Privacy Policy

Last Updated: May 13, 2026

1. Introduction

Welcome to the Privacy Policy of Nutty Face s.r.o. ("GraceMeet", "we", "us", or "our"), a limited liability company (společnost s ručením omezeným) organized under the laws of the Czech Republic, with registered office at Hainemannova 2695/6, Dejvice, 160 00 Prague, Czechia.

This Policy applies to our website (www.gracemeet.com), our mobile application (the "App"), and related services (collectively, the "Service"). It applies to users worldwide, with specific provisions for users in the United States, European Economic Area (EEA), United Kingdom (UK), and other jurisdictions.

GraceMeet is a Christian dating service. We process faith-related information only when you actively enter it during profile creation or later in Settings. The act of entering and saving this information serves as your explicit consent to its processing for faith-based matching.

2. Data We Collect

2.1 Data You Provide to Us

• Account Data: Name, email address, phone number, date of birth, password (hashed), Apple Sign-in user identifier (if you use Apple SSO).
• Profile Data: Photos, gender, height, profession, education, biography, language, city of residence.
• Faith Data (Sensitive / Special Category): Christian denomination (e.g., Catholic, Anglican, Baptist, Orthodox), church attendance frequency, core values, faith preferences. Religious affiliation is "Sensitive Personal Information" under California CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and other US state laws, and "Special Category Data" under Article 9 of the GDPR. These fields are optional. We process them only when you actively enter them through the in-app profile screens. By entering and saving this information, you provide your explicit consent to its processing for faith-based matching. You can edit or remove faith information at any time in Settings.
• Lifestyle Data: Smoking habits, drinking habits, workout frequency, family planning intentions, number of children. Some of this information may be considered Sensitive Personal Information under state laws (notably Washington's My Health My Data Act).
• Personality Data: Myers-Briggs personality type, personality traits, zodiac sign, interests and hobbies. Used by our matching algorithm.
• Sexual Orientation / Matching Preferences: Gender preferences for matches. Sexual orientation context is "Sensitive Personal Information" under US state laws and "Special Category Data" under GDPR.
• Verification Data (Biometric Processing): If you use our optional Selfie Verification feature, AWS Rekognition Face Liveness (US-East-1) analyzes a short video selfie to confirm a live person is present (anti-spoof check). We do not store persistent face geometry vectors; we store only the liveness confidence score and a reference image. See Section 4 for full BIPA-compliant disclosure.
• Identity Verification Photos: If we require additional verification (anti-fraud or two-step), you may upload identity-verification photos which are stored in encrypted Amazon S3 and reviewed by our trust & safety team.
• Communications: Messages, photos, and content you send through the Service. We may use automated tools to detect spam, fraud, harassment, and policy violations. Human review occurs when content is reported, required for safety, or required by law.
• Reports You Submit: If you report another user, we collect the reported user's identifier, the reason you select, and any free-text explanation you provide.
• Subscription/Payment Data: If you purchase Premium, we receive transaction identifiers from Apple (transaction ID, original transaction ID) or Google Play (purchase token, order ID). Payment card details are processed by Apple or Google directly; we do not receive them.

