Privacy Policy

Version 2026-05-05-vendor-anonymized · Effective May 5, 2026

PRIVACY POLICY

Kream & Sugar Dating LLC

Last Updated: April 20, 2026

Effective Date: April 20, 2026


PLEASE READ THIS PRIVACY POLICY CAREFULLY. THIS PRIVACY POLICY DESCRIBES HOW KREAM & SUGAR DATING LLC COLLECTS, USES, DISCLOSES, RETAINS, AND PROTECTS YOUR INFORMATION WHEN YOU VISIT OUR WEBSITE, USE THE KREAM & SUGAR DATING APPLICATION, INTERACT WITH OUR MARKETING PLATFORMS, SUBSCRIBE TO UPDATES, OR OTHERWISE ENGAGE WITH OUR SERVICES. BY ACCESSING OR USING ANY PORTION OF THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THE PRACTICES DESCRIBED IN THIS PRIVACY POLICY. IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, YOU MUST IMMEDIATELY CEASE ALL USE OF THE SERVICE.


1. INTRODUCTION AND SCOPE

1.1 Identity of the Data Controller

This Privacy Policy (hereinafter referred to as this "Policy," "Privacy Policy," or "Privacy Notice") is issued by Kream & Sugar Dating LLC, a limited liability company duly organized and existing under the laws of the State of North Carolina, with its principal place of business in the State of North Carolina (hereinafter referred to as the "Company," "we," "us," or "our"). The Company operates the Kream & Sugar dating application (including all mobile, web, and desktop versions thereof), the website located at https://kreamandsugardating.com and any subdomains thereof, all associated marketing pages, landing pages, and promotional microsites, and all related services, features, content, functionality, tools, games, virtual cafes, interactive experiences, application programming interfaces, and any other products or offerings provided by the Company in connection therewith (collectively, the "Service" or "Services").

1.2 Scope of This Policy

This Privacy Policy applies to all personal information, personally identifiable information, and non-personal information (collectively, "Information" or "Data") that the Company collects from or about you (hereinafter referred to as "User," "you," "your," or "yourself") through:

  • (a) Your use of the Kream & Sugar dating application and all features thereof, including account registration, profile creation, messaging, voice chat, event participation, game and virtual cafe sessions, subscription management, and payment processing;
  • (b) Your visits to the Company's marketing website, including all landing pages, promotional pages, and informational pages;
  • (c) Your interactions with forms hosted on the website, including email subscription forms, contact forms, and popup forms;
  • (d) Your interactions with the Company's analytics and advertising integrations, including TikTok Pixel and Conversions API, Google Analytics (including Google Tag Manager and server-side API), and Meta Pixel (Facebook/Instagram) and Conversions API;
  • (e) Any and all other interactions with the Service, regardless of the device, platform, or method by which you access the Service.

This Policy governs the collection, use, disclosure, storage, retention, transfer, and protection of such Information in all of the foregoing contexts.

1.3 Relationship to Terms and Conditions

This Privacy Policy is incorporated by reference into the Company's Terms and Conditions of Use (the "Terms"). Capitalized terms used herein but not otherwise defined in this Policy shall have the meanings ascribed to them in the Terms. In the event of any conflict between this Privacy Policy and the Terms with respect to data collection, use, or disclosure practices, the provisions of this Privacy Policy shall control.

1.4 Changes to This Policy

The Company reserves the right, at its sole and absolute discretion, to modify, amend, update, or revise this Privacy Policy at any time and for any reason, with or without prior notice to you. Any such modifications shall become effective immediately upon posting the revised Privacy Policy on the Service. The "Last Updated" date at the top of this Policy will reflect the date of the most recent revision. Your continued use of the Service following the posting of any revised Privacy Policy shall constitute your acceptance of and agreement to such revised Privacy Policy. It is your sole responsibility to review this Privacy Policy periodically for changes. If we make material changes to this Privacy Policy that substantively affect how we collect, use, or disclose your personal information, we will make reasonable efforts to notify you via in-app notification, email, or other appropriate means, provided that such notification is a courtesy and shall not be a condition to the effectiveness of such changes.

1.5 Applicability to Minors

The Service is intended exclusively for individuals who are at least eighteen (18) years of age. The Company does not knowingly collect, solicit, or maintain personal information from anyone under the age of eighteen (18). If we become aware that we have collected personal information from an individual under the age of eighteen (18), we will take prompt steps to delete such information from our records. If you are a parent or legal guardian and believe that your minor child has provided personal information to the Company, please contact us at the email address provided in Section 16 of this Policy, and we will take reasonable steps to delete such information.


2. CATEGORIES OF INFORMATION WE COLLECT

The Company collects, receives, and generates various categories of Information in connection with your use of the Service. The following sections describe, in detail, the types of Information collected, the sources from which such Information is obtained, and the circumstances under which such collection occurs. For the avoidance of doubt, not all categories of Information described below will be collected from every User; the specific categories collected depend on how you interact with the Service (e.g., whether you use only the marketing website, or whether you also create an account and use the dating application).

2.1 Information You Provide Directly

The following categories of Information are collected directly from you when you voluntarily provide them through your interactions with the Service:

2.1.1 Website Forms and Subscriptions

When you interact with forms hosted on the Company's marketing website, you may provide:

  • (a) Your email address, submitted through the email subscription form for the purpose of receiving updates and marketing communications;
  • (b) Your name, email address, phone number (optional), and message content, submitted through the website contact form or Elementor popup forms;
  • (c) Your email address, submitted through FluentForm submissions, which is hashed on our server prior to transmission to third-party analytics APIs (including TikTok's Conversions API) for privacy-preserving advertising attribution.

2.1.2 Account Registration Information

When you create an account on the dating application, you are required to provide certain Information necessary for account creation and authentication, including but not limited to:

  • (a) Your email address, which serves as your primary account identifier and is used for authentication via one-time password ("OTP") verification;
  • (b) Your phone number, which may be used for SMS-based OTP verification, account recovery, and as an additional authentication vector;
  • (c) Your first name and last name;
  • (d) Your date of birth, which is used to verify that you meet the minimum age requirement of eighteen (18) years of age;
  • (e) Your timezone designation.

If you choose to register or authenticate through a third-party social login provider (including but not limited to Google, Apple, or Facebook), the Company may receive certain Information from such provider as described in Section 2.4 of this Policy.

2.1.3 Profile Information

Upon registration for the dating application, you may provide additional Information to create and customize your user profile, including but not limited to:

  • (a) Your gender identity (which may include, without limitation, Male, Female, Non-Binary, or Prefer Not to Say);
  • (b) A biographical description or personal statement (limited to one thousand (1,000) characters), which is sanitized for security purposes prior to storage;
  • (c) Profile photographs (you may upload up to nine (9) photographs, of which one (1) must be designated as your primary photograph and must depict you);
  • (d) Your dating context preference (In-Person, Virtual, or both);
  • (e) Your gender preference for potential matches (Men, Women, or Everyone);
  • (f) Your preferred age range for potential matches (minimum and maximum);
  • (g) Your preferred matchmaking radius (in miles);
  • (h) Your preference regarding global matching outside your designated geographic region.

2.1.4 Communication Content

When you communicate through the dating application, we collect the content and metadata of such communications, including but not limited to:

  • (a) Text messages transmitted through the in-app messaging system;
  • (b) Voice notes and audio recordings you create and send through the messaging system;
  • (c) GIF images you select and send via the integrated Giphy service;
  • (d) Voice chat session participation data;
  • (e) Timestamps, delivery status, and read receipts associated with all messages;
  • (f) Conversation metadata, including participant information, conversation creation and closure dates, and conversation status;
  • (g) Audio segments captured during voice cafe sessions that match the Company's automated prohibited-content detection rules, together with the corresponding speech-to-text transcripts. Audio segments that do not match the prohibited-content rules are discarded immediately after analysis and are not retained by the Company.

2.1.5 Payment and Subscription Information

When you subscribe to a paid tier of the Service or purchase standalone products, we collect transaction-related Information, including but not limited to:

  • (a) Your Braintree payment customer identifier;
  • (b) Payment method tokens (note: full credit card numbers, debit card numbers, and bank account numbers are collected and processed directly by our third-party payment processor, Braintree, a subsidiary of PayPal Holdings, Inc., and are not stored on our servers);
  • (c) Subscription tier selections and subscription period dates;
  • (d) Transaction amounts, currency, billing period dates, invoice identifiers, and transaction identifiers;
  • (e) Promotion codes redeemed, including redemption timestamps and associated discount amounts;
  • (f) Standalone product purchase records.

2.1.6 User Reports and Feedback

When you submit reports about other Users or provide feedback, we collect:

  • (a) The content of your report or feedback, including any free-text descriptions you provide;
  • (b) The category of your report (which may include, without limitation, Harassment, Inappropriate Content, Spam, Fake Profile, or Other);
  • (c) Any supplementary information you voluntarily provide in connection with such report;
  • (d) The identity of the reported User and the timestamp of the report submission.

2.1.7 Blocking and Interaction Preferences

When you choose to block or unblock another User, we collect:

  • (a) The identity of the blocked User;
  • (b) The timestamp of the blocking or unblocking action;
  • (c) Any optional reason you provide for the block.

2.1.8 Notification Preferences

You may configure your notification preferences within the dating application, and we collect:

  • (a) Your preferred delivery methods for each notification type (which may include Email, SMS, Push Notification, and In-App Notification);
  • (b) Your enabled or disabled status for each notification type, including but not limited to: Upcoming Events, New Messages, Match Requests Received, Match Requests Accepted, Subscription Expiration, Promotions, Account Security, and Inactivity Re-engagement notifications;
  • (c) Timestamps of any changes to your notification preferences.

2.1.9 Event Participation Information

When you register for, attend, or participate in in-person or virtual events organized or facilitated through the Service, we collect:

  • (a) Your event registration and attendance records;
  • (b) Your event participation status (including check-in and no-show records);
  • (c) Any feedback or ratings you provide concerning events or other attendees.

