← Back to home

Privacy Policy for the "Lunadate" Mobile Application

Version: 1.0 | Effective date: 06.03.2026

§1. General Information

  • This Privacy Policy describes the rules for processing personal data in connection with the use of the Lunadate mobile application ("Application").
  • The Data Controller is:
    LUNADATE Karolina Bobrecka
    ul. Łąkowa 20/4, 87-100 Toruń, Poland
    Tax ID (NIP): 6762584801, REGON: 38691709600000
  • Privacy (GDPR) contact: support@lunadate.app. General support: support@lunadate.app.
  • The Application is intended for persons aged 18 or over. We do not knowingly process data of persons under 18 years of age.
  • Providing data is voluntary; however, it is required to the extent necessary for creating a profile and using the basic features of the Application (matching, chat).

§2. What Data We Process

Depending on how you use the Application, we process the following categories of data:

Account data (login)

  • account identifier in the Application;
  • email address received from the login provider (Apple or Google) — in the case of Apple, this may be a "relay" address if the User chooses to hide their email;
  • first name (if provided by the login provider or entered in the Application).

Profile and dating preference data

  • gender (e.g., male/female/other);
  • preferences regarding the gender of persons you want to see in matches;
  • profile photos (min. 2, max. 5);
  • bio/profile description (up to 250 characters);
  • interests/hobbies (1–5);
  • vibe (1 of 6 types);
  • match filters (e.g., age, search range).

Birth data for astrological compatibility

  • date of birth, time of birth, place of birth (city);
  • geographic coordinates of the birth city and birth timezone (determined automatically based on the specified location);
  • calculated data: zodiac sign (Sun), Moon sign, ascendant, and other compatibility elements.

Relationship test data

  • test question answers (A/B/C/D);
  • result (e.g., Dreamer/Connector/Flame), score, test completion date.

Location data

  • current GPS location (lat/lng) — only while using the Application (no background tracking);
  • distance from other Users (calculated based on location).

Communication and activity data

  • likes/rejections (swipe), matches;
  • chat messages (content and metadata, e.g., send/read time);
  • blocks, unblocks, reports (including report reason).

Technical data

  • platform (iOS/Android), OS version, Application version;
  • language and theme settings;
  • push notification tokens (e.g., FCM) and notification settings;
  • technical logs necessary for security and proper operation.

Subscription data

  • plan identifier (e.g., Premium/Gold), activity status, expiration date, product identifiers in Stores;
  • identifiers used by the subscription management provider (e.g., RevenueCat).

§3. Special Category Data (Art. 9 GDPR) and Sensitive Data

  • As a rule, we do not require the provision of special category data (e.g., health data, political opinions, religious beliefs).
  • At the same time, some data processed in the context of a dating application may — depending on profile configuration and Application usage — reveal or relate to sex life or sexual orientation (e.g., preferences regarding the gender of persons you want to see in matches, as well as content provided in your profile or messages).
  • If we process special category data, this is done on the basis of your explicit consent (Art. 9(2)(a) GDPR) — given by voluntarily providing such data and actively using Application features. You may withdraw your consent at any time by changing/deleting such data or deleting your Account.
  • We recommend that you do not share information in your profile and messages that you do not wish to disclose to other Users.

§4. Purposes and Legal Bases of Processing

We process your data for the following purposes and on the following legal bases:

Purpose of processing Example data Legal basis
Account creation and management, onboarding email (Apple/Google), profile data (name, photos, bio, interests, preferences) Art. 6(1)(b) GDPR (contract performance)
Matching, profile presentation, compatibility, relationship test, horoscope preferences, application activity, birth data, test results Art. 6(1)(b) GDPR (contract performance)
Chat and communication between Users messages and metadata, matches Art. 6(1)(b) GDPR (contract performance)
Location and distance current location while using the application Art. 6(1)(a) GDPR (consent)
Push notifications FCM token, notification type Art. 6(1)(a) GDPR (consent)
Security, abuse prevention, moderation reports, blocks, security logs Art. 6(1)(f) GDPR (legitimate interest)
Complaint and claim handling contact data, case history Art. 6(1)(c) and/or Art. 6(1)(f) GDPR
Subscription management subscription status, transaction identifiers Art. 6(1)(b) GDPR (contract performance)
Purpose of processing Example data categories Legal basis
Account creation and management, onboarding, and provision of core Application features (profile, matching, chat, relationship test, compatibility). account data, profile data, birth data, test results, Application activity, messages Art. 6(1)(b) GDPR (contract performance); for special category data — additionally Art. 9(2)(a) GDPR (explicit consent).
Enabling location-based matching and displaying distance. current GPS location, distance Art. 6(1)(a) GDPR (consent — system permission).
Push notification handling (e.g., new matches and messages). notification token (e.g., FCM), notification settings Art. 6(1)(a) GDPR (consent).
Subscription status verification and access to paid features. Subscription status, purchase/entitlement identifiers Art. 6(1)(b) GDPR (contract performance).
Ensuring Application and User security; abuse prevention; moderation, report handling; pursuing or defending claims. reports, blocks, technical logs, activity data Art. 6(1)(f) GDPR (legitimate interest of the Controller).
Handling correspondence, inquiries, and complaints. contact data, submission content, metadata Art. 6(1)(f) GDPR (legitimate interest) and — where applicable — Art. 6(1)(c) GDPR.