2.2 Data Collected Automatically

• Device Information (collected at sign-up and during use):
  • IP address (collected at sign-up; logged for fraud prevention and ban evasion detection)
  • Device manufacturer, brand, model, hardware specifications, board, bootloader
  • Operating system platform (iOS / Android) and version
  • App software version
  • Device fingerprint (SHA1 hash) — used to prevent ban evasion
  • Apple/Google advertising identifier (IDFA on iOS / Google Advertising ID on Android) — only collected with your explicit consent and (on iOS) ATT authorization
  • Firebase Cloud Messaging push notification token
  • Browser type (when using website)
• Behavioral Data:
  • Swipe history (likes/dislikes) with timestamps
  • Match history and unmatch events
  • Block history (users you have blocked or who have blocked you)
  • Reports submitted (including text reasons)
  • Last active timestamp (online status indicator)
  • Daily swipe count and quota usage
  • Profile visibility and discovery settings
  • Premium subscription status
  • App usage patterns (which screens you visit, time spent, features used) — only with analytics consent via Firebase Analytics
• Geolocation: If you grant permission, we collect precise GPS coordinates to show you users nearby. Coordinates are sent to our backend with each swipe session and stored as a PostGIS geography point. You can revoke location permission at any time in your device settings, but matching functionality requires location.
• Crash Reports: Firebase Crashlytics automatically collects diagnostic data when the App crashes or encounters a non-fatal error. The data sent includes the stack trace, device model, operating system version, app version, time of the crash, IP address (used to derive approximate country only), and the Firebase Installation ID (a pseudonymous identifier that resets when the App is reinstalled). We do NOT link your account user ID to crash data, and we do NOT send your name, profile photos, faith information, profile answers, messages, match preferences, or precise location to Crashlytics. Crash data is processed under legitimate interest (Art. 6(1)(f) GDPR) for service stability, debugging, and security. Retention: 90 days (see Section 8). You may object to this processing as described in Section 9.

2.3 Data from Third Parties

• Apple Sign-In: If you log in via Apple, we receive your Apple user identifier and (if you choose to share) your email and name. Apple may provide a relay email to protect your privacy.
• AWS Pinpoint: When you sign up with a phone number, we use AWS Pinpoint to validate the phone type (mobile vs landline vs VoIP) to prevent fraud.
• Apple App Store / Google Play: When you make purchases, we receive subscription verification data from Apple or Google.
• Marketing Dashboards: We view aggregate, non-personal campaign performance reports in our advertising dashboards (Meta Ads Manager, Google Ads) — for example, total installs attributed to a campaign. These dashboards are operational tools and do not provide us with individual user data back from those platforms.

3. How We Use Your Data & Legal Bases

We use your data based on the following legal bases (GDPR Article 6 / 9):

Legitimate Interests Balancing (EU/UK): Where we rely on legitimate interests (safety, fraud prevention, crash reporting, ban evasion), we have conducted a balancing test weighing our interests against your fundamental rights. You may object to processing based on legitimate interests as described in Section 9.

Withdrawal of Consent: Where we rely on consent (analytics, marketing measurement, location, biometric verification), you may withdraw consent at any time in-app at Settings → Privacy & Tracking. Withdrawal does not affect the lawfulness of processing before withdrawal.

Storage of Your Privacy Choices. Your analytics and marketing-measurement consent choices are stored on our servers linked to your account so they apply consistently across all your devices. When you sign in on a new device or after reinstalling the App, your previous choices are restored automatically without re-prompting you. We retain a record of consent changes (timestamp, source — onboarding or Settings, and platform — iOS or Android) for compliance with GDPR Article 7(1). These records are removed within 30 days of account deletion.

4. Biometric Information Privacy (BIPA / Texas CUBI / Washington)

If you choose to use our optional Selfie Verification feature, we use AWS Rekognition Face Liveness to confirm a live person is present (anti-spoof check) for fraud prevention purposes only.

What happens during verification:

• You record a short video selfie (typically 5-10 seconds)
• AWS Rekognition Face Liveness analyzes the video to confirm a live person is present — it distinguishes a real human from a photo, video replay, or deepfake
• AWS returns a liveness confidence score (numeric value 0-100), which we store with your verification record
• A reference image from the session is stored for fraud review

What we do NOT do:

• We do NOT extract or store persistent face geometry templates or biometric vectors
• We do NOT compare your face against other users, your own profile photos, or any face database
• We do NOT use Selfie Verification for identification beyond confirming a live human at sign-up
• We do NOT use this data for advertising, marketing, profiling, behavioral analysis, or commercial purposes unrelated to fraud prevention

Purpose: Solely for fraud prevention — confirming that the person creating the account is a real, live human (not a fake account, bot, or spoof attempt). If the liveness check fails, the account is blocked from creating profile content.