2.2 Information Collected Automatically

The following categories of Information are collected automatically when you access or use the Service, without requiring any affirmative action on your part beyond the use of the Service itself:

2.2.1 Website Analytics and Pixel Data

When you visit the Company's marketing website, we automatically collect Information through cookies, pixels, and server-side analytics integrations, including but not limited to:

  • (a) Page views, scroll depth, time spent on page, button clicks, and other user interaction events;
  • (b) Your IP address (which may be anonymized for certain analytics purposes);
  • (c) Your device type, browser type, browser version, operating system, and screen resolution;
  • (d) Traffic source and referral information, including UTM parameters (source, medium, campaign, term, content);
  • (e) Event data transmitted to TikTok via the TikTok Pixel (client-side) and TikTok Conversions API (server-side), which may include hashed identifiers (such as hashed email addresses), event timestamps, event types (page views, form submissions, registrations), and associated metadata;
  • (f) Event data transmitted to Google via Google Analytics, Google Tag Manager, and Google's server-side API, which may include traffic sources, UTM parameters, page interactions, device and browser information, and anonymized IP addresses;
  • (g) Event data transmitted to Meta (Facebook/Instagram) via the Meta Pixel (client-side) and Meta Conversions API (server-side), which may include hashed identifiers (such as hashed email addresses), event timestamps, event types (form submissions, registrations, page views), UTM parameters, and associated metadata.

The use of both client-side pixel tracking and server-side Conversions API tracking enables the Company to maintain analytics and advertising attribution even when browser cookies are deleted, expire, or are blocked, in accordance with industry best practices for privacy-preserving measurement.

2.2.2 Device and Browser Information (Dating Application)

When you access the dating application, we automatically collect technical information about your device and browser, including but not limited to:

  • (a) A device fingerprint, which is a unique identifier generated from the characteristics of your device and browser configuration;
  • (b) Your user agent string, which contains information about your browser type, browser version, operating system, and device type;
  • (c) VOIP (Voice over Internet Protocol) detection data, which indicates whether your phone number is associated with a VOIP service rather than a traditional cellular carrier.

2.2.3 IP Address and IP-Based Location Data

Upon your access to and use of the Service, including at the time of account registration, we automatically collect:

  • (a) Your Internet Protocol ("IP") address;
  • (b) Geolocation data derived from your IP address through our third-party IP geolocation service provider, which may include your approximate city, state or region, country, country code, and approximate latitude and longitude coordinates;
  • (c) A confidence score associated with the accuracy of the IP-based geolocation determination;
  • (d) Your Internet Service Provider ("ISP") and organization information as reported by the IP geolocation service.

2.2.4 GPS-Based Location Data

If you grant the dating application permission to access your device's Global Positioning System ("GPS") capabilities, we collect:

  • (a) Your precise GPS latitude and longitude coordinates (to a precision of up to eight (8) decimal places, which corresponds to approximately 1.1 millimeters of accuracy);
  • (b) The accuracy radius of the GPS reading (in meters);
  • (c) Timestamps indicating when GPS location data was last updated.

YOU ACKNOWLEDGE THAT GPS-BASED LOCATION DATA IS SUBSTANTIALLY MORE PRECISE THAN IP-BASED GEOLOCATION DATA AND THAT THE COLLECTION OF SUCH DATA IS NECESSARY FOR CORE SERVICE FUNCTIONALITY, INCLUDING WITHOUT LIMITATION PROXIMITY-BASED MATCHMAKING, LOCATION-RESTRICTED FEATURE ACCESS, AND EVENT-RELATED SERVICES. DISABLING GPS ACCESS WILL CAUSE DEGRADATION OF SERVICE FUNCTIONALITY.

2.2.5 Activity and Usage Data

We automatically log and track your interactions with and usage of the dating application, including but not limited to:

  • (a) The types of activities you engage in on the Service (including without limitation voice chat sessions, questions answered, points scored, virtual cafe sessions joined, profile changes, and password resets);
  • (b) Timestamps and metadata associated with each activity;
  • (c) Your geographic location at the time of each activity;
  • (d) The features you access and the frequency of such access;
  • (e) Features for which you were denied access and the reasons for such denial;
  • (f) Your online status (which may include Online, Offline, Away, Busy, or Active);
  • (g) Login and logout timestamps;
  • (h) The date and time of your last activity and your last online status;
  • (i) Profile views you initiate and profile views of your profile by other Users, including associated timestamps;
  • (j) Match requests sent and received, and the outcomes thereof (accepted, rejected, expired).

2.2.6 Security Event Data

For the purposes of maintaining the security and integrity of the Service, we automatically log security-related events, including but not limited to:

  • (a) Login attempts (both successful and unsuccessful);
  • (b) Password reset requests and completions;
  • (c) Email verification events;
  • (d) Phone verification events;
  • (e) OAuth login and authentication events;
  • (f) Logout events;
  • (g) Account lock and unlock events;
  • (h) The IP address associated with each security event;
  • (i) The user agent string associated with each security event;
  • (j) The success or failure status and severity level of each security event;
  • (k) Additional contextual metadata associated with each security event.

2.2.7 Payment Event Data

In connection with payment processing, we automatically collect and log:

  • (a) Webhook events received from our payment processor, including event identifiers, event types, and processing timestamps;
  • (b) Payment processing status updates (including Pending, Completed, Failed, and other status indicators);
  • (c) Error messages and processing metadata associated with payment transactions.

2.3 Information Derived or Generated by the Company

The Company may derive, generate, compute, or infer additional Information from the Information described in Sections 2.1 and 2.2, including but not limited to:

  • (a) Compatibility assessments and match scores based on your profile attributes, preferences, and behavior patterns;
  • (b) Location assignments mapping your detected geographic position to a predefined location within the Service's location system;
  • (c) Feature usage analytics and engagement metrics;
  • (d) Risk assessments for fraud detection and account security purposes;
  • (e) Behavioral patterns for the purposes of automated promotion eligibility determination (including, without limitation, registration-based, inactivity-based, feature-usage-based, and location-based promotional triggers);
  • (f) Device trust scores based on VOIP detection, device fingerprinting, and phone number history analysis;
  • (g) Advertising attribution models derived from the correlation of website analytics data (including pixel and Conversions API event data) with account registration and subscription conversion events.

2.4 Information Received from Third Parties

The Company may receive Information about you from the following third-party sources:

2.4.1 Social Login Providers

If you choose to register or authenticate via a third-party OAuth provider (Google, Apple, or Facebook), we receive from such provider:

  • (a) Your unique provider-specific user identifier;
  • (b) An access token and, where applicable, a refresh token, along with associated expiration timestamps;
  • (c) Such profile information as the provider makes available pursuant to its own terms and your privacy settings with that provider (which may include your name, email address, and profile photograph).

2.4.2 Payment Processor

Our third-party payment processor, Braintree (a subsidiary of PayPal Holdings, Inc.), may provide us with:

  • (a) Transaction confirmation data, including transaction identifiers and payment status;
  • (b) Webhook notifications concerning subscription status changes, payment failures, and other payment-related events;
  • (c) Customer identifiers and payment method tokens necessary for subscription management.

2.4.3 IP Geolocation Provider

Our third-party IP geolocation provider (IP-API) provides us with:

  • (a) Geographic location data derived from your IP address, including city, state, country, approximate coordinates, and ISP information, as described in Section 2.2.3.

2.4.4 Carrier and VOIP Detection

Through our telecommunications service provider (Twilio Inc.), we may receive:

  • (a) Carrier line type intelligence data indicating whether a phone number is associated with a mobile carrier, landline, or VOIP service;
  • (b) Phone number validation and verification status.

2.4.5 Analytics and Advertising Platforms

Through our analytics and advertising integrations, we may receive:

  • (a) Aggregated analytics data and reports from Google Analytics, Meta (Facebook/Instagram), and TikTok concerning website traffic patterns, user demographics, and campaign performance;
  • (b) Advertising attribution data correlating ad impressions, clicks, and conversions;
  • (c) Audience segmentation data derived from pixel and Conversions API events.

3. COOKIES, TRACKING TECHNOLOGIES, AND SIMILAR TECHNOLOGIES

3.1 Types of Cookies and Tracking Technologies

The Service employs cookies, pixels, local storage, session tokens, and similar tracking technologies. The specific technologies used vary depending on whether you are interacting with the marketing website or the dating application:

3.1.1 Essential Cookies and Tokens

  • (a) Session Tokens and JWT Tokens (Dating Application): Used for authentication and session management within the dating application. These tokens are issued upon login and expire after a designated period or upon logout (at which point they are blacklisted to prevent reuse);
  • (b) Refresh Tokens (Dating Application): Used to obtain new access tokens without requiring re-authentication, subject to expiration;
  • (c) Essential Website Cookies: First-party cookies necessary to maintain website session state, preferences, and core functionality.

3.1.2 Analytics and Advertising Cookies

  • (a) Google Analytics Cookies: Cookies set by Google Analytics and Google Tag Manager for the purpose of understanding site usage, traffic sources, and user engagement on the marketing website. These cookies may track page views, session duration, bounce rates, and conversion events;
  • (b) TikTok Pixel Cookies: Cookies set by the TikTok Pixel for client-side tracking of page views, clicks, form submissions, and other user interaction events on the marketing website;
  • (c) Meta Pixel Cookies: Cookies set by the Meta (Facebook/Instagram) Pixel for client-side tracking of on-site events, including page views, form submissions, registrations, and other conversion events on the marketing website.

3.1.3 Server-Side Tracking (Cookieless)

In addition to client-side cookies and pixels, the Company employs server-side Conversions APIs for TikTok, Google, and Meta (Facebook/Instagram). Server-side tracking transmits event data directly from our servers to the respective analytics platforms, enabling privacy-preserving measurement and advertising attribution that is not dependent on browser cookies. Server-side events may include hashed identifiers (such as hashed email addresses), event timestamps, event types, and associated metadata. This approach enables the Company to maintain analytics and advertising attribution capabilities even when browser cookies are deleted, expire, or are blocked by the User's browser settings or privacy tools.

