Privacy Policy

Last Updated: February 10, 2026

1. Introduction

Welcome to the Privacy Policy of Nutty Face s.r.o. ("GraceMeet", "we", "us", or "our"), a company organized under the laws of the Czech Republic. We respect your privacy and are committed to protecting your personal data.

This Policy applies to our website (www.gracemeet.com), our mobile application (the "App"), and related services (collectively, the "Service"). It applies to users worldwide, with specific provisions for users in the European Economic Area (EEA), United Kingdom (UK), and the United States (US).

2. Data We Collect

We collect data to help you match with other users and to ensure the safety of our platform.

2.1 Data You Provide to Us

• Account Data: Name, email address, phone number, date of birth, password.
• Profile Data: Photos, gender, sexual orientation, interests, bio, job title, education. Note: Sexual orientation is considered "Special Category Data" (GDPR) or "Sensitive Data" (US State Laws). By providing it, you explicitly consent to our processing of this data.
• Verification Data (Biometrics): If you use our "Selfie Verification" feature, we collect your face geometry to verify you are a real person.
• Communications: Messages and content you send through the Service. We may use automated tools to detect spam, fraud, and policy violations. Human review typically occurs only when content is reported, required for safety, or required by law.

2.2 Data Collected Automatically

• Device Information: IP address, device ID (IDFA/GAID), device model, operating system, browser type.
• Usage Data: Logins, swipes, matches, time spent, features used.
• Geolocation: If you grant permission, we collect precise geolocation (GPS) to show you users nearby.

2.3 Data from Third Parties

• Social Logins: If you log in via Apple, Google, or Facebook, we receive data such as your email and public profile info depending on your settings.
• Partners: We may receive data from advertising partners to measure ad performance.

3. How We Use Your Data & Legal Bases

We use your data based on the following legal bases (GDPR/UK):

Legitimate Interests (EU/UK): Where we rely on legitimate interests (e.g., safety, fraud prevention, service improvement, analytics), we have considered and balanced those interests against your rights. You may object to processing based on legitimate interests as described in Section 9.

Cookies & SDKs: We use cookies and similar technologies (including mobile SDKs). Where required (e.g., in the EEA/UK), we request your consent for analytics and marketing technologies. See our Cookie Policy for more information.

U.S. Users: We process personal data for business and commercial purposes described in this Policy (including providing the Service, security, and marketing). U.S. state privacy rights and opt-out options are described in Section 10.

4. Biometric Data Policy (Texas, Illinois, Global)

If you choose to use our photo verification feature, we will scan your face geometry from a video selfie and compare it to your profile photos. This allows us to place a "Verified" badge on your profile.

• Consent: We only collect this data with your express, opt-in consent.
• Purpose: Solely for identity verification and fraud prevention.
• No Sale/Disclosure: We do not sell biometric identifiers or biometric information. We disclose it only to service providers who process it for verification and fraud prevention purposes under strict contract and security requirements.
• Retention: We retain biometric information only as long as necessary to fulfill the purpose of collection (verification and fraud prevention), and we delete it when that purpose is satisfied, upon verified deletion request, or as required by applicable law.
• Deletion: You can request deletion of your biometric data at any time by contacting support. Upon account deletion, this data is permanently removed.

5. Automated Decision Making & AI

We use automated systems and AI algorithms to:

• Matching: Analyze your profile and activity to suggest relevant users.
• Moderation: Detect nudity, spam, or offensive language in photos and messages.

EU Users: Under the GDPR, you have the right to object to profiling. However, basic algorithmic matching is essential to the functioning of a dating app.

6. Data Sharing and Disclosures

We do not sell your personal data to data brokers for money. However, we share data with:

• Service Providers: We use trusted third-party service providers to facilitate our Service (e.g., Google Cloud/Firebase for infrastructure, AWS, Zendesk for support, Twilio for SMS). They act as our processors/service providers and may process personal data only on our instructions. These providers are contractually bound to protect your data.
• Marketing Partners: We may share hashed identifiers (such as advertising IDs) with partners like Meta or Google for marketing and measurement, subject to your choices and opt-out rights (see Section 10, including “Do Not Sell or Share My Info”).
• Law Enforcement: We may disclose data if compelled by court order, subpoena, or to prevent imminent physical harm or suspected child exploitation (NCMEC reporting).
• Corporate Transactions: In the event of a merger, sale, or bankruptcy.

7. International Data Transfers

GraceMeet is operated from the Czech Republic (EU). Data collected from users outside the EU may be transferred to servers in the EU or the US.

To ensure protection, we rely on:

• EU-US Data Privacy Framework (DPF): Where our U.S. recipients are certified under the DPF.
• Standard Contractual Clauses (SCCs): Where applicable, together with supplementary measures as required by GDPR.

You may request a copy of relevant transfer safeguards by contacting us at support@gracemeet.com.

