Privacy Policy
Last updated: 2026-06-13
This Privacy Policy explains how Aphrodite (“Aphrodite,” “we,” “us,” or “our”) collects, uses, shares, and protects personal data when you visit, register, or use our websites, applications, and services (collectively, the “Services”). By accessing or using the Services, you acknowledge that you have read this Policy. If you do not agree, do not use the Services.
We provide an adult-only social platform for couples and singles that includes profiles, messaging, community groups, events, location-based discovery, and account verification. Because of the nature of the platform, some of the data we process is sensitive (see “Sensitive Data” below) and we treat it accordingly: we minimise what we collect, restrict who can access it, and delete it when it is no longer needed.
1. Controller and Contact
The data controller is Aphrodite S.L. [TO BE COMPLETED BY LEGAL: confirm exact registered name and company form], [TO BE COMPLETED BY LEGAL: registered street address], 29006 Málaga, Spain. You can reach us on any privacy matter, including to exercise your rights, at aphrodite@aphrodite.is. Our Data Protection Officer can be reached at jon@aphrodite.is.
The controller is established in Spain (EU); our lead supervisory authority is the Spanish Data Protection Agency (AEPD), so no EU Article 27 representative is required. Because we also offer the Services to users in the United Kingdom, our UK GDPR Article 27 representative is [TO BE COMPLETED BY LEGAL: UK representative name, address, and contact]. [Legal to confirm entity incorporation/establishment and DPO appointment.]
2. Information We Collect
- Account & profile data: name, nickname, date of birth, gender, email, phone, and profile content you add. Couple profiles may have a login and details for each partner.
- Verification data: to verify your account you provide a live selfie holding a passport or national ID, plus the details on it. See retention in §6 — we delete the ID image once verification is complete.
- Location data: your address and approximate coordinates, used for discovery and activity features.
- Messages: direct messages are end-to-end encrypted; we cannot read their content. We process only the metadata needed to deliver them, plus anything you explicitly submit through reporting/SOS.
- Payments & transactions: subscription tier and billing status (via Stripe), and records of tickets, orders, and venue charges.
- Technical data: device identifiers, push tokens, and—when an administrator performs an action—the request IP address for security auditing.
3. Sensitive Data
Given the nature of the Services, your profile and activity may reveal data concerning your sex life or sexual orientation, which is a special category of personal data under the GDPR. We process this data only with your explicit consent, which you give during registration and can withdraw at any time by editing or deleting your profile or account.
4. How We Use Information and Legal Bases
- Provide the Services (accounts, profiles, messaging, discovery) — performance of our contract with you; explicit consent for sensitive data.
- Verify accounts — our legitimate interest and legal obligations in keeping the platform adults-only and safe.
- Safety, moderation, fraud and abuse prevention — legitimate interests.
- Payments and tax/accounting records — performance of contract and compliance with legal obligations.
- Service emails — contract; marketing/sign-up follow-up emails — consent.
5. Sharing and Sub-processors
We do not sell personal data. We share data only as needed to run the Services:
- Google (Firebase / Google Cloud Platform) — hosting, database, file storage, authentication, and push messaging (FCM). Our primary data region is the EU (europe-west4).
- Google Maps Platform — geocoding of addresses and map display for location-based discovery; relevant location/address data is sent to Google for this purpose.
- Google reCAPTCHA Enterprise — bot, fraud, and abuse prevention; processes device, network (including IP address), and interaction signals.
- Stripe — payment processing, subscription billing, and partner payouts (Stripe Connect).
- Resend — delivery of transactional account and notification emails.
- Legal/regulatory authorities — where required by law or to protect rights and safety.
- Other users — to the extent you choose to share information through your profile or interactions.
A current list of sub-processors and their roles is maintained on our sub-processors page.
6. Data Retention
We keep personal data only as long as needed for the purpose it was collected:
- Identity/passport images: deleted as soon as verification is approved or rejected — we keep only the fact that you were verified, not the image.
- Verification records: identifying details are removed within 90 days of the decision; only a minimal audit record remains.
- Incomplete sign-ups: if you started registering and gave consent, your email is kept up to 90 days, then deleted. Completed sign-up funnel records are kept up to 30 days.
- Administrator security/audit logs (including IP): up to 12 months.
- Payment and transaction records: retained for the period required by tax and accounting law (up to ~7 years). After you delete your account these are kept without your identifying details, then deleted.
- Account data: erased promptly when you delete your account (see §7); we keep only a minimal record that the account was deleted.
7. Your Rights and How to Exercise Them
You can view and edit most data in your account settings. You can delete your account at any time from Account settings; this permanently erases your profile, verification data and ID images, photos, and messaging keys (payment records are retained as described in §6).
Depending on where you live, you also have rights to access, correct, delete, restrict, object to, or port your data, and to withdraw consent. EU/UK users may lodge a complaint with their supervisory authority; California and other US-state residents have rights under applicable state laws (including access and deletion, and the right not to be discriminated against for exercising them). To make a request, contact aphrodite@aphrodite.is. We respond within the timeframe required by applicable law — generally within one month (EU/UK GDPR) or 45 days (California), and we will tell you if we need an extension permitted by law. You may also request a copy of your data in a portable format.
8. Security
We apply administrative, technical, and organisational safeguards, including access controls scoped to the account owner and administrators, encrypted direct messages (we cannot decrypt live chats; moderation access occurs only when a participant explicitly submits content through reporting/SOS), and identity documents restricted to the account owner and administrators and deleted after verification. No system is perfectly secure, but we continuously evaluate and improve our protections.
9. International Transfers
Our primary data region is the EU (europe-west4). Some providers process data in the United States — including Stripe, Resend, and Google services such as Maps Platform and reCAPTCHA Enterprise. Where data leaves the EU/UK, transfers are covered by appropriate safeguards, namely the EU Standard Contractual Clauses (and the UK International Data Transfer Addendum) and, where applicable, certification under the EU–US Data Privacy Framework and its UK Extension. [Legal to confirm the exact mechanism on file for each provider and keep this list current.]
10. Cookies and Tracking
We use cookies and similar technologies for authentication, security, functionality, analytics, and marketing. Strictly necessary cookies (for example, your sign-in session and bot protection) are always active because the Services cannot work without them. Optional analytics and marketing cookies are used only with your consent, which you give and can withdraw at any time through the cookie banner. For a full list of the cookies and technologies we use, their purposes, and durations, see our Cookie Policy.
11. Adult-Only Services
The Services are restricted to adults aged 21 and over. We do not knowingly collect data from anyone under this age, and we do not knowingly collect data from children (and in particular comply with COPPA in the United States, which protects children under 13). If you believe a minor has provided data, contact us at aphrodite@aphrodite.is and we will take appropriate action. See also our Child Safety Standards.
12. Changes to This Policy
We may update this Policy to reflect changes in our practices or the law. Updates are posted here and the “Last updated” date is revised accordingly.