PlayRoom Couples & Singles — Privacy Policy

This Privacy Policy describes how PlayRoom collects, uses, shares, and protects your personal data when you use the PlayRoom Couples & Singles iOS application (the "Application") and related services (the "Services"). It forms an integral part of the End User License Agreement ("EULA") available at https://playroom-v2.web.app/eula and is provided in accordance with Articles 12 to 14 of Regulation (EU) 2016/679 ("GDPR"), Lei n.º 58/2019, and Decreto-Lei n.º 7/2004.

Launch territories. PlayRoom is currently available in Portugal and Spain only.

1. Data Controller

The data controller for personal data processed through the Application is:

PlayRoom has not appointed a Data Protection Officer under Article 37 GDPR. Data-protection enquiries should be addressed to the email above.

2. Adults-Only; Children's Data

The Application is an adults-only platform and is not intended for, marketed to, or designed for use by any person under 18 years of age. PlayRoom does not knowingly collect personal data from minors. If you become aware that a minor has provided personal data to PlayRoom, contact sandro.correia.dev@gmail.com and PlayRoom will delete the data without undue delay.

3. Categories of Personal Data Processed

PlayRoom processes the following categories of personal data:

• (a) Account data: email address, account identifier, authentication tokens, password hash;
• (b) Profile data: display name, age, gender, relationship preferences, sexual-orientation indicators, lifestyle preferences, geographic city/region, profile photographs and gallery images, public-profile fields;
• (c) User-generated content: moments-feed posts, event listings, event RSVPs, community posts, competition entries, direct messages and attachments, comments, reports submitted to moderation;
• (d) Device and technical data: device identifier, iOS version, app version, IP address (transient, for security and rate-limiting), App Check device-attestation tokens, push-notification tokens;
• (e) Usage data: timestamps of logins, sessions, posts, message events, friend-request activity, notification reads, feature use;
• (f) Moderation data: records of reports, moderation decisions, statements of reasons issued under EULA §6A, account warnings, suspensions, and terminations;
• (g) Age-assurance data (where age verification is performed by a third-party provider): a binary verification result and, where required for record-keeping, a verification reference identifier. PlayRoom does not retain document images or biometric templates;
• (h) Communications data: emails, support tickets, withdrawal notices, and complaints you send to PlayRoom.

PlayRoom does not knowingly collect government-issued identification numbers, payment-card data, precise location coordinates, biometric templates (other than as processed by an age-assurance provider on its own basis), or special-category data beyond what is covered in Section 4.

4. Special-Category Personal Data (Article 9 GDPR)

Because PlayRoom is an adults-only platform for the consensual non-monogamy / swinger / lifestyle community, your use of the Application may reveal personal data concerning your sex life or sexual orientation within the meaning of Article 9(1) GDPR.

Such data is processed only on the basis of your explicit consent under Article 9(2)(a) GDPR, obtained at onboarding separately from your acceptance of the EULA. You may withdraw consent at any time in Settings → Privacy; withdrawal does not affect the lawfulness of processing before withdrawal (Article 7(3) GDPR) and may make continued use of the Application impossible.

5. Lawful Bases for Processing (Article 6 GDPR)

PlayRoom processes personal data on the following lawful bases:

• (a) Performance of a contract (Art. 6(1)(b)) — to create and operate your account, deliver the Services, process in-app purchases (when activated), and provide customer support;
• (b) Legitimate interests (Art. 6(1)(f)) — to secure the Application, prevent fraud and abuse, conduct content moderation, detect and respond to safety threats, and improve the Services. You may object at any time under Article 21 GDPR;
• (c) Legal obligation (Art. 6(1)(c)) — to comply with tax, consumer-law, Digital Services Act, child-safety reporting, and law-enforcement obligations;
• (d) Consent (Art. 6(1)(a)) — for optional features and communications, and as the basis for processing special-category data under Article 9(2)(a);
• (e) Vital interests (Art. 6(1)(d)) — in the limited case of credible threats to life or bodily integrity.

