Privacy Policy

1. Who We Are

Qrious Technologies Inc. is a Delaware C-Corporation headquartered at 251 Little Falls Drive, Wilmington, DE 19808, USA. We operate the QRIOUS mobile application, the qrious.social website, and related services.

For privacy-related inquiries, contact us at privacy@qrious.social.

2. What This Policy Covers

This policy applies to both the QRIOUS mobile application and the qrious.social website (collectively, the “Service”). qrious.social is the public home for our app: it carries the same privacy practices and is the canonical place for app-related legal documents.

It applies to all users of the Service regardless of location, though additional rights may apply depending on your jurisdiction (see Your Rights below).

3. Age Requirement

QRIOUS is designed for users aged 18 and older. We do not knowingly collect personal information from anyone under 18. If we become aware that a user is under 18, we will promptly delete their account and associated data. If you believe a minor has provided us with personal information, please contact us at privacy@qrious.social.

4. What We Collect

Account Information

When you create an account, we collect your email address, phone number, name, date of birth, and gender. This information is required to provide the Service and verify your eligibility.

Profile Content

You choose what to share in your profile. This includes photos, biographical text, and persona details you create for each of QRIOUS’s seven contexts (Romance, Community, Career, Adventure, Learn, Create, and Family). Each persona is independently configured by you.

Location Data

We collect location data to power matching, discovery, and venue recommendations. Location is collected while the app is in active use. Background location tracking is not enabled unless you explicitly opt in through your device settings. You can revoke location permissions at any time.

Meeting Data

QRIOUS uses QR code confirmations (IRL Bridge) to verify in-person meetings between users. We collect meeting confirmation data (timestamps and participating users) to calculate trust tiers and improve match quality.

Device & Technical Information

We automatically collect device identifiers, operating system version, app version, IP address, and crash and diagnostic logs. This data helps us maintain, troubleshoot, and improve the Service.

Usage Data

We collect information about how you interact with the Service: feature usage patterns, context switches, matching interactions, and session data. This data is used for analytics and product improvement.

Communications

Messages you send to other users through the Service are stored to deliver them and provide message history. Support requests and communications with our team are also retained.

Payment Information

If you make purchases through the Service, payment transactions are processed by Apple, Google, or Stripe. We never see or store your credit card number, expiry date, or full payment credentials. We receive limited transaction information from our payment processors (confirmation of payment, subscription tier, renewal date, platform of purchase).

5. What We Don’t Collect

Some things we have deliberately chosen not to collect or store:

• Your card number. Payments run through Apple, Google, or Stripe. We never see the card itself, only confirmation that a purchase happened.
• Your contacts, calendar, or full photo library. We do not import your contact list, read your calendar, or scan your photo library. The only photos that reach us are the ones you explicitly choose to upload to your profile.
• Biometric data. We never receive your Face ID or fingerprint. Device biometrics stay on your device and unlock the app locally. They are never transmitted to us.
• Health or fitness data. We do not request or read Apple Health, Google Fit, HealthKit, or any health data store on your device.
• Cross-app browsing or advertising IDs. We do not use the iOS Advertising Identifier (IDFA) or Android Advertising ID for cross-app tracking. We do not sell or share personal data with ad networks.
• Your message content for advertising. We do not analyze the content of your conversations to target ads or build a profile of your interests for advertisers.

6. How We Use Your Information

• Matching & Discovery: To connect you with other users across QRIOUS’s contexts based on your personas, preferences, and location.
• Trust Tier Calculation: To determine trust levels from confirmed in-person meetings via IRL Bridge, improving the quality and safety of connections.
• Venue Recommendations: To suggest relevant places and venues based on your location and preferences.
• Safety & Moderation: To detect and prevent fraud, abuse, harassment, and other violations of our terms of service.
• Analytics & Improvement: To understand how the Service is used and to improve features, performance, and user experience.
• Communications: To send you service-related notifications, respond to support requests, and deliver updates about the Service.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests.

7. Legal Basis for Processing (GDPR)

For users in the European Economic Area, United Kingdom, and other jurisdictions that require a legal basis for processing personal data, we rely on the following:

• Consent (Art. 6(1)(a)): You give consent when creating your account and when opting into optional features such as background location tracking or specific data sharing.
• Contractual Necessity (Art. 6(1)(b)): Processing required to provide the Service you have requested: account management, matching, messaging, and venue recommendations.
• Legitimate Interest (Art. 6(1)(f)): Processing necessary for our legitimate interests, including platform safety, fraud prevention, abuse detection, and service analytics, where those interests are not overridden by your rights.
• Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, including responses to valid legal requests from law enforcement or regulatory authorities.

8. Services We Use

We are honest about who else touches your data. Each provider below has a specific job, receives only what it needs, and is bound by a data processing agreement that prohibits using your data for any other purpose.