3.1.4 Local Storage

The Service may use browser local storage to store preferences, cached data, and other information necessary for the efficient operation of the Service on your device.

3.2 Cookie Management and Opt-Out

You may control, restrict, or delete cookies through your web browser settings. Please note that disabling or deleting cookies may impair certain features of the Service, including website functionality and personalization. The following resources provide information on managing cookies and opting out of specific analytics and advertising platforms:

  • (a) Google Analytics Opt-Out: You may opt out of Google Analytics tracking by installing the Google Analytics Opt-Out Browser Add-On, available at: https://tools.google.com/dlpage/gaoptout
  • (b) Meta (Facebook/Instagram) Advertising Preferences: You may manage your Meta advertising preferences at: https://www.facebook.com/settings/?tab=ads
  • (c) TikTok Privacy Settings: You may review TikTok's privacy settings and policies at: https://www.tiktok.com/legal/privacy-policy
  • (d) Browser Cookie Settings: You may adjust your browser's cookie settings to block or delete first-party and third-party cookies. Refer to your browser's help documentation for instructions.

3.3 Do Not Track Signals

Certain web browsers may transmit "Do Not Track" ("DNT") signals to websites and online services. At this time, there is no universally accepted standard for how companies should respond to DNT signals. The Service does not currently alter its data collection or use practices in response to DNT signals. If a uniform standard for responding to DNT signals is adopted, the Company will reassess its practices and update this Privacy Policy accordingly.


4. HOW WE USE YOUR INFORMATION

The Company uses the Information it collects for the following purposes. Each purpose is described with specificity to enable you to understand the nature and extent of our data processing activities.

4.1 Provision and Operation of the Service

We use your Information to provide, operate, maintain, and improve the Service, including but not limited to:

  • (a) Creating, authenticating, and managing your account through passwordless one-time password verification via email or SMS, or through third-party OAuth social login;
  • (b) Displaying your profile to other Users in accordance with your preferences and our matching algorithms;
  • (c) Facilitating matches between Users based on geographic proximity, age preferences, gender preferences, dating context preferences, and compatibility assessments;
  • (d) Enabling and facilitating real-time messaging (including text, voice notes, and GIF images), voice chat sessions, virtual cafe interactions, and game participation;
  • (e) Processing and managing subscriptions, payments, refunds, and standalone product purchases;
  • (f) Organizing, facilitating, and managing in-person and virtual events;
  • (g) Enforcing blocking preferences by preventing blocked Users from viewing your profile information, communicating with you, interacting with you in virtual cafes, or being paired with you in games (whether in-person or virtual).

4.2 Marketing Website and Communications

We use your Information to:

  • (a) Send you updates and marketing emails if you have opted in to receive such communications through the email subscription form;
  • (b) Respond to your inquiries, messages, and requests submitted through the website contact form, Elementor popup forms, or other communication channels;
  • (c) Send transactional communications that are necessary for the operation of your account and the Service, including but not limited to authentication codes, email verification messages, phone verification messages, payment confirmations, subscription status updates, and account security alerts (note: transactional communications cannot be opted out of, as they are essential to the operation and security of your account);
  • (d) Send non-transactional communications in accordance with your notification preferences, including but not limited to new message alerts, match request notifications, event reminders, promotional offers, and re-engagement notifications.

4.3 Location-Based Services

We use your location data (both IP-based and GPS-based) for the following purposes:

  • (a) Determining your geographic location for proximity-based matchmaking within your specified radius;
  • (b) Assigning you to a geographic region within the Service's location system for the purposes of location-restricted features, events, and promotions;
  • (c) Verifying your eligibility for location-specific promotions and events;
  • (d) Providing location-relevant content and recommendations;
  • (e) Detecting and preventing fraud, including the identification of suspicious geographic anomalies.

4.4 Analytics, Advertising Attribution, and Service Improvement

We use Information collected through website analytics, pixels, and server-side APIs to:

  • (a) Track and optimize website performance and user experience;
  • (b) Analyze user behavior on the marketing website to improve content, design, and functionality;
  • (c) Measure the effectiveness of advertising campaigns across TikTok, Google, and Meta (Facebook/Instagram) platforms;
  • (d) Provide cookieless tracking through server-side Conversions APIs for key events (form submissions, registrations) that persist beyond browser cookie limitations;
  • (e) Generate advertising attribution models to understand which marketing channels and campaigns drive user acquisition and conversions;
  • (f) Analyze aggregated, de-identified, or anonymized usage patterns, trends, and user engagement to improve the Service;
  • (g) Evaluate the effectiveness of features, events, promotions, and content;
  • (h) Conduct research and development to enhance user experience;
  • (i) Generate internal reports and business intelligence.

4.5 Safety, Security, and Fraud Prevention

We use your Information to protect the safety and security of our Users and the integrity of the Service, including but not limited to:

  • (a) Detecting, investigating, and preventing fraud, unauthorized access, and other illegal or harmful activities;
  • (b) Monitoring and enforcing compliance with our Terms and Conditions of Use and all applicable policies;
  • (c) Conducting content moderation and reviewing User reports of violations;
  • (d) Implementing device bans to prevent circumvention of account suspensions and bans;
  • (e) Performing VOIP detection to identify potentially fraudulent phone numbers;
  • (f) Maintaining security event logs for audit, investigation, and incident response purposes;
  • (g) Implementing rate limiting to prevent brute-force attacks, denial-of-service attacks, and other forms of automated abuse;
  • (h) Employing device fingerprinting to detect and prevent the creation of multiple accounts by a single individual in violation of the Terms.

4.6 Legal Compliance and Law Enforcement

We use your Information as necessary to comply with our legal obligations, including but not limited to:

  • (a) Responding to lawful requests from law enforcement agencies, regulatory authorities, courts, and other governmental bodies, including subpoenas, court orders, search warrants, and national security letters;
  • (b) Preserving evidence in connection with legal proceedings, law enforcement requests, or regulatory investigations, including the imposition of evidence holds on relevant communications and account data;
  • (c) Establishing, exercising, or defending legal claims;
  • (d) Complying with applicable laws, regulations, and legal processes;
  • (e) Disclosing Information in emergency situations involving imminent danger of death or serious physical injury to any person, in accordance with applicable law.

4.7 Automated Promotional Targeting

We use certain behavioral and transactional data to determine your eligibility for automated promotions, including but not limited to promotions triggered by:

  • (a) Account registration date and location;
  • (b) First subscription event;
  • (c) Duration of account inactivity;
  • (d) Feature usage patterns and engagement metrics;
  • (e) Geographic location.

Such automated promotional targeting does not involve the sale of your personal information to third parties and is conducted solely within the Service for the purpose of offering you relevant promotional pricing.


5. HOW WE SHARE AND DISCLOSE YOUR INFORMATION

The Company does not sell or rent your personal information to third parties. However, we may share, disclose, or otherwise make your Information available to the following categories of recipients, under the following circumstances and for the following purposes:

5.1 Other Users of the Service

Certain Information is inherently shared with other Users as part of the core functionality of the dating application, including but not limited to:

  • (a) Your profile information (including your name, age, gender, bio, photographs, dating context preference, and general geographic location) is visible to other Users in accordance with the Service's matching and discovery features, subject to your blocking preferences;
  • (b) The content of your messages, voice notes, and GIFs is visible to the recipients thereof;
  • (c) Your online status and last active timestamps may be visible to other Users with whom you are matched;
  • (d) Your participation in events, virtual cafes, and games may be visible to other participants thereof;
  • (e) A blocked indicator is visible on the profile of any User you have blocked, but only to you; blocked Users receive no notification of being blocked and cannot see any of your Information.

5.2 Third-Party Service Providers (Dating Application)

We engage third-party service providers to perform certain functions on our behalf in connection with the dating application, and we share Information with such providers only to the extent necessary for them to perform such functions. Such providers are contractually obligated to use your Information only for the purposes for which it was shared and in accordance with this Privacy Policy. The following is a comprehensive list of such providers and the categories of Information shared with each:

5.2.1 Payment Processing — Braintree (PayPal Holdings, Inc.)

  • Information shared: Payment method tokens, customer identifiers, subscription identifiers, transaction amounts, currency, and billing period information.
  • Purpose: Processing payments, managing subscriptions, issuing refunds, and handling payment-related webhook events.
  • Note: Braintree directly collects your full payment instrument details (e.g., credit card numbers) through its own secure payment interfaces. Such details are not transmitted through or stored on our servers.
  • Braintree/PayPal Privacy Policy: For information on how Braintree and PayPal handle your payment data, please refer to the PayPal Privacy Statement.

5.2.2 Transactional Email — ZeptoMail (Zoho Corporation Pvt. Ltd.)

  • Information shared: Email addresses, email content (including verification codes, password reset links, notification content, and transactional communications), sender addresses, and unsubscribe headers.
  • Purpose: Delivering transactional and notification emails on our behalf.

5.2.3 SMS and Telecommunications — Twilio Inc.

  • Information shared: Phone numbers, SMS message content (including verification codes, notification text, and the Company's application name), and carrier line type intelligence queries.
  • Purpose: Delivering SMS messages for account verification, phone number verification, and notification delivery; performing VOIP detection and carrier line type analysis for fraud prevention.

5.2.4 IP Geolocation — IP-API

  • Information shared: Your IP address.
  • Purpose: Determining your approximate geographic location (city, state, country, approximate coordinates) for location-based service functionality, including matchmaking, promotion eligibility, and fraud detection.

5.2.5 GPS-Based Reverse Geocoding — OpenStreetMap Nominatim

  • Information shared: Your GPS latitude and longitude coordinates.
  • Purpose: Converting your GPS coordinates into human-readable geographic location names (reverse geocoding) for the purpose of location assignment within the Service.

5.2.6 GIF Integration — Giphy (Meta Platforms, Inc.)

  • Information shared: Search queries you enter when searching for GIFs within the messaging interface.
  • Purpose: Providing searchable GIF content within the messaging feature of the Service. Giphy may collect additional information in accordance with its own privacy policy.

