Privacy Policy
Last updated: March 17, 2026
Kuppel Ltd ("we", "us", "our") operates the Kuppel mobile application and website. We are the data controller for the personal data we process through the Kuppel mobile application and website.
Kuppel Ltd is a company registered in England and Wales (company number 17073504). Registered office: 10 Shaws Road, Altrincham, WA14 1QU.
ICO registration: C1889958
Contact: Visit our support page
1. What data we collect
Account data you provide
| Data | Why we need it |
|---|---|
| Email address | Account creation, login, password resets, service emails |
| Password | Account authentication (stored as a cryptographic hash, never in plain text) |
| Phone number | Identity verification, preventing duplicate accounts (stored encrypted; a one-way hash is stored separately for duplicate detection) |
| First and last name | Display on your profile |
| Date of birth | Age verification (18+ only) |
Profile data you provide
| Data | Why we need it |
|---|---|
| Photos (up to 6) | Profile display, identity verification, content moderation |
| City and country | Location-based matching. We store city-level latitude and longitude coordinates derived from your selected city — we do not collect GPS coordinates from your device. |
| Gender identity | Profile display and matching preferences |
| Gender preferences (who you're interested in) | Matching preferences |
| Sexual orientation | Profile display (you can hide this from your public profile) |
| Relationship intentions and styles | Matching preferences |
| Bio and icebreaker text | Profile display |
| Languages spoken | Profile display and matching |
| Height | Profile display (you can hide this) |
| Work and job title | Profile display (you can hide these) |
| Education level and university | Profile display (you can hide these) |
| Ethnicity, nationality, religious beliefs | Profile display (you can hide these) |
| Lifestyle choices (children, drinking, smoking, drugs, pets) | Profile display (you can hide these) |
| Interests | Profile display and matching |
Many profile fields are optional. You can choose to hide individual fields from your public profile using the visibility controls in the app. Hidden fields are stored but not shown to other users.
Data generated through your use of Kuppel
| Data | Why we collect it |
|---|---|
| Swipe and match activity | To operate the matching system |
| Messages with matched users | To provide the messaging feature |
| Matchmaker connections and recommendations | To operate the matchmaker and recommendation features |
| Blocked users and contact blocks | To enforce your privacy and safety preferences |
| Referral code and referral relationships | To operate the referral programme and track reward eligibility |
Data we generate about you
| Data | Why we generate it |
|---|---|
| Face encoding (a mathematical representation of your facial features) | Identity verification: confirming your profile photos show you, detecting duplicate accounts, and badging verified photos. See Section 8 for details. |
| Age estimation result | To verify you are 18 or older. We store the result of the check (pass/fail) and an audit log of the check, not a precise age estimate. |
| Content moderation results | Each uploaded photo is scanned for inappropriate content before it is saved. Photos that pass are stored with an "approved" status. Photos that fail are rejected immediately and never saved — only a cumulative rejection count is recorded on your account. |
| Login audit records | We record each login attempt with a hashed email, IP address, user agent, platform, and timestamp. This helps us detect unauthorised access and investigate security incidents. |
Data from third-party sign-in
If you sign in with Google or Apple, we receive your email address and name from those services. We do not receive your Google or Apple password.
Device contacts
If you grant permission, Kuppel can access your phone contacts for two purposes: (1) to let you block specific contacts from finding you on Kuppel, and (2) to help you find friends already on Kuppel and invite those who are not. When you use the contact matching feature, your contacts' phone numbers are sent to our server, compared in real time against hashed phone numbers in our database, and are not stored. We only store a phone number from your contacts permanently when you actively choose to block a contact.
2. How we use your data
We use your data to:
- Provide the service: Create your account, display your profile, match you with other users, enable messaging, and operate the matchmaker system.
- Verify your identity: Check that your photos show the same person (photo verification), detect duplicate accounts using face encoding comparison, and confirm you are 18 or older using AI-based age estimation.
- Protect the community: Enforce our content moderation policies, detect and remove prohibited content (including child sexual abuse material), suspend accounts that violate our terms, and comply with legal obligations related to child safety.
- Communicate with you: Send password resets, match notifications, and service updates. We do not send marketing emails without your consent.
- Operate the referral programme: Track referral relationships, determine reward eligibility, and process reward payments.
- Maintain security: Record login attempts, detect unauthorised access, and investigate security incidents.
- Improve Kuppel: Fix bugs, monitor errors, and understand how people use the app so we can make it better.
