Cykee — Privacy Policy
Effective Date: [DATE]
Last Updated: [DATE]
SUMMARY (for user-facing top of page)
A short summary of what matters most:
- We collect what you give us (profile, photos, voice intro, messages, gift orders), what we generate (matches, strikes, AI conversations), and basic diagnostic data.
- We use it to run the dating service — match you with people, moderate content, process gifts, debug the app, and meet legal obligations.
- We do NOT sell your data, share it for behavioral advertising, or train external AI models on your conversations, photos, or voice.
- You can access, correct, delete, or export your data anytime via Settings or by emailing support@cykeeapp.com.
- Cykee is 18+ only. We do not knowingly collect data from minors.
1. WHO WE ARE
Cykee ("Cykee," "we," "us," "our") is a dating application operated by [LEGAL_ENTITY_NAME], a [ENTITY_TYPE_E.G._LLC_OR_C_CORP] organized under the laws of [JURISDICTION], with its principal place of business at [BUSINESS_ADDRESS].
For privacy questions, data-subject requests, or to exercise any right described in this Policy, contact our Privacy team at support@cykeeapp.com.
For users in the European Union and United Kingdom, our representative under GDPR Art. 27 / UK GDPR is [EU_REPRESENTATIVE_OR_NOT_REQUIRED_BELOW_THRESHOLD].
A Data Protection Officer (DPO) has been appointed at [DPO_CONTACT_OR_NOT_REQUIRED].
2. SCOPE AND ACCEPTANCE
This Policy describes how we collect, use, share, retain, and protect personal information when you use the Cykee mobile application (the "App") and any related services (collectively, the "Service").
We do not currently operate a desktop product, public profile site, or advertising business. If we later add any of these, we will update this Policy and request renewed consent for material changes.
Cykee is intended for individuals 18 years of age and older. We do not knowingly collect personal information from anyone under 18. If we discover that we have collected information from a person under 18, we will delete it immediately and, where the content constitutes child sexual abuse material (CSAM), report it to the National Center for Missing & Exploited Children (NCMEC) consistent with 18 U.S.C. § 2258A.
3. INFORMATION WE COLLECT
We collect only the categories of personal information listed in this Section. We do not collect any category not listed here.
3.1 Information you provide directly
| Category | Examples | When collected |
|---|---|---|
| Identifiers | First name, last name (revealed only on mutual match), email address, optional phone number, optional Instagram handle, optional WhatsApp number | Sign-up + onboarding step 4 |
| Demographics | Date of birth / age, self-declared gender, sexual orientation (who you're interested in dating) | Onboarding steps 1 + 2 |
| Visual content | Profile photo(s), additional photos | Onboarding step 6 |
| Audio content | Voice introduction (~20–30 second recording) | Onboarding step 5 |
| Open text content | "Between the Lines" soul cards: values & desires, an unpopular opinion, a current obsession, ideal Sunday, dream pursuit; occupation; bio | Onboarding steps 3, 6, and any later edit |
| Location | City name and corresponding latitude / longitude returned by Google Places Autocomplete when you select your city | Onboarding step 1 |
| Schedule data | Availability slots (date/time windows you're free for a date) | Availability screen |
| Communications | Messages you send during a date session, conversations you have with Cupido AI and Practice mode | While in chat, Cupido, or Practice session |
| Reports & safety | Reports you submit about another user, blocks you place | Profile detail / settings |
| Age verification data | Document image, selfie, and verification result, when required | Age-verification prompt, if triggered |
3.2 Information we collect automatically
| Category | Examples | Purpose |
|---|---|---|
| Device identifiers | Pseudonymous device ID (PostHog distinctId), iOS or Android device model, OS version, app version, locale | Diagnostics + product analytics |
| Usage data | Screen views, key interactions (date request sent, vote cast), feature engagement counts | Product improvement |
| Crash data | Stack traces, breadcrumb logs surrounding a crash | Diagnostics |
| Network metadata | Approximate IP-derived country (Supabase logs only) | Security, fraud prevention |
We do not use location-tracking SDKs. We do not access your device's GPS. The only location data we hold is the city you explicitly selected from a Places autocomplete dropdown.
