Privacy Policy

Effective as of 2026-02-17

This privacy policy applies to the Nomad Crew app (hereby referred to as "Application") for mobile devices that was created by Naqeebali Shamsi (hereby referred to as "Service Provider") as an Open Source service. This service is intended for use "AS IS".

Data Controller: Naqeebali Shamsi, operating as NomadCrew. Contact: nomadcrew5@gmail.com

Information Collection and Use

The Application collects information when you download and use it. This information may include:

  • Your device's Internet Protocol address (e.g. IP address)
  • The pages of the Application that you visit, the time and date of your visit, the time spent on those pages
  • The time spent on the Application
  • The operating system you use on your mobile device
  • Travel documents and identity documents you choose to upload (e.g. passports, visas, insurance cards, vaccination records, flight bookings, hotel reservations, receipts, loyalty cards)
  • Document metadata (document type, name, upload date)

Location Data

The Application collects your device's location, which helps the Service Provider:

  • Geolocation Services: Provide features such as personalized content, relevant recommendations, and location-based services.
  • Analytics and Improvements: Analyze user behavior, identify trends, and improve the overall performance.
  • Third-Party Services: Periodically transmit anonymized location data to external services for enhancement purposes.

Document Storage

The Application provides a "Wallet" feature that allows you to store travel-related documents for your convenience. The types of documents you may upload include:

  • Passports and visas
  • Travel insurance cards
  • Vaccination records
  • Flight bookings and hotel reservations
  • Receipts and loyalty cards

Purpose: Document storage is provided solely for your travel convenience and organization. The Service Provider does not access, analyze, or process the contents of your uploaded documents for any purpose other than storing and displaying them to authorized users.

How documents are stored: All uploaded documents are stored on secure servers with encryption at rest (server-side encryption via AWS EBS encryption). Documents are transmitted over encrypted connections (HTTPS/TLS).

Retention: Documents are retained for as long as you choose to keep them. When you delete a document, it is soft-deleted and permanently purged from our servers after 30 days. You may delete individual documents or all of your documents at any time through the Application.

Access controls: Documents uploaded to your personal wallet are accessible only to you. Documents uploaded to a trip's group wallet are accessible to all current members of that trip. When you share a document with a group, all trip members can view it.

Sensitive Personal Data

Certain documents you may upload contain sensitive personal data that receives special protection under applicable data protection laws, including the EU General Data Protection Regulation (GDPR):

  • Health data: Vaccination records and medical certificates are classified as special category data under GDPR Article 9.
  • Government-issued identity information: Passports, visas, and national ID documents contain identity numbers and biometric data.

The Application will request your explicit consent before you upload these types of documents. You are not required to upload any sensitive documents to use the Application.

Important: You should not use the Application as the sole storage location for any important document. Always retain the original copies of your identity and travel documents. The Service Provider is not responsible for data loss.

Group Document Sharing

When you upload a document to a trip's group wallet, all members of that trip can view the document. Please exercise caution when sharing identity documents (such as passports or visas) with group members. You should only share sensitive documents with people you trust.

The Service Provider does not control how other trip members may use, screenshot, or share documents that you make available through the group wallet. Once a document is shared with a group, other members may have viewed or saved it before you remove it.

Third Party Access

Only aggregated, anonymized data is periodically transmitted to external services to aid the Service Provider in improving the Application and their service. The Service Provider may share your information with third parties in the ways that are described in this privacy statement.

The Service Provider may disclose User Provided and Automatically Collected Information:

  • as required by law, such as to comply with a subpoena, or similar legal process;
  • when they believe in good faith that disclosure is necessary to protect their rights, protect your safety or the safety of others, investigate fraud, or respond to a government request;
  • with their trusted services providers who work on their behalf, do not have an independent use of the information we disclose to them, and have agreed to adhere to the rules set forth in this privacy statement.

Opt-Out Rights

You can stop all collection of information by the Application easily by uninstalling it. You may use the standard uninstall processes as may be available as part of your mobile device or via the mobile application marketplace or network.

