Privacy Policy

Effective [effective date pending]

Draft pending legal review. This policy is a working draft and is not yet final. It does not constitute legal advice. Some items (the effective date and the postal address) are placeholders until counsel review.

The plain English version

You use Önduřř to find other people. We help you do that. To do it well, we need some information about you, and we hold on to it only as long as we need it. We never sell your data and we never share it with advertisers. We use a small number of well-known service providers to run the app, and we hold them to the same standards we hold ourselves.

If you want a copy of everything we know about you, sign in and visit /api/me/export. If you want us to forget you, open Settings and tap Delete account. Both are self-serve, no support ticket required.

1. Scope

This policy explains what personal data Önduřř collects, why, who we share it with, how long we keep it, and your rights. It applies to the Önduřř app and website. Önduřř is for adults 18 and older. The controller is Ondurr LLC.

2. Data we collect

  • Account: email address, password (stored hashed by our auth provider, never in plaintext), an optional phone number (only if you choose to complete phone verification, which is an optional secondary security step and is not required to use the Service), and, if you enable it, two-factor authentication settings. When you verify a phone number, we store a one-way hash of it plus the verification time rather than the raw number for ongoing use.
  • Profile: username, display name, date of birth and age, and optional details you choose to add (headline, description, physical attributes, tribes, interests, what you are looking for, availability). Some of these optional fields can reveal sensitive information about you; see Section 3.
  • Photos: images you upload. We strip embedded metadata (including GPS) server-side before display.
  • Approximate location: to power "nearby" and the map. Your device computes location; it is obfuscated (randomly offset) before it reaches us, so we store only an approximate position, with a short expiry. We do not store your precise coordinates.
  • Messages and interactions: the messages you send, plus blocks, favorites, reports, and reactions.
  • Ondurr trades: when you use the Ondurr trade feature in a conversation, we store the photos you trade, the category you assign them (for example face, body, or nude), how the photo was captured, and the trade and reveal timestamps.
  • Presence and activity: an online presence indicator and a last-active timestamp, so other users can see whether you are recently active and so your activity-based filters work. Presence is held briefly in our cache and the last-active time is stored on your profile.
  • Device and usage data: IP address, device and browser type, and activity needed to operate, secure, and debug the Service.
  • Analytics and error data: via the providers in Section 6, when those providers are enabled in the running build.

3. Sensitive information

Because Önduřř is a community for LGBTQ+ people, some information you provide can reveal special category data. This includes your sexual orientation (which can be revealed by fields such as tribes, what you are looking for, position, or simply your presence on the Service) and, if you choose to add it, health information such as HIV status. Under laws like the GDPR this is special category data, and under California law it is sensitive personal information. Health information such as HIV status is also consumer health data under certain state laws (for example Washington's My Health My Data Act); our separate Consumer Health Data Privacy Policy explains how we handle it. We do not sell consumer health data.

  • We process this information only with your explicit consent, which we ask for separately from accepting the Terms of Service. You can remove any of these details from your profile at any time in Settings, and you can ask us to stop processing them by contacting privacy@ondurr.com. Parts of the Service that depend on this information will stop working.
  • We do not use sensitive information for advertising, and we do not sell or share it.
  • We do not infer additional sensitive characteristics about you.
  • We already limit the use of your sensitive personal information to what is necessary to provide the Service (displaying it on your profile to the people you choose), and you can withdraw it any time by removing the field in Settings or contacting privacy@ondurr.com. See Your Privacy Choices. We offer this regardless of whether a particular state law requires it.

4. How we use your data

  • Provide and operate the Service (show your profile to other users, deliver messages, power discovery and the map).
  • Safety and integrity: moderation, anti-fraud and anti-fake-account measures, enforcing our Terms, responding to reports.
  • Security: authentication (including optional phone verification), rate limiting, abuse prevention.
  • Product analytics and reliability (aggregate and diagnostic).
  • Legal compliance and responding to lawful requests, including child safety reporting duties described in Section 8.

We do not use your data for advertising. We do not sell it. We do not share it with data brokers. We do not train machine learning models on it.