Storage Location: The reference image from the verification session is stored in encrypted Amazon S3 in US-East-1 (Northern Virginia, USA) at the path verify_selfie_photos/{userId}/{sessionId}/. The liveness confidence score and verification status are stored in our database (US-East-1). AWS Rekognition Face Liveness processes the video frames in US-East-1; AWS does not return persistent face geometry vectors to us.

Disclosure to Third Parties: We do NOT sell, lease, trade, or otherwise profit from biometric-related information. We disclose this information ONLY to:

• Amazon Web Services (our service provider, contractually bound to data protection standards)
• Law enforcement, only pursuant to valid subpoena, court order, or imminent safety emergency

We do NOT share Selfie Verification data with Meta, Google, advertisers, data brokers, or any other third parties.

Retention Schedule (BIPA-compliant): The reference image, liveness score, and verification record are retained until the FIRST of the following:

• You request deletion via email to support@gracemeet.com
• One (1) year from your last interaction with the Service
• Account deletion (all Selfie Verification data permanently destroyed within 30 days)

Written Consent: By tapping "Verify my profile" in the App, you provide your written, informed consent under the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act (CUBI), Washington's biometric privacy law, and equivalent laws — even though we do not store persistent biometric templates, AWS Face Liveness internally analyzes face geometry to perform the liveness check, which is treated as biometric processing under these statutes.

Your Right to Deletion: You may request immediate deletion of Selfie Verification data without affecting your account by emailing support@gracemeet.com with subject "Delete Selfie Verification Data".

5. Automated Decision Making & AI

We use automated systems and AI algorithms in the following ways:

• Matching Algorithm: Suggests potential matches based on your profile, location, denomination, preferences, and shared interests. The algorithm only orders suggestions — you remain free to interact with anyone shown. This does not produce legal effects or significantly affect you.
• Content Moderation: AI classifiers detect prohibited content (nudity, spam, harassment, suspected CSAM matched against NCMEC database, bot patterns). Significant moderation decisions (account ban, removal of content on first appeal) include human review.
• Fraud Detection: Automated systems detect suspicious account activity, payment fraud, and ban evasion. Triggered actions are appealable through human review.
• Liveness Detection: AWS Rekognition AI confirms the selfie video shows a live person (not a static photo or video replay).

EU Users — Article 22 GDPR: You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, except where we obtain your explicit consent or it is necessary for contract performance. You may request human review of any automated decision that significantly affects you (e.g., account ban) by emailing support@gracemeet.com.

EU AI Act Transparency: Per Regulation (EU) 2024/1689 (EU AI Act), we provide transparency about our automated recommendation and content moderation systems described above. Our content moderation includes human oversight for decisions that significantly affect your account. We do NOT use prohibited AI practices such as social scoring, emotion recognition, biometric categorization based on sensitive attributes (beyond face liveness for fraud prevention), or subliminal manipulation.

6. Data Sharing and Service Providers

We do not sell your personal data to data brokers for money. We share data with the following categories of recipients:

6.1 Service Providers (Data Processors)

All service providers are bound by data processing agreements that limit their use of your data to providing services to GraceMeet. They act as our processors and may not use your data for their own purposes (except Meta, which acts as a controller for advertising data with your consent).

6.2 Optional Analytics and Marketing (with your consent)

If you grant consent through our in-app Privacy Choices dialog, we share data with the partners below. Each consent toggle is independent — you can grant analytics without marketing, marketing without analytics, both, or neither.

Meta (Facebook) — Marketing measurement (with marketing consent). When you allow marketing measurement, we share limited app usage and conversion events with Meta to measure how you found GraceMeet and the effectiveness of our advertising campaigns. This includes events such as app installation, app open, sign-up, profile completion, premium screen views and purchases, and match creation. These events are accompanied by your IP address, device model, OS version, app version, and (where you have allowed it through ATT on iOS or AAID consent on Android) your platform advertising identifier.

What we do NOT send to Meta: your name, profile photos, faith information or denomination, profile answers, messages, match preferences, or precise location.

