Privacy Policy
Last updated: May 22, 2026
Hello, and welcome to Kuppel's Privacy Policy.
We know a privacy policy is not most people's idea of a good read. We have tried to write this one in plain English so you can actually find what you need. If anything is unclear, please get in touch (Section 12 tells you how).
This policy explains who we are, what personal data we collect about you when you use the Kuppel app and website, how and why we collect, store, use, and share it, your rights, and how to contact us or the Information Commissioner's Office (the UK regulator) if you have a complaint.
We are responsible for that personal data, and we are subject to the United Kingdom General Data Protection Regulation (UK GDPR).
Kuppel is intended for adults aged 18 and over. We verify age during sign-up using AI-based estimation and reject anyone we cannot confirm is an adult. If you become aware that anyone under 18 has created an account, please let us know so we can remove it. See Section 9 for full details of our child safety measures.
Kuppel Ltd ("we", "us", "our") operates the Kuppel mobile application and website. We are the data controller for the personal data we process through the Kuppel mobile application and website.
Kuppel Ltd is a company registered in England and Wales (company number 17073504). Registered office: 10 Shaws Road, Altrincham, WA14 1QU.
ICO registration: ZC104354
Contact: Visit our support page
We sometimes use AI-assisted tooling (Anthropic's Claude API) for safety, incident response, and support work. Section 4 has the details. If you would prefer we do not use AI tooling on your data, please tell us via our support page.
Throughout this policy we use the capitalised terms Single (a user with a dating profile who is shown potential matches) and Matchmaker (a user who recommends profiles to Singles they are linked with). Both are defined in full in our Terms of Service.
Contents
- What data we collect
- How we use your data
- How we protect your data
- Who we share your data with
- International data transfers
- How long we keep your data
- Your rights
- Automated decision-making and profiling
- Children and age restriction
- Cookies and tracking
- Changes to this policy
- Contact us
1. What data we collect
The personal data we collect about you depends on how you use the Kuppel app and website. We will collect and use the following personal data about you.
You must provide this personal data to use Kuppel and the services on it, unless we tell you that you have a choice.
Sometimes you can choose whether to give us your personal data and let us use it. Where that is the case we will tell you and give you the choice before you give the personal data to us. We will also tell you whether declining to share that personal data will affect your use of Kuppel or any of its services.
We collect and use this personal data for the purposes described below.
Account data you provide
| Data | Why we need it |
|---|---|
| Email address | Account creation, login, password resets, service emails |
| Password | Account authentication (stored as a cryptographic hash, never in plain text) |
| Phone number | Identity verification, preventing duplicate accounts (stored encrypted; a one-way hash is stored separately for duplicate detection) |
| First and last name | Display on your profile |
| Date of birth | Age verification (18+ only) |
Profile data you provide
| Data | Why we need it |
|---|---|
| Photos (up to 6) | Profile display, identity verification, content moderation |
| City and country | Location-based matching. We store city-level latitude and longitude coordinates derived from your selected city. We do not collect GPS coordinates from your device. |
| Gender identity | Profile display and matching preferences |
| Gender preferences (who you're interested in) | Matching preferences |
| Sexual orientation | Profile display (you can hide this from your public profile) |
| Relationship intentions and styles | Matching preferences |
| Bio and icebreaker text | Profile display |
| Languages spoken | Profile display and matching |
| Height | Profile display (you can hide this) |
| Work and job title | Profile display (you can hide these) |
| Education level and university | Profile display (you can hide these) |
| Ethnicity, nationality, religious beliefs | Profile display (you can hide these) |
| Lifestyle choices (children, drinking, smoking, drugs, pets) | Profile display (you can hide these) |
| Interests | Profile display and matching (you can hide these) |
Many profile fields are optional. You can choose to hide individual fields from your public profile using the visibility controls in the app. Hidden fields are stored but not shown to other users.
When you upload profile photos, only the photos you choose are sent to our servers. They are shown as your photos on your Kuppel profile. Every uploaded photo is also checked automatically for inappropriate content (for example, nudity) before it is saved. If you have turned on the verification badge, each photo is also compared against your stored face encoding (see Section 8) so that photos showing you can display a "verified" badge.
