Privacy policy.

Information you give us:

• Account info — .edu email address, password (if applicable), first name, last initial, username.
• Profile data — photo, bio, lifestyle preferences (sleep, cleanliness, social, smoking, guests, pets), budget, move-in date, what you’re looking for.
• Messages and matches — the content of conversations, likes, and matches with other users.
• Listings — any rooms, subleases, or takeovers you post.
• Payment info — processed by Stripe; we never store full card numbers ourselves.

Information collected automatically:

• Device & usage — IP address, browser type, operating system, pages viewed, timestamps, referring URL.
• Login events — when you sign in, from what general location, on what device.
• Cookies — session cookies for keeping you signed in. See Section 5.

From third parties:

• IPEDS database — we cross-check your .edu domain against the public US Department of Education IPEDS dataset to verify your school. We don’t pull personal data from IPEDS — only validate that the domain belongs to an accredited college.

• To verify you’re a current student at an accredited US college.
• To create your profile and show it to other verified students at your school.
• To compute compatibility scores between you and other users.
• To enable matches and messages between you and other users.
• To detect and prevent fraud, abuse, harassment, and Terms violations.
• To respond to support requests, safety reports, and legal requests.
• To process payments and provide receipts.
• To send transactional emails (sign-in links, account alerts) and — with your consent — product updates.
• To improve the Service through analytics on aggregated, anonymized usage.

We do not use your data for behavioral advertising. We do not sell your personal information.

Your profile data (first name + last initial, username, photo, bio, lifestyle, budget, looking-for, move-in date) is visible to other verified students at your school by default. You control what goes into your profile and can edit or hide it anytime.

Your full email, last name, payment info, and personal contact details are never shown to other users.

We share data with vendors who help us operate the Service (Section 4) and may disclose data when required by law, valid legal process, or to protect against abuse and harm.

Our core vendors:

• Supabase — database, authentication, file storage. Data hosted on AWS US-East. supabase.com/privacy
• Vercel — application hosting and edge delivery. vercel.com/legal/privacy-policy
• Resend — transactional email delivery (magic links, alerts). resend.com/legal/privacy-policy
• Stripe — payment processing for credit purchases. stripe.com/privacy
• Mapbox — map tiles and location services for browse-by-neighborhood. mapbox.com/legal/privacy

Each vendor receives only the data needed to perform their function. None of them are authorized to use your data for their own marketing.

We use a small number of cookies and similar technologies:

• Session cookies — keep you signed in. Essential for the Service to function.
• Security cookies — detect and block suspicious requests.
• Preference cookies — remember UI preferences like dark mode (if added).

We don’t use third-party tracking cookies, advertising trackers, or cross-site profiling. We may add privacy-respecting product analytics in the future (Plausible, Fathom-type tools) — we’ll update this policy if we do.

While your account is active, we retain your data as needed to provide the Service. When you delete your account:

• Your profile is hidden immediately.
• Your messages may be retained up to 90 days for safety, fraud prevention, and legal compliance.
• After 90 days, personal information is deleted or anonymized except where retention is required by law.
• Aggregated analytics (counts, no personal info) may be retained indefinitely.

You can:

• Access all data we hold about you — export from your settings or email privacy@crashmates.com.
• Correct inaccurate data through your profile editor.
• Delete your account and personal data at any time.
• Object to certain processing of your data.
• Withdraw consent for optional processing (we’ll always tell you which is optional).

Send requests from your registered .edu email so we can verify it’s you. We respond within 30 days.

If you’re a California resident, you have additional rights:

• Right to know what categories of personal information we collect and how we use them.
• Right to delete personal information we hold.
• Right to correct inaccurate personal information.
• Right to opt-out of \u201csale\u201d or \u201csharing\u201d — we don’t sell or share for cross-context behavioral advertising, but you can confirm this.
• Right to non-discrimination for exercising these rights.

To exercise California rights, email privacy@crashmates.com from your registered .edu address.

Crashmates is built for US college students and is not actively marketed to people outside the US. If you access the Service from the EU/UK, you have GDPR rights including access, rectification, erasure, restriction, portability, and objection.

The lawful basis for processing your data is: (a) performance of a contract (these Terms), (b) our legitimate interest in operating the Service safely, and (c) your consent for optional features like marketing email.

We use industry-standard safeguards:

• All data encrypted in transit (HTTPS/TLS 1.2+).
• Database encrypted at rest (Supabase / AWS).
• Magic-link authentication — no passwords to leak.
• Row-level security on every database table.
• Service-role credentials never exposed to the browser.

No system is 100% secure. If we discover a breach affecting your data, we’ll notify you in compliance with applicable law.

The Service is not directed to children under 18. We don’t knowingly collect data from anyone under 18. If you believe we have collected data from someone under 18, email privacy@crashmates.com and we’ll delete it.

If we make material changes, we’ll notify you by email and/or in-app notice at least 14 days before they take effect. The \u201cUpdated\u201d date at the bottom always reflects the latest version.

Privacy questions or requests: privacy@crashmates.com
Crashmates, Inc. — Los Angeles, California, United States