Privacy Policy

1. Introduction & Scope

PickPlanDate (“PPD,” “we,” “us,” or “our”) operates the PickPlanDate application and website (collectively, the “Service”). This Privacy Policy describes how we collect, use, share, retain, and protect personal information when you use the Service.

This Policy applies to all users worldwide. Where local law grants additional rights—such as the General Data Protection Regulation (“GDPR”) in the European Economic Area (“EEA”) or the California Consumer Privacy Act (“CCPA”) in California—those rights apply in addition to the baseline rights described here.

2. Information We Collect

• Identity & Account: Name, email address, date of birth, gender identity, phone number (for verification), and authentication credentials.
• Profile: Photos, bio, approximate location (city or neighborhood), occupation, education, lifestyle preferences, relationship goals, and answers to questionnaire prompts. Optional fields such as sexual orientation are provided at your discretion.
• Location: Approximate location at city or neighborhood level, used to surface relevant matches. We do not continuously track your precise GPS coordinates.
• Communications: Messages and interactions you have with other users on the platform; reports you submit about other users.
• Payment: The Service is currently free to use. If and when paid features are offered and you make a purchase, payment information is processed by a third-party payment processor. We store only a payment token provided by that processor—not full card numbers, CVVs, or bank account details.
• Device & Usage: IP address, device type and model, operating system, browser type, session duration, features used, and interaction events. This data is collected via our analytics provider (PostHog) and is pseudonymized.
• Third-Party Sign-In: If you authenticate via Google or Apple, we receive limited profile data (name, email, profile photo) from that provider, subject to your privacy settings with that provider.
• Cookies & Tracking:See Section 11 (Cookies & Tracking) for details.

3. How We Use Information

We use your information to:

• Provide the Service and suggest potential matches based on your preferences and profile;
• Authenticate your identity and maintain your account;
• Communicate with you regarding your account, matches, and planned dates;
• Detect and prevent fraud, abuse, harassment, and unauthorized access;
• Comply with applicable law and respond to lawful legal requests;
• Analyze aggregate usage patterns to improve and develop the Service;
• Send promotional communications, only if you have opted in; and
• Enforce our Terms of Service and Community Guidelines.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area or United Kingdom, we process personal data under the following legal bases:

• Contract: Processing necessary to perform the Service you requested (e.g., account creation, matching, messaging).
• Consent: Processing based on your explicit consent (e.g., marketing emails, optional sensitive profile fields).
• Legitimate Interests: Processing for our legitimate business interests where those interests are not overridden by your rights (e.g., fraud prevention, platform security, analytics).
• Legal Obligation: Processing necessary to comply with a legal obligation.

5. How We Share Information

• Other Users: Your profile is visible to other users according to your visibility settings. Messages are visible only to the intended recipient(s).
• Service Providers: We share data with vetted third-party service providers (cloud hosting, email delivery, payment processing, analytics, push notifications) under data processing agreements that restrict them from using your data for their own independent purposes.
• Business Transfers: In the event of a merger, acquisition, or sale of substantially all assets, your data may be transferred to the successor entity. We will notify you via email or a prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy.
• Law Enforcement & Legal Process: We may disclose data when required by law, court order, subpoena, or government request, or when we reasonably believe disclosure is necessary to protect the safety of any person, prevent fraud, or enforce our Terms.

We do not sell your personal data to third parties.

6. Third-Party Service Categories

• Cloud Infrastructure: DigitalOcean (primary hosting); Vercel (deployment).
• Analytics: PostHog — pseudonymized usage analytics; you may opt out in Settings → Privacy.
• Payment Processing: If paid features are enabled, a PCI-compliant third-party payment processor; we store only a payment token, never full card details. Any processor we engage will be governed by its own privacy policy, which we will identify here at that time.
• Authentication: Google OAuth; Apple Sign In — governed by their respective privacy policies.
• Mapping: Google Maps Platform — venue search in plan proposals; governed by Google’s Privacy Policy.
• Email Delivery: Resend (transactional email — verification + notifications). We share only the recipient address and message content.
• Push Notifications: Self-hosted Web Push (VAPID) — delivered directly from our servers; no third-party push provider.

7. International Data Transfers

We are based in the United States. Your personal data is processed and stored on servers located in the United States. If you are located in the EEA, United Kingdom, or Switzerland, your personal data may be transferred to a country whose data protection laws differ from those in your home country.

We implement appropriate safeguards for such transfers, including Standard Contractual Clauses (“SCCs”) approved by the European Commission or equivalent mechanisms as required by applicable law.