Data generated through your use of Kuppel
| Data | Why we collect it |
|---|---|
| Swipe and match activity | To operate the matching system |
| Messages with matched users | To provide the messaging feature |
| Matchmaker connections and recommendations | To operate the Matchmaker and recommendation features |
| Blocked users and contact blocks | To enforce your privacy and safety preferences |
| Referral code and referral relationships | To operate the referral programme and track reward eligibility |
Data we generate about you
| Data | Why we generate it |
|---|---|
| Face encoding (a mathematical representation of your facial features) | Identity verification: confirming your profile photos show you, detecting duplicate accounts, and badging verified photos. See Section 8 for details. |
| Age estimation result | To verify you are 18 or older. We store the result of the check (pass/fail) and an audit log of the check, not a precise age estimate. |
| Content moderation results | Each uploaded photo is scanned for inappropriate content before it is saved. Photos that pass are stored with an "approved" status. Photos that fail are rejected immediately and never saved. Only a cumulative rejection count is recorded on your account. |
| Login audit records | We record each login attempt with a hashed email, IP address, user agent, platform, and timestamp. This helps us detect unauthorised access and investigate security incidents. |
Usage analytics
To understand how people use Kuppel and to improve the app, we collect pseudonymised usage data. This data cannot be used to identify you personally.
| Data | Why we collect it |
|---|---|
| A pseudonymous user identifier (a one-way hash of your internal account ID) | To understand usage patterns over time without knowing who you are. This hash cannot be reversed to reveal your identity. |
| Feature usage (which screens you visit, which buttons you tap) | To understand which features are popular and where people get stuck |
| Onboarding progress (which registration steps you complete or skip) | To identify where new users drop off so we can improve the sign-up experience |
| Gender | To understand usage patterns across genders |
| Age bracket (for example, 18–24, 25–34) | To understand usage patterns across age groups. We store only the bracket, not your exact age. |
| Country and region | To understand where our users are and tailor the experience to different regions |
| Education level | To understand usage patterns across education levels |
| Relationship goal (for example, long-term, casual, friendship) | To understand what users are looking for |
What we do not collect in analytics: We do not store your name, email address, phone number, exact age, exact location, or any photographs in the analytics data. We also do not collect sexual orientation, ethnicity, religious beliefs, or nationality in analytics. These are sensitive personal data under data protection law and we deliberately exclude them.
No third parties: All analytics data stays in our own database. We do not share it with any third-party analytics provider, advertiser, or data broker.
No cookies or device storage: We do not write any cookies, local storage entries, or device identifiers for analytics purposes.
When you delete your account: Your internal account ID is permanently deleted, which means the pseudonymous hash in the analytics data can never be linked back to you. The analytics data effectively becomes fully anonymous at that point.
Data from third-party sign-in
If you sign in with Google or Apple, we receive your email address and name from those services. We do not receive your Google or Apple password.
Data collected when you tap a referral link
If you tap a Kuppel referral link before installing the app, our website temporarily collects the following information to connect your installation to the person who referred you:
| Data | Why we collect it |
|---|---|
| IP address | Primary matching signal (captured server-side from your request, not sent by the web page) |
| Browser user-agent string | Device identification for matching |
| Screen dimensions (width and height) | Device identification for matching |
| Browser language | Supporting matching signal |
| Timezone | Supporting matching signal |
This data is used solely to pre-fill your referral code during registration, so you do not have to type it manually. If a match is found, the referral code field is filled in for you. You can still change or remove it. If no match is found, you enter the code yourself as normal.
No cookies, local storage, or device identifiers are written to your device. The data is deleted automatically within 24 hours regardless of whether a match is found. This data is never shared with third parties, never used for advertising, and never correlated with any other browsing activity.
Device contacts
If you grant permission, Kuppel can access your phone contacts for two purposes: (1) to let you block specific contacts from finding you on Kuppel, and (2) to help you find friends already on Kuppel and invite those who are not. When you use the contact matching feature, your contacts' names and phone numbers are sent to our server and compared in memory against the phone numbers of Kuppel users (which are held encrypted at rest) for the duration of the request only. Nothing about your contacts is written to our database during this process. We only store a phone number from your contacts permanently when you actively choose to block a contact. For each block we store the contact's phone number (encrypted at rest) and the account that created the block. We keep these blocks for as long as your Kuppel account is active. When you delete your account, all blocks created by you are deleted with it. You can remove a specific block at any time from your account settings in the app. Your contacts are not shared with any third-party service provider, and we do not send contact data to any analytics, advertising, or marketing provider. The lawful basis we rely on, and the opt-out route for non-users of Kuppel, are explained in Section 2.