5.2.7 Social Login Authentication — Google LLC, Apple Inc., Meta Platforms, Inc. (Facebook)

  • Information shared: OAuth authentication tokens and, as necessary, your account identifier on the respective platform.
  • Purpose: Enabling account registration and authentication through third-party social login. Each provider may have access to Information in accordance with its own privacy policy and your privacy settings on that platform.

5.2.8 Cloud Infrastructure and Storage — Amazon Web Services, Inc. (AWS)

  • Information shared: User-uploaded photographs and files, encryption keys managed through AWS Key Management Service (KMS), and temporary security credentials via AWS Security Token Service (STS).
  • Purpose: Securely storing user-uploaded content (photographs) in Amazon S3; managing encryption keys for data security through KMS; issuing temporary security credentials through STS for secure access to storage resources.

5.2.9 Biometric Verification and Photo Moderation — Amazon Rekognition (Amazon Web Services, Inc.)

  • Information shared: (a) For Users who voluntarily opt in to age verification: a self-captured photograph of the User's face ("verification selfie"); a face vector (a non-reversible mathematical representation of the User's facial geometry) that is added to a private Face Collection scoped solely to the Service for the purpose of detecting duplicate accounts; (b) For all profile photo uploads: the photograph submitted to your profile gallery, transmitted as raw image bytes for content-moderation classification only.
  • Purpose: (i) Estimating an apparent age range from the verification selfie via Amazon Rekognition DetectFaces (used solely to confirm that the User appears to be at least eighteen (18) years of age); (ii) comparing the verification selfie against your existing profile photographs via CompareFaces to confirm that those photographs depict the same person; (iii) searching the private Face Collection via SearchFacesByImage to detect attempts to create duplicate accounts; (iv) adding the resulting face vector to the private Face Collection via IndexFaces so that future duplicate-account searches can recognize you; (v) classifying profile photo uploads via DetectModerationLabels to enforce community standards regarding nudity, sexually explicit content, graphic violence, weapons, and hate symbols.
  • Retention: Verification selfies and ID document images uploaded for age verification are stored in a dedicated Amazon S3 bucket with a thirty (30) day automatic expiration lifecycle policy. The face vector stored in the Face Collection persists for as long as your account remains active and is permanently deleted (via DeleteFaces) when you exercise your right to permanent account deletion under Section 7.5.2. Profile photos submitted for moderation are not retained by Amazon Rekognition; only the moderation classification result (e.g., the names of any matched policy-violation labels) is logged on our servers for audit purposes.
  • Important — Model Training: Verification selfies, ID documents, profile photos, and the resulting face vectors are not used by Amazon Web Services to train or improve any Amazon Rekognition machine-learning models. The Company has elected not to participate in AWS's optional ML-improvement program for these services.

5.2.10 Identity Document Optical Character Recognition — Amazon Textract (Amazon Web Services, Inc.)

  • Information shared: Photographs of government-issued identity documents (United States driver's licenses, United States state identification cards, and United States passports) voluntarily uploaded by Users in two narrow circumstances: (a) when a User opts in to age verification, the initial selfie returns an estimated age between sixteen (16) and twenty-one (21), and the User chooses to confirm adult status by submitting an identity document; or (b) when a User submits an identity document as evidence in connection with an appeal of an age-verification soft-restriction.
  • Purpose: Extracting structured data fields from the submitted identity document via Amazon Textract AnalyzeID, including (i) the date of birth, used solely to confirm that you are at least eighteen (18) years of age, and (ii) the per-field confidence scores returned by the AnalyzeID service, used to determine whether the submission may be auto-approved or must be routed to manual administrative review by Company personnel.
  • Retention: Identity document images are stored in a dedicated Amazon S3 bucket with a thirty (30) day automatic expiration lifecycle policy. Extracted fields (first name, last name, date of birth, document type, expiration date, and per-field confidence scores) are persisted to our application database for the lifetime of the associated verification attempt or appeal record, and are subject to deletion under Section 7.5.2.
  • Important — Model Training: Identity document images and extracted fields are not used by Amazon Web Services to train or improve any Amazon Textract machine-learning models.

5.2.11 Push Notifications — Web Push Protocol (VAPID)

  • Information shared: Push subscription endpoint URLs, P256DH public encryption keys, and authentication secret keys associated with your browser or device.
  • Purpose: Delivering push notifications to your device or browser in accordance with your notification preferences.

5.3 Third-Party Service Providers (Marketing Website)

We engage the following third-party service providers in connection with the operation of the marketing website:

5.3.1 Email Marketing — MailerLite

  • Information shared: Email addresses of users who subscribe to marketing communications through the website subscription form.
  • Purpose: Managing email subscription lists and delivering marketing and update emails.

5.3.2 Form Processing — FluentForm and Elementor

  • Information shared: Form submission data (including name, email address, phone number, and message content) submitted through website contact forms and popup forms.
  • Purpose: Processing and managing form submissions on the marketing website.

5.3.3 Website Hosting

  • Information shared: Standard web server log data, including IP addresses, user agent strings, request URLs, and timestamps.
  • Purpose: Hosting and serving the marketing website.

5.4 Analytics and Advertising Partners (Marketing Website)

We share Information with the following analytics and advertising partners through pixel tracking and server-side Conversions APIs on the marketing website:

5.4.1 TikTok (ByteDance Ltd.)

  • Information shared (client-side via TikTok Pixel): Page views, clicks, form submissions, and other user interaction events, along with cookie-based identifiers.
  • Information shared (server-side via TikTok Conversions API): Hashed identifiers (such as hashed email addresses), event timestamps, event types, and associated metadata.
  • Purpose: Tracking and optimizing TikTok advertising campaigns; measuring advertising attribution and conversion events.

5.4.2 Google (Alphabet Inc.)

  • Information shared (client-side via Google Analytics and Google Tag Manager): Page views, session data, traffic sources, UTM parameters, page interactions, device and browser information, and anonymized IP addresses.
  • Information shared (server-side via Google API): Event data including UTM parameters and anonymized IP addresses for campaign effectiveness measurement.
  • Purpose: Understanding website traffic patterns, user engagement, and marketing campaign effectiveness; optimizing Google advertising campaigns.

5.4.3 Meta — Facebook/Instagram (Meta Platforms, Inc.)

  • Information shared (client-side via Meta Pixel): Page views, form submissions, registrations, and other on-site events, along with cookie-based identifiers.
  • Information shared (server-side via Meta Conversions API): Hashed identifiers (such as hashed email addresses), event timestamps, event types, UTM parameters, and associated metadata.
  • Purpose: Tracking and optimizing Meta (Facebook/Instagram) advertising campaigns; measuring advertising attribution and conversion events.

5.5 Law Enforcement and Legal Obligations

We may disclose your Information to law enforcement agencies, regulatory authorities, courts, governmental bodies, and other authorized entities in the following circumstances:

  • (a) In response to a valid and enforceable subpoena, court order, search warrant, national security letter, or other lawful legal process;
  • (b) When we reasonably believe that disclosure is necessary to comply with applicable law, regulation, or legal obligation;
  • (c) When we reasonably believe that disclosure is necessary to protect the rights, property, or safety of the Company, our Users, or the public;
  • (d) In emergency situations involving imminent danger of death or serious physical injury to any person, where we may disclose Information to appropriate law enforcement or emergency services without a prior legal process, in accordance with applicable law (including, without limitation, 18 U.S.C. § 2702(b)(8) and § 2702(c)(4) of the Stored Communications Act);
  • (e) In connection with the investigation, prevention, or detection of fraud, security incidents, or violations of our Terms and Conditions of Use.

When we receive a lawful request for your Information, we may place an evidence hold on relevant account data and communications to preserve such data for the duration of the legal proceeding or investigation. Evidence holds may include the preservation of messages, account data, transaction records, and other relevant Information, and may include a specified duration and reason for the hold.

5.6 Business Transfers

In the event that the Company undergoes a merger, acquisition, reorganization, bankruptcy, dissolution, sale of all or substantially all of its assets, or similar corporate transaction or proceeding, your Information may be transferred to the acquiring entity or successor as part of such transaction. In such event, we will make reasonable efforts to ensure that the acquiring entity or successor assumes the obligations set forth in this Privacy Policy with respect to your Information, or provides you with notice and an opportunity to opt out of such transfer to the extent required by applicable law.

5.7 Aggregated and De-Identified Data

We may share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify you with third parties for analytical, research, business intelligence, or other purposes. Such data is not considered personal information under this Privacy Policy.

5.8 With Your Consent

We may share your Information with third parties when you have provided your express consent to such sharing, including but not limited to situations where you voluntarily share content from the Service on external platforms or provide authorization for a specific data transfer.


6. DATA STORAGE, RETENTION, AND SECURITY

6.1 Data Storage Infrastructure

Your Information is stored on secure servers utilizing PostgreSQL relational database management systems. User-uploaded files, including photographs, are stored in Amazon Web Services (AWS) S3 cloud storage infrastructure. The Company's infrastructure may utilize additional cloud services and content delivery mechanisms as necessary to provide the Service reliably and efficiently.

6.2 Message Encryption

The content of text messages transmitted through the dating application is encrypted using server-side encryption prior to storage in the database. The Company retains the capability to decrypt such messages as necessary for content moderation, compliance with legal obligations (including law enforcement requests and court orders), enforcement of the Terms and Conditions of Use, and other purposes described in this Privacy Policy. Voice notes and audio recordings are stored as encrypted files in AWS S3 storage. THE COMPANY DOES NOT PROVIDE TRUE END-TO-END ENCRYPTION; THE COMPANY RETAINS DECRYPTION CAPABILITIES FOR THE PURPOSES DESCRIBED HEREIN.

6.3 Hashing of Sensitive Data

Certain categories of sensitive data are hashed using industry-standard cryptographic algorithms prior to storage, including:

  • (a) Authentication tokens and verification codes (hashed using bcrypt or equivalent algorithms);
  • (b) Email addresses transmitted to third-party analytics providers via server-side Conversions APIs (hashed prior to transmission for privacy-preserving advertising attribution);
  • (c) Other sensitive credentials and tokens as appropriate.

