Data Security & GDPR Compliance
A technical overview of how we protect your data. No marketing fluff—just facts for people who care about security.
TL;DR
- EU-hosted — All data stored in Frankfurt, Germany (eu-central-1)
- No ads, no data selling — We make money from paid plans, not your data
- GDPR compliant — Full data export, deletion with 30-day grace period
- Row-level security — Database enforces access control, not just application code
- Comprehensive audit logging — Security-sensitive actions are tracked
Infrastructure
Grewp is built on Supabase (PostgreSQL + Auth + Storage), hosted in the EU region (Frankfurt, Germany). This means your data never leaves the EU unless you explicitly share it with someone outside the EU.
Region: eu-central-1 (Frankfurt)
Database: PostgreSQL 15 with Row-Level Security
Storage: S3-compatible object storage (EU)
CDN: Vercel Edge Network (EU edge nodes)
We use Vercel for hosting the web application, configured to use EU edge nodes for GDPR compliance. All server-side rendering and API routes execute in EU regions.
Data Protection
Encryption
- In transit: TLS 1.3 for all connections (HTTPS enforced)
- At rest: AES-256 encryption for database and storage
- Authentication: Magic links (passwordless) via secure email tokens
Row-Level Security (RLS)
PostgreSQL Row-Level Security enforces access control at the database level. This means even if application code has a bug, the database itself prevents unauthorised data access.
-- Example: Users can only see their own group memberships
CREATE POLICY "users_see_own_memberships" ON group_members
FOR SELECT USING (user_id = auth.uid());
Every table with user data has RLS policies. Storage buckets also have RLS—you can only upload/delete your own avatar, and only group admins can manage group images.
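The following is an added example, not Grewp's own code or schema: a short PostgreSQL check a reviewer could run to confirm the claims above, that RLS is actually switched on, that no table was missed, and that the membership policy hides other users' rows. It reuses `group_members`, `user_id` and `auth.uid()` from the policy above. The `public` schema, the `authenticated` role, the constructed UUID and the use of Supabase's `request.jwt.claims` setting to stand in for a signed-in user are assumptions.

```sql
-- Added illustration. group_members, user_id and auth.uid() come from the policy
-- above; the public schema, authenticated role and UUID below are assumptions.

-- 1. A policy does nothing until RLS is switched on for the table.
ALTER TABLE group_members ENABLE ROW LEVEL SECURITY;
-- Optional hardening: table owners bypass RLS by default, FORCE applies it to them.
-- Superusers and roles with BYPASSRLS are still exempt.
ALTER TABLE group_members FORCE ROW LEVEL SECURITY;

-- 2. Tables in the schema with RLS disabled: no policy is evaluated for these,
--    so only GRANTs stand between a client role and every row.
SELECT c.relname AS table_without_rls
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
  AND NOT c.relrowsecurity
ORDER BY c.relname;

-- 3. Tables with RLS enabled but no policy: default deny for non-owner roles,
--    which is safe but usually means a policy was forgotten.
SELECT c.relname AS rls_without_policy
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policy p ON p.polrelid = c.oid
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')
  AND c.relrowsecurity
GROUP BY c.relname
HAVING count(p.oid) = 0
ORDER BY c.relname;

-- 4. Behavioural check: act as one signed-in user and count the rows visible
--    to them that belong to someone else. Everything is rolled back afterwards.
BEGIN;
SET LOCAL ROLE authenticated;
SELECT set_config('request.jwt.claims',
                  '{"sub": "00000000-0000-0000-0000-000000000001"}',  -- constructed user id
                  true);                                               -- true = this transaction only
SELECT count(*) AS foreign_rows_visible
FROM group_members
WHERE user_id IS DISTINCT FROM auth.uid();
ROLLBACK;
```

Run the checks against a staging copy: any table listed by query 2 or 3, or a non-zero `foreign_rows_visible` in step 4, marks a table or policy to review.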
Location Privacy
When you search for groups near you, we use your coordinates to calculate distances. However, we round coordinates to 3 decimal places (~111m precision) before storing them. Your exact location is never stored.
Your GDPR Rights
Right of Access (Article 15)
Export all your data in JSON format from Settings → Account → Export My Data. This includes your profile, group memberships, RSVPs, survey responses, payment history, and more.
Right to Erasure (Article 17)
Delete your account from Settings → Account → Delete My Account. We implement a 30-day grace period so you can recover your account if you change your mind. After 30 days, deletion is permanent and irreversible.
Data Retention
We retain your data only as long as your account is active. Scheduled deletions run daily via a secure edge function that processes accounts past the 30-day grace period.
Audit Logging
Security-sensitive actions are automatically logged via database triggers. This creates a tamper-resistant audit trail for compliance and incident response.
Logged Events
- Group membership changes (join, leave, role changes, removals)
- User blocking and unblocking
- Event creation, cancellation, and deletion
- Organisation admin changes
- Data exports and deletion requests
Audit logs include who performed the action, when, and relevant context. Group admins can review the audit trail for their groups.
No Ads. No Data Selling. Ever.
This isn't just a marketing claim—it's our business model. We make money from paid subscription plans (Club, Enterprise), not from advertising or selling your data.
- No third-party ad trackers
- No selling or sharing data with advertisers
- No profiling for targeted advertising
- No dark patterns to extract more data
We use minimal analytics (Vercel Analytics) for basic usage metrics like page views. This helps us understand what features people use—it doesn't profile individuals.
Security Practices
- Passwordless authentication — Magic links eliminate password breaches
- Secure session management — HTTP-only cookies, short-lived JWTs
- Input validation — Server-side validation on all user inputs
- XSS protection — React's built-in escaping + Content Security Policy
- SQL injection prevention — Parameterized queries via Supabase client
- Dependency scanning — Automated security updates via Dependabot
Questions about our security?
We're happy to discuss our security practices in more detail. For security researchers, we welcome responsible disclosure.