Google (Firebase Analytics) — Usage analytics (with analytics consent). When you allow analytics, we share app usage data with Google (Firebase Analytics) to understand how the App is used, identify issues, and improve the experience. This includes lifecycle events (such as first open, session start, screen views, app removal), conversion events (such as sign-up, profile completion, premium activity, and match creation), and in-app purchase events from platform billing. These events are accompanied by a pseudonymous Firebase app instance ID, device model, OS version, app version, country (derived from IP), and language.

To enable attribution and cohort analysis, we also link a pseudonymous user identifier (your internal GraceMeet account ID) to your Firebase Analytics data. This identifier is internal to GraceMeet — it is not your name, email, phone number, or any other directly identifying information. When you delete your account or withdraw analytics consent, we remove this link and reset analytics data in the App; residual data held by Google is purged according to Google's retention policy (typically 14 months).

What we do NOT send to Google: your name, profile photos, faith information or denomination, profile answers, messages, match preferences, precise location, or message content.

Independently of analytics consent, a Firebase App Check token-fetch failure event may be logged for security and anti-fraud purposes (legitimate interest under GDPR Article 6(1)(f)).

6.3 Law Enforcement and Legal Compliance

We may disclose data when required by law:

• NCMEC CyberTipline (USA): Per 18 U.S.C. § 2258A, we are required to report apparent child sexual abuse material (CSAM) to the National Center for Missing & Exploited Children (NCMEC). We preserve content and associated user data, report to NCMEC, and cooperate with law enforcement.
• FOSTA-SESTA (USA): We report trafficking-related content to relevant authorities.
• EU DSA Article 18: We notify EU law enforcement of serious crimes threatening life or safety.
• Subpoenas, court orders, and lawful requests: We disclose data when compelled by valid legal process.
• Imminent safety emergencies: We may disclose data to prevent imminent physical harm.

6.4 Corporate Transactions

In the event of a merger, acquisition, sale of assets, bankruptcy, or similar transaction, your data may be transferred to the successor entity, subject to this Privacy Policy.

7. Data Storage and International Transfers

GraceMeet's primary infrastructure operates in the United States (AWS US-East-1, Northern Virginia). While Nutty Face s.r.o. is incorporated in the Czech Republic, our backend services and data storage are primarily located in the United States.

If you access the Service from outside the United States, your information will be transferred to and processed in the United States.

7.1 Transfer Mechanisms (EU/UK to US)

For EU/EEA/UK personal data transferred to the United States, we rely on:

7.2 Schrems II Safeguards

Beyond SCCs, we implement supplementary measures including:

• Encryption in transit (TLS 1.2+) and at rest
• Access logging and minimization
• Pseudonymization where technically feasible
• Vendor commitments to challenge unlawful US government access requests
• Transfer Impact Assessments conducted for each US transfer

You may request a copy of our Transfer Impact Assessments by contacting support@gracemeet.com.

8. Data Retention Schedule

We retain personal data only as long as necessary for the purposes described in this Policy and as permitted by applicable law:

Account Deletion: Once you confirm account deletion in the App, your account is immediately deactivated. The following data is deleted within 30 days: profile, photos, matches, messages, biometric data, location, device tokens, registration details, premium subscription records. The exceptions above (banned identifiers, IP logs for fraud prevention, payment/tax records, safety reports) apply per their listed retention periods.

9. Your Rights (Global Baseline)

Subject to applicable law, you have the following rights regardless of your location:

• Access: Request a copy of your personal data
• Correction: Correct inaccurate data
• Deletion: Request deletion of your account and data
• Portability: Receive your data in a machine-readable format
• Withdrawal of Consent: Withdraw consent for processing based on consent
• Object/Restrict: Object to processing based on legitimate interests
• Complain: File a complaint with your supervisory authority (see Section 11.4 for EU/UK; Section 10 for U.S. residents)

To exercise these rights, contact support@gracemeet.com or use in-app controls at Settings → Privacy. We respond within 30 days (extendable to 90 days for complex requests, with notification).

