Privacy Policy
Last updated: February 27, 2026
1. Introduction
Ayarel ("we", "our", "us") operates a proximity-based social platform that lets people discover others nearby. This Privacy Policy explains what personal data we collect, why, how we protect it, and what rights you have over it.
We are committed to protecting your privacy. Because our app involves location and personal information, we apply strict security and data-minimisation principles throughout.
2. Data Controller
The data controller for the purposes of applicable data protection law is Ayarel. For privacy-related enquiries, contact us at support@ayarel.me.
3. What Data We Collect
3.1 Account Data
When you create an account, we collect:
- Email address — for authentication, account recovery, and security notifications.
- Name — your legal name (stored securely, not displayed to other users).
- Date of birth — to verify you are 18 or older. Only your age (not your exact birthday) may be visible to others.
- Gender — for preference matching in discovery.
- Password — stored as a one-way cryptographic hash. We never store or have access to your plaintext password.
3.2 Profile Data
Information you choose to share on your profile:
- Display name, bio, and status text
- Profile photos and gallery images
- Tags and interests
- Discovery preferences (who you want to see and who can see you)
3.3 Location Data
Location is the most sensitive data we handle, and we treat it accordingly:
- Your location is used only for proximity-based discovery (showing you people nearby).
- Location data is held in memory only (Redis) with a 5-minute automatic expiry. It is never written to a database and never logged.
- Other users see only an approximate distance (e.g. "~200m away"), never your exact coordinates.
- When you deactivate your profile or close the app, your location data expires automatically within minutes.
3.4 Face Verification Data
If you use face verification to earn a verified badge:
- A mathematical representation (embedding) of your face is generated and stored encrypted with application-level encryption.
- The original photos used for verification are not retained after processing.
- Face embeddings are used only to verify that your profile photo matches your face. They cannot be used to reconstruct your image.
3.5 Device & Security Data
- Device identifiers — a unique device ID and platform type (iOS/Android) for session management.
- Login history — hashed IP address, hashed device fingerprint, country code, and platform. Used for suspicious login detection. Raw IP addresses are hashed and cannot be reversed. Retained for 90 days.
- Push notification tokens — if you enable push notifications.
3.6 User-Generated Reports
If you report another user or are reported, we store the report details (reason, description) for moderation and safety purposes.
4. How We Use Your Data
We process your data for the following purposes:
- Service delivery — enabling discovery, profile viewing, and social features (legal basis: contract performance).
- Safety & moderation — content moderation, abuse prevention, and user blocking (legal basis: legitimate interest).
- Security — login anomaly detection, fraud prevention, rate limiting (legal basis: legitimate interest).
- Communication — account verification emails, password reset, security alerts (legal basis: contract performance / legitimate interest).
- Identity verification — face matching for verified badge (legal basis: consent).
We do not sell your personal data. We do not use your data for advertising or profiling. We do not share your data with data brokers.
5. Third-Party Services
We use a limited number of third-party services to operate the platform. Each receives only the minimum data necessary:
- Cloud hosting (Google Cloud Platform) — our servers run on Google Cloud Run in the EU (europe-west1). Google processes requests on our behalf under a data processing agreement.
- Image storage (Cloudflare R2) — profile photos and uploaded images are stored on Cloudflare R2. Cloudflare acts as a data processor.
- Image moderation (AWS Rekognition) — uploaded images may be scanned by AWS Rekognition for content moderation (detecting inappropriate content). Only image data is sent; no personally identifying information is included.
- Email (Resend) — we use Resend to deliver transactional emails (verification, password reset, security alerts). Your email address is shared with Resend for this purpose.
- Database (Neon) — our database is hosted on Neon (PostgreSQL) in the EU (eu-central-1). Neon acts as a data processor.
We do not use any analytics, advertising, or tracking SDKs in the mobile app.
6. Data Retention
- Account data — retained until you delete your account.
- Location data — automatically expires after 5 minutes. Never persisted.
- Login history — retained for 90 days, then automatically deleted.
- Notifications — read notifications are deleted after 30 days.
- Face verification data — retained (encrypted) until you delete your account or request removal.
- Reports & moderation actions — retained for safety and legal compliance purposes.
- Deleted images — removed from storage within 24 hours of deletion.
7. Your Rights (GDPR)
Under the General Data Protection Regulation and similar laws, you have the following rights:
- Right of access — you can request a copy of all personal data we hold about you. Use the "Export my data" feature in the app or contact us.
- Right to rectification — you can update your profile and account information at any time through the app.
- Right to erasure — you can delete your account at any time from within the app. This permanently removes all your data from our systems, including images from storage and location data from cache.
- Right to restriction — you can deactivate your profile to stop appearing in discovery without deleting your account.
- Right to data portability — you can export your data in a machine-readable format (JSON).
- Right to object — you can object to processing based on legitimate interest by contacting us.
- Right to withdraw consent — where processing is based on consent (e.g. face verification), you can withdraw consent at any time.
To exercise any of these rights, contact us at support@ayarel.me. We will respond within 30 days.
8. Data Security
We protect your data with industry-standard measures:
- All data is encrypted in transit (TLS/HTTPS) and at rest (database-level and storage-level encryption).
- Face verification embeddings are additionally encrypted with application-level encryption.
- Passwords are hashed with bcrypt (one-way, irreversible).
- IP addresses in login history are hashed (cannot be reversed).
- Location data is never written to disk — it exists only in volatile memory with automatic expiry.
- We enforce rate limiting, brute-force protection, and suspicious login detection.
- API access requires authentication. Other users never see your real user ID — we use anonymised discovery tokens.
9. International Data Transfers
Our primary infrastructure is located in the European Union (Germany and Belgium). Some data may be processed by third-party services with servers outside the EU (e.g. AWS Rekognition for image moderation). In such cases, appropriate safeguards are in place, including Standard Contractual Clauses.
10. Children's Privacy
Ayarel is strictly for users aged 18 and over. We enforce age verification at registration. If we discover that a user under 18 has created an account, we will immediately delete it and all associated data.
11. Cookies
The Ayarel mobile app does not use cookies. Our web application uses a single secure, HTTP-only cookie for authentication (refresh token). We do not use any tracking, analytics, or advertising cookies.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or an in-app notification. Your continued use of the service after changes constitutes acceptance of the updated policy.
13. Contact & Complaints
If you have questions about this Privacy Policy or wish to exercise your rights, contact us at support@ayarel.me.
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.