8. Data Retention

We keep your personal data only as long as we need it for legitimate business purposes and as permitted by applicable law.

• Active Accounts: We retain data while your account is active.
• Deleted Accounts: We delete your data within 30 days of account closure, EXCEPT:
  • Transaction data (kept for 10 years for tax/accounting).
  • Banned accounts (we retain limited identifiers and device/account signals to prevent ban evasion and protect the Service).
  • Verification data (as per Section 4).

9. Your Rights (GDPR / UK / Canada)

If you are in the EEA, UK, Switzerland, or Canada, you have the right to:

• Access: Request a copy of your data.
• Rectification: Correct inaccurate data.
• Erasure: Request deletion (Right to be Forgotten).
• Restriction/Objection: Limit how we use your data.
• Portability: Get your data in a machine-readable format.
• Right to Lodge a Complaint: If you are in the EEA/UK, you have the right to lodge a complaint with the supervisory authority in your habitual residence, place of work, or where an alleged infringement occurred.

To exercise these rights, contact us at support@gracemeet.com.

10. U.S. State Privacy Notice

This section applies to residents of U.S. states that provide privacy rights to consumers, including (but not limited to) California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana.

10.1 Notice at Collection (California - CCPA/CPRA)

In the past 12 months, we have collected the following categories of Personal Information:

• Identifiers: Name, email, IP address, device ID.
• Protected Characteristics: Gender, age, sexual orientation.
• Biometric Information: Face geometry (if verified).
• Geolocation: Precise GPS data.
• Internet Activity: App usage logs.

10.2 Sensitive Personal Information

We collect "Sensitive Personal Information" (e.g., sexual orientation, precise geolocation, biometrics). We use this strictly to provide the Service (matching and verification) and not for inferring characteristics for unrelated purposes.

10.3 Sale and Sharing of Data

GraceMeet does not "sell" data in the traditional sense (for money). However, sharing data with advertising networks (like Google/Meta) for cross-context behavioral advertising may be considered "sharing" or "selling" under California/US laws.

Your Right to Opt-Out: You have the right to opt-out of the "sale" or "sharing" of your personal information. You can do this by navigating to Settings > Privacy > Do Not Sell or Share My Info in the App.

If you use our website, you may also exercise this opt-out through a “Do Not Sell or Share My Personal Information” link (where available) or by contacting us at support@gracemeet.com.

Global Privacy Control: Where required by applicable law, we honor opt-out preference signals such as the Global Privacy Control (GPC) for the sale/sharing of personal information.

Limit the Use of Sensitive Personal Information: California residents may have the right to request that we limit the use and disclosure of Sensitive Personal Information to what is necessary to provide the Service, subject to legal exceptions. You can manage this in the App under Settings > Privacy or by emailing support@gracemeet.com.

10.4 State Specific Rights

Depending on your state, you have the right to:

• Confirm if we process your data and access it.
• Correct inaccuracies.
• Delete your data.
• Opt-out of certain profiling (where it produces legal or similarly significant effects), as provided by applicable state law.
• Texas Residents: You have the right to opt out of (i) targeted advertising, (ii) the sale of personal data, and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects. We do not sell Sensitive Data (such as precise geolocation, biometric identifiers, or sexual orientation). Where required by law, we obtain your opt-in consent before processing Sensitive Data.

10.5 How to Exercise Your Rights

You may submit a request to exercise your privacy rights by (i) using in-app controls under Settings > Privacy or (ii) emailing support@gracemeet.com. We may need to verify your identity before fulfilling your request. We will respond within the time required by applicable law (typically within 45 days). Where permitted, we may extend our response time once by an additional period and will notify you if an extension is required.

10.6 Authorized Agents & Non-Discrimination

Authorized Agents (California): California residents may use an authorized agent to submit requests on their behalf. We may require proof that the agent is authorized and may also require you to verify your identity directly with us.

Non-Discrimination: We will not discriminate against you for exercising your privacy rights. However, certain features of the Service may not be available if you request deletion or limit certain processing that is necessary to provide the Service.

10.7 Appeals

If we deny your privacy request, you may appeal by contacting support@gracemeet.com. If legally applicable in your state (e.g., Virginia, Colorado), we will provide a reason for the denial and instructions for further appeal to the Attorney General.

11. Children's Privacy

Our Service is restricted to users who are 18 years of age or older. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that a child has provided us with personal data, we will delete it immediately.

12. Security

We implement robust administrative, technical, and physical security measures (including SSL encryption and access controls) to protect your data. However, no transmission over the internet is 100% secure.

13. Changes to this Policy

We may update this policy. If we make material changes, we will notify you via the App or email. The "Last Updated" date at the top indicates the latest revision.

14. Contact Us

Data Controller: Nutty Face s.r.o.

Address: Hainemannova 2695/6, Dejvice, 160 00 Prague, Czechia

Email: support@gracemeet.com

Privacy Officer: support@gracemeet.com