6.4 Data Retention Periods

The Company retains your Information for the following periods:

  • (a) Active Account Data: For as long as your account remains active and for a reasonable period thereafter to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
  • (b) Soft-Deleted Account Data: When you delete your account through the in-app account deletion feature, your account is "soft deleted," meaning your profile is hidden from other Users and your account is deactivated, but your data is retained in our systems. Soft-deleted data is retained for a reasonable period to enable account recovery, comply with legal obligations, resolve disputes, and enforce our agreements.
  • (c) Permanently Deleted Account Data: When you request permanent deletion of your data by emailing the Company at the address provided in Section 16 of this Policy, we will undertake commercially reasonable efforts to permanently delete your personal information from our active systems within a reasonable timeframe, subject to the exceptions described in Section 6.5.
  • (d) Security Event Logs: Security event data (including login attempts, authentication events, IP addresses, and user agent strings associated with such events) is retained for a period necessary to maintain the security of the Service, detect and prevent fraud, and comply with applicable legal requirements.
  • (e) Payment and Transaction Records: Payment transaction data is retained for the period required by applicable tax, accounting, and financial regulations, and as necessary to resolve payment disputes.
  • (f) Content Moderation Records: Reports, moderation actions, warnings, and enforcement records are retained for the period necessary to enforce our policies, resolve disputes, and comply with legal obligations. Where content is removed or disabled in response to a notice of claimed copyright infringement received pursuant to Section 21.4 of the Terms and Conditions of Use, the Company retains an internal administrative audit-log entry for that removal action — recording the identity of the administrator effecting the removal, the date and time of removal, the reason recorded, and the identifier of the removed content — in accordance with the safe-harbor provisions of 17 U.S.C. § 512. The Company does not retain copies of the underlying photograph, voice note, or other media bytes after removal.
  • (g) Evidence Holds: Where an evidence hold has been placed on your data in connection with a legal proceeding, law enforcement request, or regulatory investigation, your data subject to such hold will be retained until the hold is lifted, regardless of any deletion requests or other retention periods.
  • (h) Website Analytics and Marketing Data: Data collected through website analytics, pixels, and server-side Conversions APIs is retained according to each analytics provider's data retention policies (Google Analytics, Meta, and TikTok each maintain their own data retention schedules). Server-side hashed event logs are retained in accordance with such provider retention policies.
  • (i) Email Subscription Data: Email addresses and subscription preferences provided through the marketing website are retained for as long as you remain subscribed and for a reasonable period thereafter, unless you request deletion.
  • (j) Biometric Verification Data: Verification selfies and identity document images uploaded in connection with the optional age verification feature are stored in a dedicated Amazon S3 bucket subject to a thirty (30) day automatic expiration lifecycle policy. Face vectors stored in the private Amazon Rekognition Face Collection are retained for the lifetime of your account, subject to a maximum outer limit of three (3) years from your last interaction with the Service (in accordance with the Illinois Biometric Information Privacy Act, 740 ILCS 14/15(a)). Detailed retention rules for biometric Information are set forth in Section 14.3.3 of this Policy.
  • (k) Voice Moderation Audio and Transcripts: Audio segments captured during voice cafe sessions that match the Company's automated prohibited-content detection rules, together with their corresponding speech-to-text transcripts, are stored in dedicated Company-controlled cloud object storage subject to a thirty (30) day automatic expiration lifecycle policy. Audio segments that do not match the prohibited-content rules are discarded immediately after analysis and are not retained by the Company. Where a moderation review results in an enforcement record, the corresponding audio segment, transcript, and metadata are retained as part of the Content Moderation Records described in subsection (f) of this Section.

6.5 Exceptions to Data Deletion

Notwithstanding any request for data deletion, the Company may retain certain Information where:

  • (a) Retention is required by applicable law, regulation, or legal obligation;
  • (b) An evidence hold has been placed on the data in connection with a legal proceeding or law enforcement request;
  • (c) Retention is necessary for the establishment, exercise, or defense of legal claims;
  • (d) Retention is necessary for fraud detection and prevention purposes;
  • (e) The data has been aggregated, de-identified, or anonymized such that it cannot reasonably be used to identify you;
  • (f) Retention is necessary to enforce the Company's Terms and Conditions of Use, including but not limited to maintaining records of bans and enforcement actions to prevent circumvention.

6.6 Security Measures

The Company implements commercially reasonable technical, administrative, and organizational security measures designed to protect your Information from unauthorized access, disclosure, alteration, destruction, and other forms of unlawful processing. Such measures include, without limitation:

  • (a) Encryption: Server-side encryption of message content; encrypted storage of files in AWS S3; encryption key management through AWS KMS; hashing of authentication tokens, verification codes, and sensitive credentials using industry-standard cryptographic algorithms (including but not limited to bcrypt); hashing of email addresses prior to transmission to third-party analytics APIs;
  • (b) Access Controls: Role-based access controls for administrative functions; JWT (JSON Web Token)-based authentication with token expiration and blacklisting upon logout; refresh token mechanisms with expiration tracking;
  • (c) Network Security: CORS (Cross-Origin Resource Sharing) protections configured to restrict API access to authorized origins; security headers (including but not limited to HSTS, X-Frame-Options, X-Content-Type-Options, and Content-Security-Policy); HTTPS/TLS encryption for all data in transit;
  • (d) Rate Limiting: Bucket4j-based rate limiting to prevent brute-force attacks, denial-of-service attacks, and other forms of automated abuse;
  • (e) Fraud Detection: Device fingerprinting; VOIP detection; IP address analysis; phone number history tracking; device ban enforcement;
  • (f) Input Sanitization: HTML and script injection prevention through content sanitization of user-generated content fields;
  • (g) Secure IP Extraction: Secure extraction of client IP addresses from request headers (including X-Forwarded-For) for accurate security logging and geolocation.

NOTWITHSTANDING THE FOREGOING, NO METHOD OF TRANSMISSION OVER THE INTERNET AND NO METHOD OF ELECTRONIC STORAGE IS COMPLETELY SECURE. THE COMPANY CANNOT AND DOES NOT GUARANTEE THE ABSOLUTE SECURITY OF YOUR INFORMATION. YOU ACKNOWLEDGE AND AGREE THAT YOU TRANSMIT YOUR INFORMATION AT YOUR OWN RISK, AND THE COMPANY SHALL NOT BE LIABLE FOR ANY UNAUTHORIZED ACCESS TO, DISCLOSURE OF, OR LOSS OF YOUR INFORMATION RESULTING FROM CAUSES BEYOND THE COMPANY'S REASONABLE CONTROL.

6.7 Suppression List for Banned Accounts

Where we permanently ban an account due to a confirmed chargeback, payment dispute filed in bad faith, or other material violation of our Terms and Conditions of Use, we retain a salted HMAC-SHA256 cryptographic hash of your email address, phone number, and device fingerprint, together with the IP address used at the time of the violation, in a separate "suppression list." These records:

  • (a) Are retained indefinitely;
  • (b) Cannot be reversed, decrypted, or otherwise transformed back into the original values from which they were derived;
  • (c) Are used exclusively to deny re-registration, prevent ban evasion, and protect the integrity, safety, and security of the Service;
  • (d) Are stored separately from your other Information and are not used for marketing, profiling, advertising, analytics, or any purpose unrelated to ban enforcement;
  • (e) Continue to apply even after you exercise a right of erasure, deletion, or "right to be forgotten" under applicable law.

This processing is necessary for our legitimate interests in operating a safe service, preventing fraud, and enforcing our agreements (GDPR Article 6(1)(f)), and is exempt from deletion under GDPR Article 17(3)(b) and 17(3)(e), CCPA / CPRA Section 1798.105(d)(2) (fraud-prevention exemption), and analogous provisions of other applicable privacy laws. When you exercise a right of erasure, all other personal data tied to your account is deleted in accordance with Section 6.4 and Section 7; suppression list entries are retained as described in this Section 6.7. The cryptographic pepper used to generate these hashes is stored separately under access controls and is not rotated, because the hashes are deterministic and rotating the pepper would render existing suppression entries non-matchable. The suppression list contains no plaintext personal information and cannot be used to recover, contact, identify, or profile any individual.

6.8 Machine Learning and Aggregated Model Parameters

The Company may use aggregated user data to train, evaluate, and improve internal machine-learning models that support the Service (for example, models that influence match suggestions, content ranking, or fraud detection). Where your Information has contributed to such models prior to your exercising a right of erasure or account deletion:

  • (a) The Company will delete the underlying records (the raw training samples, embeddings keyed to your account, and any feature stores indexed by your user identifier) in accordance with Sections 6.4 and 7.5;
  • (b) The Company will not include your Information in any future training run after the deletion request is processed;
  • (c) The aggregated model parameters (the trained weights themselves) will not be reversed, retrained from scratch, or otherwise modified solely to remove the residual statistical contribution of any single user's data. Once data has been incorporated into an aggregated model in this way, the resulting parameters do not contain identifiable information about you and cannot be used to recover, reconstruct, contact, or re-identify you. The European Data Protection Board has expressly recognised that aggregated model parameters meeting these conditions fall outside the scope of "personal data" (EDPB Opinion 28/2024, December 2024).

Where the Company periodically retrains models from scratch on a refreshed dataset, the residual contribution of deleted accounts is naturally removed from subsequent model versions through that retraining cycle. The Company does not currently engage in solely automated decision-making that produces legal effects concerning you within the meaning of GDPR Article 22; should this change, this Policy will be updated and (where required) explicit consent obtained.


7. YOUR RIGHTS AND CHOICES

7.1 Account Information and Profile

You may access, review, and update certain of your account and profile Information at any time through the dating application's in-app settings and profile editing features. You are responsible for maintaining the accuracy and completeness of your Information.

