Crumble is a social food-tracking app operated from the Netherlands. This policy explains what personal data we process when you use Crumble, why, and the rights you have under the EU General Data Protection Regulation (GDPR) and the Dutch implementing act (UAVG).
Who we are
The data controller is the operator of Crumble (contact details below under "Contact"). For privacy questions you can reach us at privacy [at] crumble [dot] me. We have not yet appointed a formal Data Protection Officer because our processing does not meet the Article 37 GDPR threshold; that contact address routes to the people responsible for privacy decisions at Crumble.
What we collect
- Account data. Your email address and Google profile name when you sign in via Google OAuth, plus the username, display name, avatar emoji, and optional home location you set during onboarding.
- Content you create. Spots, reviews (rating, notes, photos), wishlist entries, comments, likes, friend connections, and custom tags. You author this — it would not exist without your action.
- Photos. Images you upload to a review or avatar. We compress images client-side and strip EXIF metadata server-side (including GPS coordinates) before storage.
- Location data. Coordinates of spots you save (when you allow location, drop a pin, or pick a place from search). Your home location, if you set one, is stored against your account. We do not continuously track your device location.
- Technical data. Your IP address (visible to Cloudflare for routing and abuse prevention), user-agent, and timestamps of requests. These are processed in transient access logs.
- Session data. A signed session cookie (crumble_session), an OAuth state cookie (oauth_state) used during sign-in, and an optional referral cookie (pending_ref). See the cookie policy.
We do not use third-party analytics, advertising trackers, or fingerprinting.
Why we process it (legal basis)
- Performance of contract (Art. 6(1)(b) GDPR) — we need your account, content, and session data to actually run the service you signed up for.
- Consent (Art. 6(1)(a)) — for any non-essential cookies you opt into via the consent banner. We currently set none, but the legal basis is in place for future analytics or marketing tooling.
- Legitimate interests (Art. 6(1)(f)) — for security, abuse prevention, and rate-limiting (e.g. friend-request spam, login brute force). The interest is balanced against your rights and is limited to what is necessary.
Who we share it with (data processors)
We use a small number of sub-processors. They process data only on our instructions, under written agreements:
- Cloudflare, Inc. — hosting (Cloudflare Pages / Workers), database (D1), and image storage (R2). Data is stored within Cloudflare's EU data regions where available. Cloudflare also provides DDoS and WAF protection, which means your IP is briefly visible to it on every request.
- Google LLC — only for the Google OAuth sign-in flow. We receive your email and profile name from Google after you authorise the consent screen. We do not use Google Analytics, Firebase, or AdSense.
- Foursquare (Factual, Inc.) — when you search for a place to review, we forward your search query (and approximate map area) to the Foursquare Places API to fetch venue suggestions. Search responses are cached at our edge for up to 29 days. We do not send your account identifier.
- OpenStreetMap Foundation (Nominatim) — used for reverse-geocoding pin-drop locations into a country code. Only the coordinates are sent.
International transfers
Our processors are global. Where personal data leaves the European Economic Area (notably to Google and Foursquare in the United States), the transfer is covered by the EU Standard Contractual Clauses and, for Google, by their Data Privacy Framework certification.
How long we keep it
- Account, spots, reviews, photos: for as long as your account exists. Deleting your account removes them.
- Session cookies: 30 days; refreshed on use.
- Consent cookie: 1 year, then we re-prompt.
- Cloudflare access logs: retained per Cloudflare's standard retention (typically days, not months).
Your rights
Under the GDPR you can request, free of charge:
- Access to the personal data we hold about you (Art. 15).
- Rectification of inaccurate data (Art. 16). You can edit most fields directly in the app.
- Erasure — the "right to be forgotten" (Art. 17). Email privacy [at] crumble [dot] me from the address tied to your account and we will delete it within 30 days.
- Restriction of processing (Art. 18) and objection to processing based on legitimate interest (Art. 21).
- Portability (Art. 20) — a machine-readable export of your data on request.
- Withdraw consent at any time via the cookie banner; this does not affect prior lawful processing.
- Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) or your local supervisory authority.
Children
Crumble is not intended for users under 13. If you believe a child has created an account, contact us and we will remove it.
Security
See our security disclosure policy for how to report vulnerabilities. Photos have EXIF GPS metadata stripped on upload. Sessions are HMAC-signed. Friend ACLs are enforced server-side on every endpoint that exposes user content.
Changes
Material changes will be announced in-app and the "last updated" date above will move forward. If a change requires fresh consent, the cookie banner will reappear.
Contact
Privacy questions, deletion requests, or right-of-access requests: privacy [at] crumble [dot] me.