
  • Change your phone number from the profile drawer (re-verifies via OTP).
  • Toggle marketing notifications off (profile → Marketing notifications). Transactional notifications you've consented to (session invites, friend activity, emergency exits, streak nudges) keep working unless you disable Crayp notifications system-wide in iOS Settings → Crayp.
  • Delete your account from the profile drawer. Deletion is initiated immediately and your active session ends; signing back in with the same number within 14 days recovers your account exactly as it was. After 14 days, all data cascades through every table that references you — friendships, crews, sessions you host, session history, push tokens, contact match hashes, streak records, admin audit references, and any blocks or reports you filed — and is permanently destroyed.
  • Request a copy of the data we hold about you, ask us to correct or restrict it, or object to processing, by emailing hi@crayp.com. We respond within 30 days.

If you're in the EU, EEA, UK, or Switzerland, GDPR / UK GDPR also gives you the right to data portability, the right to object to processing based on legitimate interests, the right to withdraw consent at any time without affecting prior lawful processing, and the right to lodge a complaint with your local data-protection authority (e.g. the ICO in the UK, or the supervisory authority of your member state). The same substantive rights apply to California residents under the CCPA / CPRA — including the right to know what personal information we sell, which is none. Quebec residents have the same rights under Law 25, plus the right to be informed of any automated decision-making (we don't perform any).

Crayp does not currently maintain an EU representative (Article 27 GDPR). We may designate one as our EU user base grows; in the interim, EU users can reach us directly at hi@crayp.com.

5. Data retention

We keep your data only as long as your account is active. When you initiate deletion, we close access immediately; the underlying records are permanently destroyed after a 14-day recovery window so an accidental deletion can be undone.

Push-notification telemetry is automatically pruned after 90 days. The admin-actions audit log is retained for the life of the deployment for accountability. Encrypted backups roll off within 30 days of deletion.

Two narrow exceptions: (i) records we're required to keep by law (e.g. financial or tax records — though Crayp doesn't currently process payments), and (ii) anonymized, non-identifying counters (e.g. total sessions on the platform).

6. Children

Crayp is intended for users 13 and older, or the higher minimum age required by your local law (for example, age 16 in some EU member states). We don't knowingly collect information from anyone below the applicable minimum age. If you believe a child has created an account, email hi@crayp.com and we'll delete it. Apple's Family Controls features used by Crayp are appropriate for users 13+.

7. Security

Data is encrypted in transit (HTTPS / TLS 1.2+) and at rest. Authentication uses a per-device opaque bearer token + a rotating refresh token stored in your iOS Keychain; sign out, change your phone, or delete your account to revoke them all. Administrative access to production is gated behind WebAuthn passkeys (no passwords); every privileged admin action is recorded in an internal audit log.

No system is unbreakable. If we ever experience a breach affecting your data, we'll notify you without undue delay and tell you what happened, what's at risk, and what we're doing about it — consistent with GDPR Article 33/34, UK GDPR, and US state breach-notification laws.

8. Changes to this policy

If we make material changes, we'll notify you in the app or by email (if we have one for you) at least 14 days before they take effect. The "Last updated" date at the top will change. Older versions are available on request.

9. Contact

Questions, requests, or concerns? Email hi@crayp.com. We treat it as the privacy-officer inbox for the purposes of GDPR, UK GDPR, CCPA, and Quebec Law 25 inquiries.

Bytea, Ltd.
1111B South Governors Ave, STE 39131
Dover, DE 19904, USA