Privacy Policy

Effective: • Version 1.0

This Privacy Policy explains how Heartstead (the “Service”) collects, uses, and protects your information. It applies to all users of our website and apps. If you do not agree, please do not use the Service. This document is for general information and is not legal advice.

1) Who we are

Heartstead (“we”, “us”) is the controller of your personal data for this Service. For inquiries, please contact us. If we provide apps in your region through a local entity, that entity may be a controller or joint controller.


2) Information we collect

  • Account & Profile: email/phone, name, gender, age, location, relationship preference/type, marital status, education, occupation, languages, motivations, bio, values and interests.
  • Photos & Media: user‑uploaded images, visibility settings (public/private/approved‑only). Women’s photos are blurred/private by default.
  • Device & Usage: IP, device/browser type, pages viewed, actions, timestamps (standard web logs and security telemetry).
  • Communications: interests you send/receive, messages (after mutual consent), notifications and support requests.
  • Verification: contact verification (OTP); optional ID verification status (if you choose to complete it).
  • Cookies & similar: please see the Cookies section below.

3) How we use your information

  • Provide, personalize and improve the Service (profiles, search, suggestions, messaging after mutual interest).
  • Protect safety and integrity (moderation, fraud/abuse prevention, rate‑limiting, incident response).
  • Operate privacy features (blur/consent, anonymous browsing, blocking, delete account).
  • Communicate with you (verification, notifications about interests/messages, policy updates).
  • Comply with law and enforce our Terms.

4) Legal bases (GDPR/UK GDPR)

  • Contract: to provide the Service you request.
  • Legitimate interests: safety, fraud prevention, product improvement (balanced with your rights).
  • Consent: for optional features (e.g., marketing emails, showing private photos to a match you approve). You can withdraw consent at any time.
  • Legal obligation: to comply with applicable laws and lawful requests.

5) Photos, privacy & automated moderation

  • Blur‑by‑default: Women’s photos are blurred/private by default; access is granted only after mutual interest or explicit approval.
  • Moderation: We may use automated tools (e.g., Google Cloud Vision API) and limited human review to detect nudity or policy violations. This helps keep the platform respectful.
  • Controls: You can set visibility to approved‑only, private, or public to matches, and you can delete photos anytime.

6) Cookies & similar technologies

We use essential cookies to run the site, and (optionally) analytics/functional cookies to improve it.

Cookie preferences

California (CPRA)

Residents may opt‑out of “sale or sharing” of personal information.

Do Not Sell or Share My Personal Information

7) Sharing & processors

We do not sell your personal information. We share data with trusted processors solely to provide the Service—for example:

  • Authentication & notifications: Firebase Auth, transactional email/SMS providers.
  • Storage/CDN: Cloudinary for photos (with your chosen visibility), secure object storage/CDN.
  • Moderation: Google Cloud Vision API (modesty checks).
  • Database & hosting: MongoDB Atlas, cloud hosting (e.g., Vercel/Heroku).

Processors are bound by contracts to use data only on our instructions and to protect it appropriately.


8) International data transfers

If we transfer your data internationally, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) and additional security measures.


9) Data retention

  • Account & profile: kept while your account is active; deleted upon request or in accordance with our inactivity policies.
  • Messages & interests: kept while your account is active, then deleted or anonymized per policy.
  • Logs & security telemetry: typically 12 months.
  • Backups: rolling backups typically 30–90 days.

10) Your rights

Depending on your region, you may have the right to:

  • Access a copy of your data (portability available where applicable).
  • Correct inaccurate data.
  • Delete your account and personal data (“right to be forgotten”).
  • Restrict or object to certain processing; withdraw consent at any time.
  • Appeal or complain to your supervisory authority.

To make a request, contact us or use in‑app controls (Settings → Privacy).


11) Children

The Service is for adults 18+ only. We do not knowingly collect data from children. If you believe a child has provided us data, contact us to delete it.


12) Security

  • Encryption in transit (HTTPS/TLS) and at rest (provider‑level encryption for storage/databases).
  • Access controls, audit logging, and least‑privilege principles.
  • Vulnerability management and incident response procedures.

13) Changes to this Policy

We may update this Policy from time to time. Changes take effect when posted with a new “Effective” date. If changes are material, we will make a reasonable effort to notify active users (e.g., email or in‑app notice).


14) Contact

Questions or requests? Contact Us