Last updated: April 9, 2026
Privacy Policy
DRAFT — NOT LEGAL ADVICE. This document is a starting point. Before going public with real users beyond a small test group, have it reviewed by a qualified Dutch lawyer or run it through a paid privacy policy generator (Termly, iubenda).
1. Who we are
Crew Lounge ("we", "us", "the app") is an independent personal project operated by Tony Wilffert, based in the Netherlands. Crew Lounge is not affiliated with, endorsed by, or operated by KLM Royal Dutch Airlines or any other airline.
For privacy questions, contact: akwilffert@gmail.com
2. Scope
This policy explains what personal data we collect when you use Crew Lounge, why we collect it, how we store it, and what rights you have under the General Data Protection Regulation (GDPR).
3. What data we collect
When you create an account and use the app, we collect:
- Account data: your name, email address (which must be @klm.com), and password (stored as a secure hash, never in plain text)
- Profile data: your home base, role (cabin or cockpit), and optional avatar image
- Schedule data: your upcoming and past layovers (city, dates, flight numbers), either synced from your KLM crew calendar via the iCal URL you provide or added manually
- Connection data: the friend connections you make with other users
- Tips: any tips or destination notes you write
- Notifications: records of matches between your schedule and other users' schedules
- Push subscription data: if you enable push notifications, the technical endpoint and keys needed to deliver them
- Technical data: standard server logs (IP address, browser type, timestamps) for security and debugging
We do not collect:
- Payment information (the app is free)
- Location data from your device
- Browsing or advertising data
- Any data from KLM's internal systems
4. Why we collect it (legal basis)
- Contract (to provide the service): account, schedule, friends, tips, and notifications are essential for the app to work
- Consent: push notifications are only sent if you explicitly opt in; you can opt out at any time
- Legitimate interest: server logs for security and abuse prevention
5. Who we share it with
We use the following sub-processors to operate the app:
- Supabase (database and authentication, EU region) — stores all account, schedule, and user-generated data
- Vercel (hosting) — serves the app and handles server-side functions
- KLM crew calendar (your iCal URL) — we fetch your roster from this URL on your behalf
We do not sell your data, share it with advertisers, or use it for any purpose other than running the app.
Other users can see:
- Your name and avatar
- Your upcoming layovers, depending on your privacy setting (everyone or friends only)
- Tips you have published
6. How long we keep it
- Account data: as long as your account exists
- Schedule data: layovers are automatically removed when they no longer appear in your synced iCal feed; past layovers are retained for historical view unless you delete your account
- Connections, tips, notifications: until you delete them or your account
- Push subscriptions: until you disable notifications or delete your account
- Server logs: maximum 30 days
If you delete your account, all your personal data is permanently removed from our database within 30 days, except where we are legally required to keep it.
7. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data ("right to be forgotten") by deleting your account
- Restrict processing in certain circumstances
- Receive your data in a machine-readable format (data portability)
- Object to processing based on legitimate interest
- Withdraw consent at any time (e.g. disable push notifications)
- Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl
To exercise any of these rights, contact us at akwilffert@gmail.com. We will respond within 30 days.
8. Data security
We protect your data through:
- Encryption in transit (HTTPS) and at rest (Supabase database encryption)
- Row-level security policies that prevent users from accessing data they should not see
- Secure password hashing
- Regular dependency updates
In the event of a data breach affecting your personal data, we will notify you and the relevant authorities within 72 hours as required by GDPR.
9. Cookies and local storage
We use browser local storage to keep you logged in between visits. We do not use tracking cookies, advertising cookies, or third-party analytics.
10. Children
Crew Lounge is intended for adult airline crew members. We do not knowingly collect data from anyone under 18.
11. Changes to this policy
We may update this policy from time to time. Significant changes will be communicated to you via the app or by email. Your continued use of the app after changes means you accept the updated policy.
12. Contact
For any privacy-related questions, contact: akwilffert@gmail.com