• Supabase: database, authentication, file storage. Stores your account, profile data, photos, and message content. Our Supabase project is hosted on AWS us-east-1 (Northern Virginia, United States).
• Firebase Cloud Messaging (Google): push notifications. Delivers push notifications to your device. Receives a device token, the notification payload, and timing metadata. Operated by Google on Google Cloud infrastructure.
• PostHog: product analytics. Records anonymized usage events to help us understand which features are used and where users get stuck. We do not send PostHog your message content, photos, or profile details.
• Sentry: crash and error reporting. When the app crashes or hits an unexpected error, Sentry receives a stack trace, app state, and device info (OS version, model, app version) to help us diagnose the bug. We scrub personal data (emails, message content, profile fields) from error reports before sending. Sentry is hosted in the United States.
• RevenueCat: subscription management. Manages your Flash, Glow, and Aura subscription state across iOS, Android, and the web. Receives an anonymized user ID, your subscription tier, renewal date, and platform of purchase. Never receives your payment card number. That stays with Apple, Google, or Stripe. RevenueCat is hosted in the United States.
• Apple App Store, Google Play, Stripe: payment processing. All purchases run through one of these three. They handle the card number, billing address, and tax. We receive only a confirmation that the purchase succeeded, the tier purchased, and the renewal date.
• Nominatim (OpenStreetMap): location lookups. Resolves coordinates into human-readable place names. Receives only an anonymized request with the coordinates.
• Google Places API: venue data. Used to surface bars, restaurants, and other venues in the Places feature. Receives only the location query, not your account or identity.
• Klipy: GIF library. Provides the GIF picker inside chat. Receives the search term you type, not your account or message context.
• Brevo: transactional email. Sends transactional emails (account confirmation, password reset, important notices). Receives your email address and the email content. Operated by Sendinblue SAS in France. Legal basis: Art. 6(1)(b) contractual necessity.
• Brevo: marketing list signup. When you sign up on qrious.social to receive launch updates, we add your email to a Brevo marketing list using a double opt-in confirmation. Legal basis: Art. 6(1)(a) consent. You can unsubscribe at any time from any email.
• AWS Amplify (Amazon Web Services): website hosting. qrious.social is hosted on AWS Amplify in the ap-southeast-1 region (Singapore). Receives only what is needed to serve the site: request URL, IP address, user agent. Legal basis: Art. 6(1)(f) legitimate interest in delivering and securing our website.
• Cloudflare: content delivery network. We use Cloudflare, Inc. (US) as a CDN in front of our website hosting for static asset delivery, edge routing, and DDoS protection. Cloudflare sees the request URL, your IP address, and standard request headers, but does not have access to your account or message content. Legal basis: Art. 6(1)(f) legitimate interest in delivering and securing the website.
• Sub-processor changes. When we add, remove, or replace a sub-processor that handles personal data, we update this list. Where required, we will give EU/UK customers reasonable advance notice.

9. Where Your Data Lives

Qrious Technologies Inc. is based in the United States, but the Service runs on infrastructure in multiple regions. Our primary data centers are in the European Union (Frankfurt) and in the Asia-Pacific region (Singapore), with some providers operating in the United States.

For users in the European Economic Area, United Kingdom, and Switzerland, we ensure that international transfers of personal data are conducted in compliance with applicable data protection laws, using appropriate safeguards: the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (IDTA), and (for transfers to the United States) reliance on providers self-certified under the EU-U.S. Data Privacy Framework (DPF) and its UK and Swiss extensions where available. Additional technical and organizational measures are applied where required.

10. Your Rights

EEA, UK, and Switzerland (GDPR & UK GDPR)

Depending on your jurisdiction, you have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete personal data.
• Erasure: Request deletion of your personal data, subject to legal retention requirements.
• Portability: Request your data in a structured, commonly used, machine-readable format.
• Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• Object to Processing: Object to processing based on legitimate interests, including profiling.
• Restrict Processing: Request that we limit the processing of your data in certain circumstances.
• Automated decisions: Not be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you (Art. 22). See section 11 below for how this applies to QRIOUS.
• Lodge a Complaint: File a complaint with your local data protection authority. UK users may contact the Information Commissioner’s Office (ICO) at ico.org.uk.

California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act gives you additional rights:

• Categories collected: Identifiers, account details, geolocation, internet activity, and inferences drawn from the above.
• Sources: Directly from you, automatically from your device, and from our service providers listed above.
• Purposes: To operate the Service, communicate with you, protect against fraud and abuse, and comply with the law.
• Recipients: Only the service providers listed in section 8. We do not sell or share personal information for cross-context behavioral advertising.
• Your rights: Right to know, right to delete, right to correct, right to opt-out of sale or sharing (we do not sell), right to non-discrimination for exercising these rights.
• Sensitive personal information (Cal. Civ. Code §1798.121): We process precise geolocation and inferences about your romance-context preferences. You have the right to limit our use of this sensitive personal information to what is necessary to provide the Service. Email privacy@qrious.social with subject line “Limit SPI” to exercise this right.
• 12-month lookback (§1798.130(a)(5)): The categories of personal information described above reflect what we have collected, used, and disclosed for a business purpose in the twelve months preceding the effective date of this policy. We have not sold or shared personal information for cross-context behavioral advertising in that period.
• Global Privacy Control (GPC): We treat a Global Privacy Control signal from your browser as a valid request to opt out of any sale or sharing of personal information for cross-context behavioral advertising, in line with the California Attorney General's guidance. We do not currently sell or share, but the signal is recorded against your session.

