Privacy Policy.

§ 01 — Who we are

Controller. DelbarMe v/Rahmat Mozafari
Address: Gunnulvs vei 6, 0670 Oslo, Norway
Email: hello@delbarme.com

Data Protection Officer. Because we process special-category data (sexual orientation, religious beliefs) at scale, we appoint a DPO under GDPR Art. 37(1)(c). Reach our DPO at hello@delbarme.com.

Supervisory authority. You can lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet, postboks 458 Sentrum, 0105 Oslo, datatilsynet.no).

§ 02 — Data we collect

Account & identity

• Email address and password (for sign-in and account recovery).
• Date of birth, used to confirm you are 18 or older.
• Display name, gender, and the gender(s) you wish to meet.
• Selfie photo and metadata for identity verification.

Profile content

• Photos you upload (public + private galleries).
• Voice intro — a 15-second audio recording you record at signup. It is part of your public profile and is mandatory; you can re-record it at any time under Profile → Voice intro.
• Free-text fields: bio, occupation, city, origin.
• Structured attributes: education, height, intent (friendship / serious / paywand), values, language preference.
• Special-category data under GDPR Art. 9: religious belief, religious practice level, and the gender of people you wish to meet (which can imply sexual orientation). We process these on the basis of your explicit consent (Art. 9(2)(a)). You may withdraw consent at any time by editing your profile or deleting your account.

Activity

• Daawats — 10-second voice introductions you send to other users as your first contact, plus the daawats sent to you. Each daawat is a small audio file attached to a sender / recipient pair and a status (pending, accepted, declined).
• Matches (naseeb) created when a daawat is accepted, and farewells (khodahaafez) when either side ends a match.
• Messages you send and receive inside a chat (text, voice clips, image attachments), including reactions and replies.
• Reports and blocks you submit, plus reports filed against you.
• Online status / last active timestamp (you can hide this in Settings).

Coarse location (optional)

If you opt in via Settings, we ask iOS / Android for your approximate location once and round it to two decimal places (about 1.1 km of precision) before storing it. We use it only to compute distance buckets ("≤ 5 km", "≤ 25 km") for discovery. We never store or display your exact position.

Device & technical

• Push notification token (Apple / Google / Expo).
• App version, OS version, device model, language, timezone.
• Crash and performance diagnostics.

§ 03 — Why we use it (purpose & lawful basis)

We process the data above for the purposes below. Each is mapped to a lawful basis under GDPR Art. 6 (and Art. 9 for special categories).

• Run the matchmaking service (account, profile, photos, voice intros, daawats, messages, matches): Art. 6(1)(b) — performance of our contract with you.
• Process special-category profile attributes (religion, practice level, gender preference): Art. 9(2)(a) — your explicit consent.
• Verify identity and moderate photos / messages for safety: Art. 6(1)(f) — legitimate interest in preventing fraud, abuse, and unlawful content; balanced against your rights via the moderation appeal process described in §10.
• Send security and account notifications (OTP, security alerts): Art. 6(1)(b).
• Send optional product notifications (new matches, messages): Art. 6(1)(a) — your consent, configurable per category in Settings.
• Comply with legal obligations (CSAM reporting, accounting records, lawful requests): Art. 6(1)(c).

§ 04 — Who we share it with (sub-processors)

We do not sell your data. We share specific categories with named sub-processors who provide infrastructure on our behalf, bound by written data processing agreements:

• Supabase, Inc. (database, file storage, authentication, realtime). EU region; Standard Contractual Clauses for any sub-processor transfer to the United States.
• Anthropic, PBC (United States). We send uploaded photos to Anthropic's Claude vision model to detect inappropriate content before it reaches other users. Anthropic does not train its models on this content. Transfer governed by EU Standard Contractual Clauses + Transfer Impact Assessment.
• group.ONE A/S (one.com) (Denmark). Delivers transactional emails: account confirmation codes, password-reset codes, and security notifications. Processing within the European Economic Area; no transfer outside the EEA.
• Expo, Inc. (United States). Routes push notifications to Apple and Google. SCCs apply.
• Apple Inc. and Google LLC. Distribute the app and operate the platform-level push services (APNs, FCM).

We may also disclose data to law enforcement in response to a valid legal request, and to NCMEC and equivalent national hotlines where required by law for child-safety reporting.

§ 05 — International transfers

Where data leaves the European Economic Area, we rely on the European Commission's 2021 Standard Contractual Clauses combined with a Transfer Impact Assessment for each US sub-processor. A copy of the TIA summary is available on request.

§ 06 — How long we keep it

• Active accounts: for as long as your account exists.
• Deleted accounts: we erase your profile, photos, messages, and activity within 30 days of your deletion request, except for the items listed below.
• Moderation logs and safety records: up to 24 months after account closure to defend against repeat abuse.
• CSAM reports and related evidence: retained as required by applicable child-safety law; preserved for and reported to NCMEC and equivalent authorities.
• Accounting records: 5 years (Norwegian Bookkeeping Act, bokføringsloven §13).

§ 07 — Your rights

You can exercise the rights below by emailing hello@delbarme.com. We will respond within one month (extendable by two months for complex requests) and at no charge for the first request in any 12-month period.

• Access — get a copy of the data we hold about you.
• Rectification — correct inaccurate data.
• Erasure — delete your account and data ("right to be forgotten"), subject to retention items in §6.
• Portability — receive your data in a structured, machine-readable format.
• Restriction and objection — pause certain processing.
• Withdraw consent — for any processing based on consent (e.g., special-category profile attributes, marketing notifications). Withdrawal does not affect lawfulness of prior processing.
• Lodge a complaint with Datatilsynet (Norway) or your local supervisory authority.

§ 08 — Account deletion

You can delete your account directly in the app under Settings → Delete my account. You can also request deletion on the web at https://delbarme.com/delete (no app reinstall required). Deletion removes your profile, photos, voice intro, daawats, matches, messages, and reactions within 30 days. Items listed in §6 may persist for the periods stated there.

§ 09 — Children

DelbarMe is for people aged 18 or older. We do not knowingly collect data from anyone under 18. If we learn that an account belongs to a minor we delete it immediately and preserve the minimum information required for legal reporting.

§ 10 — Automated content moderation

We use Anthropic's Claude vision model to screen photo uploads for nudity, weapons, violence, depictions of minors, and other unacceptable content. Image messages in chat go through the same screen. Where the model rejects content, the file is deleted from storage. Where the model is uncertain, the item is queued for human review by our trust-and-safety team.

Under GDPR Art. 22, you have the right to request human review of an automated moderation decision that materially affects you. Email hello@delbarme.com with the date and a brief description.

§ 11 — Security

Data is transmitted over TLS. Stored data is encrypted at rest by our infrastructure providers. Access to production systems is restricted to a small operations team with multi-factor authentication. Photos go through magic-byte verification and size limits before they reach storage. We log administrative access for audit. Note: we do not offer end-to-end encryption — this is intentional so that abusive content can be detected and reported per law.

§ 12 — Breach notification

If we discover a personal-data breach we will notify Datatilsynet within 72 hours of becoming aware, in line with GDPR Art. 33. If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay.

§ 13 — Cookies and trackers

The mobile app does not set browser cookies. We do not use any third-party advertising or analytics SDKs. The Apple Identifier for Advertisers (IDFA) and Android Advertising ID are not collected.

§ 14 — Changes to this policy

We may update this policy as the service evolves. Material changes are highlighted in-app on next launch and the previous version is archived at https://delbarme.com/privacy/archive. Continued use after the effective date of an update means you accept it.

Contact: hello@delbarme.com · hello@delbarme.com