7.2 Notification Preferences

You may manage your notification preferences, including enabling or disabling specific notification types and delivery methods (Email, SMS, Push Notification, In-App Notification), through the in-app notification settings. For SMS notifications specifically, you may opt out at any time by replying STOP to any SMS message received from the Company; to re-enable SMS notifications, reply START. The following SMS keywords are recognized: STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, and QUIT to opt out; START, YES, and UNSTOP to opt back in. Please note that you cannot opt out of transactional communications that are essential to the operation and security of your account (including, without limitation, authentication codes, verification messages, and critical account security alerts). Marketing and promotional communications may be opted out of exclusively through the in-app notification settings or by using the unsubscribe mechanism provided in such communications. THE COMPANY'S SUPPORT TEAM DOES NOT PROCESS OPT-OUT REQUESTS; ALL NOTIFICATION PREFERENCE CHANGES MUST BE MADE THROUGH THE IN-APP SETTINGS, UNSUBSCRIBE LINKS PROVIDED IN COMMUNICATIONS, OR BY REPLYING STOP TO ANY SMS MESSAGE.

7.3 Email Marketing (Website)

If you subscribed to marketing emails through the website subscription form, you may opt out of future marketing emails by clicking the "unsubscribe" link included in any such marketing email. Unsubscribing from website marketing emails does not affect transactional or notification emails sent through the dating application.

7.4 Location Data

You may disable GPS-based location services by revoking the dating application's access to your device's location capabilities through your device settings. However, as described in Section 2.2.4, disabling GPS access will cause degradation of Service functionality, including but not limited to impaired proximity-based matchmaking and the inability to access location-dependent features. IP-based geolocation data is collected automatically when you access the Service and cannot be disabled without ceasing use of the Service.

7.5 Account Deletion

7.5.1 In-App Account Deletion (Soft Delete)

You may initiate account deletion through the in-app account deletion feature. This action constitutes a "soft delete" whereby:

  • (a) Your profile is hidden from other Users;
  • (b) Your account is deactivated and you will be unable to access the Service;
  • (c) Your data is retained in our systems as described in Section 6.4(b);
  • (d) You may be able to recover your account within a reasonable period by contacting the Company.

7.5.2 Permanent Data Deletion (Hard Delete)

You may permanently delete your account and personal data directly within the dating application by navigating to Settings → Privacy & Data → Request permanent deletion. The action is irreversible. Upon confirmation, the Company will permanently delete your personal data from active systems, subject only to the exceptions described in Section 6.5 (including, without limitation, the limited suppression-list retention described in Section 6.7 and the aggregated-model-parameter exemption described in Section 6.8), and will send a confirmation email to the email address associated with your account. If you are unable to access the application (for example, because you have lost access to your phone number or your account has been suspended), you may instead submit a written deletion request via email to the address specified in Section 16, and the Company will respond within thirty (30) days. To exercise your rights of access or data portability, navigate to Settings → Privacy & Data → Download my data.

7.6 Push Notification Subscription

You may unsubscribe from push notifications by revoking push notification permissions through your browser or device settings, or by managing your push notification preferences within the dating application's in-app settings.

7.7 Cookie and Analytics Controls

You may manage your cookie preferences and limit analytics data collection as described in Section 3.2 of this Policy, including through browser cookie settings, browser-based privacy tools, and platform-specific opt-out mechanisms provided by Google, Meta, and TikTok.

7.8 Social Login Disconnection

If you registered or authenticated via a third-party social login provider, you may manage the connection between the Service and that provider through the provider's own settings and permissions interfaces. Disconnecting a social login provider may affect your ability to authenticate to the Service using that method.


8. STATE-SPECIFIC PRIVACY RIGHTS

8.1 California Residents (California Consumer Privacy Act / California Privacy Rights Act)

If you are a resident of the State of California, you may have additional rights under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"), including but not limited to:

  • (a) Right to Know: The right to request that the Company disclose the categories and specific pieces of personal information it has collected about you, the categories of sources from which such information was collected, the business or commercial purpose for collecting such information, and the categories of third parties with which such information was shared;
  • (b) Right to Delete: The right to request the deletion of personal information the Company has collected from you, subject to certain exceptions under the CCPA;
  • (c) Right to Correct: The right to request correction of inaccurate personal information the Company maintains about you;
  • (d) Right to Opt-Out of Sale or Sharing: The right to opt out of the "sale" or "sharing" of your personal information, as such terms are defined under the CCPA. The Company does not sell your personal information. To the extent that any data sharing described in this Privacy Policy constitutes "sharing" under the CCPA (including, without limitation, the transmission of hashed identifiers to analytics and advertising platforms via pixels and Conversions APIs), you may exercise your right to opt out by contacting us at the email address specified in Section 16;
  • (e) Right to Non-Discrimination: The right not to receive discriminatory treatment for exercising any of your CCPA rights.

To exercise any of these rights, please submit a verifiable consumer request to the Company using the contact information provided in Section 16. The Company will verify your identity before processing any request and will respond within the timeframes required by the CCPA.

Do Not Sell or Share My Personal Information: The Company does not sell your personal information. California residents who wish to request that the Company refrain from sharing their personal information for cross-context behavioral advertising purposes may submit such request by contacting us at the email address specified in Section 16.

California "Shine the Light" Law: Pursuant to California Civil Code Section 1798.83, California residents who have provided personal information to the Company may request certain information regarding the Company's disclosure of personal information to third parties for their direct marketing purposes. The Company does not disclose personal information to third parties for their direct marketing purposes.

Notice at Collection: Pursuant to CCPA Section 1798.100(b), the categories of personal information the Company collects and the purposes for which such information is used are described in Sections 2 and 4 of this Privacy Policy, respectively.

Sensitive Personal Information — Biometric Data: Pursuant to CCPA Section 1798.121, you have the right to limit the Company's use and disclosure of your sensitive personal information, including biometric Information used to identify a consumer (such as the face vector described in Section 14.3 of this Policy), to those uses that are necessary to perform the services reasonably expected by an average consumer who requests those services. The Company's use of biometric Information is already strictly limited to the enumerated purposes described in Section 14.3.2, all of which are necessary to perform the age verification service that you opted in to. The Company does not use biometric Information to infer characteristics about you, for cross-context behavioral advertising, or for any other purpose beyond those expressly enumerated. You may at any time withdraw your consent to biometric processing as described in Section 14.3.6.

8.2 Virginia Residents (Virginia Consumer Data Protection Act)

If you are a resident of the Commonwealth of Virginia, you may have additional rights under the Virginia Consumer Data Protection Act ("VCDPA"), including the right to access, correct, delete, and obtain a copy of your personal data, as well as the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. To exercise any of these rights, please contact us using the information provided in Section 16.

8.3 Colorado Residents (Colorado Privacy Act)

If you are a resident of the State of Colorado, you may have additional rights under the Colorado Privacy Act ("CPA"), including the right to access, correct, delete, and obtain a portable copy of your personal data, as well as the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, and profiling. To exercise any of these rights, please contact us using the information provided in Section 16.

8.4 Connecticut Residents (Connecticut Data Privacy Act)

If you are a resident of the State of Connecticut, you may have additional rights under the Connecticut Data Privacy Act ("CTDPA"), including the right to access, correct, delete, and obtain a portable copy of your personal data, as well as the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, and profiling. To exercise any of these rights, please contact us using the information provided in Section 16.

8.5 Utah Residents (Utah Consumer Privacy Act)

If you are a resident of the State of Utah, you may have additional rights under the Utah Consumer Privacy Act ("UCPA"), including the right to access and delete your personal data, as well as the right to opt out of the processing of personal data for purposes of targeted advertising and the sale of personal data. To exercise any of these rights, please contact us using the information provided in Section 16.

8.6 Other State Privacy Laws

As additional state privacy laws come into effect, the Company will endeavor to comply with such laws as applicable. If you are a resident of a state that has enacted a comprehensive consumer privacy law not specifically addressed in this Section 8, you may contact us at the email address provided in Section 16 to inquire about and exercise any applicable rights.

8.7 Exercising Your Rights

To exercise any privacy right described in this Section 8:

  • (a) You may submit a request via email to the address specified in Section 16;
  • (b) The Company will verify your identity prior to processing any request by requiring you to confirm information associated with your account;
  • (c) The Company will respond to verified requests within the timeframes required by the applicable state law (typically forty-five (45) days, with extensions as permitted by law);
  • (d) You may designate an authorized agent to submit requests on your behalf, provided the agent presents written authorization and the Company can verify both the agent's authority and your identity;
  • (e) If the Company denies your request, you may appeal such denial by contacting us at the email address specified in Section 16, and the Company will respond to your appeal within the timeframe required by applicable law.

9. INTERNATIONAL DATA TRANSFERS

9.1 Territorial Availability of the Service

The Service is currently made available only to Users located within the United States of America and Canada. Eligibility checks at registration include verification of a +1 telephone number and a server-side IP geolocation gate; non-US/Canada IP addresses are denied registration. The Company does not knowingly accept registrations from, or direct the Service to, Users located in the European Economic Area, the United Kingdom, Switzerland, or any other jurisdiction outside the United States and Canada. If you are located outside the United States or Canada, the Service is not intended for you, and you should not register an account or submit any personal information.

9.2 Location of Processing

The Company is based in the United States, and the Service is operated from and directed to Users within the United States and Canada. Your Information is processed by the following infrastructure providers in the locations indicated:

  • (a) Cloudflare R2 (object storage for photos, identity-document images, and database backups) — Eastern North America jurisdiction (default), with data primarily resident in Virginia, United States.
  • (b) Amazon Web Services (Amazon Rekognition DetectFaces / CompareFaces / DetectModerationLabels / IndexFaces / SearchFacesByImage, Amazon Textract AnalyzeID) — us-east-1 region (Northern Virginia, United States).
  • (c) Hetzner Online GmbH (application servers, PostgreSQL database) — operated by the Company on a single dedicated server located in Hetzner's data center facility. The hypervisor layer provides ISO/IEC 27001 and SOC 2 attestation. The disk is encrypted at the hypervisor / Ceph storage layer rather than at the operating-system layer; this approach is permitted as an "appropriate technical and organisational measure" under GDPR Art. 32 and analogous Canadian provincial law (PIPEDA, Quebec Law 25).
  • (d) PayPal, Twilio, Zoho Corporation (ZeptoMail and Zoho Campaigns), Cookiebot (Usercentrics A/S), Google (Analytics 4 and Gmail SMTP), Meta (Conversions API), and TikTok (Events API) as further described in Sections 3 and 4 of this Policy. These third-party processors may store and process your Information in jurisdictions outside the United States and Canada in accordance with their respective privacy policies and the Company's data processing agreements with each provider.

