Privacy Policy

1. About this policy

GraceMeet ("GraceMeet", "we", "us", or "our") is committed to protecting your personal data. This privacy policy explains how we collect, use, share, and safeguard information about you when you use our matchmaking service (the "Service").

We process personal data in accordance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

2. Data controller

The data controller for personal data processed via the Service is GraceMeet Ltd, a private limited company registered in England and Wales (company number 17192031), with registered office at Hoxton Mix Ltd, 66 Paul Street, London EC2A 4NA.

GraceMeet Ltd is registered with the UK Information Commissioner's Office (ICO) as a data controller. Registration reference: ZC144781.

Contact for data protection matters: gracemeetapp@gmail.com.

3. Personal data we collect

Information you provide

• Account information: email address, full name, date of birth, gender, gender you are seeking, city, country.
• Profile information: occupation, denomination, church attendance, faith values, marriage vision, dealbreakers, hobbies, communication style, love language, lifestyle preferences, children preferences, spiritual leadership view.
• Heart answers: free-text responses to onboarding questions about faith, family vision, conflict, growth, hopes for a partner, and what has carried you through hardship.
• Photos: profile photos (up to 6) and verification selfies.
• Voice intro (optional): a short audio recording (up to 60 seconds) that you can record in-app. It forms part of your profile and is played to people you are suggested to as a potential match, so they can hear you before deciding whether to connect. You can delete it any time.
• Messages: content of messages you send to other users via the Service.
• Match feedback: which matches you accepted or passed on, and reasons given for passing.

Information collected automatically

• Authentication tokens to keep you signed in.
• Last-seen timestamp to identify inactive accounts.
• Verification attempt timestamps and outcomes.

Information from third parties

We do not purchase or receive personal data from third parties.

4. How we use your personal data

We process your personal data for the following purposes:

Purpose	Legal basis
Providing the matching service (including AI-powered match generation)	Performance of contract
Verifying your identity and preventing fraud	Legitimate interests; legal obligation
Sending service-related emails (matches, messages, account)	Performance of contract
Processing subscription payments	Performance of contract
Investigating reports and moderating the platform	Legitimate interests; legal obligation
Improving our matching algorithm via aggregate analysis	Legitimate interests
Complying with legal obligations	Legal obligation

5. How the AI matching works (transparency)

GraceMeet uses artificial intelligence — specifically, large language models provided by Anthropic (Claude) — to recommend potential matches. We believe you have a right to understand how this works.

What the AI considers

When generating a weekly batch of match recommendations for you, the AI is given the following information about you and each candidate from the pool of eligible users:

• Faith alignment: denomination, church attendance frequency, prayer life, spiritual practices, theological views (e.g. spiritual leadership in marriage), favourite scripture, the heart-question answers you provide during onboarding.
• Values: the faith-values you select, your view on marriage, your view on children, your dealbreakers, your marriage vision.
• Life stage: age, location (city and country), occupation, lifestyle, life-stage match (e.g. someone seeking marriage soon vs. seeking marriage eventually).
• Personality: love language, communication style, hobbies and interests.
• Your past feedback: if you've previously passed on candidates and given reasons (e.g. "different faith depth," "location too far"), those reasons inform future recommendations specifically for you.
• Aggregated learned patterns: patterns from anonymised outcome data across our wider userbase about what predicts flourishing relationships (e.g. if "same denomination" correlates strongly with successful matches in our data, the AI weights this more heavily).

What the AI does NOT do

• It does not pre-screen you based on attractiveness, photos, or appearance.
• It does not consider your political views, ethnic background, or financial information (we do not collect these for matching).
• It does not contact anyone, message anyone, or take any action on your behalf.
• It does not decide whether you can use the Service or access any feature.
• It does not memorise individual users — it processes information at the time of matching and is given fresh context each run.

Hard safety filters applied before the AI sees candidates

Before the AI is ever shown a candidate's profile, we apply hard filters at the database level to exclude:

• Anyone whose age differs from yours by more than 15 years.
• Anyone under 18 (we do not knowingly process data of minors).
• Anyone outside your selected gender preference, or who has not selected you in theirs.
• Anyone whose account is deleted or suspended.
• Anyone you have previously been matched with.