Data Retention Policy

The Service Provider will retain User Provided data for as long as you use the Application and for a reasonable time thereafter. If you'd like them to delete User Provided Data that you have provided via the Application, please contact them at nomadcrew5@gmail.com and they will respond in a reasonable time.

Children

The Service Provider does not use the Application to knowingly solicit data from or market to children under the age of 13.

The Application does not address anyone under the age of 13. The Service Provider does not knowingly collect personally identifiable information from children under 13 years of age. In the case the Service Provider discover that a child under 13 has provided personal information, the Service Provider will immediately delete this from their servers. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact the Service Provider (nomadcrew5@gmail.com) so that they will be able to take the necessary actions.

Data Security

The Service Provider is concerned about safeguarding the confidentiality of your information and implements the following security measures:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS.
  • Encryption at rest: Stored documents and personal data are encrypted on our servers using server-side encryption (AWS EBS encryption).
  • Access controls and authentication: Access to your data is protected by authentication (Supabase Auth with Google and Apple Sign-In) and role-based access controls.
  • Audit logging: Access to stored documents is logged for security monitoring purposes.
  • Automatic purge: Deleted data is permanently purged from our servers after 30 days.

While the Service Provider takes reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. The Service Provider cannot guarantee absolute security of your information.

Lawful Basis for Processing

We process your personal data on the following legal bases under the GDPR:

  • Contract performance (Article 6(1)(b)): Processing necessary to provide the Application's core features, including trip management, group chat, and location sharing.
  • Legitimate interests (Article 6(1)(f)): Analytics and service improvement, security monitoring, and fraud prevention. Our legitimate interest is to maintain and improve the Application while protecting our users.
  • Consent (Article 6(1)(a)): Document storage in the wallet feature. You consent to this processing when you choose to upload documents. You may withdraw consent at any time by deleting your documents.
  • Explicit consent (Article 9(2)(a)): Processing of special category data such as vaccination records and health certificates. The Application will request your explicit, informed consent before you upload health-related documents. This consent is separate from general document storage consent.

Your Data Rights

Under applicable data protection laws, including the GDPR, you have the following rights regarding your personal data:

  • Right to Access: You can view all of your stored documents and personal data directly within the Application at any time.
  • Right to Erasure: You can delete any individual document through the Application. To request complete deletion of all your personal data, contact us at nomadcrew5@gmail.com.
  • Right to Data Portability: You can download your stored documents from the Application at any time.
  • Right to Withdraw Consent: You can withdraw consent for document storage by deleting your documents at any time. This does not affect the lawfulness of processing carried out before withdrawal.
  • Right to Rectification: You can update or replace any document you have uploaded.
  • Right to Restriction of Processing: You may request that we restrict processing of your personal data by contacting us at nomadcrew5@gmail.com.
  • Right to Object: You have the right to object to processing based on legitimate interests. Contact us at nomadcrew5@gmail.com.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. For UK users, this is the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint, telephone 0303 123 1113. For EU users, you may contact your local data protection authority.

To exercise any of these rights, you may use the in-app controls or contact the Service Provider at nomadcrew5@gmail.com. We will respond to your request within 30 days.

Changes

This Privacy Policy may be updated from time to time for any reason. The Service Provider will notify you of any changes to the Privacy Policy by updating this page with the new Privacy Policy. You are advised to consult this Privacy Policy regularly for any changes, as continued use is deemed approval of all changes.

This privacy policy is effective as of 2026-02-17.

International Data Transfers

Your data is stored on servers located in the European Union (AWS eu-west, Ireland). Authentication services are provided by Supabase, which may process authentication data in accordance with their own privacy policy.

Where your personal data is transferred outside the UK or the European Economic Area, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or reliance on adequacy decisions by the UK Secretary of State or European Commission.

Third Party Services

The Application uses third-party services that have their own Privacy Policies:

Contact Us

If you have any questions regarding privacy while using the Application, please contact the Service Provider via email at:

nomadcrew5@gmail.com