Privacy Policy

Last updated: March 1, 2026

1. Introduction

touch irl, LLC ("Touch?", "we", "us") values your privacy. This Policy describes how we collect, use, store, and protect your personal data when you use the Touch? application and related services.

This Policy has been prepared in compliance with the California Consumer Privacy Act (CCPA/CPRA), the Children's Online Privacy Protection Act (COPPA), the General Data Protection Regulation (GDPR), Brazil's General Data Protection Law (LGPD), and other applicable legislation.

2. Data Controller

Company: touch irl, LLC
Jurisdiction: Delaware, United States
Email: privacy@touchirl.com
Website: touch-irl.com

3. Data We Collect

3.1. Data you provide

Data	Purpose	Legal basis
Nickname	Anonymous identification	Contract performance
Email	Authentication, communication	Contract performance
Date of birth	Age verification (18+), zodiac	Legal obligation
Profile photo	Personalization (optional)	Consent
Real name, Instagram, phone	Reveal feature (optional)	Consent

3.2. Data collected automatically

Data	Purpose	Legal basis
GPS location	Proximity and events	Consent
Ultrasonic audio	Proximity detection (processed locally)	Consent
Device data	Compatibility, security	Legitimate interest
Connection history	App functionality	Contract performance
Chat messages	User communication	Contract performance

3.3. Sensitive data (biometric)

Facial verification (selfie): Used optionally for identity verification. The image is stored securely and you may request its deletion at any time. This data is considered sensitive under GDPR, LGPD, and CCPA/CPRA, and requires specific consent.

4. How We Use Your Data

Provide and maintain the Touch? service
Verify you meet the minimum age requirement (18 years)
Detect proximity between users via ultrasound
Process payments (via Stripe)
Calculate astrological compatibility (based on date of birth)
Prevent fraud and abuse
Send service-related communications (never spam)
Improve the service with anonymized data

5. Data Sharing

We do not sell your personal data.

We share data only with:

Payment processors: Stripe -- only data necessary for the transaction
Infrastructure providers: Google Cloud/Firebase (storage), Render.com (hosting), Cloudflare (CDN/security)
AI providers: OpenAI and Anthropic -- for AI agent features within the app (anonymized data)
Other users: Only data you voluntarily choose to share (reveal feature)
Authorities: When required by law or court order

6. Data Retention

Data type	Retention period
Account data	While account is active + 30 days after deletion
Chat messages	24 hours (expire automatically with the connection)
Connection history	While account is active
Payment data	5 years (tax obligation)
Verification selfie	Until deletion request or account termination
Security logs	90 days

7. Your Rights (All Users)

Depending on your jurisdiction, you have the following rights:

Access: Know what data we have about you and obtain a copy
Correction: Correct incomplete or inaccurate data
Deletion: Request deletion of your personal data
Portability: Receive your data in a structured format
Withdraw consent: Withdraw consent at any time
Object: Object to processing based on legitimate interest
Non-discrimination: Not be discriminated against for exercising your rights

To exercise any right, email privacy@touchirl.com. We will respond within 15 business days (or as required by applicable law).

8. California Residents (CCPA/CPRA)

If you are a California resident, you have the right to: know what personal information we collect, request deletion of your data, not be discriminated against for exercising your rights, and opt out of the sale of your personal information. We do not sell personal information.

To exercise your rights, email privacy@touchirl.com with the subject "CCPA Request".

9. Protection of Minors

Touch? is intended exclusively for users aged 18 and older. We do not knowingly collect data from anyone under 18. If we identify that a minor is using the service, the account will be terminated and data deleted within 72 hours.

Parents or guardians who believe a minor has provided data to Touch? may contact us at safety@touchirl.com for immediate deletion.

10. Security

We implement technical and organizational measures to protect your data, including:

Encryption in transit (HTTPS/TLS)
Security headers (Helmet.js: CSP, HSTS, X-Frame-Options)
Rate limiting on sensitive endpoints
Authentication on all API endpoints
Payment processing through PCI-DSS certified providers
Ultrasonic audio processed locally (not transmitted to servers)

No system is 100% secure. In case of a security incident, we will notify affected users and competent authorities as required by law.

11. Cookies and Local Storage

Touch? uses browser localStorage to maintain your session and preferences. We do not use third-party tracking cookies. Locally stored data includes: session ID, language preferences, app settings.

12. Changes to This Policy

This Policy may be updated periodically. Significant changes will be communicated within the App. The last update date will always be indicated at the top of this document.

13. Contact

For privacy questions, exercising rights, or complaints:

Email: privacy@touchirl.com
Company: touch irl, LLC (Delaware, USA)