9.3 Safeguards for International Transfers

The Company maintains a vendor data processing agreement (DPA) with each of the third-party processors enumerated in Section 9.2(d), and relies on the processor's standard contractual measures (such as standard contractual clauses, the EU-US Data Privacy Framework where applicable, and the corresponding UK/Swiss addenda) for any cross-border transfer initiated by that processor. Where your Information is transferred across international borders, the Company takes commercially reasonable steps to ensure that your Information receives an adequate level of protection, including through the use of contractual safeguards, certification mechanisms, or other transfer mechanisms recognized under applicable data protection laws.


10. THIRD-PARTY LINKS AND SERVICES

10.1 Third-Party Websites and Services

The Service, including the marketing website and the dating application, may contain links to or integrations with third-party websites, applications, or services that are not owned or controlled by the Company. This Privacy Policy does not apply to any third-party websites, applications, or services, and the Company is not responsible for the privacy practices, data collection methods, or content of any such third parties. We encourage you to review the privacy policies of any third-party websites, applications, or services that you visit or interact with.

10.2 Giphy Content

When you search for and send GIF images through the dating application's Giphy integration, your search queries are transmitted to Giphy (a subsidiary of Meta Platforms, Inc.). Giphy's collection, use, and disclosure of your data is governed by Giphy's own privacy policy, which is separate from and independent of this Privacy Policy.

10.3 Social Login Providers

When you use a third-party social login provider (Google, Apple, or Facebook) to register or authenticate, the exchange of information between the Service and that provider is governed in part by that provider's privacy policy and your privacy settings on that platform.

10.4 Analytics and Advertising Platforms

The data collection and processing practices of Google Analytics, Meta (Facebook/Instagram), and TikTok on the marketing website are governed in part by each platform's respective privacy policy. The Company encourages you to review the privacy policies of these platforms:

  • (a) Google Privacy Policy: https://policies.google.com/privacy
  • (b) Meta Privacy Policy: https://www.facebook.com/privacy/policy/
  • (c) TikTok Privacy Policy: https://www.tiktok.com/legal/privacy-policy

11. CHILDREN'S PRIVACY

The Service is not intended for use by individuals under the age of eighteen (18). The Company does not knowingly collect, solicit, store, or process personal information from individuals under the age of eighteen (18). If the Company becomes aware that it has collected personal information from an individual under the age of eighteen (18), the Company will take prompt steps to delete such information from its systems. If you believe that a minor has provided personal information to the Company, please contact us immediately at the email address provided in Section 16, and we will investigate and take appropriate action.


12. LAW ENFORCEMENT AND LEGAL DISCLOSURES

12.1 Lawful Requests

The Company will comply with lawful requests from law enforcement agencies, courts, regulatory authorities, and other governmental bodies for the disclosure of User Information, provided that such requests are served through proper legal channels, including but not limited to:

  • (a) Valid and enforceable subpoenas (civil or criminal);
  • (b) Court orders;
  • (c) Search warrants;
  • (d) National security letters;
  • (e) Other legal processes authorized under applicable law.

12.2 Evidence Preservation

Upon receipt of a lawful preservation request or litigation hold notice, the Company will take reasonable steps to preserve the relevant User Information, including placing evidence holds on specified account data, communications, and transaction records. Evidence holds may be maintained for the duration specified in the preservation request or for such longer period as may be required by applicable law.

12.3 Emergency Disclosures

In situations involving imminent danger of death or serious physical injury to any person, the Company may, in its sole discretion, disclose relevant User Information to appropriate law enforcement agencies or emergency services without requiring a prior legal process, in accordance with applicable federal and state law (including, without limitation, 18 U.S.C. § 2702(b)(8) and § 2702(c)(4) of the Stored Communications Act).

12.4 User Notification

Where legally permitted and not prohibited by the terms of the legal process, the Company will make reasonable efforts to notify the affected User of a law enforcement request for their Information. However, the Company is under no obligation to provide such notification where doing so would be prohibited by law, would interfere with a law enforcement investigation, or would pose a risk to the safety of any person.


13. DATA BREACH NOTIFICATION

13.1 Breach Response

In the event of a data breach involving unauthorized access to, acquisition of, or disclosure of your personal information, the Company will:

  • (a) Take prompt steps to investigate and contain the breach;
  • (b) Assess the scope and nature of the breach and the categories of Information affected;
  • (c) Notify affected Users and applicable regulatory authorities within the timeframes required by applicable state and federal data breach notification laws;
  • (d) Provide affected Users with information about the nature of the breach, the categories of Information involved, and the steps the Company is taking to mitigate the breach and prevent future occurrences;
  • (e) Offer identity theft prevention and mitigation services to affected Users where required by applicable law or where the Company deems such services appropriate given the nature and scope of the breach.

14. SENSITIVE INFORMATION

14.1 Categories of Sensitive Information

The Company recognizes that certain categories of Information it collects may be considered "sensitive" under applicable privacy laws, including but not limited to:

  • (a) Precise geolocation data (as described in Section 2.2.4);
  • (b) Information revealing racial or ethnic origin, religious beliefs, or sexual orientation (to the extent voluntarily disclosed in profile content);
  • (c) Biometric data, collected only with your prior, separate, informed, and explicit opt-in consent in connection with the optional age verification feature, consisting of (i) a self-captured verification selfie, (ii) a non-reversible mathematical face vector derived from that selfie and stored in a private Face Collection scoped solely to the Service, and (iii) where applicable, photographs of government-issued identity documents and the structured fields extracted therefrom. The collection, use, storage, and disclosure of this category of Information is described in detail in Sections 5.2.9 and 5.2.10 of this Policy. You are not required to use the age verification feature in order to use the Service, and you may decline at any time;
  • (d) Health-related information (note: the Company does not collect health information; however, Users may voluntarily disclose health-related information in profile content or messages).

14.2 Processing of Sensitive Information

To the extent that the Company processes sensitive Information, such processing is conducted solely for the purposes of providing the Service as described in this Privacy Policy and is not used for any purpose other than those disclosed herein. Where applicable law requires your consent or provides additional protections for the processing of sensitive Information, the Company will comply with such requirements.

14.3 Biometric Information Privacy — Specific Notice

This Section 14.3 provides additional disclosures applicable to the Company's collection and processing of biometric Information through the optional age verification feature, in furtherance of the Company's obligations under the Illinois Biometric Information Privacy Act (740 ILCS 14, "BIPA"), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code § 503.001, "CUBI"), the Washington Biometric Privacy Act (Wash. Rev. Code § 19.375), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"), the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") Article 9, and any other applicable biometric or special-category data laws.

14.3.1 Categories of Biometric Information Collected

For Users who voluntarily opt in to age verification, the Company collects:

  • (a) Verification selfie: A self-captured photograph of the User's face, captured through the User's device camera and uploaded to a dedicated Amazon S3 bucket;
  • (b) Face vector: A non-reversible numerical representation of the geometry of the User's face (sometimes referred to as a "biometric template" or "face print"), generated by Amazon Rekognition's IndexFaces service from the verification selfie and stored in a private Amazon Rekognition Face Collection that is scoped solely to the Service. The face vector cannot be used to reconstruct the original photograph and is used exclusively to detect attempts by the same individual to create multiple accounts;
  • (c) Identity document images (only for Users whose initial selfie returns an estimated age between sixteen (16) and twenty-one (21), and who elect to submit such a document; or for Users submitting evidence in support of an age-verification appeal): photographs of a United States driver's license, United States state identification card, or United States passport, and the structured fields extracted therefrom by Amazon Textract AnalyzeID (date of birth, first name, last name, document type, expiration date, and per-field confidence scores). Where the back of a United States driver's license or state identification card is captured, the Company additionally decodes the PDF417 barcode printed on that document and parses the AAMVA-standard subfields contained therein (full name, date of birth, license number, expiration date, and issuing state) for the sole purpose of cross-checking those fields against the optical-character-recognition output described above;
  • (d) Liveness signals (a "passive" liveness check): the same verification selfie described in subsection (a), passed through an in-house, self-hosted convolutional neural network distributed under a permissive open-source license that returns a numerical score between 0 and 1 indicating the likelihood that the captured image depicts a live human face rather than a printed photograph, screen replay, mask, or other spoofing artifact. The model executes entirely on a Company-controlled container co-located with the application backend; the verification selfie is not transmitted to any third party for this purpose. Where the passive check is inconclusive, the User may be prompted to record a brief (approximately two (2) second) self-captured video clip in which they perform a head-turn motion ("active" liveness); the individual JPEG frames sampled from that clip are submitted to the same in-house container, which uses an open-source facial-landmark detection model to estimate the head-yaw delta between frames and verify that the captured movement is consistent with a live person. Both the passive score and the active head-yaw delta are persisted as part of the verification attempt record. Liveness frames are processed in memory and are not retained beyond the single request that produced them, except as part of the verification selfie or appeal-evidence images already governed by subsection (a) of this Section 14.3.1. Specific model names and versions are intentionally not disclosed in this Policy as a content-safety hardening measure.