To exercise any of these rights, email privacy@qrious.social. We will respond within 30 days.

11. Special Category Data & Automated Decisions

Special Category Data (GDPR Art. 9)

QRIOUS includes a Romance context. Your decision to share content in this context may, by inference, reveal information about your sexual orientation, which is considered special category data under Article 9 of the GDPR. We process this data only on the basis of your explicit consent under Art. 9(2)(a). That consent is collected through a dedicated in-app ceremony when you first activate the Romance persona: the screen explains what is being inferred, why we ask, and that you can withdraw consent at any time by deactivating the Romance persona or deleting your account. Without that consent, the Romance context simply does not turn on.

Automated Decision-Making (GDPR Art. 22)

We do not make solely automated decisions that produce legal or similarly significant effects on you. Two systems use algorithms in a decision-support role: (a) our Trust Tier score, which is computed from confirmed IRL Bridge meetings and a small set of behavioral signals, and (b) our match ranking, which suggests potential connections within a context. Both can be reviewed by a human on request. Account moderation actions (warnings, suspensions, bans) are reviewed by a human before they become permanent. You can request human review of any decision that affects you by emailing privacy@qrious.social.

12. Data Retention

• Active Accounts: We retain your data for as long as your account is active and as needed to provide the Service.
• Deleted Accounts: When you delete your account, we delete your profile data, personas, and matches within 30 days. Some data may be retained longer where required by law or for legitimate safety purposes (e.g., records related to abuse reports).
• Messages: Messages are deleted when both participants have deleted their accounts. If only one participant deletes their account, the remaining user retains access to the conversation.
• Anonymized Data: Aggregated, anonymized data that cannot be used to identify you may be retained indefinitely for analytics and product improvement.

13. Data Security

We implement industry-standard security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

• Encryption of data in transit (TLS) and at rest.
• Access controls and authentication for internal systems.
• Regular security assessments and monitoring.
• Incident response procedures for potential data breaches.

No method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any incidents.

Personal data breaches: where we are required to notify a supervisory authority under Article 33 GDPR, we will do so without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users without undue delay under Article 34, describing the nature of the breach, likely consequences, measures taken, and a contact point for further information. Equivalent notifications are made under UK GDPR, PDPA Thailand, and California Civ. Code § 1798.82 where those laws apply.

14. Cookies & Local Storage (Website Only)

This section applies to the qrious.social website. The QRIOUS mobile application does not use cookies. On first visit you see a consent banner with three buttons (Accept all, Reject all, Customize). Your choice is stored in your browser only and can be changed at any time through “Manage cookies” in the footer.

What runs today on qrious.social:

All four are strictly necessary for the site to work. No analytics or marketing cookies are set today. When a provider is added, it will only load if you have given consent.

Consent categories shown in the banner:

• Strictly necessary: Required for the site to function (the four shown above). These cannot be disabled.
• Analytics, off by default: Would let us understand which pages load and which break. No analytics provider is installed today.
• Marketing, off by default: Would let us measure the effect of campaigns. No marketing scripts run today.
• No advertising cookies, no cross-site tracking. We do not run third-party ad cookies and do not allow cross-site behavioral tracking. This is independent of the choice above.

Where required by law (EEA, UK), we ask for your consent before setting non-essential cookies and we do not assume consent from continued browsing. You can withdraw consent at any time from the “Manage cookies” link in the footer.

15. EU Representative (GDPR Art. 27)

As a company established outside the European Union but offering the Service to people in the EU, we have designated a representative under Article 27 of the GDPR. EU data subjects and supervisory authorities can address our representative on all matters relating to the processing of personal data.

Representative: Pablo Daniel Oba

Address: Berlin, Germany

Email: dpo@qrious.social

16. Contact

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, contact us at:

Privacy inquiries: privacy@qrious.social

Mail: Qrious Technologies Inc., 251 Little Falls Drive, Wilmington, DE 19808, USA

17. Thailand (PDPA)

If you access the Service from Thailand, the Personal Data Protection Act B.E. 2562 (2019) applies in addition to the rights listed above. The Thai-language version of this policy will follow; in the meantime, this section summarizes the rights and bases applicable to users in Thailand.

• Legal basis (Secs. 24 and 26). We process personal data on the basis of your consent, contractual necessity, our legitimate interest, or another lawful basis recognized under the PDPA.
• Your rights. You may request access, correction, deletion, restriction or objection to processing, data portability, and withdrawal of consent. You may lodge a complaint with the Personal Data Protection Committee (PDPC) of Thailand.
• Cross-border transfers (Sec. 28). We transfer personal data to providers in the United States, Singapore, and the European Union. Transfers rely on adequacy, your consent, contractual necessity, or appropriate safeguards as permitted under Section 28 PDPA.
• Sensitive personal data (Sec. 26). Information that may be inferred about your sexual orientation through your Romance persona is processed only on the basis of your explicit consent.

Privacy contact: privacy@qrious.social