10. U.S. Privacy Rights and Disclosures

This section describes the privacy rights and disclosures that apply to U.S. residents. Where a specific U.S. federal or state law applies to GraceMeet, we comply. We extend additional rights to U.S. residents on a good-faith basis where they are not strictly mandatory.

10.1 Universal Rights for U.S. Users

Regardless of your state of residence, we offer the following rights:

• Right to Access: Request a copy of the personal information we hold about you.
• Right to Correct: Correct inaccurate or outdated information.
• Right to Delete: Request deletion of your account and associated data.
• Right to Withdraw Consent: Withdraw consent for analytics and marketing data sharing in our in-app Privacy Choices (Settings → Privacy & Tracking) at any time.

To exercise these rights, contact support@gracemeet.com with a clear subject line (e.g., "Access Request" or "Delete My Data"). We respond within applicable legal timelines (typically 45 days, extendable once with notification).

10.2 California Disclosures (CalOPPA / CCPA)

If you are a California resident, the following disclosures apply pursuant to the California Online Privacy Protection Act (CalOPPA) and, where applicable, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA):

Categories of Personal Information Collected. The categories we collect from California residents are described in Section 2 of this Policy.

Sensitive Personal Information. We process the following categories that may be considered "Sensitive Personal Information" under California law:

• Religious or philosophical beliefs (Christian denomination and related faith data)
• Sexual orientation context (gender preferences for matching)
• Precise geolocation (GPS coordinates)
• Biometric information (face geometry, when you use Selfie Verification)
• Health-adjacent information (smoking, drinking habits, family planning)

We use this Sensitive Personal Information solely to provide the Service (faith-based matching and verification). We do NOT use it for inferring characteristics about you beyond matching, cross-context behavioral advertising, profiling for unrelated commercial purposes, or sale to third parties.

Sale and Sharing. GraceMeet does not "sell" personal information for monetary consideration. Our limited app-event sharing with Meta (Facebook) for advertising attribution — described in Section 6.2 — may be considered "sharing" under California law. To opt out, withdraw marketing consent in our in-app Privacy Choices (Settings → Privacy & Tracking) or email support@gracemeet.com with subject "Do Not Sell or Share My Info".

Global Privacy Control (GPC). Where legally required and technically applicable, we honor opt-out preference signals such as the Global Privacy Control. GPC is primarily a web-browser signal; for our mobile App, the equivalent opt-out is the in-app Privacy Choices toggle.

CCPA/CPRA Applicability Note. GraceMeet may not yet meet the revenue and data-volume thresholds to be a "covered business" under CCPA/CPRA. Where the law applies to us, we comply. We extend the rights in Section 10.1 to California residents on a good-faith basis regardless of strict applicability.

10.3 Texas Privacy Rights (TDPSA)

The Texas Data Privacy and Security Act (TDPSA) may apply to GraceMeet depending on our size, activities, and whether we process or sell covered data. The TDPSA contains a small-business exemption (per the U.S. Small Business Administration definition) with a specific carve-out: small businesses must still obtain consumer consent before selling sensitive personal data.

We do not sell sensitive personal data. We extend the following Texas privacy rights to Texas residents on a good-faith basis:

• Confirm and access the personal data we process about you
• Correct inaccuracies
• Delete your data
• Portability — receive a copy in a portable, machine-readable format
• Opt out of:
  • Targeted advertising
  • Sale of personal data
  • Profiling in furtherance of decisions that produce legal or similarly significant effects
• Sensitive Data: we obtain consent before processing sensitive data (religion, biometric, etc.) where required; withdrawing marketing consent in our in-app Privacy Choices stops sensitive data sharing with Meta

To exercise these rights, email support@gracemeet.com. We respond within 45 days. You may appeal a denied request; if we deny the appeal, you may contact the Texas Attorney General.