3.3 Information we generate
| Category | Examples | Purpose |
|---|---|---|
| Activity history | Date requests sent/received/accepted/declined, dates you joined, votes cast, ratings, matches | Operating the Service |
| Financial records | For gift purchases: amount, Stripe payment intent ID, Goody order ID, transaction status. We do not see or store your card number. | Operating the Service + tax compliance |
| Safety records | Moderation events, strikes accumulated for no-shows, reports filed against you | Trust & safety |
| AI conversations | Cupido coach chat history, Practice mode transcripts | Service functionality |
3.4 Information from third parties
We receive limited information from:
- Apple / Google — your verified email and basic profile data, if you sign in with Apple ID or Google
- Stripe — transaction status and risk signals related to your payments
- Goody — order fulfillment status (shipped, delivered, returned)
- Stripe Identity / Persona / Onfido (if used) — age and identity verification result (pass/fail), not your underlying documents (those are retained by the verification provider only)
3.5 Sensitive categories of personal information
Under CCPA §1798.140(ae) and GDPR Art. 9, the following are sensitive personal information:
- Sexual orientation — your "interested in" selection, used to match you with the people you want to date
- Precise geolocation — your city's lat/lng, used to calculate distance to other users for browse ranking; never shared with anyone outside Supabase
- Voice biometric content — your voice introduction (see §3.6 below for specific handling)
- Government-issued identifier data — if age verification is triggered, the verification result and document type (e.g., "U.S. driver's license — verified")
We process these categories solely for the purposes you would reasonably expect from a dating app (matching, distance ranking, age-gating, personalization), and only with your consent given by completing onboarding. We do not sell or share these categories with any third party other than the sub-processors enumerated in §9.
3.6 Voice biometric notice (BIPA / CUBI / Washington / NY)
If you reside in Illinois (BIPA), Texas (CUBI), Washington, New York, or any other state with a biometric privacy law:
- Your voice recording is collected with your explicit consent at the voice intro step.
- We do not use your voice to identify you, authenticate you, or train any biometric template. We transcribe it (via OpenAI Whisper API) for moderation purposes and store the audio file solely so other users can play it on your profile.
- We retain it until you delete your account or replace the recording. Hard purge occurs 30 days after a deletion request (see §10).
- We do not sell, lease, trade, or otherwise profit from biometric information.
- You may withdraw your voice intro at any time by editing your profile.
4. COOKIES, PIXELS, SDKs, AND SIMILAR TECHNOLOGIES
The Cykee App is a native mobile application and does not use cookies as a website would. It does, however, use the following analogous technologies:
| Technology | Provider | Purpose |
|---|---|---|
| PostHog SDK | PostHog, Inc. | Product analytics — screen views, event tracking, crash data. Uses a pseudonymous device ID, no advertising ID. |
| Apple Push Notification Service (APNs) | Apple Inc. | Sending iOS push notifications |
| Firebase Cloud Messaging (FCM) | Google LLC | Sending Android push notifications |
| Supabase client | Supabase, Inc. | Session management, real-time data sync |
| Stripe SDK | Stripe, Inc. | Payment-form rendering and tokenization |
We do not use:
- Advertising SDKs or tracking pixels
- Cross-app or cross-device tracking
- Apple's IDFA or Android's AAID for marketing purposes
- Facebook SDK, Google Ads SDK, AppsFlyer, Adjust, or similar attribution networks
You may disable notification SDKs anytime in your device settings. Disabling PostHog analytics is available in Settings → Privacy → Analytics.
Do Not Track and Global Privacy Control (GPC)
Because Cykee operates only as a mobile app and does not deploy web cookies for tracking, browser-based Do Not Track and Global Privacy Control signals do not apply. For any future Cykee website, we will honor GPC signals as a valid opt-out of "sale" or "sharing" under CCPA.
5. HOW WE USE YOUR INFORMATION
We use the personal information described in §3 for the purposes below. We do not use it for any purpose not listed here.