6. Sources of Personal Data

PlayRoom collects personal data:

• (a) Directly from you when you create an account, complete your profile, upload content, send messages, submit reports, or contact support;
• (b) From your device automatically when you use the Application (device identifier, app version, App Check tokens, push-notification tokens);
• (c) From other Users when another User submits a report concerning you, sends you a message, mentions you in content, or interacts with your account;
• (d) From third-party processors acting on PlayRoom's instructions (for example, age-assurance results from a verification provider, when applicable; receipt validation results from Apple).

PlayRoom does not purchase or scrape personal data from public sources or data brokers.

7. Recipients and Processors

PlayRoom shares personal data only with the following categories of recipients, each acting under a data-processing agreement or equivalent safeguards:

• (a) Apple Inc. — App Store distribution, In-App Purchase processing (when activated), receipt issuance and refund administration. Apple acts as an independent controller for the data it collects directly from you in the App Store;
• (b) Google LLC / Firebase / Google Cloud Platform — authentication, database (Firestore), serverless functions (Cloud Functions), hosting, App Check device attestation, push notifications (Firebase Cloud Messaging);
• (c) Cloudflare, Inc. — content delivery network and edge storage (R2) for User photographs and media;
• (d) Age-assurance provider (where age verification is required by your jurisdiction of access) — acting as an independent or joint controller for document and biometric data it processes on its own basis;
• (e) Transactional email provider (when paid in-app purchases are activated) — used to send durable-medium confirmations required by Article 8(7) Directive 2011/83/EU. This processor is not engaged at this time;
• (f) Competent authorities — where PlayRoom is required by applicable law or lawful process to disclose personal data (for example, reports to the Portuguese Polícia Judiciária, DSA Article 18 reports of suspected criminal offences, court orders, subpoenas, and INHOPE / Linha Alerta referrals for child-safety reports).

PlayRoom does not sell personal data and does not engage in cross-context behavioural advertising.

8. International Transfers (Articles 44–49 GDPR)

Several recipients listed in Section 7 are established outside the European Economic Area, including in the United States. PlayRoom relies on the following safeguards for transfers outside the EEA:

• (a) Standard Contractual Clauses adopted by the European Commission under Article 46(2)(c) GDPR (Commission Implementing Decision (EU) 2021/914), incorporated into the processing agreements with each non-EEA processor;
• (b) Adequacy decisions under Article 45 GDPR where applicable (for example, the EU–U.S. Data Privacy Framework, where the recipient is certified);
• (c) Supplementary measures (encryption in transit and at rest, access controls) where appropriate.

A copy of the relevant safeguards is available on request to sandro.correia.dev@gmail.com.

9. Retention

PlayRoom retains personal data for the periods necessary to fulfil the purposes set out in this Policy, subject to the following:

• (a) Account data and profile data: retained while your account is active. On account deletion (Section 11), data is erased from active production systems within a reasonable period;
• (b) Operational backups: retained typically for up to 30 days after deletion from active systems, in accordance with PlayRoom's backup-rotation schedule;
• (c) Child-safety reports: where PlayRoom reports suspected child sexual abuse material to a competent authority or hotline, the report and associated content are preserved for the minimum period required by applicable law or by order of the requesting authority;
• (d) Legal-hold and dispute records: retained for the duration of any legal hold, dispute, investigation, or limitation period required by applicable law;
• (e) Tax and accounting records: retained for the periods required by Portuguese tax law where paid transactions are processed;
• (f) Moderation records: retained for a reasonable period after the underlying account is closed, for the purposes of safety investigations and DSA transparency.

Anonymised or aggregated data that no longer identifies you may be retained indefinitely for analytics purposes (Recital 26 GDPR).

