Last updated · April 24, 2026
Privacy Policy
Crossings is built so most of your data never leaves your phone. This document explains exactly what we do collect, why, and what we don’t. Effective April 24, 2026.
1. Who we are
“Crossings” (“we”, “us”) is the operator of the Crossings mobile application and the crossings.so website. If you have privacy questions, email support@crossings.so.
2. Our design principle: photos stay on your phone
Crossings finds moments where two users’ paths crossed. We do this without ever seeing your photos. The app reads each photo’s time and location on your device, hashes the result into an opaque fingerprint, and only the fingerprint is uploaded. Image bytes never leave your phone unless you explicitly choose to share a photo with someone you’re connected to, in which case it is end-to-end encrypted before upload.
3. Data we collect
Account information
When you sign in with Apple or Google, we receive your name, email address, and an account identifier from the provider. We store these so we can recognise you across devices.
Photo fingerprints
For each photo we process on-device:
- Capture time
- Approximate location, rounded to roughly a city block (~110 m)
- An anonymous hash of an internal photo identifier so the same photo isn’t counted twice
The location component is encrypted at rest before it’s written to our database, using a key only the server holds. We never store the original photo, the original filename, or precise GPS coordinates.
Crossings
When you and another user have fingerprints that line up in time and place, we record a crossing: a connection between you, a coarse location, and the time. Coordinates are encrypted at rest. The venue name (if any) is reverse-geocoded by us using OpenStreetMap and is also encrypted at rest.
Shared photos
If you choose to reveal a photo to someone you’re connected to, the photo is encrypted on your device with a key only the recipient’s device can unwrap. We store the resulting ciphertext. We cannot decrypt these photos. They are deleted when either party deletes the connection or their account.
Profile photo
If you upload a profile picture, we store it in object storage to serve via our CDN. Profile photos are not end-to-end encrypted because they’re visible to anyone you connect with. We run an automated content classifier on every upload and reject obviously not-safe-for-work images.
Subscription status
If you purchase Crossings Plus, our payments partner RevenueCat tells us when your subscription starts and expires. We store an expiry timestamp on your account; we do not see card details or billing addresses.
Diagnostic data
When the app crashes or hits an error, we send a stack trace and basic device information (OS version, device model) to Sentry so we can fix bugs. These reports do not include your photos, fingerprints, or location.
4. What we don’t collect
- Original photo bytes (except as ciphertext you explicitly share)
- Precise GPS coordinates
- Real-time location
- Contacts, calendars, or messages
- Browsing history outside the app
- Advertising identifiers; we do not run ads
5. How we use your data
- To match your fingerprints with people you connect to and surface crossings.
- To deliver photos you choose to share, end-to-end encrypted, to the people you choose to share them with.
- To authenticate you across devices.
- To process your subscription and unlock Plus features.
- To monitor for crashes and improve reliability.
We do not sell your data. We do not use your data for advertising. We do not train machine-learning models on it.
6. Service providers
We use a small number of trusted infrastructure providers to run Crossings. Each only sees the data needed for their part:
- Neon — Postgres database hosting (account info, fingerprints, crossings, encrypted photo metadata).
- Cloudflare — CDN, DNS, WAF, and R2 object storage (encrypted shared photos and profile photos).
- Sentry — crash and error reporting.
- RevenueCat — subscription management.
- Apple and Google — sign-in providers and app distribution (Apple App Store, Google Play, Sign in with Apple, Google Maps SDK).
- OpenStreetMap / Nominatim — reverse-geocodes coarse coordinates to venue names. We send only the rounded coordinate of a crossing, never your location stream.
Each provider has its own privacy policy. We have written agreements with each that limit what they can do with your data.
7. Data retention
We retain account data and the fingerprints, connections, and crossings tied to it for as long as your account exists. When you delete your account from inside the app:
- Your account row, fingerprints, invites, connections, crossings, and shared photos (both sent and received) are removed from our database.
- Your profile photo and any photo ciphertext you uploaded are removed from object storage.
- Backups containing prior copies of this data are overwritten on a rolling 30-day window.
Authentication providers (Apple, Google) retain their own records of your sign-ins independently; you can revoke our access from their account settings at any time.
8. Your rights
Depending on where you live, you may have the right to:
- Access the data we have about you
- Correct inaccurate data
- Delete your account and the data associated with it
- Export your data in a portable format
- Object to or restrict our processing of your data
- Lodge a complaint with your local data-protection authority
You can delete your account directly from the app under Profile → Delete account. For other requests, email support@crossings.so. We respond within 30 days.
9. Security
We use TLS for every connection between your device and our servers. Photo coordinates and venue names are encrypted at rest with a key the database does not know. Photos shared between users are end-to-end encrypted on-device with the recipient’s public key; the server can’t decrypt them. No system is completely secure, but we treat your data with the same care we’d want for our own.
10. Children
Crossings is not directed at children under 13 (under 16 in the EU). We do not knowingly collect data from children under those ages. If you believe a child has signed up, email support@crossings.so and we’ll remove the account.
11. International transfers
Our infrastructure is hosted in the United States and Europe. If you use Crossings from outside those regions, your data will be transferred to and processed there. Where required, we rely on standard contractual clauses with our providers to protect transfers out of the EU and UK.
12. Changes to this policy
We may update this policy as the app evolves. When we make material changes, we’ll update the date at the top and, if you have an account, send you a notice in-app or by email before the change takes effect.
13. Contact
Questions or requests: support@crossings.so.