Support and contact requests
When you contact us through our support page, we receive whatever you choose to send us, typically your message and any details you provide to identify your account. We use this data only to respond to your request, investigate the issue, and keep a record of the correspondence. Support messages are retained for as long as needed to resolve the matter and for a reasonable period afterwards in case you contact us again about the same issue. The maximum retention period is 2 years from the resolution of the matter, unless a longer retention is required under our legal-hold procedure, by an active complaint or regulator enquiry, or by the child-safety and safeguarding workflows that retain CSAM-related correspondence for 7 years.
Research and feedback
From time to time we may invite you to participate in optional in-app surveys, beta feedback forms, or product-research invitations. Participation is always optional, and if you choose to respond we receive whatever you choose to send us, typically your answers and any free-text comments. We use this data only to understand user experience and improve Kuppel. We do not currently run any such surveys. If we introduce them, we will tell you what we collect and how long we keep it at the moment we ask for your response, and you can decline without affecting your use of Kuppel.
Payment and billing data
Kuppel is currently free to use. We do not collect payment cards, bank details, or billing addresses from users. If we introduce paid features in future, we will update this policy and notify you before any payment data is collected. Payments would be processed by a regulated payment provider. We would not store full card details ourselves.
2. How we use your data
We use your data to:
- Provide the service: Create your account, display your profile, match you with other users, enable messaging, and operate the Matchmaker system.
- Operate the Matchmaker feature: If you have a dating profile, Matchmakers who are connected to their Single friends may view your public profile information (including your name, photos, city, bio, and any profile fields you have not hidden) and recommend your profile to the Singles they are linked with. Matchmakers cannot see your contact details, your private messages, or any fields you have hidden using the visibility controls.
- Verify your identity: Check that your photos show the same person (photo verification), detect duplicate accounts using face encoding comparison, and confirm you are 18 or older using AI-based age estimation.
- Protect the community: Operate the systems we are required to maintain under the UK Online Safety Act 2023, including content moderation, user reporting and blocking, suspension of accounts that breach our rules, removal of prohibited content, detection and reporting of child sexual abuse material, and a route for users to appeal moderation decisions. See Section 8 for how automated decisions work, and our Child Safety Standards page for our full safety approach. Our Acceptable Use Policy sets out the rules for using Kuppel.
- Communicate with you: Send service messages (password resets, match notifications, security alerts, safety notices, and important updates about your account or our terms). Service messages are operational. We send them because you have an account with us, and they are not subject to marketing consent. We do not currently send marketing messages through any channel (email, push notification, in-app banner, or SMS). If we introduce marketing in future, we will ask for your consent first and provide a clear opt-out for that channel. The Kuppel referral programme (see Section 1, "Data collected when you tap a referral link") is voluntary participation. Sharing a referral code with a friend is your choice and is not treated as a marketing channel operated by us.
- Operate the referral programme: Track referral relationships, determine reward eligibility, and process reward payments.
- Maintain security: Record login attempts, detect unauthorised access, and investigate security incidents.
- Improve Kuppel: Fix bugs, monitor errors, and understand how people use the app so we can make it better.
Legal bases for processing (UK GDPR)
Under data protection law, we can only use your personal data if we have a proper reason, e.g.:
- where you have given consent;
- to comply with our legal and regulatory obligations;
- for the performance of a contract with you or to take steps at your request before entering into a contract;
- for the purposes of a recognised legitimate interest; or
- for our legitimate interests or those of a third party.
A legitimate interest is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own. You can obtain details of this assessment by contacting us (see 'Contact us' below).