| Purpose | Categories used | Legal basis (GDPR) |
|---|---|---|
| Create and manage your account | Identifiers, demographics, location, photos, voice | Contract — Art. 6(1)(b) |
| Match you with other users based on distance, age, and your "interested in" selection | Demographics, location, sexual orientation | Contract — Art. 6(1)(b); Art. 9(2)(a) for sensitive categories |
| Display your profile to users who may match with you | Photos, voice, soul cards, name (first only until mutual match) | Contract |
| Operate date sessions, chats, votes, and matches | Communications, activity history | Contract |
| Provide AI-powered features (Cupido, Practice mode) | AI conversation content, lightweight profile context as system prompt | Contract |
| Process gift purchases via Stripe and Goody | Identifiers, financial records | Contract |
| Trust & safety: moderation, abuse detection, no-show enforcement | All categories as needed | Legitimate interest — Art. 6(1)(f); protecting users from harm |
| Age verification when required | Identifiers, age-verification result | Legal obligation — Art. 6(1)(c); protecting minors |
| Diagnostics, debugging, product improvement | Usage data, crash data | Legitimate interest — Art. 6(1)(f) |
| Send transactional notifications (date confirmations, gift updates) | Identifiers, activity | Contract |
| Send optional marketing communications, if you opt in | Identifiers | Consent — Art. 6(1)(a) |
| Comply with legal obligations (tax retention, CSAM reporting, lawful requests) | Activity history, financial records, safety records | Legal obligation — Art. 6(1)(c) |
| Defend, exercise, or establish legal claims | Safety records, communications | Legal claims — Art. 9(2)(f) |
We do NOT:
- Use your information for behavioral advertising, retargeting, or any third-party ad network
- Sell your personal information to data brokers or anyone else, as "sale" is defined under CCPA §1798.140(ad)
- Share your personal information for cross-context behavioral advertising as defined under CCPA §1798.140(ah)
- Train external AI models on your messages, soul cards, or voice (see §6)
6. AI FEATURES AND YOUR DATA
6.1 Where AI is used in Cykee
| Feature | AI Provider | What's sent |
|---|---|---|
| Cupido coach | Google Gemini 2.5 Flash | Your message + rolling-summary memory + minimal profile context (first name, age, interests) |
| Practice mode | Google Gemini 2.5 Flash | Your message + the partner profile you're practicing with (read-only context) |
| Text moderation | OpenAI Moderation API | Chat and profile text |
| Image moderation | OpenAI GPT-4o-mini + AWS Rekognition | Profile photos, at upload only |
| Voice transcription for moderation | OpenAI Whisper | Voice introductions, at upload only |
| Matching and ranking | Cykee's own algorithm running on Supabase | No third-party AI involved in matching decisions |
6.2 No training on your content — contractual commitments
We rely on the following contractual commitments from our AI providers:
- OpenAI API Terms: API content is not used to train OpenAI models. ([OpenAI API data usage policy])
- Google Gemini API Terms (paid tier): paid API content is not used to train Google models. ([Google API terms])
We hold these providers to those contractual terms. We do not consent on your behalf to any usage outside these terms.
6.3 Cykee's own commitment
Cykee does not train, fine-tune, or otherwise develop machine-learning models using your personal information. If we ever wish to, we will:
- Update this Policy with at least 30 days' advance notice
- Require renewed, explicit, opt-in consent
- Not retroactively apply training to content predating the consent
6.4 Cupido memory
We retain a rolling-summary memory of your past Cupido conversations on our own infrastructure (Supabase) to give the coach context across sessions. You can delete this memory by:
- Clearing Cupido memory in Settings → Cupido → Clear memory
- Deleting your account (see §10.4)
7. AUTOMATED DECISION-MAKING AND PROFILING
Under GDPR Art. 22 and equivalent state laws, you have the right to be informed when significant decisions about you are made through automated processing.
What is automated in Cykee:
- Profile ordering for browse and discovery — based on distance, mutual interest in dating each other, and recency of activity. Does not produce legal or similarly significant effects.
- Strike accumulation for no-shows — automated by our server when you fail to attend a confirmed date. Results in cooldowns or eventually account termination. You have the right to appeal any strike by emailing support@cykeeapp.com with the date request ID.
- Automated moderation actions — content blocking, post hiding, automatic profile hiding after 3 reports. You have the right to appeal any moderation decision that affects your account.
- Age verification result — pass/fail from third-party verification.
What is NOT automated:
- Account suspensions and permanent terminations involving safety concerns (always reviewed by a human)
- Appeals (always reviewed by a human)
- Refund decisions (always reviewed by a human)
If you believe an automated decision has significantly affected you and you want human review, email support@cykeeapp.com.