5. Our processing justifications

We currently offer the Service only in the United States (see Section 13), so laws like the EU and UK GDPR do not currently apply to our users. As a matter of good practice, here is the justification we rely on for each kind of processing; if we later serve a region whose law requires named legal bases, these are the bases we would rely on:

  • Performance of a contract: operating your account and the Service.
  • Explicit consent: processing of sensitive information described in Section 3. You may withdraw consent at any time.
  • Consent: location sharing and any non-essential analytics or cookies; you may withdraw consent at any time.
  • Legitimate interests: safety, security, fraud prevention, and improving the Service, balanced against your rights.
  • Legal obligation: retention and reporting where required (for example, child safety reporting and preservation).

6. Who we share data with

What other users can see

Önduřř is a discovery service, so some of your information is shown to other users by design: the profile fields you choose to fill in, your photos, your username and display name, your approximate (fuzzed) distance from them, and whether you are recently active. Other users never receive your exact location. Blocked users cannot see you and you cannot see them.

Service providers (sub-processors)

We share data with service providers strictly to run the Service, each bound by a data processing agreement and processing data only on our instructions. Current processors include (see our full sub-processor list for the current, authoritative version):

  • Supabase: authentication and database hosting.
  • Twilio: SMS delivery for optional phone verification.
  • Cloudflare R2: photo storage. Cloudflare Turnstile: bot protection.
  • Resend: transactional email.
  • Mapbox: map rendering.
  • Sightengine: automated photo moderation.
  • Yoti: facial age estimation at signup.
  • Stripe: identity verification for photo uploads and adult-content access.
  • PostHog: product analytics. Sentry: error monitoring (session replays mask all text and block all media, and identifying parts of page addresses are removed before events are sent).
  • Upstash: rate limiting and ephemeral cache.
  • Vercel and Railway: application hosting.

We may disclose data to law enforcement when legally required, and we report apparent child sexual abuse material and related offenses to the National Center for Missing and Exploited Children (NCMEC) and preserve related data as required by law (see Section 8). We do not sell your personal data, and we do not share it for cross-context behavioral advertising.

7. Automated moderation and decisions

We use automated tools to help keep the community safe.

  • Profile photos are screened automatically when uploaded. A photo our screening flags with high confidence may be rejected automatically without human review; photos flagged with lower confidence are placed in a queue for a human moderator. Photos shared in direct messages and in Ondurr trades are automatically classified for nudity so that explicit photos are only ever delivered between users who have both turned on the explicit-content setting; this classification routes the photo, it does not reject it, and no person views your private photos as part of it.
  • First messages to a new contact are automatically checked against the recipient's keyword and reply filters before delivery. Messages that do not pass are not delivered.

Account-level actions such as warnings, suspensions, and bans are made by a person on our team reviewing reports; we do not suspend or ban accounts through a solely automated process. If you believe a moderation decision was wrong, you can contact support@ondurr.com to request human review.

We do not currently run automated detection of child sexual abuse material. See Section 8 for how we handle child safety reports.

8. Child safety

Önduřř is for adults 18 and older. We do not knowingly permit anyone under 18 to use the Service.

  • Age is checked in two steps. Everyone provides a date of birth at signup and must pass a facial age-estimation check (processed by Yoti) before using the Service; we store the pass or fail outcome and the time, not the selfie. Uploading photos and enabling explicit content additionally require identity verification through Stripe Identity; we store the verification outcome, not your documents.
  • If you believe a minor is using the Service, report it in-app using the underage reason or contact privacy@ondurr.com. These reports are reviewed by a person. Please do not send us any images.
  • Where we obtain actual knowledge of apparent child sexual abuse material, child sex trafficking, or enticement offenses, we will report it to NCMEC's CyberTipline and preserve the related content and data as required by United States law (18 U.S.C. 2258A, as amended by the REPORT Act).
  • Data associated with child safety reports is retained and handled as the law requires and is not subject to ordinary deletion timelines.

9. Location data specifics

We never store your exact GPS coordinates. Your device offsets your location by a random distance before sending it, we store only that approximate point, and it expires after a short period. You can disable location in your device or app settings; discovery and map features will not function without it. Other users see approximate distance, never your exact position.

