Who we are
Aurino is a dating app for gay men, built on the belief that every interaction should leave you feeling more human, not less. We take your privacy seriously — not because the law requires it, but because trust is the foundation this app is built on.
The data controller responsible for your personal data is Aurino. You can reach us at privacy@aurino.app.
This policy applies to all users of the Aurino application and website. By creating an account, you acknowledge that you have read and understood this policy.
What data we collect
We collect only what is necessary to provide and improve the service:
- Account data: email address, hashed password, username, and the date your account was created.
- Profile data: display name, biography, values, intentions, what you are looking for, communication style, pace preference, and discovery mode preferences.
- Photos: a single profile photo you upload, and any photos shared within conversations (subject to your consent settings).
- Messages: the content of messages you exchange with other users, including text, voice notes, and photos.
- Check-in responses: your responses to wellbeing check-ins, date reviews, relationship check-ins, and recovery reflections. These are stored privately and never shared with other users.
- Interaction data: swipe decisions (pass or interested) and match records, which are necessary to operate discovery and matching.
- Conduct data: reports you submit or that are submitted about your account, and any conduct warnings issued.
- Technical data: IP address, browser type, operating system, and access logs. This data is retained for 90 days.
We do not collect your precise location, contacts, or any data from third-party apps. We do not track you across other websites.
Why we collect it and our legal basis
Under GDPR, we rely on the following legal bases:
- Contract performance (Art. 6(1)(b) GDPR): Account data, profile data, messages, and interaction data are processed to provide you with the Aurino service you have signed up for.
- Legitimate interests (Art. 6(1)(f) GDPR): Technical logs and safety data are processed to protect the security and integrity of the platform and its users.
- Consent (Art. 6(1)(a) GDPR): Check-in responses and recovery reflections are processed with your explicit consent, given through your active participation in these features. You can withdraw consent at any time by deleting your responses or your account.
- Legal obligation (Art. 6(1)(c) GDPR): We may retain certain data where required to comply with applicable law.
How long we keep your data
- Account and profile data: Retained until you delete your account. Deletion is permanent and processed within 30 days of your request.
- Messages and conversation history: Retained until you delete your account. When a match is closed, messages remain accessible to both participants until one deletes their account.
- Check-in responses and reflections: Retained until you delete your account. These are never shared with other users.
- Technical access logs: Automatically deleted after 90 days.
- Conduct reports: Retained for up to 3 years to protect the safety of the community, even after account deletion, where required by legitimate interests.
- Backup copies: May persist for up to 30 days after deletion in encrypted backups, after which they are permanently removed.
Your rights under GDPR
If you are based in the European Economic Area, you have the following rights:
- Right of access (Art. 15): You can request a copy of all personal data we hold about you. You can download your data directly from Settings → Privacy → Download my data.
- Right to rectification (Art. 16): You can correct inaccurate personal data at any time by editing your profile in the app.
- Right to erasure (Art. 17): You can permanently delete your account and all associated data from Settings → Privacy → Delete account.
- Right to data portability (Art. 20): You can export your data in a machine-readable JSON format from Settings → Privacy → Download my data.
- Right to object (Art. 21): You can object to processing based on legitimate interests. Contact us at privacy@aurino.app.
- Right to restriction (Art. 18): You can request that we restrict processing of your data in certain circumstances.
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
You also have the right to lodge a complaint with your national data protection authority. In Germany, this is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI).
How to exercise your rights
Most rights can be exercised directly within the app — profile editing, data download, and account deletion are all available in Settings.
For requests that cannot be completed in-app (objection to processing, restriction requests, complaints), contact us at privacy@aurino.app. We will respond within 30 days. Identity verification may be required before we can action your request.
Who we share data with
We do not sell your personal data. We do not use your data for advertising. We do not share your data with third parties for their own marketing purposes.
We share data only with the following categories of processors, under binding data processing agreements:
- Supabase Inc.: Our primary data processor, providing database, authentication, and storage infrastructure. Data is stored on EU-region servers (Frankfurt, Germany). Supabase processes data under a Data Processing Agreement compliant with GDPR Chapter V.
- Vercel Inc.: Our hosting provider. Application code runs on Vercel's edge infrastructure. We have a Data Processing Agreement in place with Vercel.
- Anthropic PBC: We use the Claude API to generate conversation starters, assess intention alignment, and generate recovery prompts. Text content from your profile (bio, values, intention) may be sent to the Claude API for these features. Anthropic does not use your data to train their models under our enterprise agreement.
We may disclose data if required by law, court order, or to protect the safety of users in emergency situations.
How we protect your data
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Passwords are never stored — only cryptographic hashes via Supabase Auth. Database access is controlled by Row Level Security policies ensuring users can only access their own data.
Profile photos and voice notes are stored in access-controlled Supabase Storage buckets. Direct URLs are not publicly guessable.
If we become aware of a data breach that affects your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours, as required by Art. 33–34 GDPR.
Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify you via email or an in-app notice at least 14 days before the changes take effect.
Continued use of Aurino after a policy update constitutes acceptance of the updated policy.
Contact
For any questions, concerns, or requests regarding your personal data, please contact our privacy team:
- Email: privacy@aurino.app
- Response time: We aim to respond within 5 business days, and will always respond within 30 days as required by GDPR.