8. EU DIGITAL SERVICES ACT (DSA) — TRANSPARENCY
For users in the European Union, the following additional disclosures apply under the EU Digital Services Act (Regulation 2022/2065):
- Cykee is an "online platform" under the DSA but is not classified as a Very Large Online Platform (VLOP).
- Recommender systems: Our profile-ordering algorithm uses the parameters described in §7 above. You may not currently change these parameters within the App; we will add user-controllable parameters as required by law.
- Content moderation: We use both automated tools and human review (see §13). Statements of reasons for content removals are provided in-app under Settings → Account Activity.
- Trusted flaggers: We honor reports from trusted flaggers designated under DSA Art. 22.
- EU contact point for authorities: dsa@cykeeapp.com
- Transparency reports: We will publish an annual transparency report consistent with DSA Art. 15 once we reach reportable scale.
9. HOW WE SHARE — SUB-PROCESSORS AND RECIPIENTS
We share personal information only with the processors listed below, and only for the purposes shown. Each is bound by a data-processing agreement (DPA) at least as protective as this Policy.
| Sub-processor | Purpose | Categories processed | Location |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage, edge functions | All categories | United States (AWS us-east-1) |
| Stripe, Inc. | Gift payment processing | Identifiers, financial records | United States |
| Goody Cards, Inc. (OnGoody) | Gift fulfillment — Cykee never sees the recipient's shipping address | Sender: identifiers, gift selection. Recipient: name, email | United States |
| OpenAI, L.L.C. | Text, image, and voice moderation | Photos, chat messages, voice recordings | United States |
| Google LLC (Gemini API) | Cupido coach + Practice mode | AI conversation content + lightweight profile context | United States |
| Google LLC (Places API) | City autocomplete during onboarding | Free-text input ("New Yor…"), returned city + lat/lng | United States |
| AWS (Amazon Web Services) | Image moderation via Rekognition; backend hosting via Supabase | Photos, infrastructure data | United States |
| PostHog, Inc. | Product analytics (event stream, crash data) | Pseudonymous device ID, screen views, app version | United States and EU |
| Apple, Inc. | App distribution, push notifications (APNs) | Device identifier, notification payload | United States |
| Google LLC (Firebase Cloud Messaging) | Android push notifications | Device identifier, notification payload | United States |
| Stripe Identity / Persona / Onfido (one provider, TBD) | Age and identity verification | Document image, selfie, verification result | United States |
| Termly or iubenda (one provider, TBD) | Privacy policy hosting, consent management | Aggregate consent data only | United States or EU |
Aggregated and de-identified data may be shared with third parties for research, product development, or industry analysis, but only after personal identifiers have been removed and the data cannot reasonably be re-identified.
Legal disclosures
We may disclose information when required by law:
- In response to subpoenas, court orders, or other lawful process, after evaluating the request for facial validity and overbreadth
- To NCMEC where required by 18 U.S.C. § 2258A (suspected CSAM)
- To protect the rights, property, or safety of Cykee, our users, or the public — including to investigate fraud or imminent harm
We will not voluntarily provide bulk access to law enforcement and will challenge overbroad demands.
Business transfers
If Cykee is acquired, merged, or otherwise undergoes a business-transfer event, your personal information may be transferred as part of the transaction. We will notify you and update this Policy if a successor entity intends to process your information for new purposes.
10. DATA RETENTION
We retain personal information only as long as needed for the purposes described in §5. Specific windows:
| Data type | Retention window | Why |
|---|---|---|
| Profile data (name, photos, voice, soul cards) | Until you delete your account, then 30 additional days for the grace period | Restore window; then hard purge |
| Chat messages | Until either party deletes their account; on hard purge of one party, the sender_id is anonymized but message content remains for the other party | Other party's right to their conversation history |
| Cupido + Practice AI transcripts | Until you delete your account, then 30 additional days | Service functionality + restore window |
| Cupido memory summaries | Until you clear them in settings, or delete your account | Cross-session continuity |
| Gift purchase records | 7 years from the transaction date | IRS Pub. 583 record-retention requirement |
| Safety strikes and reports filed against you | 7 years from creation, or until you delete your account, whichever is longer | Defense of legal claims — GDPR Art. 17(3)(e) + protecting other users |
| Moderation event logs | 24 months | Tuning the moderation pipeline; false-positive review |
| Age verification records | 7 years | Defending against minor-on-platform claims |
| Account deletion audit row | Indefinitely (UUID with no PII linkage after hard purge) | Demonstrating compliance to regulators |
| Diagnostics, crash data, product analytics | 12 months rolling | Product improvement |
| Supabase logs | 7 days (Supabase default) | Operational debugging |
| Marketing-communication opt-out records | Indefinitely | Demonstrating compliance with opt-out |
If a longer retention is required by law (regulator preservation order, ongoing legal claim), we may retain only the necessary data and only for the time required.