If the candidate pool contains nobody who passes these filters, you simply receive zero matches that week. The AI is explicitly instructed that returning zero matches is preferable to suggesting a weak match.

You make the final decision

The AI recommends; you decide. No conversation begins until both parties have independently accepted a match. You can pass on any recommendation for any reason, without explanation. The AI's role is to suggest people you might find compatible — not to determine who you should be with. This means our matching does not produce "solely automated decisions" under Article 22 of UK GDPR, because there is always a human (you) in the loop.

Your rights

You always have the right to:

• Decline any match recommendation without explanation.
• Provide feedback that influences your future recommendations (via the "pass reason" prompts or free-text notes).
• Request human review: if you have concerns about how the AI has matched you, or believe a recommendation was unfair or inappropriate, email gracemeetapp@gmail.com and a human (currently the founder, Raymond Twum-Barima) will personally review and respond.
• Withdraw from AI training: see Section 6 below for how your data is or is not used to improve the AI.

The model we use

As of this policy's date, matching uses Claude Sonnet 4.5, an AI model produced by Anthropic. We may update the model in future as better versions become available. Any change will be reflected in this policy. Claude is operated under Anthropic's Acceptable Use Policy and Usage Policies — we are a customer of Anthropic, not the developer of the underlying model.

6. Training of AI models (optional consent)

We may use your profile data, heart answers, match decisions, conversation patterns, and (where applicable) relationship outcomes to train and improve our AI matching models. This may include fine-tuning open-source language models on our dataset to produce successor versions of the matching system.

This is strictly optional. We will only use your data for AI training purposes if you have given explicit, separate consent — either by ticking the dedicated "Help us improve" checkbox at sign-up, or by enabling the corresponding toggle in your account's privacy settings.

If you do not consent:

• Your data will not be used for training future models;
• Logs of AI matching decisions involving your data are automatically deleted within 30 days of generation;
• Your experience of the Service is not affected in any way.

If you do consent:

• Your data will be anonymised before training — direct identifiers (name, email, photos, contact details) are removed;
• Trained models are designed not to memorise individual users — they learn statistical patterns, not personal details;
• We will not sell or share training data with third parties unrelated to model development;
• You may withdraw consent at any time from your privacy settings. Withdrawal is processed within 30 days. Models that have already been trained on your data cannot be retroactively "untrained" — but no further training will use your data.

This consent is recorded with a timestamp and version, so we have a clear record of what you agreed to and when.

7. Sharing your personal data

Visible to other users

Your name, photos, age, city, denomination, occupation, faith values, hobbies, and selected profile fields are visible to users with whom you are matched. Once a mutual match occurs, conversation messages are exchanged directly between you.

Service providers (data processors)

• Supabase Inc. (United States) — database hosting, authentication, file storage. Processes profile and conversation data.
• Anthropic, PBC (United States) — AI matching and identity verification analysis. Receives profile summaries for matching purposes; receives selfie and profile photo for verification.
• Resend, Inc. (United States) — email delivery. Receives email address and message content for transactional emails.
• Netlify, Inc. (United States) — frontend hosting.

All processors are bound by data processing agreements requiring UK GDPR-equivalent protections. International transfers to the United States rely on appropriate safeguards including Standard Contractual Clauses.

Other disclosures

We may disclose your personal data:

• To comply with legal obligations, court orders, or regulatory requests;
• To protect our rights, property, or safety, or that of our users or others;
• In connection with a merger, acquisition, or sale of assets.

We do not sell your personal data.

8. Photo and selfie processing

• Profile photos are stored in our public storage and visible to matched users.
• Verification selfies are stored in private storage, analysed by AI to confirm your identity, and automatically deleted after a verification decision is made (or within 30 days at the latest).

9. Retention

We retain your personal data for as long as your account is active.

Account inactivity policy

Inactive accounts are progressively wound down in line with the UK GDPR storage-limitation principle (Article 5(1)(e)). The thresholds are:

• 60 days inactive: your profile is hidden from new match recommendations. You will receive a gentle "still looking?" email. Simply logging back in fully reactivates your account.
• 90 days inactive: you will receive a final warning email letting you know your account will be deleted in 30 days unless you log back in. Account-management emails of this nature are essential and are sent regardless of your email-preference settings.
• 120 days inactive: your account enters the standard 14-day soft-deletion grace window. Logging in during those 14 days restores your account fully.
• 134 days inactive: if you have not returned, your account is permanently deleted as described below.

