Privacy Policy
How we handle your data — clearly explained.
Privacy Policy
Last updated: May 2026
Nascent Group Ltd ("we", "us", "our") operates the Crawlr mobile application. This policy explains what personal data we collect, why we collect it, how long we keep it, and what rights you have.
Crawlr is intended for users aged 18 and over. If we discover that a user is under 18, we will delete their account and all associated data without notice.
1. Who We Are
Data Controller: Nascent Group Ltd
Registered office: 48 Langham Street, London W1W 7AY
Companies House number: 16259791
ICO Registration: ZB961271
Contact: legal@crawlr.com
2. What Data We Collect and Why
We process your personal data on one of four legal bases under UK GDPR Article 6:
- Contract — processing is necessary to provide the service you signed up for
- Legitimate interests — processing is necessary for our reasonable safety, security, or operational interests, balanced against your rights
- Consent — you have actively opted in and can withdraw at any time
- Legal obligation — processing is required by UK law
2.1 Account and Profile Data
| Data | Why | Legal Basis | Retention |
|---|---|---|---|
| Name and username | Create and identify your account | Contract | Until account deleted + 30 days |
| Email address | Authentication, security notifications | Contract | Until account deleted + 30 days |
| Date of birth | Verify you are 18 or over | Contract | Until account deleted + 30 days |
| Profile biography | Display on your public or private profile | Contract | Until account deleted or you remove it |
| Profile picture | Display on your profile and in chat | Contract | Deleted automatically when you upload a new one; deleted on account closure |
| Gender and pronouns | Optionally display on your profile | Contract | Until account deleted or you remove it |
| Account status (active, under review, suspended, banned) | Safety and community moderation | Legitimate interests | Until resolved or account deleted |
2.2 Location Data
| Data | Why | Legal Basis | Retention |
|---|---|---|---|
| Real-time location (GPS) | Power the "Presence" feature — share your location with selected friends while on a crawl | Consent — you control who sees it and can turn it off at any time in Privacy & Location settings | Not stored persistently; presence updates are ephemeral and discarded when you close the app or turn off sharing |
| Crawl route (GPS trail) | Record your completed crawl route for your profile stats | Contract | Stored as part of your crawl record until you delete the crawl |
| Location at time of filing a report | Provide context to our safety team when a report is made during an active crawl | Legitimate interests (safety) | Stored within the report record — see Section 2.5 |
We never sell location data. We never use your location for advertising.
2.3 Social and Activity Data
| Data | Why | Legal Basis | Retention |
|---|---|---|---|
| Friend connections | Power friend requests, friend lists, and mutual content access | Contract | Until connection removed or account deleted |
| Follow relationships | Display follower and following counts | Contract | Until unfollowed or account deleted |
| Blocked users | Prevent blocked users from finding or contacting you | Contract + legitimate interests | Until unblocked or account deleted |
| Crawl participation and history | Build your crawl profile, stats, and badges | Contract | Until you remove the crawl from your profile or delete your account |
| Check-in history | Record which pubs you have visited on crawls | Contract | Until you delete the check-in or your account |
| Pub favourites | Save pubs you have liked | Contract | Until you remove the favourite or delete your account |
| Badge unlocks | Record achievements earned through app activity | Contract | Until account deleted |
2.4 Messages and Media
| Data | Why | Legal Basis | Retention |
|---|---|---|---|
| Chat messages (text) | Deliver and display messages to recipients | Contract | Until the message is deleted by you or the chat is deleted; deleted on account closure |
| Images sent in chat | Deliver photo messages | Contract | Until the message or chat is deleted; deleted on account closure |
| Check-in photos | Share photos from your pub check-ins | Contract | Until you delete the photo or your account |
| Crawl photos | Share photos taken during a crawl | Contract | Until you delete the photo or your account |
| Group chat names, descriptions, and avatars | Display group identity | Contract | Until the chat is deleted |
2.5 Safety and Moderation Data (Report Records)
When you file a report about another user or content, or when a report is filed about you, we record the following:
| Data | Why | Legal Basis | Retention |
|---|---|---|---|
| Reporter's user ID | Identify who filed the report | Legitimate interests | 2 years (dismissed reports); 7 years (actioned or referred to law enforcement) |
| Reported user's profile snapshot | Preserve identity evidence that might be deleted by the reported user before review | Legitimate interests + legal obligation | Same as above |
| Report category and context | Determine priority and appropriate response | Legitimate interests | Same as above |
| Your additional details (free text) | Provide context for our review team | Legitimate interests | Same as above |
| Reporter's IP address (captured server-side) | Assist law enforcement if required; fraud prevention | Legitimate interests | Same as above |
| Reporter's GPS location (during active crawls only) | Establish physical proximity to the incident | Legitimate interests (safety) | Same as above |
| Crawl member list at time of report | Identify potential witnesses | Legitimate interests | Same as above |
| Evidence copies (profile pictures, images, message content at time of report) | Preserve content that may be deleted before our team reviews it | Legitimate interests + legal obligation | Same as above; stored in a restricted evidence archive |
Note on account deletion and reports: Deleting your account anonymises the identifiers (your user ID is set to NULL in report records) but does not erase the report record itself. The safety record is retained for the periods above. This is required under UK law and for compliance with the Online Safety Act 2023.