The table below explains what we use your personal data for and why.
| Purpose | Legal basis |
|---|---|
| Creating and managing your account, and providing the dating and Matchmaker service | Performance of contract (our Terms of Service) |
| Displaying your profile to other users and Matchmakers | Performance of contract |
| Photo verification and face encoding for identity confirmation | Explicit consent (obtained during onboarding before verification begins) |
| Face encoding comparison for duplicate account detection | Legitimate interest (platform integrity and fraud prevention) |
| AI-based age estimation | Legal obligation (UK Online Safety Act) and legitimate interest (child safety) |
| Content moderation (NSFW detection) | Legitimate interest (community safety) and legal obligation (UK Online Safety Act) |
| CSAM detection and reporting | Legal obligation (UK Online Safety Act, Protection of Children Act 1978) |
| Service communications (password resets, match notifications) | Performance of contract |
| Login audit logging | Legitimate interest (security and fraud detection) |
| Referral programme | Performance of contract |
| Referral link attribution (temporary device fingerprinting before registration) | Legitimate interest (improving referral experience and reducing onboarding friction). Data is minimal, purpose-limited, and deleted within 24 hours. See Section 1, "Data collected when you tap a referral link". |
| Matching your contacts' phone numbers against Kuppel user accounts (at your request) | Legitimate interest (connecting you with people you know and enabling privacy controls such as contact blocks). Data is processed in memory only for the comparison, not stored unless you actively block a contact, and not shared with third parties. See Section 1, "Device contacts". |
| Error tracking and bug fixes | Legitimate interest (service reliability) |
| AI-assisted incident response, operational corrections, and maintenance | Legitimate interest (operating the service safely and lawfully, and triaging incidents) |
| Usage analytics (feature usage, onboarding funnels, demographic trends) | Legitimate interest (improving the service and understanding user needs). You have the right to object at any time. See Section 7. |
| Establishing, exercising, or defending legal claims, complying with court or tribunal orders, and otherwise enforcing or protecting our legal rights | Legitimate interest (protecting our legal position) and, where applicable, legal obligation |
| Personalising your experience based on the profile preferences and choices you provide (for example, who you want to be matched with) | Performance of contract |
| Protecting the security and integrity of the systems, networks, and data we use to provide Kuppel, including detecting, preventing, and investigating unauthorised access, abuse, fraud, and technical attacks | Legitimate interest (security, fraud prevention, and platform integrity) |
| Statistical analysis to understand our user base, plan capacity, and inform business decisions | Legitimate interest (running and improving the service). You have the right to object. See Section 7. |
| Disclosures and other activities necessary to comply with legal and regulatory obligations that apply to our business, including recording and demonstrating evidence of your consents and choices where relevant | Legal obligation (UK GDPR accountability principle and other applicable laws) |
| Internal and external audits of our systems, accounts, security controls, and compliance with our obligations | Legitimate interest (governance, assurance, and accountability) |
| Sharing your personal data with third parties that will or may take control or ownership of some or all of our business (and professional advisors acting on our or their behalf) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering, or in the event of our insolvency. In such cases information will be anonymised where possible and only shared where necessary | Legitimate interest (business continuity and protecting the value of the business) |
| Voluntarily sharing relevant personal data with public authorities, regulators, or other bodies exercising official functions in response to written requests, where we consider disclosure is necessary and appropriate | Legitimate interest (cooperating with legitimate official requests) |
Contact matching and your contacts' data
When you choose to use contact matching, we process the names and phone numbers in your address book to find friends already on Kuppel and to let you block specific contacts from finding you. For your contacts who are not Kuppel users, we rely on our legitimate interests in helping you connect with people you already know and in letting you block specific contacts. We have weighed this against their rights and freedoms, and the processing is narrow by design: phone numbers are compared in memory for the duration of the request only, never stored except where you actively block someone, and never used for marketing, advertising, or any other purpose. If you are a non-user and would prefer to be excluded from contact matching, contact us via our support page. This opt-out applies to the find-friends matching only. For the safety of our users, we will still honour any Kuppel user's decision to block your number from finding them on Kuppel.
Special category data
Several fields on your dating profile are "special category" personal data under UK data protection law. These are: gender identity, sexual orientation, ethnicity, and religious beliefs. They are collected only from users who create a dating profile; Matchmaker-only accounts are not asked for any of them. Where you do share any of these fields, we process them on the basis of your explicit consent.
