Privacy Policy – Soul – 31.01.20266

Privacy Policy (EN)

Effective date: 2026-02-14

Last updated: 2026-02-14

Important: This is a publication-ready template for your current stack and GDPR-oriented implementation. It is not legal advice. Have local counsel review before going live.

1. Data Controller

Service name: Soul / SoulDay / Heartly

Controller: [INSERT LEGAL ENTITY NAME]

Registration no.: [INSERT REGISTRATION NUMBER]

Address: [INSERT ADDRESS]

Contact email: [INSERT PRIVACY EMAIL]

DPO (if appointed): [INSERT DPO CONTACT OR "Not appointed"]

2. Scope

This Policy explains how we collect, use, share, store, and protect personal data when you use our website and application.

3. Categories of Personal Data

Depending on your use, we may process:

  • account data (name, username, email, phone, password hash, login metadata);
  • profile data (age, gender, language, location, interests, preferences, lifestyle);
  • verification data (profile photos, identity image/selfie, CV/income files and related fields);
  • messaging and interaction data (chat messages, likes, matches, reports);
  • support and contact data (contact forms and customer support communications);
  • subscription/payment references (plan and payment provider identifiers);
  • technical/security data (IP address, device token, audit logs, CSRF/security metadata);
  • cookie/consent data (locale, authentication cookies, consent status logs).

4. Data Sources

We collect data:

  • directly from you (forms, profile updates, verification uploads, support messages);
  • automatically from your device/browser (cookies, logs, security and usage telemetry);
  • from service providers you use through the platform (for example payment providers).

5. Purposes and Legal Bases (GDPR Art. 6)

We process data for:

  • account creation, login, and profile management (contract);
  • matching, chat, and core service features (contract);
  • fraud prevention, abuse detection, moderation, and platform security (legitimate interest);
  • legal compliance, dispute handling, and law-enforcement cooperation (legal obligation / legitimate interest);
  • subscription billing and payment operations (contract / legal obligation);
  • optional analytics/marketing technologies (consent);
  • optional push messaging (consent/permission where required).

6. Cookies and Tracking

Essential cookies are used for authentication, security, and technical operation.

Analytics/marketing technologies are activated only where required consent is given.

You can change consent settings in the platform's cookie preferences.

7. Recipients and Processors

We may share data with processors/sub-processors needed to operate the Service, such as:

  • hosting/infrastructure provider(s);
  • payment processor(s) (for example Stripe);
  • email provider(s);
  • push messaging provider(s) (for example Firebase);
  • analytics/marketing providers (only where consent is valid);
  • customer support tooling providers.

We may disclose data if required by law or to defend legal rights.

8. International Transfers

If data is transferred outside the EEA/UK/Switzerland, we apply appropriate safeguards, such as adequacy decisions or Standard Contractual Clauses (SCCs), as required by law.

9. Retention

We retain data only as long as necessary for the purposes in this Policy, legal obligations, and dispute handling.

  • active account data: retained while the account is active;
  • security and audit logs: retained per internal security retention policy;
  • account deletion requests: profile-related data is deleted or anonymized according to implemented deletion workflows and legal obligations.

10. Data Subject Rights (GDPR)

Where applicable, you can request:

  • access (Art. 15),
  • rectification (Art. 16),
  • erasure (Art. 17),
  • restriction (Art. 18),
  • portability (Art. 20),
  • objection (Art. 21),
  • withdrawal of consent at any time (Art. 7(3)).

You can also lodge a complaint with your local supervisory authority.

11. Automated Decisions / Profiling

The Service may use profile attributes and quiz/personality data for matching and recommendation logic.

This is designed to improve relevance and user experience and does not create fully automated legal decisions with comparable legal effect.

12. Security Measures

We apply technical and organizational safeguards, including authentication controls, rate limiting, CSRF protections, access checks, and secure cookie settings in production.

No system can guarantee absolute security.

13. Children

The Service is intended for adults (18+).

We do not knowingly provide the Service to children.

14. Changes to this Policy

We may update this Policy.

The latest version and effective date will be published on the website/app.

15. Privacy Contact

For privacy requests (access, deletion, correction, portability, objection), contact: [INSERT PRIVACY EMAIL].
