Privacy Policy

Product name: Meltt

Version: 1.0 — Private Beta

Effective date: [DATE — add the day you send your first TestFlight link]

Contact: it@meltt.app

Operated by: Meltt, Barcelona, Spain

⚠️ Private Beta Notice: Meltt is not publicly available. This app is in closed private beta with invited participants only. By participating, you agree to this Privacy Policy.

1. Who We Are

Meltt is a real-life dating application that connects people who are physically present in the same place at the same time. We operate from Barcelona, Spain, and are subject to the General Data Protection Regulation (GDPR).

For any privacy questions, contact us at: it@meltt.app

2. Our Commitment to Your Privacy

  • We collect only what we need to make the app work
  • We never sell your data to anyone
  • We never use your data for advertising
  • We are transparent about what we collect and why
  • You are always in control of your data

3. What Data We Collect

3.1 Account & Identity Data

  • Email address
  • Authentication credentials via Supabase Auth, Google Sign-In, or Apple Sign-In
  • Account creation date and last login timestamp

3.2 Profile Data

  • Display name
  • Date of birth and age
  • Gender
  • Sexual preference (“interested in”) — special category data under GDPR Article 9
  • What you are looking for (relationship type)
  • Interests and hobbies
  • Languages spoken
  • Profile photos
  • Lifestyle information you voluntarily provide: alcohol, smoking, and drug use habits — may also constitute special category data under GDPR

You are never required to provide lifestyle or preference data. You can update or delete it at any time in your profile settings.

3.3 Precise Location Data

Location is central to how Meltt works. We collect:

  • Your precise GPS coordinates when you check in to a venue — to verify you are physically present
  • Your GPS coordinates passively while the app is open and you are checked in — to detect when you leave
  • On supported devices, we may use your OS geofencing API to detect departure while the app is in the background. We request a separate explicit permission for this.
  • All check-in attempts, including rejected ones, are logged for security and anti-abuse purposes

We do not collect background location for any purpose other than detecting venue departure. We do not use your location for advertising or tracking.

3.4 Interaction & Behavioural Data

  • Likes and passes made within a venue or event
  • Matches with other users
  • Messages exchanged with matches
  • Check-in and check-out history
  • Events you mark as “going” to
  • Blocks and reports you submit, and those submitted about you

3.5 Device & Technical Data

  • Device type, model, and operating system version
  • App version
  • Push notification token
  • Crash reports and error logs

3.6 Permission States

  • Whether you have granted or denied location permission (foreground and background)
  • Whether you have granted or denied notification permission

3.7 Consent Records

  • A record of your acceptance of this Privacy Policy, including version and timestamp
  • Your marketing communication preference

4. Why We Collect Your Data (Legal Basis under GDPR)

Data | Purpose | Legal Basis
Account & identity data | Create and manage your account | Contract
Profile data | Display your profile to nearby users | Contract
Location (foreground) | Verify venue presence, enable check-in | Contract
Location (background geofence) | Auto-checkout when you leave a venue | Contract, Legitimate interests
Interaction data | Enable matching and chat | Contract
Block and report data | Safety and abuse prevention | Legal obligation, Legitimate interests
Check-in attempt logs | Anti-abuse and security | Legitimate interests
Device & technical data | App performance and bug fixing | Legitimate interests
Push notification token | Send match and message notifications | Consent
Consent records | GDPR compliance | Legal obligation

We do not make automated decisions with legal or significant effects on you.

5. Sensitive Data (GDPR Article 9)

Meltt processes data that qualifies as special category personal data under GDPR Article 9:

  • Sexual orientation and preferences — derived from the gender preference you select
  • Lifestyle habits — alcohol, smoking, and drug use information you voluntarily provide

We process this data only because you have explicitly provided it as part of your profile. You may update or delete it at any time in your profile settings.

📌 Before public launch: We will obtain explicit Article 9 consent for this data and have our legal basis reviewed by a qualified lawyer. This is a private beta with invited participants only.

6. How We Use Your Data

We use your data to:

  • Operate the app — create your account, enable check-ins, show you nearby users, facilitate matches and chat
  • Keep the community safe — detect and prevent abuse, fake profiles, fraud, and policy violations
  • Improve the product — understand how users interact with the app and fix problems
  • Communicate with you — send match and message notifications, respond to support requests
  • Comply with legal obligations — meet our obligations under GDPR

We do not use your data to serve personalised ads, sell data to third parties, or build profiles for data brokers.

7. Who Sees Your Data

7.1 Other Users

Your profile — name, age, photos, gender, interests, lifestyle, languages, and what you are looking for — is visible only to users who are physically present and checked in at the same venue as you. It is not visible to remote users or anyone outside the app.

Your precise GPS coordinates are never shown to other users. They only know you are present at the same venue.

7.2 The Meltt Team

Team members may access your data when necessary to operate the service, investigate abuse reports, or fix technical issues. Access is limited and controlled.

7.3 Service Providers

We use the following trusted third-party services, all acting as data processors under data processing agreements:

  • Supabase (USA) — database, authentication, file storage, and server-side logic. SOC 2 compliant.
  • Google LLC — authentication via Google Sign-In; Android push notifications via FCM
  • Apple Inc. — authentication via Sign in with Apple; iOS push notifications via APNs
  • Expo / EAS — app build and delivery infrastructure

7.4 Legal Requirements

We may disclose data if required by law, court order, or to protect the safety of our users or others.

8. International Data Transfers

Supabase infrastructure is hosted primarily in the United States. If you are in the EEA, your data is transferred to the US. We rely on Standard Contractual Clauses (SCCs) and Supabase's data processing agreement as the legal transfer mechanism, in compliance with GDPR.

9. How We Protect Your Data

  • Encryption in transit — all data is encrypted using TLS/HTTPS
  • Encryption at rest — data is encrypted in our database
  • Row Level Security (RLS) — users can only access their own data
  • Server-side operations — sensitive actions like check-ins are processed via Edge Functions, not directly from the client
  • Blocked user enforcement — blocked users are excluded at the database query level
  • Access controls — only authorised team members can access user data

If you discover a security vulnerability, please report it responsibly to it@meltt.app and we will treat it as an immediate priority.

10. How Long We Keep Your Data

Data | Retention Period
Account and profile data | Until you delete your account, plus 30 days
Profile photos | Deleted within 30 days of account deletion
Chat messages | Deleted when you delete your account
Check-in and interaction history | 12 months, then deleted or anonymised
Security and anti-abuse logs | 90 days
Consent records | 3 years from date of consent
Marketing opt-out records | Indefinitely
Beta data | May be reset at end of beta — we will notify you in advance

11. Your Rights Under GDPR

  • Access — request a copy of your personal data
  • Rectification — ask us to correct inaccurate data
  • Erasure — request deletion of your account and all data
  • Restriction — ask us to pause processing in certain circumstances
  • Portability — receive your data in a machine-readable format
  • Object — object to processing based on legitimate interests
  • Withdraw consent — for any consent-based processing, at any time

To exercise any of these rights, email it@meltt.app. We will respond within 30 days.

If you believe we are not handling your data correctly, you can lodge a complaint with the Spanish data protection authority:

Agencia Española de Protección de Datos (AEPD)

www.aepd.es

+34 912 663 517

12. Children's Privacy

Meltt is strictly for users aged 18 and over. We do not knowingly collect data from anyone under 18. If we discover a minor has registered, we will immediately delete their account and all associated data.

If you believe a minor is using Meltt, please report it to it@meltt.app immediately.

13. Changes to This Policy

We may update this Privacy Policy as the product evolves. For significant changes, we will notify you via the app or email before they take effect. The version number and date at the top always reflect the most recent revision.

14. Contact Us

it@meltt.app
Barcelona, Spain

We aim to respond to all privacy enquiries within 30 days.

Meltt is built by a small team that genuinely cares about doing this right. If anything in this policy is unclear, just email us.

Meltt Privacy Policy — Version 1.0 | Private Beta | Barcelona, 2026