Who we are
Oxytocin is operated by Andreas Ninevebri, based in Sweden, with the intent to incorporate as a Swedish Aktiebolag (AB) prior to public launch. Throughout this document, "Oxytocin", "we", "us", and "our" refer to this entity.
For privacy-related questions, you can reach us at support@oxytocinapp.com.
What this policy covers
This policy describes the personal data we collect when you use the Oxytocin mobile app (the "Service"), why we collect it, how we use it, who we share it with, and what choices you have about it.
By creating an account or using the Service, you confirm that you have read this policy and understand how we handle your personal data.
Data we collect
Information you give us directly
When you create an account and use the Service, you provide us with:
- Account information: email address, password (stored hashed, never in plain text), date of birth (used to verify you are 18+).
- Profile information: name or display name, gender, sexual orientation, languages you speak, interests, fun-fact answers, photographs, and other details you choose to add.
- Communications: messages you send to other users, reports you submit about other users, and any communications you have with our support team.
- Subscription information: if you purchase a premium subscription, payment is processed by Apple (App Store) or Google (Play Store); we receive a transaction confirmation but never see your full payment details.
Information collected automatically
- Device information: device type, operating system, app version, language, time zone.
- Usage information: features you use, swipes, matches, login times, crash reports.
- Location information: with your permission, your approximate location (city or region) is used to show you nearby matches. You can revoke this permission in your device settings at any time.
Information from third parties
- Authentication providers: if you sign in using a third-party service (e.g., Apple Sign-In), we receive only the basic information you authorize that service to share.
How we use your data
We use your personal data to:
- Create and operate your account.
- Show you potential matches based on your preferences and location.
- Enable communication between you and other users.
- Verify your age and identity to keep our community safe (18+ only).
- Process subscription payments via app stores.
- Detect, prevent, and respond to fraud, abuse, harassment, and policy violations.
- Improve the Service through analytics on aggregated, non-identifiable usage patterns.
- Communicate with you about your account, security, and important updates.
- Comply with our legal obligations.
We do not sell your personal data to third parties. We do not use your photos, profile content, or messages to train generative AI models.
Legal bases (GDPR)
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following legal bases under the General Data Protection Regulation (GDPR):
- Performance of a contract: processing your account and profile data is necessary to provide the Service you signed up for.
- Consent: for optional features such as location-based matching and certain notifications. You can withdraw consent at any time.
- Legitimate interests: for keeping the platform safe, preventing fraud, and improving the Service. Where we rely on legitimate interests, we have weighed these against your rights.
- Legal obligation: when required to comply with applicable law (e.g., responding to lawful requests from authorities).
Sharing your data
We share data only with:
- Other users: the profile information you choose to make visible (photos, bio, interests, etc.) is visible to other users, including those you match with.
- Service providers: companies that help us operate the Service:
  - Supabase — database, authentication, and file storage.
  - RevenueCat — subscription management.
  - Apple and Google — payment processing for subscriptions.
  - Expo — push notifications.
- Authorities: when required by law (court orders, regulatory requests, etc.) or when necessary to protect users from imminent harm.
- Successors: if Oxytocin is acquired, merged, or transfers operations to another entity, your data may transfer with the business. We will notify you in advance of any such transfer.
International transfers
Some of our service providers (notably Supabase and RevenueCat) operate servers outside Sweden, including in the United States. When data is transferred outside the European Economic Area, we ensure adequate protection through:
- Standard Contractual Clauses approved by the European Commission, or
- The provider's certification under recognized adequacy frameworks (such as the EU-US Data Privacy Framework), or
- Other lawful safeguards required by GDPR.
How long we keep data
- Active accounts: we keep your data as long as your account exists.
- Deleted accounts: when you delete your account, we delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., transaction records for tax compliance) or necessary to resolve disputes, prevent abuse, or enforce our Terms.
- Reports and moderation records: may be retained for up to 12 months after account deletion to enable us to investigate harassment or repeated abuse.
- Server logs and security data: kept for up to 90 days.
Your rights
Depending on where you live, you have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Correction: ask us to correct inaccurate or incomplete data.
- Deletion: ask us to delete your data (you can also delete your account directly in the app).
- Restriction: ask us to limit how we use your data in certain circumstances.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to certain types of processing, including direct marketing.
- Withdraw consent: where we rely on your consent, you can withdraw it at any time.
To exercise any of these rights, contact us at support@oxytocinapp.com. We will respond within 30 days.
If you are in the EEA and feel we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority. In Sweden, that is the Integritetsskyddsmyndigheten (IMY).
Children
Oxytocin is intended only for adults aged 18 and older. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, please contact us at support@oxytocinapp.com and we will investigate and delete the account.
Security
We take reasonable technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS).
- Encryption of sensitive data at rest.
- Hashed password storage (we never see your password).
- Access controls limiting who can view personal data.
- Regular review of our security practices.
No system is perfectly secure. While we work hard to protect your data, we cannot guarantee absolute security. If we ever discover a data breach affecting your personal data, we will notify you and the relevant authorities as required by law.
Changes to this policy
We may update this Privacy Policy as the Service evolves or as legal requirements change. When we make material changes, we will notify you through the app or by email and update the "Last updated" date at the top of this document. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
Contact
If you have questions about this Privacy Policy or how we handle your personal data:
Andreas Ninevebri
Aktiebolag (in formation)
Sweden
Email: support@oxytocinapp.com