Privacy Policy
Effective: 10.07.2026
1. Data controller
Controller under GDPR is OM OceanMedia Ltd, Oum Charam, Pelagos Court, Office 01, 6027 Larnaca, Cyprus, represented by Till Parniewski. Contact: om.oceanmedia.ltd@googlemail.com.
2. What data we process
On registration
- Email address
- Password (stored hashed)
- First name / display name
- Date of birth (age verification)
- Gender and match preference
On profile completion
- Photos (stored on our servers)
- Self-description (bio, job, hobby, favourite drink, favourite dish)
- Island and town (free text)
- Spoken languages
- App language
During app use
- Likes, passes, matches
- Chat messages (text, image, audio)
- Event registrations and attendance history
- Attendance rate
- Optional: push notification token (OneSignal)
- Server logs (IP, user agent, requested pages) — up to 30 days
On payment
- Stripe handles payment data. We only store the Stripe customer ID and subscription status — no credit card data directly.
When using AI features
- Photo enhancement: your photo is sent to Replicate/Black Forest Labs (USA).
- Text improvement and chat suggestions: your draft and the conversation context are sent to Anthropic (USA).
- Profile translation: your profile text is sent to DeepL (Germany).
- These providers contractually may not use the data for their own training.
3. Purposes and legal bases
- Providing the service (matching, chat, events) — Art. 6(1)(b) GDPR (contract)
- Security and abuse prevention — Art. 6(1)(f) GDPR (legitimate interest)
- Push notifications — Art. 6(1)(a) GDPR (consent, revocable at any time)
- AI processing — Art. 6(1)(b) GDPR (contract fulfilment on active request)
- Legal obligations (e.g. bookkeeping) — Art. 6(1)(c) GDPR
4. Recipients (processors)
- Supabase Inc. (USA) — database, auth, file storage
- Vercel Inc. (USA) — hosting, edge network
- Stripe Payments Europe Ltd (Ireland) — payment processing
- OneSignal Inc. (USA) — push notifications (only with consent)
- Anthropic PBC (USA) — text AI
- Replicate Inc. and Black Forest Labs GmbH — image AI
- DeepL SE (Germany) — translations
- Email sender Resend / other SMTP provider
Data processing agreements under Art. 28 GDPR exist or will be signed before launch. For US transfers we rely, where possible, on the EU-US Data Privacy Framework or Standard Contractual Clauses.
5. Storage duration
We store your data as long as your account is active. On cancellation we delete personal data within 30 days, unless legally required to retain (e.g. tax records 10 years). Chat messages are deleted on account deletion — the chat partner then only sees „user deleted".
6. Your rights
You have the right to:
- Access data stored about you (Art. 15)
- Rectification of incorrect data (Art. 16)
- Erasure of your data (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent with effect for the future
Requests can be sent to om.oceanmedia.ltd@googlemail.com. You also have the right to complain to a data protection supervisory authority.
7. Cookies and local storage
We use only technically necessary cookies (session cookie for login). No tracking, no advertising cookies. Browser local storage is used to remember which intro screens you've seen and your app language.
8. Security
We use HTTPS encryption. Passwords are stored hashed. Data is protected via Supabase Row-Level Security based on user roles.
9. Changes to this policy
We update this policy when new features are added or legal bases change. Material changes are communicated in the app.