Legal bases for processing (UK GDPR)
| Purpose | Legal basis |
|---|---|
| Providing the dating and matchmaker service | Performance of contract (our Terms of Service) |
| Displaying your profile to other users and matchmakers | Performance of contract |
| Photo verification and face encoding for identity confirmation | Explicit consent (obtained during onboarding before verification begins) |
| Face encoding comparison for duplicate account detection | Legitimate interest (platform integrity and fraud prevention) |
| AI-based age estimation | Legal obligation (UK Online Safety Act) and legitimate interest (child safety) |
| Content moderation (NSFW detection) | Legitimate interest (community safety) and legal obligation (UK Online Safety Act) |
| CSAM detection and reporting | Legal obligation (UK Online Safety Act, Protection of Children Act 1978) |
| Service communications (password resets, match notifications) | Performance of contract |
| Login audit logging | Legitimate interest (security and fraud detection) |
| Referral programme | Performance of contract |
| Error tracking and bug fixes | Legitimate interest (service reliability) |
Special category data: Gender identity and sexual orientation are special category data under UK GDPR. We process this data on the basis of your explicit consent, which you provide when you enter this information during profile setup. You can withdraw consent at any time by deleting these fields from your profile or deleting your account.
Biometric data: The face encoding we generate during photo verification is biometric data under UK GDPR. We process this on the basis of your explicit consent, obtained before the verification process begins. You can request deletion of your face encoding by contacting us via our support page; however, this will remove your photo verification badge.
3. How we protect your data
- Personal data is encrypted at rest in the database using Fernet symmetric encryption. This includes your email address, name, date of birth, phone number, bio, messages, location coordinates, and sensitive profile fields such as sexual orientation, ethnicity, and religious beliefs. A separate one-way hash is stored for email and phone number to enable account lookup and duplicate detection — these hashes cannot be reversed to obtain the original values.
- All data transmitted between your device and our servers uses HTTPS/TLS encryption.
- Photos are stored in Cloudflare R2 with access restricted to authenticated requests. File paths use randomly generated identifiers to prevent enumeration.
- Passwords are stored using a cryptographic hashing algorithm, never in plain text.
- Login audit logs store a hashed version of your email address, not the plain text.
- Database backups are encrypted before being stored offsite, using a separate encryption key from the application data.
- We use structured logging that never records personal information such as names, emails, phone numbers, or message content.
- Error tracking (via Sentry) is configured with EU data residency and automatic personal data scrubbing.
- The Django admin panel is protected by a randomised URL, two-factor authentication, and brute-force login protection.
- Access to production systems is restricted to the company director.
4. Who we share your data with
We do not sell your personal data. We share data only with the service providers necessary to operate Kuppel:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Cloudflare | Photo storage, CDN, CSAM scanning, email routing | Photos, website traffic, inbound email | Global (EU-inclusive) |
| Render | Backend hosting, database | All account data (encrypted at rest) | EU (Frankfurt) |
| Firebase (Google) | Phone number verification (SMS), push notifications | Phone number (for SMS delivery), device tokens, notification content | US |
| Sentry | Error tracking | Error logs, request metadata (personal data automatically scrubbed) | EU |
| Resend | Transactional emails | Email address, email content | US |
| Tremendous | Referral reward payments | Email address and name of reward recipients only | US |
| Google (OAuth) | Sign-in authentication | Email, name (during sign-in only) | US |
| Apple (OAuth) | Sign-in authentication | Email, name (first sign-in only) | US |
Other users
Your profile information (name, photos, city, bio, age, and preferences you have not hidden) is visible to other Kuppel users through the matching and browsing features. If you are a single, matchmakers who are helping their friends may also browse your profile and recommend it to their linked single. Your phone number and email address are never shown to other users. Matchmakers cannot see your private messages, contact details, or any fields you have chosen to hide.
Law enforcement
We may disclose data if required by law, court order, or to comply with child safety reporting obligations. Where permitted by law, we will notify you before making such a disclosure.
5. International data transfers
Your data is primarily stored in the EU (Frankfurt, Germany) on Render's infrastructure. However, some of our service providers are based in the United States. When your data is transferred to the US, it is protected by the data processing agreements provided by each service provider, which include Standard Contractual Clauses (SCCs) approved by the European Commission as part of their standard terms.