11. YOUR PRIVACY RIGHTS
The rights available to you depend on where you live. Regardless of jurisdiction, you can exercise any right by emailing support@cykeeapp.com from the email associated with your account, or using in-app tools where available.
We respond within the windows required by law:
- CCPA: 45 days, extendable once by 45 days
- GDPR / UK GDPR: 30 days, extendable by 60 days for complex requests
- PIPEDA: 30 days
- Other state laws: per the applicable statute
11.1 California (CCPA / CPRA)
- Right to know the categories collected (§3), purposes (§5), and recipients (§9)
- Right to access the specific pieces of personal information we hold about you
- Right to deletion, subject to the statutory exceptions in CCPA §1798.105(d)
- Right to correction of inaccurate personal information
- Right to opt out of sale or sharing: not applicable — we do not sell or share for cross-context behavioral advertising
- Right to limit use of sensitive personal information: not applicable as the statute contemplates — we use sensitive categories only for the dating service you signed up for, with no further-use restriction available
- Right to non-discrimination for exercising any right
- Authorized agent: you may designate an agent under §999.326 of the CCPA regulations; we will verify the agent and confirm with you before responding
- Right to a portable copy of your information
- California Civil Code §1789.3: California residents may report complaints to the California Department of Consumer Affairs, Consumer Information Division, 1625 N. Market Blvd., Suite N112, Sacramento, CA 95834, or (800) 952-5210
11.2 Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Oregon (OCPA)
Residents of Virginia, Colorado, Connecticut, Utah, and Oregon have the right to:
- Confirm whether we process their personal data, and access it
- Correct inaccuracies
- Delete personal data
- Obtain a portable copy
- Opt out of "targeted advertising" (not applicable — we do not engage in this), "sale" (not applicable), or "profiling" that produces legal or similarly significant effects (also not applicable — see §7)
- Appeal a denial of any of the above by emailing privacy-appeals@cykeeapp.com
11.3 Texas (TDPSA)
Texas residents have rights substantially equivalent to Virginia (VCDPA), including right to know, access, correct, delete, portability, and to opt out of targeted advertising, sale, or significant-effect profiling. Same appeal process as §11.2.
11.4 Florida (FDBR)
Florida residents have rights including right to access, delete, correct, port, opt out of sale and targeted advertising, and an additional right to opt out of the collection or processing of sensitive data and personal data for purposes of profiling. Same appeal process as §11.2.
11.5 Tennessee (TIPA)
Tennessee residents (where Cykee is operated) have rights under the Tennessee Information Protection Act including access, correct, delete, port, and opt out of sale, targeted advertising, and significant-effect profiling. Appeals to privacy-appeals@cykeeapp.com.
11.6 Other US states with comprehensive privacy laws
Residents of additional states with active comprehensive privacy laws — including but not limited to Iowa (ICDPA), Indiana (INCDPA), New Jersey (NJDPA), Delaware (DPDPA), Maryland (MODPA), New Hampshire (NHCDPA), Kentucky (KCDPA), Minnesota (MCDPA), Rhode Island (RIDTPPA), Nebraska (NDPA), Montana (MCDPA) — have rights substantially equivalent to those described in §11.2. Same exercise and appeal process.
11.7 EU, UK, and Switzerland (GDPR / UK GDPR / FADP)
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17), subject to Art. 17(3) exceptions
- Right to restrict processing (Art. 18)
- Right to data portability (Art. 20) — available in-app at Profile → Download my data
- Right to object to processing based on legitimate interest (Art. 21)
- Right to withdraw consent at any time, where processing is based on consent (Art. 7(3))
- Right not to be subject to solely automated decisions producing legal or similarly significant effects (Art. 22) — see §7
- Right to lodge a complaint with your local supervisory authority. EU residents may find their authority at https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents may contact the Information Commissioner's Office (ICO) at https://ico.org.uk
11.8 Brazil (LGPD)
Brazilian residents have rights including confirmation of processing, access, correction, anonymization or deletion, portability, information about sharing, and revocation of consent. Contact the Autoridade Nacional de Proteção de Dados (ANPD) for complaints.