The biometric data we generate during AI-based age estimation at signup is also special-category personal data, but it is processed on a different basis. At signup you take two short selfies on your phone, and we send these selfies to our servers to run the age check and the liveness check described below. We rely on two safeguarding conditions in UK data protection law that do not depend on consent: stopping under-18s from creating an account on an adults-only service, and safeguarding children flagged as possibly underage. We do not retain any biometric data from age estimation. The photo is consumed by the check, the result is recorded as a pass or fail, and the photo and intermediate output are discarded. Age verification also includes a liveness check that compares the two selfies to confirm a single live person, rather than a stolen photo. This uses a transient face pattern computed from the selfies. The pattern is encrypted and returned to your device while you choose whether to also enable the verified badge. If you choose not to, no face pattern is stored on Kuppel's servers.
When we investigate safety reports or keep records of accounts we have suspended, we sometimes need to handle similar sensitive information (for example, race, religion, or sex life data appearing in a reported message). We rely on the same safeguarding conditions used for age estimation.
Gender identity. Providing your gender identity is optional. When you set up a dating profile you can select "Prefer not to say", in which case we do not store a gender identity for you, only a marker that you have declined to provide one. You will still be able to use Kuppel: you will appear in results for users who have also chosen "Prefer not to say" in their matching preferences, but not for users who have selected a particular gender. If you do provide a value, we store and process it on the basis of your explicit consent. You can withdraw consent at any time by changing your selection to "Prefer not to say", and we will delete the stored value.
Sexual orientation. Providing your sexual orientation is optional. You can add, change, or remove it from your profile at any time. If you do not share it, the field will not appear on your profile. Today this has no effect on who can find you or whom you can match with: sexual orientation is not used as a matching filter. If we ever introduce optional filters that use this field, we will update this policy first so you can decide whether to share it.
Ethnicity and religious beliefs. Providing your ethnicity and religious beliefs is optional. You can add, change, or remove either at any time. If you do not share these, the fields will not appear on your profile, and they have no effect on who can find you or whom you can match with. Neither field is used as a matching filter. If we ever introduce optional filters that use these fields, we will update this policy first so you can decide whether to share them.
Visibility vs processing. The visibility controls in the app let you hide individual profile fields. Hiding is a display choice: the data is still stored, and for gender identity it is still used to determine who sees you in search results. To stop us processing a special-category field altogether, leave it blank or use "Prefer not to say".
Biometric data: The face encoding we generate during photo verification is biometric data under UK GDPR. We process this on the basis of your explicit consent, obtained before the verification process begins. You can request deletion of your face encoding at any time by contacting us via our support page. When we receive your request, we will delete the encoding entirely. This removes your photo verification badge, and the encoding will no longer be available to us for any purpose, including duplicate-account detection.
3. How we protect your data
We have appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine need to access it.
We also have procedures for handling a suspected data security breach. If a breach is likely to put your rights and freedoms at serious risk, we will tell you without undue delay. If a breach is notifiable to the Information Commissioner's Office (ICO), we will report it within 72 hours of becoming aware of it. The detailed security measures we use are set out below.
- Personal data is encrypted at rest in the database using Fernet symmetric encryption. This includes your email address, name, date of birth, phone number, bio, messages, location coordinates, and sensitive profile fields such as sexual orientation, ethnicity, and religious beliefs. A separate one-way hash is stored for email and phone number to enable account lookup and duplicate detection. These hashes cannot be reversed to obtain the original values.
- All data transmitted between your device and our servers uses HTTPS/TLS encryption.
- Photos are stored in Cloudflare R2 with access restricted to authenticated requests. File paths use randomly generated identifiers to prevent enumeration.
- Passwords are stored using a cryptographic hashing algorithm, never in plain text.
- Login audit logs store a hashed version of your email address, not the plain text.
- Database backups are encrypted before being stored offsite, using a separate encryption key from the application data.
- We use structured logging that excludes direct identifiers such as names, email addresses, phone numbers, dates of birth, IP addresses, and message content.
- Error tracking uses Sentry, configured in Sentry's EU region. Before any data is sent to Sentry, we strip out direct identifiers (names, email addresses, phone numbers, dates of birth, IP addresses) and the contents of requests in flight. Internal account references may still appear in error logs, but on their own they cannot identify anyone without our user database, which Sentry does not have access to.
- The Django admin panel is protected by a randomised URL, two-factor authentication, and brute-force login protection.