8. Data Retention

• Active accounts: We retain personal data for as long as your account is active plus a grace period of 30 days, during which you may reactivate your account.
• Deleted accounts:When you delete your account, we immediately anonymize your personal data — your name, photos, bio, contact details, location, and other identifying information are removed or irreversibly obfuscated — and we delete your uploaded photos and media from our storage. To protect the community, we retain a one-way (irreversible) hashed version of your phone number for safety and fraud-prevention purposes, such as enforcing bans, and we retain a limited record of any safety reports where required for legal compliance. Any remaining records cannot reasonably be used to identify you.
• Legal holds: We may retain data beyond standard retention periods when required by law, a pending legal matter, or to protect against fraud or abuse.
• Anonymized data: Aggregate or anonymized data that cannot reasonably be used to identify you may be retained indefinitely for analytics and product improvement purposes.

9. Your Rights

GDPR Rights (EEA/UK users)

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements.
• Portability: Receive your data in a structured, machine-readable format.
• Restriction: Request that we limit how we process your data in certain circumstances.
• Objection: Object to processing based on legitimate interests or direct marketing.
• Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact [email protected]. We will respond within 30 days (extendable to 60 days for complex requests with notice to you).

CCPA Rights (California residents)

• Right to Know: Know what personal information we collect, use, disclose, or sell about you.
• Right to Delete: Request deletion of your personal information.
• Right to Opt Out of Sale: We do not sell personal information. If this practice changes, we will update this Policy and provide a prominent opt-out mechanism.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request or for “Do Not Sell My Personal Information” inquiries, contact [email protected].

10. Children’s Privacy

PickPlanDate is intended exclusively for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. Users under 13 are absolutely prohibited from using the Service in accordance with the Children’s Online Privacy Protection Act (“COPPA”).

If we discover that a user is under 18, we will immediately terminate the account and delete associated personal data. If you believe a minor has created an account, please contact us at [email protected].

11. Cookies & Tracking

We use the following categories of cookies and similar tracking technologies:

• Necessary: Authentication cookies and session tokens required for the Service to function. These cannot be disabled without impairing the Service.
• Functional: Preference cookies that remember your settings and customizations.
• Analytics: PostHog analytics that help us understand how users interact with the Service. Data is pseudonymized. You may opt out in Settings → Privacy.
• Advertising: We do not currently use third-party advertising cookies.

You can manage or disable non-necessary cookies through your browser settings. Note that disabling necessary cookies will impair the functionality of the Service.

12. Automated Decision-Making

PickPlanDate uses automated algorithms to suggest potential matches based on your preferences, activity, and profile data. This algorithmic matching does not produce legal effects or similarly significant effects on your rights.

Under GDPR Article 22, EEA/UK users have the right to request human review of any automated decision that significantly affects them. To make such a request, contact [email protected].

13. Security

We implement commercially reasonable technical and organizational security measures to protect your personal data from unauthorized access, disclosure, alteration, and destruction. These measures include encryption in transit (HTTPS/TLS), hashed credentials, role-based access controls, and periodic security reviews.

No security system is impenetrable, and we cannot guarantee that your data will never be accessed by an unauthorized party. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and applicable supervisory authorities as required by applicable law.

Photo watermarking.To protect members' privacy, profile photos are displayed with a faint watermark identifying the person viewing them. If a screenshot of someone's profile is shared without permission, this watermark allows us to trace it back to the account that captured it. By using the app you agree to treat other members' photos and personal information as private and not to share, distribute, or publish them outside the app.

14. California Privacy Rights (Additional Disclosures)

Under California Civil Code § 1798.83 (“Shine the Light”), California residents may request information about third parties to whom we have disclosed personal information for direct marketing in the past calendar year. We do not share personal information with third parties for direct marketing purposes.

Categories of personal information collected in the past 12 months (CCPA § 1798.140):

• Identifiers (name, email address, phone number, IP address);
• Internet or other network activity (usage data, device information);
• Geolocation data (approximate city-level location);
• Commercial information (subscription and payment records);
• Characteristics of protected classifications (age, gender — voluntarily provided); and
• Profile and inferred data (preferences, match history, behavioral signals).

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service. The date of the most recent revision appears at the top of this page. Your continued use of the Service after such notice constitutes your acceptance of the updated Policy.

16. Contact & Data Protection Officer

• Privacy inquiries: [email protected]
• Mailing address: [Physical address — to be confirmed with counsel before launch]
• EU/UK Representative: [To be designated if GDPR Art. 27 applies — confirm with counsel]
• Urgent legal/safety matters: [email protected]