10.4 Washington Consumer Health Data (MHMDA)

Washington's My Health My Data Act treats certain data as "Consumer Health Data," including data revealing reproductive or sexual health information, gender-affirming care information, and precise geolocation that could indicate health-related visits. If you are a Washington resident:

• We obtain your opt-in consent before collecting or sharing Consumer Health Data — provided through active profile entry and the in-app Privacy Choices dialog
• You have the right to withdraw consent at any time via Settings → Privacy & Tracking
• You have the right to delete this data and have it deleted from any third parties to whom we shared it
• We do NOT use geofencing around healthcare facilities
• We do NOT sell Consumer Health Data
• You may file a complaint with the Washington Attorney General: atg.wa.gov

10.5 How to Exercise Your Rights

You may submit a request to exercise your privacy rights by:

• In-App: Settings → Privacy
• Email: support@gracemeet.com (use a clear subject line)
• Web: gracemeet.com/delete_account.html

We may need to verify your identity before fulfilling your request. We respond within applicable legal timelines (typically 45 days, extendable once with notification).

10.6 Authorized Agents (California)

California residents may use an authorized agent to submit requests on their behalf. We may require proof that the agent is authorized and may also require you to verify your identity directly with us.

10.7 Non-Discrimination

We will not discriminate against you for exercising your privacy rights. Note that certain features of the Service may not be available if you delete your account or withdraw consent for processing necessary to provide the Service.

10.8 Appeals

If we deny your privacy request, you may appeal by emailing support@gracemeet.com with subject line "Privacy Appeal". Where state law provides further appeal rights (e.g., to the Texas Attorney General), we will inform you of those rights in our denial response.

11. EU/EEA/UK GDPR Notice

11.1 Identity of Controller

Controller: Nutty Face s.r.o.
Registered office: Hainemannova 2695/6, Dejvice, 160 00 Prague, Czechia
Company ID (IČO): 03169901
Tax ID (DIČ): CZ03169901
Contact: support@gracemeet.com
Privacy contact: support@gracemeet.com

11.2 Data Protection Officer / Privacy Contact

While not strictly required for our scale under GDPR Article 37, given that we process Special Category Data (religious affiliation, sexual orientation, biometric data) systematically as a core service feature, we have designated a Privacy Contact:

Email: support@gracemeet.com

11.3 Lead Supervisory Authority

As Nutty Face s.r.o. is established in the Czech Republic, our lead supervisory authority for cross-border processing is:

Úřad pro ochranu osobních údajů (ÚOOÚ)
Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
Phone: +420 234 665 111
Email: posta@uoou.cz
Web: uoou.gov.cz

11.4 Right to Lodge a Complaint

You may lodge a complaint with the supervisory authority in your EEA/UK country of residence, place of work, or where an alleged infringement occurred:

• Czech Republic: Úřad pro ochranu osobních údajů (uoou.gov.cz)
• Slovakia: Úrad na ochranu osobných údajov SR (dataprotection.gov.sk)
• Germany: BfDI (bfdi.bund.de) plus state DPAs
• France: CNIL (cnil.fr)
• Italy: Garante per la Protezione dei Dati Personali (garanteprivacy.it)
• Spain: Agencia Española de Protección de Datos (aepd.es)
• Netherlands: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl)
• Poland: UODO (uodo.gov.pl)
• UK: Information Commissioner's Office (ico.org.uk)
• Other EEA: See EDPB Members list

11.5 Right to Object to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. See Section 5 for details. Request human review at support@gracemeet.com.

11.6 Right to Withdraw Consent

For processing based on consent (Art. 6(1)(a)) or explicit consent (Art. 9(2)(a)), you may withdraw consent at any time:

• In-app: Settings → Privacy & Tracking
• Email: support@gracemeet.com

Withdrawal does not affect the lawfulness of processing before withdrawal.

12. EU Digital Services Act (DSA) Compliance

12.1 Single Point of Contact (Article 11) and SME Status

Our single point of contact for EU users and authorities:

Email: support@gracemeet.com
Languages: English

SME Status (DSA Article 19). GraceMeet currently qualifies as a micro/small enterprise within the meaning of Recommendation 2003/361/EC. Pursuant to DSA Article 19, certain online-platform-specific obligations (Articles 20-24 — internal complaint-handling system, out-of-court dispute settlement, trusted flaggers, measures against misuse, and additional transparency reporting for online platforms) do not apply to us. We comply with all other DSA obligations applicable to our service, and we will adopt the additional Article 20-24 obligations if our scale ever exceeds the SME threshold.