- Access to production systems is restricted to a limited set of authorised personnel with a demonstrated operational need.
4. Who we share your data with
We do not sell your personal data to anyone. We do share it with a small set of trusted service providers (sub-processors) who help us run Kuppel, with other Kuppel users through your profile, and in the limited other circumstances set out below.
Service providers (sub-processors)
We only allow those organisations to handle your personal data if we are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on them to ensure they can only use your personal data to provide services to us and to you.
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Cloudflare | Photo storage, CDN, CSAM scanning | Photos, website traffic | Global (EU-inclusive) |
| Zoho | Email hosting (inbound @kuppel.app email) | Inbound email | EU |
| Render | Backend hosting, database | All account data (encrypted at rest) | EU (Frankfurt) |
| Firebase (Google) | Push notifications | Device tokens; generic notification titles and bodies rendered on device lockscreens (containing no personal data); encrypted data payloads delivered to the app containing user first names, short message previews (up to 50 characters), and reference identifiers, used by the app for in-app rendering only | Ireland (data may flow to US) |
| Twilio | Phone number verification (SMS and voice) | Phone number (for SMS/voice delivery) | Ireland (data may flow to US) |
| Sentry | Error tracking | Error logs, request metadata (direct identifiers excluded) | EU |
| Resend | Transactional emails | Email address, email content | US |
| Tremendous | Referral reward payments | Email address and name of reward recipients only | US |
| Google (OAuth) | Sign-in authentication | Email, name (during sign-in only) | Ireland (data may flow to US) |
| Apple (OAuth) | Sign-in authentication | Email, name (first sign-in only) | Ireland (data may flow to US) |
| Anthropic | AI-assisted incident response, operational corrections, and maintenance | Support requests submitted via kuppel.app/support and operational data needed to investigate a specific issue (special category data excluded) | US |
For the full legal entity name, registered address, company number, current data processing agreement reference (or, for identity providers, the governing terms; see below), and the transfer safeguard that applies to each provider, see our Sub-processor list. The Sub-processor list is published with a "Last updated" date so you can see when it was last changed. We will update this privacy policy whenever we add or remove a sub-processor.
Identity provider relationships. Google and Apple OAuth are used only when you choose to sign in with those providers. These relationships differ from traditional data-processor arrangements. They are governed by the providers' standard developer and privacy terms (Apple Developer Programme Licence Agreement; Google's API Services User Data Policy and associated terms) rather than a conventional Data Processing Agreement. The data exchanged is limited to your email and name, received from the provider during sign-in only.
Other users
Your public profile information (including your name, photos, city, bio, and any profile fields you have not hidden) is visible to other Kuppel users through the matching and browsing features. If you are a Single, Matchmakers who are recommending profiles to their friends may also browse your profile and recommend it to their linked Single. Your phone number and email address are never shown to other users. Matchmakers cannot see your private messages with anyone, including messages with people they have introduced you to. They also cannot see your contact details or any fields you have chosen to hide.
Other recipients
We or the third parties mentioned above occasionally also share personal data with:
- our and their external auditors, e.g. in relation to the audit of our or their accounts, in which case the recipient of the information will be bound by confidentiality obligations;
- our and their professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations;
- law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations;
- public authorities, regulators and other bodies exercising official functions, where they make a written request for personal data they need for their public task or official functions and we decide it is necessary and appropriate to disclose it; and
- other parties that have or may acquire control or ownership of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency. Usually, information will be anonymised but this may not always be possible. The recipient of any of your personal data will be bound by confidentiality obligations.
We may share your personal data with law enforcement, public authorities, or regulators where we are required to by law or where we consider disclosure is necessary and appropriate. Where the law permits us to do so, we will notify you before making any such disclosure.
If you would like more information about who we share our data with and why, please contact us (see Section 12, 'Contact us').
5. International data transfers
Countries outside the UK have differing data protection laws, some of which may provide lower levels of protection of privacy.
It is sometimes necessary for us to transfer your personal data to countries outside the UK. In those cases we will comply with applicable UK laws designed to ensure the privacy of your personal data.
Under data protection laws, we can only transfer your personal data to a country outside the UK where:
- the UK government has decided the particular country ensures an adequate level of protection of personal data (known as an 'adequacy regulation'). A list of the countries currently covered by UK adequacy regulations is available on the ICO website. We rely on adequacy regulations for transfers to countries in the EEA;
- there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you; or
- a specific exception applies under relevant UK data protection law.