11.9 Canada (PIPEDA + provincial laws)
- Right of access to your personal information and to know how it's been used
- Right to challenge accuracy of your personal information
- Right to withdraw consent, subject to legal or contractual restrictions
- Complaints may be filed with the Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca)
11.10 Australia (Privacy Act 1988)
Australian residents may access and correct their personal information and may lodge complaints with the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au
11.11 Japan, South Korea, and Other Regions
Users in additional jurisdictions have rights as provided under their applicable laws. Contact support@cykeeapp.com to exercise rights or learn about the regulatory authority in your country.
11.12 Verification and authorized agents
To protect your information, we will verify your identity before fulfilling a rights request. Verification may include:
- Confirming the email address on file
- Asking for information matching what we hold (account creation date, last activity, etc.)
- Requesting age-verification confirmation for sensitive requests
Authorized agents must provide proof of authority. We may contact you to confirm the agent's authority before disclosing information.
11.13 Appeals
If we deny a rights request, you may appeal by emailing privacy-appeals@cykeeapp.com with the original request ID. Appeals are reviewed by a different team member than the original decision-maker. We will respond within 45 days. If we deny on appeal, we will provide a written explanation and inform you of your right to file a complaint with your state Attorney General or relevant regulator.
12. CONSUMER HEALTH DATA NOTICE (WA, NV, CT)
This Section is a separate disclosure required by:
- Washington My Health My Data Act (RCW 19.373)
- Nevada SB 370
- Connecticut Public Act 22-15 (CTDPA health data provisions)
12.1 Consumer health data we may collect
Depending on what you choose to share, Cykee may collect data that qualifies as "consumer health data" under these laws, including:
- Sexual orientation and dating preferences (which can imply reproductive or sexual health information)
- Self-reported information in your soul cards or bio that could relate to physical or mental health
- Use of Cupido AI for conversations that touch on emotional wellbeing
12.2 How we use consumer health data
We use this data solely:
- To operate the dating Service
- To moderate prohibited content (e.g., promotion of self-harm)
- For trust and safety
We do not share consumer health data with any third party except the sub-processors listed in §9, all of whom are bound by DPAs.
12.3 Your specific consumer health data rights
- Right to confirm whether we collect, share, or sell consumer health data about you
- Right to access that data
- Right to delete that data — we will honor deletion to the maximum extent consistent with legal-retention obligations
- Right to withdraw consent at any time
- Right not to be discriminated against for exercising any right above
To exercise these rights, email health-data@cykeeapp.com.
12.4 We do not sell consumer health data
We do not sell consumer health data, full stop, and have no plans to do so.
13. CONTENT MODERATION (DSA TRANSPARENCY)
We moderate content using the combination described in §6 (automated tools) plus human review of appeals and edge cases.
13.1 Statements of reasons
When we remove content or take action against an account, we provide a statement of reasons to the affected user, including:
- What content or behavior triggered the action
- Which rule of these Terms or our Community Guidelines applies
- Whether automated tools were used in detection
- Your right to appeal
13.2 Reporting bad actors
You may report any user, content, or behavior using the in-app Report function. Reports are reviewed within 7 days for normal cases and within 24 hours for cases involving threats, CSAM, or imminent harm.
13.3 Repeat violators
Users who repeatedly violate our policies are subject to permanent account termination. See §7 (Strike System) and §14 of our Terms.
14. INTERNATIONAL DATA TRANSFERS
Cykee is operated from [JURISDICTION] and our sub-processors are primarily located in the United States. If you use Cykee from outside the United States, your personal information will be transferred to and processed in the United States.
14.1 EU, UK, Switzerland transfer mechanisms
For users in the EU, UK, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914
- The UK International Data Transfer Addendum issued by the ICO
- The Swiss FDPIC-approved SCCs for Swiss data subjects
- Where the sub-processor offers it, the EU–U.S. Data Privacy Framework (and UK Extension, Swiss-U.S. Framework)
A copy of the SCCs in force is available on request to support@cykeeapp.com.