12.2 Notice and Action Mechanism (Article 16)

Anyone (user or non-user) may report illegal content via:

• In-app: tap the report button on any profile, photo, or message
• Email: support@gracemeet.com

When you submit a notice, we will:

• Acknowledge receipt without undue delay
• Review the report in a timely, diligent, non-arbitrary, and objective manner
• Provide a Statement of Reasons (see Section 12.3) for any moderation decision affecting the reported content or user

12.3 Statement of Reasons (Article 17)

When we restrict your account, remove or demote your content, suspend access, or terminate your account, we will provide a statement of reasons including:

• The decision taken and its territorial scope
• Facts and circumstances relied upon
• Whether automated means were used in the decision
• The legal or contractual ground for the decision
• Information about how to contact us regarding the decision

12.4 Reporting of Suspicions of Criminal Offences (Article 18)

If we become aware of information giving rise to a suspicion of a criminal offence involving a threat to the life or safety of a person, we will report it to the relevant law enforcement authority (Police of the Czech Republic for cases involving Czech jurisdiction, or the relevant Member State authority). For suspected child sexual abuse material (CSAM), we additionally report to the U.S. National Center for Missing & Exploited Children (NCMEC) per 18 U.S.C. § 2258A.

12.5 Transparency Information (Article 15)

As required under DSA Article 15, we publish information about our content-moderation activities periodically, scaled to our size as a micro/small enterprise. Current information is available at gracemeet.com/transparency.

12.6 Online Interface Design (Article 25)

Our user interface does not deceive or manipulate users into making decisions against their interests. We do not employ "dark patterns" in our consent flows or subscription cancellation processes.

12.7 Recommender Systems (Article 27)

Our matching algorithm uses the following main parameters:

• Geographic distance between you and other users
• Age preferences you set
• Religious denomination (with your consent)
• Mutual interests, core values, and shared lifestyle preferences
• Activity recency (recently active users prioritized)

You can adjust these by modifying your profile and search preferences in-app.

12.8 Advertising Transparency (Article 26)

GraceMeet does NOT display third-party advertising within the App. We may run our own advertising campaigns on external platforms (Meta, Google) using a limited set of app events shared with your consent (see Section 6.2).

12.9 Protection of Minors (Article 28)

GraceMeet is restricted to users 18 years and older. We do not knowingly process personal data of minors. We do not display advertising based on profiling using personal data of minors. See Section 15 for our adult-only policy and age-verification methods.

13. Cookies and SDKs (ePrivacy)

For users in the EEA and UK, we comply with the ePrivacy Directive (2002/58/EC) as implemented in your country.

13.1 Strictly Necessary (no consent required)

• Authentication tokens (Firebase Auth, AWS Cognito, session tokens)
• Session management
• Security (Firebase App Check, anti-abuse signals)
• Real-time messaging (Firebase Realtime Database)
• Push notifications (Firebase Cloud Messaging)
• Crash reporting (Firebase Crashlytics — legitimate interest)
• Feature flags (Firebase Remote Config)

13.2 Optional (explicit consent required)

• Firebase Analytics (Google) — usage analytics
• Meta SDK (Facebook) — advertising measurement
• Advertising identifier collection (IDFA on iOS / Google Advertising ID on Android)

Default state: All optional SDKs are disabled by default. They activate only after you provide explicit consent through our in-app "Your Privacy Choices" dialog.

Withdrawal: Withdraw consent in-app at Settings → Privacy & Tracking.

