Privacy Policy

Last updated 2026-04-17 · Version 1.0

This policy explains how we handle your personal data when you use Single & Active / CupidX (“the service”, “we”, “us”). It follows the disclosures required by GDPR Article 13 and the Norwegian Personal Data Act (personopplysningsloven).

1. Data controller

Single & Active / CupidX is the data controller. Reach us at info@singlemingle.io. We will respond to data-protection enquiries within 30 days as required by GDPR Article 12(3).

2. What we collect and why

We process the following personal data:

  • Phone number (required). To send you your ticket confirmation, reminders, and the hike URL. Legal basis: performance of contract (GDPR Art. 6(1)(b)).
  • Email address (required, via Stripe checkout). For receipts, refunds, and support. Legal basis: performance of contract.
  • Full name (via Stripe checkout). For check-in and emergency contact purposes. Legal basis: performance of contract.
  • Age range attestation (within 25–45 or outside). For event eligibility. Legal basis: performance of contract.
  • Profile photo (optional, user-uploaded). For in-app matching visible to other participants at the same event only. Legal basis: your explicit consent (GDPR Art. 6(1)(a)) — you can delete or replace it at any time in the app.
  • Match preferences (Spark / Connect / Skip responses, intent selection). To produce post-event mutual matches and group dynamics. Legal basis: performance of contract.
  • Chat messages (between mutually matched participants, post-event). For in-app messaging within a 24-hour window after the event. Legal basis: performance of contract.
  • Payment information (processed by Stripe). We never see or store full card data; Stripe is the processor. Legal basis: performance of contract.
  • Event attendance + check-in timestamps. Operational — to manage group arrival and no-show follow-up. Legal basis: legitimate interest (GDPR Art. 6(1)(f)) in running a safe event.
  • Reports against other users (if you use the report feature). For safety and moderation. Legal basis: legitimate interest in user safety; may be shared with police if a criminal act is alleged.

We do not process special-category data (health, sexuality, religion etc.) as defined by GDPR Art. 9. Intent options (romance / friends / hiking) are treated as preference metadata, not sexuality data, and are visible only within the service to produce matches.

3. Who we share with (sub-processors)

We share the minimum data needed with these processors, each bound by a data-processing agreement:

  • Stripe (Ireland) — payment processing. Receives name, email, phone, card details. See Stripe Privacy Policy.
  • Twilio (Ireland) — SMS delivery. Receives phone number and message body. See Twilio Privacy Notice.
  • Meta / Facebook (Ireland) — event publishing + advertising. Meta receives event metadata (venue, date, city), not your personal data. No user data is shared with Meta for ad targeting.
  • Railway (USA) — hosting provider for our backend and database. Data at rest is stored in Railway's EU region where possible; cross-border transfers to the US happen under Railway's Standard Contractual Clauses (SCCs).
  • Sentry (USA, if enabled) — error tracking. Receives anonymised stack traces. Configured with send_default_pii=False.

We do not sell your personal data. We do not share your data with advertisers.

4. How long we keep it

  • Active account data (phone, email, name): for the duration of the event you bought + 30 days post-event for operational follow-up (refunds, disputes, reports).
  • Profile photo: until you delete it or until 30 days post-event, whichever comes first.
  • Match responses + chats: deleted 24 hours after the event.
  • Payment records + invoices: 5 years, as required by the Norwegian Bookkeeping Act (bokføringsloven §13).
  • Reports filed against a user: retained for 2 years for pattern detection and safety, or longer if required by a legal/regulatory inquiry.
  • Sentry error data: 90 days default retention on Sentry's platform.

5. Your rights (GDPR Chapter III)

You can exercise the following rights by emailing us:

  • Access — a copy of the data we hold about you (Art. 15).
  • Rectification — correction of inaccurate data (Art. 16).
  • Erasure — deletion of your data, subject to our retention obligations above (Art. 17).
  • Restriction of processing (Art. 18).
  • Portability — your data in a machine-readable format (Art. 20).
  • Objection to processing based on legitimate interest (Art. 21).
  • Withdraw consent for anything we rely on consent for (photo, promotional SMS). Withdrawal does not affect lawful processing before withdrawal.

We respond to valid requests within 30 days. Email info@singlemingle.io with the subject line [Privacy] to expedite.

6. Automated decision-making

We use automated scoring to pick venues and times for events (weather, difficulty, etc.) and automated algorithms to produce mutual matches after an event (counting your Spark / Connect choices against other participants').

Neither process produces a legal or similarly significant effect on you (GDPR Art. 22). Matches are informational; you choose whether to chat.

7. Security

Passwords for the service use secure hashing. Database connections use TLS. Payment data is handled by Stripe (PCI DSS Level 1). In the event of a data breach likely to result in risk to your rights, we will notify Datatilsynet within 72 hours (GDPR Art. 33) and notify you without undue delay (Art. 34).

8. Complaints

If we haven't resolved your concern, you have the right to complain to the Norwegian Data Protection Authority:

Datatilsynet
Postboks 458 Sentrum, 0105 Oslo
datatilsynet.no

9. International transfers

When data is transferred outside the EU/EEA (primarily to US processors like Railway, Sentry, Stripe-US operations), the transfer is covered by Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by the EU-US Data Privacy Framework where the processor is certified.

10. Changes to this policy

If we change this policy materially, we will update the “Last updated” date and notify active users by SMS or email before the change takes effect.