14.3.2 Specific Purposes of Collection

The Company collects, captures, receives, and otherwise obtains the foregoing biometric Information solely for the following enumerated purposes:

  • (a) Estimating the User's apparent age range to confirm that the User is at least eighteen (18) years of age, as required by the Terms and Conditions of Use of the Service;
  • (b) Comparing the verification selfie against the User's existing profile photographs to confirm that those photographs depict the same individual (anti-impersonation);
  • (c) Searching the private Face Collection to detect duplicate accounts (anti-fraud);
  • (d) Adding the resulting face vector to the private Face Collection so that future duplicate-account searches can recognize the User;
  • (e) For identity documents only: extracting and verifying the date of birth printed on the document for the sole purpose of confirming that the User is at least eighteen (18) years of age, and verifying that the document's expiration date (where present in the extracted fields) has not lapsed;
  • (f) For identity documents only: cross-checking the optically-recognized name and date of birth against the corresponding fields decoded from the PDF417 barcode on the back of the document, for the sole purpose of detecting tampering or alteration of the front of the document;
  • (g) For verification selfies and any frames captured for the active head-turn fallback: detecting presentation attacks (printed photographs, screen replays, masks, and similar spoofing artifacts) so as to confirm that the verification selfie depicts a live human being physically present at the time of capture. This liveness analysis is performed exclusively on infrastructure operated by the Company and is not transmitted to any third party.

The Company does not use biometric Information for any purpose other than those expressly enumerated above. The Company does not use biometric Information for advertising, marketing, profiling, training of machine-learning models, or any other secondary purpose. In particular, neither the verification selfie nor the active-fallback head-turn frames are retained, used, or made available for the purpose of training, fine-tuning, or otherwise improving any machine-learning model, whether operated by the Company or by any third party.

14.3.3 Retention Schedule

The Company retains biometric Information only for the periods strictly necessary to fulfill the purposes set forth in Section 14.3.2, and in no event longer than the periods set forth below:

  • (a) Verification selfies and identity document images stored in Amazon S3 are subject to a thirty (30) day automatic expiration lifecycle policy, after which the original image files are permanently deleted from S3 storage;
  • (b) Face vectors stored in the private Amazon Rekognition Face Collection are retained for as long as your account remains active and you continue to use the Service. Face vectors are permanently deleted via Amazon Rekognition's DeleteFaces API when (i) you exercise your right to permanent account deletion under Section 7.5.2 of this Policy, (ii) the initial purpose for which the biometric Information was collected has been satisfied, or (iii) within three (3) years of your last interaction with the Service, whichever occurs first (this three-year outer limit being adopted to align with the maximum retention period permitted under BIPA Section 15(a));
  • (c) Extracted identity document fields (date of birth, first name, last name, document type, expiration date, and per-field confidence scores), together with PDF417-decoded barcode fields (where applicable) and liveness signals (passive score, active head-yaw delta, and the model version that produced them), are persisted in our application database for the lifetime of the associated verification attempt or appeal record, and are deleted upon permanent account deletion or upon expiration of the three-year outer limit referenced in subsection (b), whichever occurs first;
  • (d) Active-fallback head-turn frames are not persisted to durable storage. They are processed in memory by the Company's in-house liveness container, the resulting yaw-delta and pass/fail outcome are recorded as described in subsection (c), and the underlying frame bytes are discarded at the conclusion of the request that submitted them.

14.3.4 Disclosure of Biometric Information

The Company does not sell, lease, trade, or otherwise profit from biometric Information. The Company does not disclose, redisclose, or otherwise disseminate biometric Information to any third party other than:

  • (a) Amazon Web Services, Inc., acting as the Company's service provider for the operation of Amazon Rekognition and Amazon Textract, solely to perform the technical functions described in subsections (a) through (f) of Section 14.3.2, and contractually prohibited from using such Information for any other purpose;
  • (b) Where required by, or in response to, a valid subpoena, court order, search warrant, or other lawful legal process compelling disclosure;
  • (c) With your written consent, if such consent is provided by you separately and specifically for the proposed disclosure.

For clarity: the liveness-detection processing described in subsection (g) of Section 14.3.2 is performed exclusively on infrastructure operated by the Company and is not disclosed, transmitted, or otherwise shared with any third party for that purpose. The models that perform that processing are open-source neural-network weights distributed under permissive open-source licenses and are executed locally; neither the verification selfie nor the active-fallback head-turn frames leave the Company's controlled environment in connection with liveness analysis.

14.3.5 Storage and Protection

Biometric Information is stored using a reasonable standard of care within the Company's industry, and in a manner that is the same as or more protective than the manner in which the Company stores, transmits, and protects other confidential and sensitive Information, including by application of encryption-in-transit (TLS 1.2 or higher) for all transmissions, encryption-at-rest for storage in Amazon S3 (AES-256, server-side managed), strict IAM access controls limiting access to the Face Collection and S3 bucket to a small number of authorized backend services, and audit logging of all access to verification records.

14.3.6 Right to Withdraw Consent

You may withdraw your consent to the Company's continued processing of your biometric Information at any time by exercising your right to permanent account deletion under Section 7.5.2, or by sending a written request to the contact address specified in Section 16. Upon receipt of a valid withdrawal request, the Company will delete all biometric Information associated with your account within a commercially reasonable period not to exceed thirty (30) days, except to the extent that retention is required by an exception described in Section 6.5.


15. OPT-OUT INSTRUCTIONS

For your convenience, the following is a consolidated summary of the available opt-out mechanisms described throughout this Privacy Policy:

15.1 Email Marketing (Website)

Click the "unsubscribe" link in any marketing email received from the Company to stop future marketing communications from the website email subscription list.

15.2 In-App Marketing and Promotional Notifications

Manage your notification preferences through the dating application's in-app notification settings. You may disable promotional and re-engagement notifications while retaining essential transactional notifications.

15.3 Analytics and Tracking (Website)

To limit analytics data collection on the marketing website, you may:

  • (a) Adjust your browser's cookie settings to block or delete analytics and advertising cookies;
  • (b) Use browser-based privacy tools and extensions;
  • (c) Install the Google Analytics Opt-Out Browser Add-On: https://tools.google.com/dlpage/gaoptout
  • (d) Manage Meta (Facebook/Instagram) advertising preferences: https://www.facebook.com/settings/?tab=ads
  • (e) Review TikTok privacy settings: https://www.tiktok.com/legal/privacy-policy

15.4 SMS Notifications

You may opt out of SMS notifications at any time by:

  • (a) Replying STOP to any SMS message received from the Company (also recognized: STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT);
  • (b) Disabling SMS as a delivery method in the dating application's in-app notification preferences.

To re-enable SMS notifications after opting out, reply START (also recognized: YES, UNSTOP) to any message, or re-enable SMS in your notification preferences. Note: SMS messages required for account verification and authentication (one-time passcodes) cannot be opted out of while your account remains active. Standard carrier message and data rates may apply to all SMS messages.

15.5 Push Notifications

Revoke push notification permissions through your browser or device settings, or disable push notifications through the dating application's in-app notification settings.

15.6 Do Not Sell or Share My Personal Information (CCPA)

The Company does not sell your personal information. California residents may request that the Company refrain from sharing their personal information for cross-context behavioral advertising purposes by contacting us at the email address specified in Section 16.


16. CONTACT INFORMATION

16.1 Data Controller Contact

If you have any questions, concerns, or requests regarding this Privacy Policy, the Company's data practices, or your privacy rights, you may contact us at:

Kream & Sugar Dating LLC
Email: admin@kreamandsugardating.com
Mailing Address: 210 N Church St, Unit 1706, Charlotte, NC 28202

16.2 Privacy Requests

All requests to exercise privacy rights described in this Policy (including requests for access, deletion, correction, or portability of personal data) should be directed to the email address specified in Section 16.1. The Company will acknowledge receipt of your request and respond within the timeframe required by applicable law.

16.3 Complaints

If you believe that the Company has violated your privacy rights or has not adequately addressed your privacy concerns, you may file a complaint with:

  • (a) The Company, using the contact information provided above;
  • (b) The applicable state attorney general's office or consumer protection agency in your state of residence;
  • (c) Any other applicable regulatory authority.

17. MISCELLANEOUS PROVISIONS

17.1 Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of the State of North Carolina, without regard to its conflict of laws principles, to the extent not preempted by applicable federal law.

17.2 Severability

If any provision of this Privacy Policy is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such invalidity, illegality, or unenforceability shall not affect any other provision of this Privacy Policy, and the remaining provisions shall continue in full force and effect. The invalid, illegal, or unenforceable provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable while preserving its original intent.

17.3 Entire Privacy Agreement

This Privacy Policy, together with the Terms and Conditions of Use (to the extent they address data practices), constitutes the entire agreement between you and the Company with respect to the collection, use, disclosure, and protection of your Information in connection with the Service.

17.4 Assignment

The Company may assign or transfer this Privacy Policy and its rights and obligations hereunder, in whole or in part, to any successor, affiliate, or assignee in connection with a merger, acquisition, reorganization, or sale of assets, without your prior consent, provided that the assignee agrees to be bound by the terms of this Privacy Policy.

17.5 No Waiver

The failure of the Company to enforce any provision of this Privacy Policy shall not constitute a waiver of such provision or the Company's right to enforce it at a later time.


18. ACKNOWLEDGMENT

BY ACCESSING OR USING THE SERVICE — INCLUDING BY VISITING THE MARKETING WEBSITE, SUBMITTING FORMS, SUBSCRIBING TO UPDATES, OR USING THE DATING APPLICATION — YOU ACKNOWLEDGE THAT YOU HAVE READ THIS PRIVACY POLICY IN ITS ENTIRETY, THAT YOU UNDERSTAND ITS TERMS AND CONDITIONS, AND THAT YOU AGREE TO THE COLLECTION, USE, DISCLOSURE, STORAGE, RETENTION, AND PROTECTION OF YOUR INFORMATION AS DESCRIBED HEREIN. YOU FURTHER ACKNOWLEDGE THAT YOUR CONTINUED USE OF THE SERVICE FOLLOWING ANY MODIFICATIONS TO THIS PRIVACY POLICY SHALL CONSTITUTE YOUR ACCEPTANCE OF SUCH MODIFICATIONS.


This Privacy Policy is effective as of April 20, 2026.

© 2026 Kream & Sugar Dating LLC. All rights reserved.