15. Adult-Only Service (18+) and Children's Privacy

Service Restriction: GraceMeet is an 18+ adult-only service. We do not knowingly:

• Collect personal information from anyone under 18
• Allow account creation by users under 18
• Permit users under 18 to use any feature of the Service

Age Verification Methods:

• Platform age signals (Apple DeclaredAgeRange / Google Play Age Signals): Where available, we request a platform-provided age signal — Apple's DeclaredAgeRange API on iOS 17+ or Google Play Age Signals on Android — to confirm you are 18 or older. If the signal indicates an adult, you proceed; if it indicates underage, sign-up is blocked. If you decline to share, the signal is unavailable, or your platform does not support it, we fall back to manual age affirmation.
• Date of birth: You enter and affirm your date of birth during sign-up. Users who indicate they are under 18 are blocked from creating an account.
• Manual age affirmation: All users explicitly confirm they are 18 or older as part of the sign-up flow.
• Phone verification: SMS-based phone verification helps reduce fake and bot accounts (does not directly verify age).
• Selfie liveness (optional): If you choose Selfie Verification, AWS Rekognition confirms you are a live person rather than a deepfake or static photo. This is a fraud-prevention measure, not a primary age check.

We do not currently require government-issued ID verification. Where additional age verification measures become legally required for our Service, we will update this Policy and our methods accordingly.

If a Child Has Provided Data: If we learn that a person under 18 has created an account or provided personal information, we will:

• Immediately suspend the account
• Delete all personal information within 30 days
• Cooperate with law enforcement as required

Report suspected underage users at support@gracemeet.com.

Federal COPPA Notice: We comply with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501-6506). We do not knowingly collect information from anyone under 13.

California Age-Appropriate Design Code: While GraceMeet is restricted to 18+, we have implemented data minimization and age verification consistent with California AADC principles.

EU/UK Children's Protection: We comply with GDPR Article 8 and UK Age Appropriate Design Code regarding data of minors.

16. Member Safety and Background Information

No Background Checks: GraceMeet does NOT conduct criminal background checks on users. You are responsible for assessing the trustworthiness of people you interact with.

Sex Offender Registry Representation: Users represent that they are not required to register as sex offenders (per Terms Section 2). However, we do not independently verify this representation.

Anti-Catfishing Measures: To prevent fake profiles and impersonation, we implement:

• Phone verification for all accounts
• Optional selfie verification with face liveness check (AWS Rekognition)
• AI detection of stolen profile photos (where applicable)
• User reporting tools for suspected catfishing
• Block and report tooling

We may share data with law enforcement investigating impersonation, fraud, romance scams, or trafficking.

Safety Resources:

• In-app: Settings → Safety Center
• USA: National Domestic Violence Hotline 1-800-799-7233; National Human Trafficking Hotline 1-888-373-7888
• EU: 116 006 victim support (most EU countries)
• Czech Republic: 116 006 (Pomoc obětem trestných činů)
• Slovakia: 0907 706 060 (Linka pre ženy)

17. Security

We implement administrative, technical, and physical security measures to protect your data, including:

• TLS 1.2+ encryption for data in transit
• Encryption at rest for sensitive data (S3, database)
• Access controls and authentication (Firebase App Check, multi-factor for staff)
• Logging and monitoring of access to personal data
• Regular security reviews and penetration testing
• Vendor security assessments for service providers

However, no transmission over the internet is 100% secure. If we become aware of a security breach affecting your personal data, we will notify you and relevant authorities as required by law (e.g., GDPR 72-hour notification).

18. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via:

• In-app notification
• Email to your registered email address
• Updated "Last Updated" date at the top of this Policy

Continued use of the Service after material changes constitutes acceptance of the updated Policy. If you do not agree to changes, you should delete your account.

19. Contact Us

Data Controller: Nutty Face s.r.o.

Address: Hainemannova 2695/6, Dejvice, 160 00 Prague, Czechia

Company ID (IČO): 03169901

Tax ID (DIČ): CZ03169901

General Support: support@gracemeet.com

Privacy Requests: support@gracemeet.com

Privacy Officer / Data Protection Contact: support@gracemeet.com

EU DSA Single Point of Contact: support@gracemeet.com

Legal Notices (DMCA, court orders): support@gracemeet.com

Moderation Appeals: support@gracemeet.com

Safety Reports (underage users, abuse): support@gracemeet.com