Where we transfer your personal data outside the UK we do so on the basis of an adequacy regulation or (where this is not available) legally approved standard data protection clauses recognised by the ICO. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time, we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this policy.
Your data is primarily stored in the EU (Frankfurt, Germany) on Render's infrastructure; transfers to the EU rely on the UK's adequacy regulation covering EEA countries. Some of our service providers are based in the United States. When your data is transferred to the US, it is protected by the data processing agreements provided by each service provider, which include the UK's International Data Transfer Agreement (IDTA), or EU Standard Contractual Clauses with the UK Addendum issued by the ICO, depending on the provider. We review our data processing arrangements periodically to ensure appropriate safeguards remain in place.
For the specific transfer safeguard that applies to each provider, see our Sub-processor list.
If you would like further information about data transferred outside the UK, please contact us (see Section 12, 'Contact us').
6. How long we keep your data
We will not keep your personal data for longer than we need it for the purpose for which it is used. Different retention periods apply for different types of personal data. Following the end of the relevant retention period, we will delete or anonymise your personal data.
| Data | Retention period |
|---|---|
| Active account data | For as long as your account is active |
| Inactive accounts (no login for 3 years) | Warning emails sent at 33, 35, and 36 months. Account soft-deleted after 36 months of no login. Permanent deletion 30 days after soft-deletion, per the standard deletion process. |
| Deleted account data | Following a deletion request, your data is erased within 60 days |
| Photos of deleted accounts | Erased within the same window as the deleted account |
| Backup copies of your data | Retained for up to 7 days (daily snapshots) or 28 days (weekly snapshots), after which they automatically expire. Backups are only accessed to restore service, never reprocessed. |
| Messages | Conversation hidden from both users immediately when either party deletes their account. Message data is erased within the same window as the deleted account. |
| Face encoding | Retained while your account is active; deleted with your account |
| Age verification audit logs | Retained for the life of your account. Deleted when your account is permanently deleted, unless preserved under a legal hold (for example, an active regulatory enquiry). |
| Consent-window encoding token (encrypted, signed) | Held on your device for up to 1 hour after the age check; never persisted on Kuppel's servers |
| Records of your acceptance of our Terms of Service, Privacy Policy, and Acceptable Use Policy (at signup and on later re-acceptance) | Retained for the life of your account; deleted when your account is permanently deleted |
| Login audit logs (successful) | 90 days |
| Login audit logs (failed attempts) | 30 days |
| Error logs (Sentry) | 90 days |
| Usage analytics data | Retained indefinitely in pseudonymised form. Becomes irreversibly anonymous when you delete your account (see Section 1, "Usage analytics"). |
| Referral link click data (IP address, device characteristics) | Automatically deleted after 24 hours |
| Suspended account data | 1-year minimum and 5-year maximum from the date of suspension, with annual review in between (retained for legal compliance and to prevent re-registration) |
| Accounts under legal hold (e.g. law enforcement request) | Retained until the hold is lifted, regardless of other retention periods |
7. Your rights
Under UK GDPR, you have the right to:
- Access your personal data. Request a copy of everything we hold about you. See ICO guidance on subject access requests.
- Rectify inaccurate data. Update your profile at any time in the app, or contact us for data we don't expose in the app. See ICO guidance on rectification.
- Delete your data. Delete your account from Settings in the app or via our account deletion page. We process deletion within 30 days. See ICO guidance on erasure.
- Restrict processing. Ask us to limit how we use your data while a complaint is being resolved. See ICO guidance on restriction.
- Data portability. Request your data in a machine-readable format. See ICO guidance on portability.
- Object to processing based on legitimate interest. If you object, we will stop processing unless we have compelling grounds that override your interests. See ICO guidance on objection.
- Withdraw consent. If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time (for example, for photo verification or special category data). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Rights in respect of automated decision-making. Where significant decisions (those which produce a legal or similarly significant effect on you) are made using your personal data and based on solely automated processing with no meaningful human involvement, you have the right to certain safeguards. These include being told about the decision, being able to make representations, obtaining human intervention, and contesting the decision. See ICO guidance on automated decisions. In addition, where significant automated decisions are made using special category personal data, additional rules apply (for example, your explicit consent is generally required). Kuppel uses automated processing in three places: AI-based age estimation during sign-up, automated photo content moderation, and CSAM scanning. We have built in a human-review route for age estimation. See Section 8 for details and how to request a manual review.