Reporter anonymity: We never disclose who filed a report to the person who was reported. This is a firm product guarantee.
CEOP referral: If any report involves content that meets the legal threshold for child sexual abuse material (CSAM), we are legally required to refer it to the Child Exploitation and Online Protection Command (CEOP) and the Internet Watch Foundation (IWF) under the Protection of Children Act 1978 and the Online Safety Act 2023. We will comply with all related law enforcement requests.
2.6 Device and Technical Data
| Data | Why | Legal Basis | Retention |
|---|---|---|---|
| Push notification token | Send you push notifications; updated on each app launch | Contract (where notifications are on) / Consent | Until you disable notifications or delete your account |
| Crash and performance reports | Identify and fix app crashes and performance issues | Legitimate interests | 90 days |
| Session tokens (Supabase authentication) | Keep you logged in securely | Contract | Duration of session; deleted on sign-out |
| Google Sign-In OAuth credentials | Authenticate you via your Google account | Contract | Session duration; revocable via your Google Account settings |
We do not attach your user ID, email, or IP address to crash and performance reports. Reports contain stack traces, device model, OS version, and app version only.
3. Who We Share Your Data With
We do not sell your personal data. We share it only with:
Supabase Inc. — our database, file storage, authentication, and serverless function provider. Your data is processed on Supabase infrastructure. Supabase may host data in the EU or the United States; where data is transferred to the US, this is subject to Supabase's Data Processing Agreement and Standard Contractual Clauses (SCCs) as permitted under UK GDPR. See supabase.com/privacy.
Google LLC — if you sign in with Google, your Google account email and authentication tokens are processed by Google. See policies.google.com/privacy.
Law enforcement and regulatory authorities — we will disclose data when required to do so by a valid legal order, court order, or statutory obligation (including the Online Safety Act 2023). We will notify you where we are legally permitted to do so.
Our moderation team — members of the Nascent Group moderation team may access report records and flagged content solely for the purpose of reviewing reports and enforcing our community guidelines.
Crash and performance reports are processed on infrastructure we operate ourselves. No third-party diagnostic processor is involved.
4. Data Transfers Outside the UK
Supabase and Google are based in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office as the transfer mechanism for personal data leaving the UK. You can request a copy of the relevant SCCs by contacting legal@crawlr.com.
5. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
Right of access (Art. 15): You can request a copy of the personal data we hold about you. We will respond within one calendar month.
Right to rectification (Art. 16): You can correct inaccurate data directly in the app (profile settings) or by contacting us.
Right to erasure (Art. 17): You can delete your account from Settings → Delete Account. We will delete your data within 30 days. Note that certain safety records (Section 2.5) are exempt from erasure where retention is required by law or for the establishment, exercise, or defence of legal claims.
Right to restriction (Art. 18): You can ask us to restrict processing of your data in certain circumstances.
Right to data portability (Art. 20): You can request your profile and activity data in a machine-readable format.
Right to object (Art. 21): You can object to processing based on legitimate interests. We will consider your objection and cease processing unless we have compelling legitimate grounds.
Right to withdraw consent: Where we rely on consent (e.g. location sharing, push notifications), you can withdraw it at any time in the app settings. Withdrawal does not affect the lawfulness of processing before withdrawal.
Right not to be subject to automated decisions (Art. 22): We do not make solely automated decisions that produce legal or similarly significant effects about you.
To exercise any of these rights, contact us at legal@crawlr.com. You also have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.
6. Data Retention Summary
| Category | Retention Period |
|---|---|
| Account and profile data | Account lifetime + 30 days after deletion |
| Location presence (real-time) | Not stored — ephemeral |
| Crawl routes | Until crawl deleted or account deleted |
| Messages and media | Until deleted by you or account deleted |
| Crash and diagnostic data | 90 days |
| Authentication tokens | Session duration |
| Safety report records (dismissed) | 2 years from report date |
| Safety report records (actioned or law enforcement referral) | 7 years from report date |
| Evidence archive (images, snapshots preserved at report time) | Mirrors the report record retention above |
7. Age Restriction
Crawlr is strictly for users aged 18 and over, in line with UK licensing law. By creating an account you confirm you are 18 or over. We use your date of birth to verify this at sign-up. If we are made aware that a user is under 18 — through a report or any other means — we will immediately suspend the account, delete the user's data, and retain only the minimum records required to prevent re-registration.
Date of birth is collected once and is never updated, in line with our database design.
8. Security
We apply reasonable technical and organisational measures to protect your data, including encrypted transit (TLS), row-level security policies on our database, and restricted access to production systems. No system is 100% secure; please use a strong password and keep your device secure.
9. Changes to This Policy
We will notify you via a push notification or an in-app notice when we make material changes to this policy. The "Last updated" date at the top of this document will always reflect the most recent version. Continued use of Crawlr after notification of changes constitutes acceptance of the updated policy.
10. Contact
Data Controller: Nascent Group Ltd
Privacy enquiries: legal@crawlr.com
Complaints: ico.org.uk (UK Information Commissioner's Office)
If you have any questions about this policy or how we handle your data, please email us at legal@crawlr.com and we will respond within 30 days.
Last updated: 1 June 2026 · v8