You can step away from GraceMeet at any time without triggering the inactivity timers by using the Pause my account option in Settings. Paused accounts are hidden from matching, receive no automatic emails, and are retained indefinitely until you choose to resume.

When you delete your account (or it is auto-deleted after inactivity)

• Profile data, photos, voice intro, faith details, interests, preferences, and matches are deleted from production within 14 days of soft-deletion;
• Conversation messages are retained for up to 90 days for safety/abuse investigation, then permanently deleted;
• Aggregate, anonymised data may be retained indefinitely for service improvement (and only if you previously consented to AI training — see Section 6);
• Database backups are overwritten on a rolling 7-day window;
• We may retain certain information longer if required by law (e.g., financial records, breach records).

10. Your rights

Under UK GDPR, you have the right to:

• Access the personal data we hold about you;
• Rectify inaccurate personal data;
• Erase your personal data ("right to be forgotten");
• Restrict processing of your personal data;
• Data portability — receive your data in a structured, machine-readable format;
• Object to processing based on legitimate interests;
• Withdraw consent where processing is based on consent;
• Lodge a complaint with the Information Commissioner's Office (ico.org.uk).

To exercise any of these rights, contact us at gracemeetapp@gmail.com. We will respond within one calendar month.

11. Security

We take security seriously and implement appropriate technical and organisational measures, including:

• Encryption in transit: all traffic between your device and our service uses HTTPS / TLS 1.3.
• Encryption at rest: our database (operated by Supabase) encrypts all stored data using AES-256.
• Access controls: row-level security policies on every database table ensure users can only access their own data; only authorised admins (currently the founder) can access aggregate data.
• Authentication: email confirmation required at signup, leaked-password protection enabled, and identity verification (selfie comparison) for every user.
• Daily backups: the database is backed up nightly by our infrastructure provider.
• Limited data retention: AI match-generation logs are automatically deleted within 30 days for users who have not consented to AI training (see Section 6).

However, no method of transmission or storage is completely secure. You are responsible for keeping your password confidential. In the unlikely event of a data breach affecting your personal data, we will notify you and the UK Information Commissioner's Office within 72 hours of becoming aware, as required by UK GDPR Article 33.

12. Cookies and similar technologies

We use only strictly necessary cookies — the minimum required for the Service to function. Specifically:

• Authentication cookies: set by our backend provider (Supabase) to keep you logged in across page loads. Without these the app would not function.
• Session cookies: temporary in-browser storage used to remember your current screen and unsaved form inputs while you use the app.

We do not use:

• Advertising cookies, tracking pixels, or third-party advertising networks.
• Analytics cookies (e.g. Google Analytics, Mixpanel) — we do not currently use any analytics provider.
• Social media plug-in cookies (we do not embed Facebook, Twitter, Instagram, or similar third-party widgets).

Because we only use strictly necessary cookies, no consent banner is required under the UK Privacy and Electronic Communications Regulations (PECR). If we ever introduce analytics or non-essential cookies in the future, we will display a clear consent banner and update this policy before doing so.

You can disable or delete cookies in your browser settings, but doing so will prevent the Service from functioning correctly (specifically, you will be unable to stay logged in).

13. Children

GraceMeet is exclusively for adults aged 18 or over. We do not knowingly collect data from anyone under 18. If you believe a minor has provided personal data, contact us immediately.

14. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to your registered address at least 14 days before they take effect.

15. Contact

For privacy questions, requests, or complaints:

GraceMeet Ltd
Company number 17192031 (registered in England and Wales)
Registered office: Hoxton Mix Ltd, 66 Paul Street, London EC2A 4NA
ICO registration: ZC144781
Email: gracemeetapp@gmail.com

You also have the right to complain to the UK Information Commissioner's Office (ICO):

• Online: ico.org.uk
• Phone: 0303 123 1113
• Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF