Privacy Policy

1. Who We Are

Gramsy is a dating platform. This Policy takes effect on 26 March 2026. We act as data controller under the GDPR. For data-related queries:

Email address, name or nickname, date of birth, gender.

City, description, preferences, relationship format, photos.

IP address, browser and device type, session data, cookies.

Transaction information via payment processor. We do not store card data.

Content of messages between users.

To operate the Platform and provide its features
For security and fraud prevention
For content moderation — reviewing descriptions, nicknames, limits, photos and avatars for compliance with the rules. When you edit moderated fields we keep previous versions of the text and moderator decisions (when and why content was rejected) — for audit and to let us show other users the last approved version while a new one is pending. These internal records are not shown to other users.
To send notifications and service communications
To improve the Platform using aggregated analytics We do not sell your data to third parties or use it for targeted advertising.

Contract performance (Art. 6(1)(b)) — to operate your account and Platform features
Legitimate interests (Art. 6(1)(f)) — for security and abuse prevention
Consent (Art. 6(1)(a)) — for marketing communications (if you opted in)

Payment processors — to the extent required for payment processing
Hosting providers — for data storage and processing
AI service providers (OpenAI, United States) — user-written text (profile descriptions, nicknames, preferences) may be sent to OpenAI for translation while moderators review content. Only the text is transmitted; no identifiers, account metadata or profile links. Processing basis: legitimate interest (Art. 6(1)(f) GDPR) in platform safety and moderation quality. OpenAI does not train its models on API data per its published data-usage policy.
Law enforcement — upon lawful request

Account data: retained while the account is active, plus 30 days after a deletion request (grace period).
Payment data: 7 years (legal requirement).
Messages: text content is erased upon account deletion. Message records (without content) may be retained for conversation integrity.
Security logs: IP addresses and user agents in security event logs are retained for fraud prevention (legitimate interest, Art. 6(1)(f) GDPR). Other personal data in logs is erased upon account deletion.
Moderation history: previous versions of moderated fields and moderator decision records (text snapshots, rejection notes) are retained while the account is active. On account deletion, your snapshots and moderator's personal comments are scrubbed during the 30-day grace period; aggregated metadata (fact of review, verdict, timestamp) without your content is retained — this is necessary for anti-fraud and to prevent re-registration after sanctions (legitimate interest, Art. 6(1)(f) GDPR).

Users may request account deletion at any time from their account settings. Upon request:

The account enters a 30-day grace period. During this time, the deletion can be cancelled by signing in.
During the grace period, the profile and other user content are no longer shown to other users, and a neutral label is displayed in chats instead of the profile name.
After 30 days, the account deletion is completed and cannot be reversed.
Profile data and other personal content are deleted, including email, password, name, date of birth, profile description, preferences, photos, avatars, and message attachments.
Message text is deleted, while the conversation structure may be retained for the user's contacts.
Certain technical records, including irreversibly hashed contact identifiers, may be retained for fraud prevention, service security, and legal compliance.
The moderation log for the deleted account is anonymised: text snapshots and personal comments from moderators are cleared, leaving only the facts of review (field, verdict, timestamp) to prevent re-registration after sanctions.
A reminder is sent 3 days before the final deletion.

Right to access, rectify, erase, restrict, port your data, and to object to processing. Contact: . We respond within 30 days.

Encryption in transit (TLS) and at rest, least-privilege access controls, regular security reviews.

We do not collect data from persons under 18. Notify us if a minor has registered:

For material changes we will notify you by email at least 14 days before they take effect.