§5. Profiling and Matching

  • The Application uses matching and profile recommendation mechanisms, and may present compatibility indicators and sort profiles (e.g., "Soulmate" mode available in paid plans).
  • This may involve data analysis (e.g., preferences, activity, relationship test results, birth data) to present matches more aligned with your settings.
  • We do not make decisions about you based solely on automated processing that would produce legal effects or similarly significantly affect you (within the meaning of Art. 22 GDPR).

§6. Data Recipients and Processors

We use service providers (data processors) to the extent necessary for the operation of the Application, in particular:

Provider Role Purpose Notes / Location
Supabase (self-hosted, Supabase Auth / GoTrue) data processor (in the self-hosted model, processing is carried out in your own infrastructure) user authentication and session (Supabase Auth / GoTrue) Self-hosted. Location depends on server configuration. The software provider (Supabase) generally does not have access to data if you do not use their cloud.
DigitalOcean (DigitalOcean, LLC) data processor infrastructure hosting (server, databases, running backend services and self-hosted Supabase) Processing in the region you select in DigitalOcean. Possible transfer outside EEA depending on region. In the event of transfer outside EEA, appropriate safeguards are applied (e.g., SCCs).
Google (Google LLC / Google Ireland Limited) data processor / independent provider Google Sign-In, Firebase Cloud Messaging (push notifications) Processing depends on Google/Firebase service configuration. Possible transfer outside EEA. Transfer safeguards applied per provider documentation (e.g., SCCs, DPF where applicable).
Apple (Apple Inc.) independent provider Apple Sign-In Apple acts as an independent login service provider. Processing per Apple policies. Possible transfers outside EEA.
RevenueCat (RevenueCat, Inc.) data processor subscription status and entitlements, in-app purchase verification (webhook + API) HQ: USA. Possible transfer outside EEA. Appropriate transfer safeguards applied (e.g., SCCs, DPF where applicable).
Cloudflare (Cloudflare, Inc.) — Cloudflare R2 data processor profile photo storage (S3-compatible, presigned URLs) HQ: USA. Processing depends on Cloudflare configuration and regions. Possible transfer outside EEA. Appropriate transfer safeguards applied (e.g., SCCs, DPF where applicable).
  • Data may also be disclosed to public authorities when required by law.
  • We do not sell your personal data and do not share it with third parties for advertising purposes.

§7. Data Transfers Outside the EEA

  • Some service providers may process data outside the European Economic Area (EEA), in particular in the United States.
  • In such cases, we apply safeguards required by law, in particular Standard Contractual Clauses (SCCs) and — where necessary — supplementary measures.

§8. Data Retention Period

  • We process data for the duration of your Account use and for the time necessary to fulfil the purposes described in §4.
  • After Account deletion: (a) the profile is deactivated and ceases to be visible to other Users; (b) data is deleted or anonymized as quickly as possible, no later than 30 days, unless retention is necessary for security, report handling, pursuing or defending claims, or a legal obligation.
  • Chat messages and interaction data may be retained longer to the extent necessary for User safety (e.g., in the case of reports) and for pursuing or defending claims, but no longer than 12 months from Account deletion, unless the exceptions in point 2 apply.
  • Technical logs related to security and Application stability are retained as a rule for up to 12 months, unless longer retention is justified.
  • Subscription data is retained for the duration of the Subscription and for the time needed for complaint handling and accounting.

§9. Your Rights

You have the following rights under the GDPR, in particular:

  • right of access to data;
  • right to rectification;
  • right to erasure ("right to be forgotten");
  • right to restriction of processing;
  • right to data portability;
  • right to object to processing based on legitimate interest;
  • right to withdraw consent (if processing is based on consent);
  • right to lodge a complaint with the President of the Polish Data Protection Authority (UODO).
  • To exercise your rights, contact us at: support@lunadate.app. To protect your data, we may ask for identity verification.
  • If you do not have access to the Application (e.g., after uninstalling), you may submit a request to exercise your rights (including data deletion) by emailing support@lunadate.app. In the message, provide the email address associated with your Account and a brief description of your request.
  • If we do not yet provide an automatic data export feature in the Application, you may submit a data portability request by email; we will provide data in a structured format (e.g., JSON/CSV), if technically feasible and lawful.

§10. Application Permissions and On-Device Data

  • The Application may request access to: (a) photo library — for selecting profile photos; (b) location "while using the app" — for distance-based matching; (c) notifications — for informing you about activity (e.g., new match, new message).
  • You can change granted system permissions at any time in your device settings. Withdrawing a permission may limit the functionality of certain features.
  • The Application may store certain technical data and preferences on the device (e.g., language, theme, notification settings) for proper Application operation. This data is not used for advertising tracking.

§11. Security

  • We apply technical and organizational measures adequate to the risk, including encryption of data in transit (TLS/HTTPS), authorization mechanisms, and access control.
  • Despite the measures in place, no data transmission or storage system provides a 100% guarantee of security.

§12. Analytics and Advertising

  • As of the publication of this Privacy Policy, the Application does not display advertisements and does not use external advertising analytics tools for marketing profiling.
  • If we introduce analytics or advertising solutions in the future, we will update the Privacy Policy and — if required — implement appropriate consent mechanisms.

§13. Changes to the Privacy Policy

  • The Privacy Policy may be updated in the event of legal, organizational, or technical changes related to the Application.
  • We will inform you of significant changes within the Application. The current version of the Privacy Policy is available in the Application.