14.2 Additional safeguards
We supplement transfer mechanisms with:
- TLS 1.2+ encryption in transit
- AES-256 encryption at rest
- Access controls limiting which Cykee staff can view user data
- Contractual commitments from sub-processors not to disclose data in response to legal demands without first attempting to redirect the demand to us
15. SECURITY
We use the following security measures:
- TLS 1.2+ for all in-transit data
- AES-256 at-rest encryption for Supabase Storage and Postgres
- Row-level security policies enforcing that one user can never read another user's private data
- Stripe and Goody handle financial data on PCI-DSS Level 1 infrastructure; Cykee never sees raw card data
- Image and voice content are scanned at upload and quarantined if flagged before being made viewable
- Multi-factor authentication for administrative access to production systems
- Regular vulnerability scans and dependency updates
- Incident response plan with defined escalation paths
No system is perfectly secure. We will notify affected users without undue delay if we become aware of a personal data breach affecting their information, consistent with GDPR Art. 33–34, applicable state breach-notification laws, and the FTC Health Breach Notification Rule where applicable.
15.1 Reporting a security vulnerability
If you've discovered a security vulnerability in Cykee, please email security@cykeeapp.com. We respond within 5 business days and follow a coordinated-disclosure model. We will not pursue legal action against good-faith security researchers acting under our published responsible-disclosure guidelines.
16. MARKETING COMMUNICATIONS
We send two types of communications:
16.1 Transactional / service messages
These include date confirmations, match notifications, gift status updates, security alerts, account changes, and policy updates. You cannot opt out of these while using the Service — they are necessary to operate the App.
16.2 Optional marketing / promotional messages
We may, with your consent, send occasional marketing emails or push notifications about new features, product updates, or events. You may:
- Opt out by clicking "Unsubscribe" in any marketing email
- Disable promotional push notifications in Settings → Notifications
- Email support@cykeeapp.com with subject "Marketing Opt-Out"
We respect opt-outs within 10 business days.
17. CHILDREN'S PRIVACY
Cykee is strictly an 18+ service. We:
- Require date-of-birth attestation at sign-up
- Run every uploaded photo through an automated check that flags images where a minor appears to be the main subject; flagged photos are blocked and not stored
- May require third-party age verification for any user we suspect of being under 18
- Honor any report that a user appears to be under 18 by immediately hiding the profile pending review
- Permanently terminate any account confirmed to belong to someone under 18
We do not knowingly collect personal information from anyone under 18. If you believe we have, contact us immediately at support@cykeeapp.com — we will delete the information without delay and, where it constitutes CSAM, report to NCMEC under 18 U.S.C. § 2258A.
This Service is not directed to children under 13 in any context, consistent with COPPA, and we do not knowingly collect from this group. Where state or national law sets a higher minimum (e.g., 16 in some EU member states for digital services), the higher minimum applies.
18. CHANGES TO THIS POLICY
We will revise this Policy from time to time. We will:
- Update the Last Updated date at the top
- Maintain a Changelog at the bottom listing every material change in the prior 12 months (CCPA §1798.130(a)(5)(C))
- For changes that materially expand the categories collected, the purposes of processing, or the sub-processors involved, request your renewed consent before the change takes effect for you
- Provide at least 30 days' advance in-app notice for material changes affecting EU/UK users
19. CONTACT US
For privacy questions or to exercise any right described above:
- General privacy: support@cykeeapp.com
- Rights appeals: privacy-appeals@cykeeapp.com
- Consumer health data: health-data@cykeeapp.com
- Security vulnerabilities: security@cykeeapp.com
- EU DSA authorities: dsa@cykeeapp.com
- Mailing address: [LEGAL_ENTITY_NAME], [BUSINESS_ADDRESS]
EU/UK Representative (GDPR Art. 27 / UK GDPR Art. 27): [EU_REPRESENTATIVE_OR_NOT_REQUIRED_BELOW_THRESHOLD]
Data Protection Officer (where required): [DPO_CONTACT_OR_NOT_REQUIRED]
Supervisory authorities:
- California residents — California Department of Consumer Affairs
- EU residents — your national Data Protection Authority (https://edpb.europa.eu)
- UK residents — Information Commissioner's Office (ico.org.uk)
- Canadian residents — Office of the Privacy Commissioner of Canada (priv.gc.ca)
CHANGELOG
| Date | Summary |
|---|---|
| [DATE] | Initial published version |