Privacy Policy

Effective July 8, 2026 · Last updated July 8, 2026

The short version

Crossed ("we," "us," "our") is an iOS app that helps friends discover when their paths almost crossed during the day. This Privacy Policy explains what information we collect, how we use it, and the specific technical choices we have made to keep your data private — including from ourselves.

If you have questions, email hello@crossed.social.

Section 1

Information we collect

Account information

When you sign up, we collect your email address (for authentication via magic link) and a username you choose. You may optionally provide a display name.

Location data — in transformed form only

Crossed uses your device's location services in the background to detect where you have been. Before any location data leaves your device:

  • Your precise coordinates are converted into geohashes at approximately 150-meter precision.
  • Timestamps are rounded down to 5-minute buckets.
  • Any locations falling within a "Private Zone" you have defined (home, work, or custom) are discarded on-device and never transmitted.

Only the resulting (geohash, time bucket) pairs are uploaded to our servers. We never receive or store your precise latitude and longitude.

Friend graph

When you add a friend, we store the relationship (sender, receiver, status) and per-friend privacy preferences you set.

Near-miss records

When two friends' location hashes overlap, we store a record of the intersection: the two users involved, the shared geohash cell, and the time bucket. This is what powers the "Crossings" feature.

Section 2

How we use your information

Your information is used strictly to:

  • Authenticate you into the app.
  • Show you the crossings between you and your friends.
  • Send you optional notifications about crossings, per your closeness settings.
  • Provide support if you contact us.

We do not use your data for advertising, and we do not build behavioral profiles.

Section 3

On-device processing and privacy architecture

Crossed is designed around a specific privacy principle: even in the worst-case scenario of a full server breach, no one should be able to determine where you live, work, or spend most of your time.

We achieve this through:

  • On-device geohashing. Precise coordinates never leave your phone.
  • Private zone redaction. Points within zones you have defined are dropped at the source, before any transmission.
  • Bilateral consent. Crossings between two users are only computed and stored if both users have opted in to visibility for each other. The stricter of the two settings always applies.
  • No location trail on our servers. We store only the intersection results, not your continuous movement history.
Section 4

Data sharing

We do not sell, rent, share, or license your personal data to third parties for their advertising, marketing, or research purposes.

We may share limited information with:

  • Service providers who help us operate the app, listed in Section 5.
  • Law enforcement, if legally compelled by a valid court order — noting that because of our on-device architecture, the amount of information we can produce is inherently limited.
Section 5

Third-party services

Crossed uses the following services. Each is bound by contract and their own privacy policies:

  • Supabase — database and edge functions. Stores your account, friend graph, hashed location buckets, and near-miss records. See Supabase's Privacy Policy.
  • Resend — transactional email. Sends your sign-in magic links. See Resend's Privacy Policy.
  • Cloudflare — hosting and DNS for our website. May collect standard server logs. See Cloudflare's Privacy Policy.
  • Apple — App Store, TestFlight, and iOS platform services. Governed by Apple's Privacy Policy.
Section 6

Data retention

  • Account data: kept while your account is active. Deleted immediately if you delete your account.
  • Location buckets (hashed): retained for 30 days by default to enable historical crossings, then automatically deleted.
  • Near-miss records: retained for the life of your account or until you delete it.
Section 7

Your rights

You can:

  • Access your data by contacting hello@crossed.social.
  • Correct your account information (username, email) from within the app.
  • Delete your account and all associated data at any time from Settings → Delete Account. This action is immediate and permanent. Cascading deletion removes your friendships, location buckets, near-miss records, and account row.
  • Withdraw consent for any specific feature by adjusting privacy settings or, if desired, deleting your account.

Depending on where you live, you may have additional rights under laws like GDPR (EU/UK) or CCPA (California), including the right to portability and the right to lodge a complaint with a supervisory authority.

Section 8

Security

We implement industry-standard security practices including:

  • Row-level security on all database tables so users can only access their own data.
  • JWT-based authentication for all API calls.
  • HTTPS encryption for all data in transit.
  • Location data hashed on-device before transmission.

No system is perfectly secure. We commit to notifying affected users promptly if we detect a data breach that affects their information.

Section 9

Children

Crossed is not intended for children under 13. We do not knowingly collect information from children under 13. If we learn that we have collected information from a child under 13, we will delete it. If you believe your child has provided information, please contact hello@crossed.social.

Users in the European Economic Area must be at least 16 to use Crossed.

Section 10

International users

Crossed is operated from the United States. If you use Crossed from outside the U.S., your data will be transferred to and processed in the U.S. and other countries where our service providers operate. By using Crossed, you consent to this transfer.

Section 11

Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you within the app and update the effective date at the top of this document. Continued use of Crossed after a change constitutes acceptance of the updated policy.

Section 12

Contact

For any privacy questions, requests, or concerns:

hello@crossed.social

We aim to respond to all privacy inquiries within 7 days.