To exercise any of these rights, visit our support page and select "Privacy Request". When contacting us please:
- provide enough information to identify yourself (for example, your registered email address and any details that help us locate your account). If we have reasonable doubt about who is making the request, we may ask for additional identity information to verify you before acting; and
- let us know which right(s) you want to exercise and the information to which your request relates.
We will respond as soon as possible. If your request is complex, we may extend the response period, and will inform you if so.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). They may be contacted using the details at ico.org.uk/make-a-complaint or by telephone on 0303 123 1113.
8. Automated decision-making and profiling
Kuppel uses automated systems in the following ways:
Age estimation
During onboarding, an AI model analyses your selfie to estimate whether you are 18 or older. This is a legal requirement under the UK Online Safety Act. If the system estimates you are under 18, your account creation is blocked. You can request a manual review by emailing us with a selfie and photo ID. To start, please contact us via our support page and we will send you instructions. We store the outcome of the check (pass or fail) and an audit record, but we do not store a precise age estimate.
Content moderation
An AI model scans every uploaded photo for nudity and explicit content. Photos classified as inappropriate are rejected automatically. Your account may be suspended if you repeatedly upload content that violates our guidelines. Moderation decisions are logged per photo.
Photo verification and face encoding
When you complete photo verification, our system generates a mathematical representation of your facial features (a "face encoding") from your selfies. This encoding is used to:
- Confirm that your profile photos show you (photos that match receive a "verified" badge)
- Detect whether the same face has been used to verify multiple accounts (to prevent fraud)
The face encoding is stored on your profile for as long as your account is active. It is a numerical array. It cannot be used to reconstruct an image of your face. You can request deletion of your face encoding by contacting support; this will remove your verification badge and any photo badges.
CSAM detection
All photos served through our infrastructure are automatically scanned by Cloudflare against a database of known child sexual abuse material (CSAM) maintained by the National Center for Missing & Exploited Children (NCMEC). NCMEC's database is the global industry standard and is used by UK, US, and international law-enforcement partners. If a match is detected, the content is blocked, the account is suspended, and we report the incident to the Internet Watch Foundation (IWF), the UK's statutory hotline for CSAM. Where a match involves a user based in the United States, we will also report directly to NCMEC as required under US law. Scanning happens at the infrastructure level and is not optional.
If you believe any automated decision about your account or content was made in error, contact us via our support page and we will respond.
9. Children and age restriction
Kuppel is exclusively for users aged 18 and over. We verify age during registration using AI-based estimation and reject anyone estimated to be under 18. If we learn that a user under 18 has created an account, we will delete it immediately and, where required by law, report the matter to the relevant authorities.
For more information about our child safety measures, see our Child Safety Standards page.
10. Cookies and tracking
The Kuppel mobile app does not use cookies. The Kuppel website (kuppel.app) uses only strictly necessary cookies required for the site to function. No analytics cookies, no advertising trackers, and no third-party tracking of any kind. Full details are in our Cookie Policy.
Internal usage analytics
We collect pseudonymised usage data within the app to understand how people use Kuppel and to improve the service. This data is described in detail in Section 1 under "Usage analytics".
Our analytics system is entirely internal. We built it ourselves and all data stays in our own database. We do not use any third-party analytics tools (such as Google Analytics or similar services) and we do not share analytics data with anyone outside Kuppel.
We identify usage patterns using a pseudonymous hash of your account ID, not your name, email, or any other personal information. No session identifiers or device identifiers are stored on your device for analytics purposes.
You have the right to object to this processing. If you do, we will stop collecting analytics data about your account. To exercise this right, visit our support page and select "Privacy Request".
11. Changes to this policy
We may update this policy from time to time. If we make significant changes, we will notify you through the app or by email at least 14 days before the changes take effect. The "last updated" date at the top of this page always shows the current version.
12. Contact us
For any questions about this privacy policy or your personal data, please visit our support page and select "Privacy Request".