Privacy Policy

Last updated · April 29, 2026

Crayp is built so you can be where you actually are. To make that work we collect a small amount of personal information. This page explains, in plain English, what we collect, why we collect it, and what control you have over it.

This policy applies to the Crayp iOS app and the website at crayp.com (together, the Service), operated by Bytea, Ltd., a Delaware corporation ("we," "us," "our"). If you have questions, email hi@crayp.com.


1. What we collect

Account information

When you sign up we ask for your phone number (US or Canada only) and a display name. We send a one-time verification code to your phone via our SMS provider, Prelude. We don't store the code itself, only whether the verification succeeded.

Profile information

If you upload an avatar, we store the image on Convex's encrypted file storage and link it to your account. You can change or remove it at any time from the profile drawer.

Contacts (only if you grant permission)

To find friends already on Crayp, we read the phone numbers in your iOS Contacts and hash them on your device using SHA-256 before sending the hashes to our server. We never receive your contacts' raw phone numbers or names. The hashed values are matched against the same one-way hashes of registered users to surface mutual friends.

Activity

We store the records that make Crayp work:

  • Friendships, friend requests, and crews you create.
  • Sessions you start, join, lock, and unlock — including the duration and participants.
  • Streak history (which days you completed at least one session in your timezone).
  • Reports you submit and people you block.

Device + delivery information

We store your Apple Push Notification token so we can deliver session invites and friend requests, your device timezone so streak boundaries reflect your local day, and a hashed identifier of your network address (used briefly to rate-limit OTP requests; never linked back to you).

What we do not collect

  • We don't track your browsing or location outside Crayp.
  • We don't read messages, photos, or content from any other app.
  • We don't sell, rent, or trade your data to anyone, ever.
  • We don't use third-party advertising, retargeting pixels, fingerprinting SDKs, or analytics vendors that resell data.

2. How we use it

  • To run the Service — sign-in, friend matching, sessions, streaks, push notifications.
  • To prevent abuse — rate-limiting OTP requests, reviewing reports, banning accounts that violate these terms.
  • To respond when you contact us at hi@crayp.com.

3. Who we share it with

We use a small number of trusted infrastructure providers, each scoped to a specific purpose:

  • Convex — our backend database and realtime sync. Stores everything in Section 1 except the SMS code itself.
  • Prelude — sends and verifies the SMS one-time code at sign-in. Receives your phone number for the duration of the verification.
  • Apple Push Notification service — delivers push notifications to your device. Receives your push token and the notification payload.
  • Apple App Store / TestFlight — distributes the app and may share aggregated install metrics with us.

We share information with these providers only as needed to operate the Service, under contractual confidentiality and security obligations. We don't share your data for any other purpose.

We may disclose information if required by law or to protect rights, safety, or property — but only the minimum necessary, and we'll notify you unless the law forbids it.


4. Your rights

You can, at any time:

  • See and edit your profile from inside the app.
  • Block or report any user from their friend row.
  • Change your phone number from the profile drawer (re-verifies via OTP).
  • Delete your account from the profile drawer. Deletion is permanent and cascades through every table that references you — friendships, crews, sessions you host, session history, push tokens, contact match hashes, streak records, and any blocks or reports you filed.
  • Request a copy of the data we hold about you, or ask us to correct it, by emailing hi@crayp.com. We respond within 30 days.

If you're in the EU or UK, GDPR gives you additional rights including the right to object, restrict processing, and lodge a complaint with your local data-protection authority. The same rights apply to California residents under the CCPA, including the right to know what personal information we sell — which is none.


5. Data retention

We keep your data only as long as your account is active. When you delete your account, we delete your records immediately and irrevocably. Backups roll off within 30 days.

Two narrow exceptions: (i) records we're required to keep by law (e.g., financial or tax records — though Crayp doesn't currently process payments), and (ii) anonymized, non-identifying counters (e.g., total sessions on the platform).


6. Children

Crayp is intended for users 13 and older. We don't knowingly collect information from anyone under 13. If you believe a child under 13 has created an account, email hi@crayp.com and we'll delete it. Apple's Family Controls features used by Crayp are appropriate for users 13+.


7. Security

Data is encrypted in transit (HTTPS / TLS 1.2+) and at rest. Authentication uses a per-device bearer token stored in your iOS Keychain; revoke it any time by signing out or deleting your account. We restrict access to production systems to a short list of people, audited regularly.

No system is unbreakable. If we ever experience a breach affecting your data, we'll notify you without undue delay and tell you what happened, what's at risk, and what we're doing about it.


8. Changes to this policy

If we make material changes, we'll notify you by email (if we have one for you) or through the app at least 14 days before they take effect. The "Last updated" date at the top will change. Older versions are available on request.


9. Contact

Questions, requests, or concerns? Email hi@crayp.com.

Bytea, Ltd.
1111B South Governors Ave, STE 39131
Dover, DE 19904, USA