This policy explains what information CurbCrew collects, how we use it, and what choices you have. We aim to keep this short and plainly worded — the legalese version is the same idea wrapped in extra adjectives.
What we collect
From you, when you sign up
- Your name, email, and password (passwords are hashed — we never see the plain text)
- Your company's name, location name, and timezone
- Your role within the company (owner, manager, valet, dev)
- Optionally: phone number, seniority level, profile metadata
From you, while you use the Service
- Shift schedules — dates, times, locations, slot assignments, who confirmed what when
- Clock events — when valets clock in and out, with optional GPS coordinates if your venue requires geofenced clock-in
- End-of-night and opening reports — tip totals, car counts, reservations, free-text notes, and photos uploaded as part of the report
- Tip distributions — per-valet tip records when your company runs in per-valet tip mode
- Time-off requests — date ranges and reasons
- Trade requests and decline requests — between valets, and between valets and managers
- Crew chat messages — text content of crew-thread and direct-message conversations
- Notifications — in-app inbox records of system events
Automatically, from your device
- Your device's push notification token (so we can send shift assignments and chat alerts)
- Your timezone (stored in a cookie so server-rendered pages show the correct “today”)
- Standard server access logs (IP address, user agent, timestamps) for security and operational debugging
How we use it
We use this data to:
- Run the Service: schedule shifts, send push notifications, sync data in real time, generate reports
- Authenticate you and protect your account from unauthorized access
- Communicate with you about your account, billing, and important Service changes
- Investigate and resolve bugs, abuse, and security incidents
- Improve the Service over time (we look at aggregate usage patterns; we don't read your chat messages or reports for product research)
Crew chat retention
Crew chat threads tied to a specific shift are automatically and permanently deleted at the start of the second day after the shift's calendar day, in the location's timezone. So a Tuesday shift's chat is gone by Thursday morning. Direct messages between valets persist until either party clears them from their account settings.
Photos & GPS data
Photos uploaded as part of end-of-night or opening reports are stored in our cloud storage and accessible to your company's admins, owners, and the closer who filed the report. They are retained as long as the report is retained.
GPS coordinates are recorded with clock-in and clock-out events, but only when your venue's admin has enabled GPS-required clock-in for that location. We use these coordinates only to verify the valet was within the geofence at the time. We don't track location continuously, and we don't use location data for anything other than clock-event verification.
Third parties we use
We use a few essential service providers to run CurbCrew. Each receives only the data needed to do its job:
- Supabase — our database, authentication, file storage, and real-time subscriptions. Your shift data, photos, and account records are stored here.
- Vercel — hosts the web application. Sees standard request logs.
- Expo Push Notifications — delivers push notifications to your device. Receives the notification title, body, and your device's push token.
- Google Firebase Cloud Messaging — delivers Android push notifications under the hood. Receives only the push payload and your Android device's FCM token.
- Stripe — processes subscription payments. Stripe receives your billing details (card, billing address) directly through their hosted checkout; we never see or store full card numbers. Stripe sends us back only the customer ID, subscription ID, and high-level status.
- Resend — delivers transactional email (welcome, trial reminders, account notices). Receives recipient email address, subject, and message body. Does not receive any other personal data.
- Cloudflare Turnstile — runs an invisible spam check on signup forms. Receives standard browser signals (User-Agent, IP, page interaction patterns) to score whether the request is from a real person. No persistent identifiers stored on our side.
We don't sell your data. We don't share it with advertisers. We don't use it to build profiles for third-party marketing.
Cookies
We use a small number of cookies, all functional:
- Authentication cookies set by Supabase to keep you signed in
- A tz cookie holding your browser's timezone, so server-rendered “today” is correct in your local time
We don't use third-party tracking cookies, advertising cookies, or analytics that require consent banners.
Account inactivity & deletion
Account lifecycle behavior worth understanding:
- Trial accounts that go cold: if a company signs up, never adds a payment method, and shows no activity for 60 days (no invited valets, no scheduled shifts, no recent sign-in), we mark the account as archived and email the owner. The owner has 14 days to sign in and click Restore my account to bring it back. After 14 days, the company and all of its data are permanently deleted.
- Self-service cancellation: owners can cancel a paid subscription anytime from their billing settings (via Stripe Customer Portal). Canceling stops billing at the end of the current period; data is retained as long as the account exists.
- Self-service deletion: owners can request permanent deletion of their company at any time. We process the request within 30 days. Active subscriptions are canceled as part of the deletion.
- Backup retention: after deletion, Supabase retains automated database backups for up to 7 days for disaster recovery purposes. Those backups are encrypted and access is limited to operations staff for restore-from-disaster scenarios only.
Your rights
Depending on where you live (CCPA in California, GDPR in the EU, and similar laws elsewhere), you may have rights to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data
- Object to certain processing or request restriction
- Receive a copy of your data in a portable format
To exercise any of these rights, email hello@curbcrew.app with the request. We'll respond within 30 days. We may need to verify your identity before acting on a request.
Data security
We use industry-standard security practices: passwords are hashed with modern algorithms, all data in transit is encrypted with TLS, the database is access-controlled with row-level security policies enforced server-side, and we limit who on our team can access production data. No system is ever 100% secure; we'll notify affected users and applicable authorities if a material breach occurs.
Children's privacy
CurbCrew isn't directed at children under 18. We don't knowingly collect data from minors. If you believe a child has signed up, email us and we'll delete the account.
International transfers
CurbCrew operates from the United States. If you use the Service from outside the US, your data is processed in the US under the protections of US law. We rely on standard contractual clauses and other lawful transfer mechanisms where required.
Changes to this policy
We'll update this Privacy Policy when we change how we handle data. Material changes will be communicated by email or in-app notice at least 14 days before they take effect. The “Effective” date at the top of this page reflects the latest revision.
Contact
Privacy questions, data requests, or anything in between: hello@curbcrew.app.
This policy is a working draft for an early-access closed beta. It will be reviewed by counsel before public launch. If specific regulations apply to you (HIPAA, GDPR Article 28, COPPA, etc.), let us know and we'll work with you on a Data Processing Addendum or equivalent.