The US-based services that may process your data are: Firebase (Google), Resend, Tremendous, Google OAuth, and Apple OAuth. We review our data processing arrangements periodically to ensure appropriate safeguards remain in place.
6. How long we keep your data
| Data | Retention period |
|---|---|
| Active account data | For as long as your account is active |
| Deleted account data | 30 days after deletion request, then permanently removed |
| Photos of deleted accounts | Removed from storage within 30 days of account deletion |
| Messages | Retained while both accounts are active; removed when either account is deleted |
| Face encoding | Retained while your account is active; deleted with your account |
| Age verification audit logs | Retained for the life of your account plus 1 year after deletion (for regulatory compliance) |
| Login audit logs (successful) | 90 days |
| Login audit logs (failed attempts) | 30 days |
| Error logs (Sentry) | 90 days |
| Suspended account data | 1 year minimum (for legal compliance and to prevent re-registration), then reviewed |
| Accounts under legal hold (e.g. law enforcement request) | Retained until the hold is lifted, regardless of other retention periods |
7. Your rights
Under UK GDPR, you have the right to:
- Access your personal data — request a copy of everything we hold about you.
- Rectify inaccurate data — update your profile at any time in the app, or contact us for data we don't expose in the app.
- Delete your data — delete your account from Settings in the app or via our account deletion page. We process deletion within 30 days.
- Restrict processing — ask us to limit how we use your data while a complaint is being resolved.
- Data portability — request your data in a machine-readable format.
- Object to processing based on legitimate interest. If you object, we will stop processing unless we have compelling grounds that override your interests.
- Withdraw consent at any time where consent is the legal basis (for example, for photo verification or special category data). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, visit our support page and select "Privacy Request". We will respond within 30 days. If your request is complex, we may extend this by a further two months and will inform you if so.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Automated decision-making and profiling
Kuppel uses automated systems in the following ways:
Age estimation
During onboarding, an AI model analyses your selfie to estimate whether you are 18 or older. This is a legal requirement under the UK Online Safety Act. If the system estimates you are under 18, your account creation is blocked. You can request a manual review by emailing us with a selfie and photo ID. We store the outcome of the check (pass or fail) and an audit record, but we do not store a precise age estimate.
Content moderation
An AI model scans every uploaded photo for nudity and explicit content. Photos classified as inappropriate are rejected automatically. Your account may be suspended if you repeatedly upload content that violates our guidelines. Moderation decisions are logged per photo.
Photo verification and face encoding
When you complete photo verification, our system generates a mathematical representation of your facial features (a "face encoding") from your selfies. This encoding is used to:
- Confirm that your profile photos show you (photos that match receive a "verified" badge)
- Detect whether the same face has been used to verify multiple accounts (to prevent fraud)
The face encoding is stored on your profile for as long as your account is active. It is a numerical array — it cannot be used to reconstruct an image of your face. You can request deletion of your face encoding by contacting support; this will remove your verification badge and any photo badges.
CSAM detection
All photos served through our infrastructure are automatically scanned by Cloudflare against a database of known child sexual abuse material (CSAM) maintained by the National Center for Missing & Exploited Children (NCMEC). If a match is detected, the content is blocked, the account is suspended, and we report to the relevant authorities as required by law. This scanning happens at the infrastructure level and is not optional.
If you believe any automated decision about your account or content was made in error, contact us via our support page and we will manually review your case.
9. Children and age restriction
Kuppel is exclusively for users aged 18 and over. We verify age during registration using AI-based estimation and reject anyone estimated to be under 18. If we learn that a user under 18 has created an account, we will delete it immediately and, where required by law, report the matter to the relevant authorities.
For more information about our child safety measures, see our Child Safety Standards page.
10. Cookies and tracking
The Kuppel mobile app does not use cookies. The Kuppel website (kuppel.app) uses only essential cookies required for the website to function. We do not currently use any analytics or advertising trackers on either the app or the website.
If we add analytics in future, we will update this policy and, where required, ask for your consent before tracking.
11. Changes to this policy
We may update this policy from time to time. If we make significant changes, we will notify you through the app or by email at least 14 days before the changes take effect. The "last updated" date at the top of this page always shows the current version.
12. Contact us
For any questions about this privacy policy or your personal data, please visit our support page and select "Privacy Request".
You can also contact us by email at legal@kuppel.app.
Kuppel Ltd
Company number: 17073504
Registered office: 10 Shaws Road, Altrincham, WA14 1QU
ICO registration: C1889958