10. How long we keep data

We hold on to the minimum data for the minimum time. If you delete your account, a 30-day grace period applies (you can cancel during this window), after which we erase your personal data through our deletion pipeline. Some records survive because law requires it.

DataActive retentionAfter you delete
Profile (bio, photos, preferences)Until you change itErased within 30 days
Photos180 days, then auto-purgedErased; CDN cache up to 30 days
Messages you sentUntil the recipient deletesSender shown as 'Deleted account'; body purged about 12 months after your deletion
Location10 minute TTL, never stored as historyNothing to erase; we never had history
Blocks (permanent, two-way)Retained while both accounts existRetained as a deliberate safety choice; separation cannot be undone
Reports filed against youUp to 2 years for minor; longer for seriousRetained as moderation and safety evidence under our safety policy and applicable US law
Safety records under federal CSAM law1 year minimumRetained on legal hold per 18 U.S.C. 2258A (REPORT Act)
Auth and sign-in logsUp to 2 years for security and abuse preventionAuth identity deleted with your account; residual security logs age out on our provider's standard schedule

11. Your rights

Depending on where you live, you may have rights to access, correct, delete, export (data portability), restrict or object to processing, withdraw consent, opt out of sale or sharing of personal information, and limit the use of sensitive personal information. We extend the core set of these rights to all users regardless of location. You can:

  • Edit your profile and privacy settings in the app.
  • Export your data from Settings (a downloadable copy) or at /api/me/export.
  • Delete your account from Settings.
  • Add or remove sensitive profile details (such as orientation or HIV status) at any time by editing your profile, and contact us to limit their use (see Section 3).
  • Contact privacy@ondurr.com for any request.

We will respond to requests within the time required by applicable law, and in any case we aim to respond within 30 days. Where California law applies, we acknowledge requests within 10 business days and complete them within 45 calendar days, with extensions where the law allows. We keep a record of data subject requests. We will not discriminate against you for exercising your rights. You may also complain to your local data protection authority.

We do not sell your personal information and we do not share it for cross-context behavioral advertising, so there is no sale or sharing for you to opt out of. We honor Global Privacy Control (GPC): when your browser sends the signal we do not load product analytics for that session. See Your Privacy Choices for these controls in one place.

12. Cookies and similar technologies

  • Strictly necessary (always active): authentication and session, security and rate limiting, and the 18+ age-gate acknowledgment. These cannot be turned off without breaking the Service.
  • Functional: storing your preferences, including a local-only value in your browser used to keep your location fuzzing offset stable (this value never leaves your device).
  • Analytics: PostHog, to understand product usage. Analytics run with autocapture disabled, and identifying parts of page addresses (such as profile handles) are removed before events leave your browser. Analytics do not load until you accept them on the consent banner shown on your first visit, and never load when your browser sends a Global Privacy Control signal. You can change your choice any time on Your Privacy Choices.
  • Marketing: none. We do not currently use advertising or marketing cookies.

13. Where we operate; international users

Önduřř is offered only to users in the United States (including its territories). We do not offer the Service to, or knowingly register, users located outside the United States, and we block registration from outside the United States. Because we do not serve users in the European Union, the European Economic Area, or the United Kingdom, we do not currently rely on the EU or UK GDPR and have not appointed an Article 27 representative. Your data is processed in the United States. If we later begin serving other regions, we will update this policy and put the required safeguards in place first.

14. Security

We apply technical and organizational measures including encryption in transit (HTTPS), encryption at rest provided by our database and storage providers, Row-Level Security on our database, server-side metadata stripping on photos, rate limiting, bot protection, optional two-factor authentication, and audit logging on administrative actions. At-rest protection is the default disk-level encryption offered by our providers; we do not currently apply application-level field encryption to specific columns. No system is perfectly secure. If a breach affecting your personal data occurs, we will notify you and regulators as applicable law requires.

15. Changes

We may update this policy. We will post the new effective date and, for material changes, provide reasonable notice.

16. Contact

Privacy questions or data subject requests: privacy@ondurr.com

EU / UK representative: not applicable; we do not serve EU or UK users (see Section 13).

Postal address: [Ondurr LLC registered California address pending]