10. Your Rights (Articles 12 to 22 GDPR)

Subject to the conditions set out in the GDPR, you have the right to:

• (a) Access (Art. 15) — obtain confirmation of whether PlayRoom processes your personal data and a copy of that data;
• (b) Rectification (Art. 16) — correct inaccurate or incomplete data;
• (c) Erasure (Art. 17, "right to be forgotten") — request deletion of your personal data, subject to the exceptions in Article 17(3);
• (d) Restriction (Art. 18) — restrict the processing of your data in defined situations;
• (e) Data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format;
• (f) Object (Art. 21) — object to processing based on legitimate interests;
• (g) Withdraw consent (Art. 7(3)) — withdraw any consent you have given, at any time, without affecting the lawfulness of processing before withdrawal;
• (h) Not be subject to automated individual decision-making (Art. 22) — including profiling that produces legal or similarly significant effects, except as permitted by Article 22(2);
• (i) Lodge a complaint (Art. 77) — with the supervisory authority of your country of habitual residence: in Portugal, the Comissão Nacional de Proteção de Dados (CNPD) at https://www.cnpd.pt, geral@cnpd.pt; in Spain, the Agencia Española de Protección de Datos (AEPD) at https://www.aepd.es;
• (j) Compensation (Art. 82) — for material or non-material damage caused by an infringement of the GDPR.

To exercise any of these rights, email sandro.correia.dev@gmail.com or use the in-app controls in Settings → Privacy. PlayRoom will respond within one month, extendable by two further months for complex requests in accordance with Article 12(3) GDPR.

11. Account and Data Deletion

You may delete your account at any time via Settings → Account → Delete account in the Application. Deletion erases your profile, posts, messages, and account data from active production systems within a reasonable period, subject to the retention rules in Section 9. This deletion path satisfies Apple App Store Review Guideline 5.1.1(v).

Where your content has been viewed, screenshotted, downloaded, or shared by other Users in good faith before your deletion request, PlayRoom may be technically unable to recall those copies. PlayRoom will take reasonable steps under Article 17(2) GDPR to inform other controllers of an erasure request where relevant.

12. Automated Processing and Profiling

PlayRoom uses automated tools to: (a) detect spam, abuse, fraud, and prohibited content; (b) pre-screen uploaded media against known harmful-content signals where available; (c) prioritise reports and trigger statements of reasons under EULA §6A.

These automated processes do not produce legal or similarly significant effects without human review, except in cases requiring immediate action to prevent harm or to comply with law. Where an automated moderation decision affects you, you have the right to obtain human review under EULA §6A(c).

PlayRoom does not use personal data to make automated decisions about credit, insurance, employment, or similarly significant matters.

13. Security

PlayRoom maintains technical and organisational measures appropriate to the nature of the processing, including encryption in transit (TLS), authenticated access controls, App Check device attestation, server-side input validation, and segmented storage of sensitive content. No security measure is perfect; PlayRoom cannot guarantee absolute security.

If a personal-data breach is likely to result in a risk to your rights and freedoms, PlayRoom will notify the Comissão Nacional de Proteção de Dados within 72 hours under Article 33 GDPR and, where required, notify affected Users under Article 34 GDPR.

14. Cookies and Similar Technologies

The Application is a native iOS app and does not use HTTP cookies. The Application uses platform-provided storage (iOS Keychain, app sandbox) for authentication tokens and local state. The publicly hosted Privacy Policy and EULA pages at playroom-v2.web.app may use strictly necessary technical cookies set by the hosting provider; no advertising, analytics, or tracking cookies are set by PlayRoom.

15. Marketing and Communications

PlayRoom does not send marketing communications by default. Push notifications relating to the Services (friend requests, messages, event invitations, moderation decisions, material changes to the EULA) are sent in reliance on your installation of the Application and may be controlled through iOS Settings → Notifications. You may opt out of all push notifications at any time.

16. Changes to this Privacy Policy

PlayRoom may amend this Privacy Policy from time to time. Material changes will be notified to you by email and/or in-app notice at least thirty (30) days before they take effect, except where a shorter period is required by law or to address an urgent security or compliance issue.

17. Contact