GDPR Information
Data Processing Notice under the General Data Protection Regulation (EU) 2016/679
Last updated: March 31, 2026
1. Data Controller Information
| Field | Details |
|---|---|
| Company Name | Encory |
| Address | Encory.app |
| Country | Czech Republic |
| Email | privacy@encory.app |
| Data Protection Officer | dpo@encory.app |
2. Categories of Personal Data
2.1 Data We Process
| Category | Data Types | Encrypted | Legal Basis |
|---|---|---|---|
| Identity Data | Email address | No | Contract |
| Authentication Data | Password hash, PIN hash | No (hashed) | Contract |
| Intimate Records | Encounter details, dates, activities | Yes (E2EE) | Consent |
| Partner Data | Names, photos, attributes | Yes (E2EE) | Consent |
| Profile Data | Public profile info, photos | Yes (E2EE) | Consent |
| Preference Data | Language, notification settings | No | Legitimate Interest |
| Membership Data | Tier, expiration, promo codes | No | Contract |
| Payment Data | Creem.io customer ID, subscription status, billing dates | No | Contract |
| Technical Data | IP address, browser info, logs | No | Legitimate Interest |
| Communication Data | Support tickets, feedback | No | Contract |
| Visit Analytics Data | Visitor hash, geolocation (country/city), device type, browser/OS | No | Legitimate Interest, Consent |
Note on Payment Data: Full payment card details are processed exclusively by our payment provider, Creem.io. We only receive a customer identifier and subscription metadata. We never receive or store your full card number.
2.2 Special Category Data
Under GDPR Article 9, data concerning sexual life is considered "special category data" requiring additional protection. We process this data:
- Only with your explicit consent
- Using end-to-end encryption (we cannot access it)
- With strict access controls
2.3 Visit Analytics Data (Premium Feature)
For users who create a public profile, we collect visitor analytics to help them understand their profile's reach:
Data Processing Characteristics:
| Aspect | Implementation | GDPR Compliance |
|---|---|---|
| Visitor identification | SHA-256 hash (IP + User-Agent + daily salt) | No raw IP storage |
| Geolocation | Vercel edge headers (country, region, city) | No precise coordinates |
| Device info | Parsed from User-Agent | Categories only |
| Data linkability | Daily salt rotation | Unlinkable after 24 hours |
| Tracking method | Request headers only | No cookies |
Legal Bases:
- Legitimate Interest (Article 6(1)(f)): Enable users to understand public profile reach
- Consent (Article 6(1)(a)): Implicit consent by choosing to make profile public
GDPR-Specific Protections:
- Raw IP addresses are never stored or logged for analytics
- Visitor hashes change daily, preventing long-term tracking
- No external tracking services or third-party analytics
- Visitors cannot be individually identified or contacted
- Owner visits are flagged and excluded from statistics
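A sketch of the daily-salted visitor hash described in Section 2.3, added here as an illustration; it is not Encory's code. The names `DailySalt`, `visitorHash` and `uniqueVisitorsPerDay`, the 32-byte in-memory salt, the UTC day boundary and the length-prefixed field encoding are assumptions, and the sample requests are constructed.

```javascript
const { createHash, randomBytes } = require("node:crypto");

// Hypothetical salt holder: one random salt per UTC day, kept in memory only.
class DailySalt {
  constructor() { this.day = null; this.salt = null; }
  forDate(when) {
    const day = when.toISOString().slice(0, 10);
    if (day !== this.day) {
      // Rotation overwrites the old salt, so yesterday's hashes cannot be recomputed.
      this.day = day;
      this.salt = randomBytes(32);
    }
    return this.salt;
  }
}

// SHA-256 over salt, IP and User-Agent. Each field is length-prefixed (an
// assumption) so that shifting bytes between IP and User-Agent changes the hash.
function visitorHash(ip, userAgent, salt) {
  const h = createHash("sha256").update(salt);
  for (const field of [ip, userAgent]) {
    const bytes = Buffer.from(field, "utf8");
    const len = Buffer.alloc(4);
    len.writeUInt32BE(bytes.length);
    h.update(len).update(bytes);
  }
  return h.digest("hex");
}

// Counts distinct visitor hashes per UTC day. Requests must arrive in time
// order, because a salt is gone once the day has rolled over.
function uniqueVisitorsPerDay(requests, salts = new DailySalt()) {
  const perDay = new Map();
  for (const r of requests) {
    const when = new Date(r.time);
    const day = when.toISOString().slice(0, 10);
    if (!perDay.has(day)) perDay.set(day, new Set());
    perDay.get(day).add(visitorHash(r.ip, r.ua, salts.forDate(when)));
  }
  return perDay;
}

// Constructed sample requests (documentation IP ranges, made-up User-Agents).
const SAMPLE = [
  { time: "2026-03-30T09:00:00Z", ip: "203.0.113.7", ua: "ExampleBrowser/1.0" },
  { time: "2026-03-30T18:30:00Z", ip: "203.0.113.7", ua: "ExampleBrowser/1.0" },
  { time: "2026-03-30T19:00:00Z", ip: "198.51.100.4", ua: "ExampleBrowser/1.0" },
  { time: "2026-03-31T08:00:00Z", ip: "203.0.113.7", ua: "ExampleBrowser/1.0" },
];
```

The unlinkability property holds only if the previous day's salt is actually discarded and was never written to disk or logs: the IPv4 address space is small enough that anyone holding a retained salt can recompute hashes for candidate addresses.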
3. Legal Bases for Processing
3.1 Contract Performance (Article 6(1)(b))
Processing necessary to provide our Service:
- Account creation and authentication
- Service delivery
- Membership management
- Payment processing for subscriptions
- Customer support
3.2 Consent (Article 6(1)(a))
Processing based on your explicit consent:
- Storage of intimate encounter data
- Storage of partner information
- Marketing communications (optional)
- Push notifications (optional)
3.3 Legitimate Interest (Article 6(1)(f))
Processing for our legitimate business interests:
- Service improvement and analytics
- Fraud prevention and security
- Technical troubleshooting
3.4 Legal Obligation (Article 6(1)(c))
Processing required by law:
- Tax and accounting records
- Payment transaction records (7 years)
- Law enforcement requests (limited to unencrypted data)
4. Data Subjects' Rights
Under GDPR, you have the following rights:
4.1 Right of Access (Article 15)
You can request a copy of your personal data. Note:
- Encrypted data can only be exported by you via the in-app feature
- We will provide all unencrypted data within 30 days
- First request is free; subsequent requests may incur a fee
- For payment data held by Creem.io, contact them directly or request assistance from us
4.2 Right to Rectification (Article 16)
You can correct inaccurate data:
- Most data can be edited directly in the app
- For other corrections, contact us
4.3 Right to Erasure (Article 17)
You can request deletion of your data ("right to be forgotten"):
- Delete your account via Settings → Delete Account
- All data will be permanently deleted within 30 days
- Backups are purged within 30 days of deletion
- Payment records may be retained by Creem.io per legal requirements
4.4 Right to Restriction (Article 18)
You can request we limit processing in certain circumstances:
- While we verify accuracy of disputed data
- If processing is unlawful but you oppose erasure
- If we no longer need the data but you need it for legal claims
4.5 Right to Data Portability (Article 20)
You can export your data in a machine-readable format:
- Use the in-app export feature (Plus/Premium)
- Export includes all your decrypted data
- Format: JSON
4.6 Right to Object (Article 21)
You can object to processing based on legitimate interests:
- Marketing communications
- Analytics and profiling
- We will cease processing unless we have compelling grounds
4.7 Right to Withdraw Consent (Article 7)
You can withdraw consent at any time:
- Notification preferences in Settings
- Delete your account to withdraw all consent
- Withdrawal doesn't affect prior lawful processing
4.8 Right to Lodge a Complaint (Article 77)
You can complain to a supervisory authority:
- Your local Data Protection Authority
- Czech: ÚOOÚ (see Section 15)
5. Data Processing Details
5.1 Purpose Limitation
We only process data for specified, explicit, and legitimate purposes:
| Purpose | Description |
|---|---|
| Service Provision | Enable you to track intimate encounters |
| Authentication | Verify your identity and secure your account |
| Payment Processing | Process subscription payments via Creem.io |
| Communication | Send service-related notifications |
| Improvement | Analyze usage to improve the Service |
| Legal Compliance | Meet our legal obligations |
5.2 Data Minimization
We collect only data necessary for each purpose:
- Email is required for authentication
- PIN is required for encryption
- Intimate data is optional but core to the service
- Payment data is processed only when you subscribe
5.3 Storage Limitation
We retain data only as long as necessary:
| Data Type | Retention Period | Justification |
|---|---|---|
| Account data | Until deletion | Service provision |
| Encrypted data | Until deletion | Service provision |
| Subscription records | Until deletion | Service provision |
| Payment transaction logs | 7 years | Legal requirement |
| Server logs | 90 days | Security & troubleshooting |
| Support tickets | 2 years | Legal compliance |
| Deleted account data | 30 days | Backup recovery |
| Visit analytics records | Until deletion | Premium feature |
| Visitor hashes | Unlinkable after 24h | Daily salt rotation |
5.4 Integrity and Confidentiality
We protect data through:
- End-to-end encryption (TweetNaCl)
- TLS 1.3 for data in transit
- Database encryption at rest
- Row Level Security (RLS)
- PCI-compliant payment processing via Creem.io
- Regular security audits
6. Data Processors (Sub-processors)
We use the following third-party processors:
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database, Authentication | EU (Ireland) | DPA, SOC 2 |
| Vercel | Application Hosting | EU (Frankfurt) | DPA, SOC 2 |
| Resend | Email Delivery | EU (Ireland) | DPA, SOC 2 |
| Creem.io | Payment Processing | EU | DPA, PCI DSS |
All processors are bound by Data Processing Agreements and appropriate safeguards.
6.1 Creem.io Payment Processing
Creem.io (Creem Technologies Ltd.) processes payments on our behalf. When you subscribe:
- Creem.io collects and processes your payment card details
- Creem.io stores payment information securely (PCI DSS compliant)
- We receive only a customer identifier and transaction confirmations
- Creem.io processes data according to their Privacy Policy
7. International Transfers
7.1 EU-Only Processing
All personal data is processed exclusively within the European Union. Our service providers operate EU-based data centers:
| Processor | Location |
|---|---|
| Supabase | Ireland |
| Vercel | Frankfurt, Germany |
| Resend | Ireland |
| Creem.io | European Union |
7.2 No Third-Country Transfers
No personal data is transferred outside the EU/EEA. All data processing occurs within EU jurisdiction, ensuring full GDPR compliance without the need for additional transfer mechanisms.
8. Automated Decision-Making
8.1 Profiling
We do not engage in automated decision-making that produces legal effects or similarly significantly affects you.
8.2 Analytics
We use anonymized, aggregated analytics for service improvement. This does not constitute profiling under GDPR.
9. Data Protection by Design
9.1 Privacy by Design (Article 25)
We implement data protection from the outset:
- End-to-end encryption as default
- Minimal data collection
- Anonymous photo storage paths
- Time-limited signed URLs
- Payment data segregation (handled by Creem.io)
9.2 Privacy by Default
Default settings protect privacy:
- Email notifications off by default
- Push notifications require opt-in
- Public profile is optional
10. Data Breach Procedures
10.1 Detection and Response
In case of a data breach:
- We detect and contain the breach
- Assess risk to individuals
- Notify supervisory authority within 72 hours (if required)
- Notify affected individuals without undue delay (if high risk)
10.2 Encryption Consideration
Due to end-to-end encryption:
- Encrypted data breaches pose minimal risk (data is unreadable)
- We will still notify authorities and assess impact
- We cannot determine what specific encrypted data was affected
10.3 Payment Data Breaches
For breaches involving payment data:
- Creem.io has primary responsibility for payment data security
- We will coordinate with Creem.io on notifications
- We will notify affected users promptly
11. Children's Data
11.1 Age Verification
- Service is strictly for users 18+
- Age verification gate on public profiles
- We do not knowingly collect children's data
11.2 Discovery of Minor's Data
If we discover data from a minor:
- Immediately delete all associated data
- Notify the individual if possible
- Report to authorities if required
12. Cookie Policy
See our Privacy Policy for detailed cookie information.
Summary:
| Cookie Type | Purpose | Consent Required |
|---|---|---|
| Essential | Authentication, security | No |
| Functional | Language preferences | No |
| Analytics | Service improvement | Yes (if implemented) |
13. How to Exercise Your Rights
13.1 In-App Options
Most rights can be exercised directly:
- Access/Export: Settings → Export Data (Plus/Premium)
- Rectification: Edit your data in the app
- Erasure: Settings → Delete Account
- Preferences: Settings → Notifications
- Cancel Subscription: Membership → Cancel
13.2 Contact Us
For requests we cannot handle in-app:
- Email: privacy@encory.app
- Subject: GDPR Request - [Your Right]
- Include: Your account email, specific request, identity verification
Response Time: Within 30 days (may extend to 60 days for complex requests)
13.3 Identity Verification
To protect your data, we may request verification:
- Confirmation from registered email
- Additional information to confirm identity
13.4 Payment Data Requests
For requests concerning payment data held by Creem.io:
- Contact us at privacy@encory.app and we will coordinate
- Or contact Creem.io directly via their privacy contact
14. Updates to This Notice
We review and update this notice periodically. Changes are communicated via:
- Email notification for material changes
- In-app notification
- Updated "Last modified" date
15. Supervisory Authority
If you believe we have not adequately addressed your concerns, you may contact:
Office for Personal Data Protection (ÚOOÚ)
Pplk. Sochora 27
170 00 Prague 7
Czech Republic
https://www.uoou.cz
posta@uoou.cz
Quick Reference Card
| I want to... | How? |
|---|---|
| See my data | Settings → Export Data |
| Correct my data | Edit directly in the app |
| Delete my account | Settings → Delete Account |
| Change notifications | Settings → Notifications |
| Cancel subscription | Membership → Cancel Subscription |
| Stop marketing emails | Unsubscribe link in email |
| Make a complaint | privacy@encory.app or DPA |
This GDPR Information Notice is available in English and Czech.
Sources and References
This document was prepared in accordance with GDPR requirements. For more information: