The Privacy Posture.
Version 1 · Effective 2026-05-09
1. Summary
PotentialSpouse does not collect your email address, real name, or photograph. We do not run analytics, advertising, or third-party trackers. The only persistent identifier we hold for your Google account is a one-way hash that cannot be reversed without a secret kept off the database. Your profile is visible only to other users who reciprocally match you, and only at the level of detail described in this policy.
This Privacy Policy explains in detail what we collect, why, who we share it with, how long we keep it, and the rights you have.
2. Who is the data controller
PotentialSpouse is the controller of the personal data described in this policy. Contact for data-protection questions, requests, and complaints: fedhaly@gmail.com.
3. What we collect
- One-way hash of your Google account identifier. When you sign in with Google, Google sends us an ID token containing a stable per-account identifier (the "sub" claim). We immediately compute the HMAC-SHA256 hash of that identifier using a secret kept only in our deployment environment, and store the 64-character hex digest as users.google_id_hash. The original identifier, your email address, your name, and your profile photo are discarded the moment the hash is computed and never written to the database. A breach of our database without the environment secret cannot reverse this hash to recover your Google identity.
- Codename. A three-word identifier auto-generated from the EFF Large Wordlist at sign-up. This is the only identity other users see. You may change it once within thirty (30) days of account creation; after that it is permanent.
- Profile data you enter. Gender, date of birth, nationality, country of residence, marital status, whether you have or want children, relationship goal, timeline, education, employment status, height, lifestyle preferences (alcohol, smoking, exercise, diet, willingness to relocate), and any optional advanced-mode tags you choose to add. Every field is provided by you, displayed only to other users who reciprocally match you, and editable from Settings at any time.
- Three questions. The free-text questions you write for prospective matches. Visible to anyone whose profile matches yours; visible to a partner once they initiate a connection.
- Connections, answers, and chat messages. Records of whom you have connected with, the answers each side provides to the other's three questions, and chat messages exchanged after a connection is mutually accepted. Stored as plain text in our database; protected in transit by HTTPS/WSS and at the storage layer by our hosting provider's at-rest encryption.
- Notifications. System-generated records of new matches, incoming messages, and platform events. Capped at one hundred (100) per user; older notifications are pruned automatically as new ones arrive.
- IP address — for rate-limiting only. When you sign in, your IP is held in a short-lived in-memory bucket to enforce a "no more than three new accounts per IP per twenty-four hours" rule. The bucket expires after 24 hours; we do not persist your IP address to the database.
- Web Push subscriptions (only if you opt in). If you turn on browser notifications in Settings, the browser issues us an opaque push-service URL plus two short cryptographic keys. We store these so we can send you "you have a new match / message / connection" alerts when PotentialSpouse isn't open. The push payload we send is encrypted end-to-end (RFC 8291) and carries only the notification type, a generic body line, and a click-through URL — never your match's codename, message body, or any other identifier. The browser-issued endpoint is not attached to your real identity. Turning the toggle off deletes the row.
- Audit log entries. When a moderator takes action on your account (a profile-hide, a ban, a tag confirmation), we record the action, the moderator's identifier, the affected user's identifier, a timestamp, and any free-text reason. Retained for accountability even after account deletion, with personal data anonymised.
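The pseudonymisation step described in the first bullet above, written out as an added example (this is not PotentialSpouse's own code). It takes the claims of a Google ID token, keeps only the HMAC-SHA256 of the "sub" claim, and never copies email, name or picture into the persisted record. The environment variable name GOOGLE_ID_HASH_SECRET and the sample claims are constructed for the example.

```python
import hashlib
import hmac
import os

# The keyed-hash secret lives in the deployment environment, never in the
# database. The variable name below is an assumption for this example.
SECRET = os.environ.get("GOOGLE_ID_HASH_SECRET", "example-only-secret").encode("utf-8")

# Constructed ID-token claims; the values are not a real account.
EXAMPLE_CLAIMS = {
    "sub": "110169484474386276334",
    "email": "person@example.com",
    "name": "Example Person",
    "picture": "https://example.com/photo.jpg",
}


def pseudonymise_google_sub(sub: str, secret: bytes) -> str:
    """Return the 64-character hex HMAC-SHA256 digest of a Google 'sub' claim.

    With the same secret the output is deterministic, which is what lets a
    returning user be matched to their row. Without the secret, a database
    copy alone gives no way to recompute or reverse the mapping.
    """
    if not sub:
        raise ValueError("ID token is missing the sub claim")
    return hmac.new(secret, sub.encode("utf-8"), hashlib.sha256).hexdigest()


def record_from_id_token(claims: dict, secret: bytes) -> dict:
    """Build the only user record that is persisted: the pseudonym and nothing else.

    Email, name and picture are deliberately not read from the claims, so they
    cannot leak into the returned record by accident.
    """
    return {"google_id_hash": pseudonymise_google_sub(claims["sub"], secret)}


def is_well_formed_hash(value: str) -> bool:
    """Check the stored shape: exactly 64 lowercase hex characters."""
    return len(value) == 64 and all(c in "0123456789abcdef" for c in value)


def sub_matches_stored_hash(stored_hash: str, sub: str, secret: bytes) -> bool:
    """Login-time lookup helper: recompute the digest and compare in constant time."""
    return hmac.compare_digest(stored_hash, pseudonymise_google_sub(sub, secret))


if __name__ == "__main__":
    record = record_from_id_token(EXAMPLE_CLAIMS, SECRET)
    print(record)  # only google_id_hash is present
    print(sub_matches_stored_hash(record["google_id_hash"], EXAMPLE_CLAIMS["sub"], SECRET))
```

The comparison uses hmac.compare_digest rather than == so that lookup timing does not depend on how many leading characters of the digest agree; the digest itself is keyed, so changing the secret changes every stored hash, which is why the policy treats the secret as the one thing that must stay off the database.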
4. What we do not collect
- Your email address. Google never sends it to us; we never request it.
- Your real name.
- Your phone number.
- Your profile photograph or any media uploads. The Service is text-only.
- Browser fingerprints, advertising identifiers, precise location, or device identifiers beyond what is required to maintain your session cookie.
- Behavioural analytics. We do not run Google Analytics, Mixpanel, Amplitude, Hotjar, FullStory, Segment, or any equivalent.
- Third-party advertising trackers. We do not run advertising on the Service.
- Sensitive categories of data we do not need to operate the Service: race, ethnic origin (beyond what you explicitly add as an advanced tag), political opinions, religious or philosophical beliefs (beyond denomination tags you explicitly add), trade-union membership, genetic data, biometric data, or data concerning health.
5. Why we collect what we collect (lawful basis)
We process the data described above on the following legal bases under the EU General Data Protection Regulation, the Kenya Data Protection Act, 2019, and equivalent laws in other jurisdictions:
- Performance of a contract — most data collection (your profile, questions, connections, chat messages, notifications) is necessary to provide the matching and communication service you signed up for.
- Legitimate interests — IP-based rate limiting, abuse moderation, security incident response, and the moderator audit log. Our legitimate interest in protecting the Service and its users is balanced against the limited personal-data impact: we hold IPs only in memory and only briefly, and audit log entries are accountability records, not behavioural profiles.
- Legal obligation — in narrow cases (a valid court order, a subpoena from competent authority), we may be required to retain or disclose data. We will resist over-broad requests and notify you where the law permits us to.
- Consent — for the click-wrap acceptance of these Terms and Privacy Policy at first sign-in (we record the timestamp of acceptance and the version accepted), and for any future feature that explicitly requires opt-in.
6. Who we share data with
We do not sell or rent your data. We do not share data with advertisers. The only third parties that process your data on our behalf are the infrastructure providers below, each in a clearly bounded role:
- Google LLC — OAuth identity provider. Receives your sign-in attempt; sends us an ID token. Google knows that you signed in to PotentialSpouse; we do not relay any of your PotentialSpouse activity back to Google. Subject to Google's own Privacy Policy.
- Anthropic, PBC (when our environment is configured with an API key) — moderates new tags and parses natural-language search queries on our behalf. Receives the candidate tag string and the top existing tags in that category. Receives no profile data, no chat content, and no Google identity. Subject to Anthropic's terms.
- Voyage AI (when our environment is configured with an API key) — generates embeddings used by our fuzzy-autocomplete feature. Receives tag display strings only. Receives no profile data, no chat content, and no Google identity.
- Cloudflare, Inc. (when our environment is configured to use Turnstile) — verifies the bot-detection challenge on the sign-in page. Receives a challenge token and your IP address; does not see profile data and does not track you across sites for advertising purposes.
- Browser push services (Mozilla, Google, Apple — only if you enable browser notifications). When we send you a push, it goes through the push service your browser registered with. The payload is encrypted end-to-end so the push service sees only ciphertext and timing — never the notification's content. We do not authenticate you to these services with any identifier tied to your real identity.
- Our hosting provider — runs the application server and database. Has access to data at rest (subject to the provider's at-rest encryption) and to the running application; their personnel do not access your data, and we restrict access via standard identity-and-access-management controls.
We will name our hosting provider in this section once the production deployment is finalised. If you require this information before signing up, write to support.
7. International transfers
If your data is transferred outside your country of residence in the course of being processed (for example, by our hosting provider or by an AI processor named above), we rely on the appropriate safeguards required by your local law. For data subjects in the European Economic Area or the United Kingdom, this means Standard Contractual Clauses (where the receiving party is in a country without an adequacy decision) or an adequacy decision (where one applies). For data subjects in Kenya, this means the equivalent safeguards required by Section 49 of the Data Protection Act, 2019.
8. How long we keep your data
- Active accounts — for as long as your account exists.
- Inactive accounts — hard-deleted after ninety (90) days without sign-in activity. We bump users.last_active_at on each authenticated request (throttled to about once per hour) so that the moment you're no longer using the Service, the clock starts on removing your data. Administrators are exempt. There is no opt-out: the guarantee that we don't keep ghost data is the point.
- IP rate-limit buckets — twenty-four hours, in memory only, never written to disk.
- Notifications — capped at one hundred per user; older entries are pruned automatically.
- Connection history — retained for the relationship-history feature so you can see who you have previously connected with. Visible only to the parties to that connection. Removed when you delete your account.
- Deleted accounts — when you delete your account through Settings → Danger zone, your codename is anonymised and your profile, three questions, connections, chat messages, and notifications are removed from the database within thirty (30) days. Snapshots of your three questions and your answers that have already been sent to a partner persist in that partner's connection history, because deleting them would silently rewrite a conversation they were part of.
- Moderator audit log — retained for accountability after your account is deleted, with your codename anonymised. Retention period: three (3) years from the date of the action, then deleted.
- Backups — operational backups of the database may temporarily contain data that has been deleted from the live database. Backups are rotated on a thirty (30)-day cycle; deleted data is purged from backups no later than thirty days after deletion.
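The in-memory IP bucket mentioned in sections 3 and 8 (at most three new accounts per IP per twenty-four hours, nothing written to disk), as an added example rather than the Service's own implementation. It uses a sliding window of accepted sign-up timestamps per IP; an IP whose window has emptied is dropped from the map entirely, so an idle address leaves no trace. The clock is injectable so the expiry behaviour can be checked without waiting a day; the IP addresses are constructed.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 24 * 60 * 60      # "per twenty-four hours"
MAX_NEW_ACCOUNTS_PER_IP = 3        # "no more than three new accounts per IP"


class SignupRateLimiter:
    """Per-IP sliding-window counter held only in process memory.

    State is a dict of deques of accepted sign-up timestamps. There is no
    persistence layer: a restart forgets every bucket, which is the intended
    privacy property rather than a bug.
    """

    def __init__(self, clock=time.monotonic, window=WINDOW_SECONDS, limit=MAX_NEW_ACCOUNTS_PER_IP):
        self._clock = clock
        self._window = window
        self._limit = limit
        self._buckets = defaultdict(deque)  # ip -> timestamps of accepted sign-ups

    def _prune(self, ip: str, now: float) -> None:
        """Drop timestamps older than the window; forget the IP if none remain."""
        bucket = self._buckets[ip]
        while bucket and now - bucket[0] >= self._window:
            bucket.popleft()
        if not bucket:
            del self._buckets[ip]

    def allow_signup(self, ip: str) -> bool:
        """Return True and record the attempt if this IP is under the limit."""
        now = self._clock()
        self._prune(ip, now)
        bucket = self._buckets[ip]
        if len(bucket) >= self._limit:
            return False
        bucket.append(now)
        return True

    def sweep(self) -> None:
        """Periodic housekeeping: expire every bucket whose window has passed."""
        now = self._clock()
        for ip in list(self._buckets):
            self._prune(ip, now)

    def tracked_ips(self) -> set:
        """IPs currently remembered; useful to confirm idle addresses are forgotten."""
        return set(self._buckets)


if __name__ == "__main__":
    limiter = SignupRateLimiter()
    for attempt in range(4):
        print(attempt + 1, limiter.allow_signup("198.51.100.7"))  # 4th is refused
```

Denied attempts are not recorded, so a flood of refused sign-ups does not grow the bucket; only accepted ones count toward the limit and toward how long the IP stays in memory.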
9. Your rights
Depending on your jurisdiction, you have some or all of the following rights. We honour all of them globally regardless of where you live:
- Access. Download a complete JSON snapshot of everything we hold about you at any time from /settings/data-export.
- Rectification. Every field on your profile is editable from Settings. If something we hold about you is wrong and you cannot fix it from the interface, write to support.
- Erasure. Delete your account from Settings → Danger zone. Subject to the retention notes above.
- Restriction of processing. Turn off your profile's visibility (Settings → Visibility) so it does not appear on any wall while you decide what to do.
- Data portability. The /settings/data-export endpoint serves a structured, machine-readable JSON file you can transfer to another service.
- Objection. Write to support to object to processing based on legitimate interests. We will explain the lawful basis for any processing you object to and discontinue where required by law.
- Withdraw consent. Where processing is based on consent, withdraw it at any time by writing to support.
- Lodge a complaint with your local data protection authority. For data subjects in Kenya, the Office of the Data Protection Commissioner; for data subjects in the EEA / UK, your national supervisory authority.
We will respond to data subject requests within thirty (30) days. If your request is complex or you have made multiple requests, we may extend this by up to two further months and will tell you the reason within the original thirty days.
10. Cookies and similar technologies
We use exactly one cookie:
- _potential_spouse_web_user_remember_me — a signed session cookie that keeps you logged in for up to sixty (60) days. Strictly necessary for the Service to work. Article 5(3) of the EU ePrivacy Directive (and equivalent rules elsewhere) exempts strictly-necessary cookies from the consent banner requirement.
We do not set advertising cookies, analytics cookies, or any third-party cookies. If we ever introduce a non-functional cookie, we will display a consent banner and obtain your consent before doing so.
11. Security
The technical and organisational measures we apply:
- HTTPS and WSS in transit on every page of the Service.
- One-way HMAC-SHA256 pseudonymisation of your Google account identifier at rest.
- At-rest encryption of the database disk by our hosting provider.
- Per-user rate limits on sign-up, tag creation, message sending, and connection initiation.
- A bot-detection challenge on the sign-in page (Cloudflare Turnstile) when configured.
- Secrets stored in the deployment environment, not in the source code.
- Quality-gate checks on every code change, including a security scan that flags common web-application vulnerabilities.
No system is perfectly secure. If we discover a personal data breach affecting your data, we will notify the competent supervisory authority within seventy-two (72) hours where required by law and notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
12. Children
PotentialSpouse is intended for adults aged eighteen (18) and over. Profile creation rejects dates of birth that imply you are under 18. We do not knowingly collect data from children under 18. If you believe a child has created an account, or we have collected data from a child by mistake, write to support and we will delete the account and the data.
13. Automated decision-making
Our matching engine uses your stated preferences to compute which other users appear on your wall. This is rule-based and deterministic: it filters using the criteria you explicitly set. The matching engine does not profile you for risk scoring, does not score your suitability for credit or employment, and does not produce decisions with legal or similarly significant effects within the meaning of Article 22 of the GDPR.
14. Changes to this Privacy Policy
Material changes to data collection, processing, sharing, retention, or your rights will trigger a new version of this policy. You will be prompted to review and accept the new version on your next sign-in. Cosmetic changes (typos, formatting, broken-link fixes, clarifying language) do not trigger a new version.
If you do not accept a new version, you may delete your account at any time from Settings → Danger zone.
15. Contact
For privacy questions, data subject access requests, deletion requests, objections to processing, or to lodge an internal complaint, write to fedhaly@gmail.com.