HolyCuck

Privacy Policy

Last updated: May 2025 · We do not sell your data.

1. What We Collect

When you create an account we collect your email address and account type. When you complete your profile we collect your display name, handle, bio, date of birth, and location (city level — never GPS coordinates). When you upload media we store the files in a private cloud bucket. When you use the platform our servers log your IP address, pages visited, and actions taken (connection requests sent, messages, etc.).

2. How We Use It

Your email is used only to send one-time login codes and important account notifications. We never send marketing email without your explicit opt-in. Your profile data is shown to other authenticated members according to your privacy settings. Your date of birth is used solely to verify you are 18+ and to calculate the age shown on your profile. We do not sell, rent, or share your personal data with advertisers or data brokers.

3. Media & Private Content

All photos are stored in a private cloud bucket (Supabase/S3). Public photos are accessible to any authenticated member. Private photos are only accessible to members you have an accepted connection with — access is enforced at the API level, not just the UI. Verification photos are only visible to our admin team for the purpose of approving or rejecting your verification submission and are not shown to other members.

4. Session Analytics

We use PostHog to record session replays and capture in-app behaviour (page views, clicks, navigation). This helps us understand how people use the platform and fix UX issues. PostHog data is stored on PostHog's US-based cloud infrastructure. Recorded sessions may include your interactions with the UI but do not capture passwords or payment information. You can opt out by enabling a "Do Not Track" setting in your browser, though this may affect functionality.

5. Cookies & Storage

We use an httpOnly cookie to store your refresh token — this is required for you to stay logged in and cannot be accessed by JavaScript. Your access token is held in memory only and is never written to localStorage. We use localStorage for PostHog analytics session continuity. We do not use advertising cookies or third-party tracking pixels.

6. Data Retention

We retain all data for an account for as long as the account is active. If you delete your account, your profile and media are soft-deleted immediately and permanently purged within 30 days. Log data (IP, request logs) is retained for up to 90 days for security and abuse-prevention purposes. Backup snapshots may retain your data for up to an additional 30 days after purge.

7. Security

All data is transmitted over HTTPS. Passwords are not used — authentication is OTP-only. Access tokens expire after 15 minutes. Media is served through signed URLs that expire after 10 minutes. We do not store payment card information — we do not currently offer paid features that require it.

8. Third-Party Services

We use the following third-party services to operate the platform: Supabase (database and media storage, US-based) and PostHog (analytics and session recording, US-based). We do not use Google Analytics, Facebook Pixel, or any advertising networks.

9. Your Rights

You have the right to access the data we hold about you, request correction of inaccurate data, request deletion of your account and associated data, and request a copy of your data in a portable format. To exercise any of these rights, contact us. We will respond within 30 days.

10. Changes to This Policy

We may update this policy as the platform evolves. We will notify active users of material changes via an in-app notification. Continued use after changes are posted constitutes acceptance.