Privacy Policy

LoveLink UK is a dating platform for UK singles. We are the data controller for your personal information under UK GDPR.

Data controller contact: privacy@lovelink.uk

We collect the following categories of data:

Account & profile data

• Name, email address, date of birth
• Profile: age, city, occupation, bio, interests, photos
• Relationship preferences (looking for, gender preference)
• Availability windows (when you are free)
• Optional: height, education level, drinking/smoking habits, religion
• Profile prompts and answers

Location and address data

• UK postcode — collected at registration, validated against the Royal Mail database via postcodes.io. Used to confirm UK residency and derive your general area for matching. Your full postcode is never shown to other users — only your city/town.
• Latitude and longitude derived from your postcode (for distance-based matching)
• Precise device location (lat/lng from GPS) — collected only with your explicit permission via a browser consent prompt. Used to cross-check your postcode and detect location fraud.
• Approximate location from your IP address (city-level)

Device and technical data

• IP address — captured on every request for fraud prevention and UK-only enforcement
• Browser type, operating system, and version
• Screen resolution, timezone, and language setting
• Device fingerprint hash — a unique identifier generated from your browser's characteristics (screen, fonts, canvas rendering, WebGL, CPU) using FingerprintJS. This does not identify you by name but allows us to detect if a banned user creates a new account from the same device.
• Web push notification token — stored if you grant push notification permission, used only to deliver match and message alerts

Activity and safety data

• Likes, passes, matches, and messages (to provide the service)
• Profile views, super likes, boosts (to provide premium features)
• Security logs — login events, risk score, VPN/proxy detection results, IP, device info, timestamp
• Reports and blocks you have sent or received
• Verification selfies — stored securely, reviewed only by our admin team, deleted after verification is completed
• Message content — scanned server-side for fraud signals (money requests, phishing links, off-platform redirect). Flagged content is reviewed by our moderation team.

Payment data

• Subscription status, plan type, renewal date
• Boost credit balance
• Stripe customer ID (a reference token — we do not store card numbers)
• All payment card data is handled exclusively by Stripe

Your dating preferences (including gender and who you are looking for) constitute special category data under UK GDPR Article 9. We process this data solely with your explicit consent, given when you create your profile, and use it only to match you with compatible people on the platform. You may withdraw this consent at any time by deleting your account.

• To create and manage your account and profile
• To match you with compatible people based on location, preferences, and availability
• To generate AI icebreaker suggestions (your interests and city are passed to Claude AI / Groq — never your name or contact details)
• To screen uploaded photos for inappropriate content (Claude AI vision model)
• To scan messages for romance scam and fraud signals
• To send match, message, and activity notifications (email and web push — only if you have granted permission)
• To verify your identity and prevent fake profiles
• To detect and prevent fraud, ban evasion, and multiple accounts
• To enforce our UK-only restriction and block VPN/proxy access
• To comply with the Online Safety Act 2023 and other UK legal obligations
• To process payments for premium membership and boost credits

We share your data only with the following third-party processors, all under data processing agreements:

We never sell your data, share it with advertisers, or use it for any purpose other than those listed above.

We use FingerprintJS (open-source, client-side library) to generate a device fingerprint. This is a hash derived from your browser's characteristics — it does not capture your name, email, or any directly identifying information. The hash is stored in our database linked to your account and is used exclusively to:

• Detect when a banned user attempts to create a new account from the same device
• Identify unusual login patterns (e.g., account accessed from multiple countries within hours)

This processing is carried out under our legitimate interest in protecting users from harassment and fraud, and in compliance with the Online Safety Act 2023. You may object to this processing by contacting us at privacy@lovelink.uk, though we may be unable to continue providing the service if this processing cannot be carried out.

We collect location data at three levels:

• Postcode (required): Entered by you at registration. Validated by postcodes.io to confirm it is a real UK postcode. Used to derive your general area and match you with nearby people. Your postcode is never shown to other users.
• IP geolocation (automatic): Your approximate city is derived from your IP address on each login, via ProxyCheck.io. Used for fraud detection and to enforce our UK-only policy. This processing is under legitimate interest.
• GPS location (optional, consent-based): If you grant browser location permission, your precise coordinates are stored in our security logs for fraud detection — specifically to verify that your location matches your stated postcode. You may decline this without affecting core app functionality.

As required by the UK Online Safety Act 2023, we scan outgoing messages for signals associated with romance scams and financial fraud. This scanning is automated and looks for specific patterns such as requests for money, gift cards, cryptocurrency, or attempts to move conversations off-platform.

Messages flagged by this system are reviewed by our moderation team. We do not read your general conversations — scanning is targeted and limited to fraud pattern detection. This processing is conducted under legitimate interest and our legal obligations under the Online Safety Act.

We send the following types of notifications with your consent:

• Web push notifications: New match, new message, new like. Delivered only if you have granted browser notification permission. You can revoke this in your browser settings at any time.
• Email notifications: New match alert (immediate); weekly digest of who liked you; inactivity nudge if you have not visited in 3 days. You may unsubscribe from non-essential emails via your profile settings or by emailing us.

• Your profile and account data is retained for as long as your account is active
• Upon account deletion: profile removed within 30 days, messages purged within 90 days
• Security logs: retained for 12 months, then purged
• Device fingerprints: retained for 24 months to support ban enforcement
• Verification selfies: deleted within 30 days of a completed verification decision
• Payment records: retained for 7 years as required by HMRC tax obligations
• Banned account records: retained indefinitely to prevent re-registration

• Right of access — request a copy of all personal data we hold about you
• Right to rectification — correct inaccurate or incomplete data
• Right to erasure — request deletion of your account and personal data
• Right to data portability — receive your data in a machine-readable format (JSON)
• Right to object — object to processing based on legitimate interest (e.g., device fingerprinting)
• Right to restrict processing — ask us to pause processing while a dispute is resolved
• Right to withdraw consent — withdraw consent for special category data or notifications at any time

To exercise any right, email privacy@lovelink.uk. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the ICO (UK data regulator) at ico.org.uk or by phone on 0303 123 1113.

We use only essential cookies required for authentication (Supabase session tokens). We do not use advertising, analytics, or third-party tracking cookies. Our service worker (used for push notifications) stores no personal data.

All data is transmitted over HTTPS. Passwords are hashed and never stored in plain text (managed by Supabase Auth). Our database uses row-level security policies to ensure users can only access their own data. We conduct regular reviews of our security practices.

To report a security vulnerability, email security@lovelink.uk.

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes by email and by a notice on the platform at least 14 days before changes take effect. Continued use of LoveLink UK after that date constitutes acceptance of the updated policy.