GENZA PRIVACY POLICY

Version: 1.0

Effective Date: March 31, 2026

This Privacy Policy (the “Policy”) explains in detail how GENZA collects, uses, discloses and protects information about you when you use our dating and social discovery services.

This Policy applies to the GENZA mobile application, the GENZA Telegram Mini App, the genza.io website and any related websites, pages or subdomains we operate that link to this Policy, and any other online products, features, content, communications or services provided by GENZA that link or refer to this Policy (collectively, the “Services”).

This Policy is intended to give you a clear understanding of:

This Policy does not describe every technical detail of our systems, but it is intended to be complete and accurate at the level required by applicable law (including, where applicable, U.S. state privacy laws, GDPR-style laws and similar frameworks).

By creating user account (the “Account”), accessing or using the Services, you:

If you do not agree with this Policy, you must not use the Services and should delete your Account (if you have one). If you have questions about any part of this Policy, you should contact us before continuing to use the Services.

This Policy is designed primarily for adults. The Services are intended only for individuals who are at least 18 years old, and we do not knowingly collect personal data from children. Further details are provided in the relevant section of this Policy.

1. WHO WE ARE AND WHO IS RESPONSIBLE FOR YOUR DATA

1.1. Data Controller / Business

GENZA currently uses a single controller / business model for users of the Services. The entity responsible for your personal data and your contractual counterparty under the Terms of Use is Genza Inc., a Delaware corporation, with a mailing address at 1201 N. Orange Street, Suite 7587, Wilmington, DE 19801-1186, United States.

In this Policy, “GENZA”, “we”, “us” or “our” refers to GENZA Inc., and any reference to “controller” or “business” should be read accordingly, depending on which privacy law applies in your jurisdiction.

“You”, “your”, “User” means the individual who accesses or uses the Services, irrespective of whether you have created a registered Account, and whose personal data is processed by GENZA.

1.2. No Country-Split Controller Structure

Unlike some multi-entity products, GENZA currently uses a single legal entity structure for this Policy. If that changes in the future, we may update this Policy and identify the relevant entity for future processing on a going-forward basis, where required by law.

The underlying infrastructure, systems and service providers may evolve over time, but responsibility and legal obligations for the processing described in this Policy currently sit with GENZA Inc.

1.3. Relationship with App Stores and Third Parties

This Policy covers how GENZA processes your data. It does not govern how independent third parties process your data when you interact with them, for example:

Those third parties are typically independent controllers of your data for their own purposes. You should review their privacy policies separately. GENZA is not responsible for how they handle your data.

1.4. How This Policy Relates to Other Documents

This Policy should be read together with:

If there is any inconsistency between this Policy and a more specific, jurisdiction-specific privacy notice or Consumer Health Data Privacy Policy, the more specific document will prevail for the scope and jurisdiction it covers, to the extent required by applicable law.

1.5. Contact Details for Privacy Matters

You can contact us about this Policy or our handling of your personal data using the contact details provided in the Section 16 and, where applicable, in any local privacy notice. In particular:

If you are located in a jurisdiction that requires a local representative or specific contact point (for example, a data protection officer, EU/UK representative or consumer contact), we will identify this in the relevant regional section or local notice.

2. SCOPE OF THIS POLICY; NOT FOR CHILDREN

2.1. Material Scope – When This Policy Applies

2.1.1. This Policy applies to the collection and processing of information about you in connection with your use of the Services, as defined in the preamble, including:

2.1.2. This Policy applies:

2.1.3. This Policy does not apply to:

When you access third-party services, their own privacy policies and terms apply, and you should review them separately.

2.2. Territorial Scope – Where This Policy Applies

2.2.1. This Policy applies to users worldwide, subject to Section 1 (who is responsible for your data) and any jurisdiction-specific sections or notices that we provide.

2.2.2. Certain provisions of this Policy apply only to residents of specific jurisdictions, for example:

Where required, we will provide additional state- or country-specific privacy notices that complement this Policy. If there is any conflict between such a specific notice and this Policy, the more protective provision for the user in the relevant jurisdiction will apply, to the extent required by law.

2.2.3. Nothing in this Policy is intended to limit any mandatory rights you may have under the laws of your place of residence that cannot be waived by contract. Where such rights exist, we will respect them.

2.3. Relationship with the Terms of Use and Other Notices

2.3.1. This Policy forms part of, and should be read together with, our Terms of Use. Capitalized terms used but not defined in this Policy have the meaning given to them in the Terms of Use.

2.3.2. In addition to this Policy and the Terms of Use, we may provide:

Those documents and notices complement this Policy and may provide further detail on specific processing activities or legal requirements.

2.4. Age Restrictions – Services Are Not for Children

2.4.1. The Services are intended solely for adults who are at least eighteen (18) years old. By using the Services, you represent and warrant that you are at least 18 years old, as set out in the Terms of Use.

2.4.2. We do not knowingly collect personal data from:

2.4.3. You must not create an Account or use the Services if:

2.5. If We Learn That a User Is Underage

2.5.1. If we become aware, or have reasonable grounds to believe, that a user is under 18, we may take appropriate measures, which can include:

2.5.2. If you are a parent or legal guardian and believe that your child has provided us with personal data or is using the Services in violation of this Policy and the Terms of Use, you should contact us immediately using the privacy contact details in Section 16. We will review the situation and take appropriate action, which may include:

2.6. Misrepresentation of Age

2.6.1. If you misrepresent your age in order to access the Services, you are in breach of the Terms of Use. In such cases, we may:

2.6.2. Where required by law, we may keep records of such incidents and, in serious cases (for example, involving High-Risk Categories or potential offences against minors), we may cooperate with law enforcement or relevant authorities, in line with applicable legal standards and our safety procedures.

2.7. No Deliberate Profiling of Children

2.7.1. We design and operate the Services on the basis that users are adults. We do not deliberately target, profile or personalize experiences for children, and we do not knowingly use personal data of anyone under 18 for any processing purpose.

2.7.2. If at any point we discover that personal data of a child has been processed contrary to this Policy, we will take reasonable steps to:

3. INFORMATION WE COLLECT

3.1. Overview

3.1.1. In connection with providing the Services, we collect information about you that can be grouped into the following broad categories:

3.1.2. Some of this information may be considered sensitive under certain laws (for example, information about sexual life or orientation, precise location, certain health-related information, or government-issued IDs). Where required by law, we will only process such information with your consent or under another legal basis allowed by applicable law. Additional details are in Section 3.5 and in any jurisdiction-specific notices.

3.1.3. We describe how and why we use these categories of information in Section 4 (How We Use Your Information) and in other parts of this Policy.

3.2. Information You Provide to Us

3.2.1. Account Registration and Profile Data

When you create or update an Account, you may provide:

If you register or access the Services through the GENZA Telegram Mini App, we receive certain information made available by Telegram, such as your Telegram ID, username/display name, profile photo, interface language, device and operating system details, Telegram Premium status and theme settings. Your name, age, profile data and related Account information are stored in our database (PostgreSQL) in structured format (JSONB) together with other player data associated with your Account. This data is retained for the lifetime of your Account and deleted upon Account deletion, subject to limited retention for safety, legal and fraud prevention purposes as described in Section 6.

3.2.2. Photos, Videos and Other Profile Content

You may upload or otherwise provide:

By choosing to upload photos, videos or text, you understand that they may reveal information about you, including sensitive information (for example, sexual orientation, religion, ethnicity or health status), depending on what you decide to share. You are not required to provide such information, but if you choose to do so, it will be processed in accordance with this Policy and applicable law.

You may upload images for the purpose of generating a 3D avatar. Source images used solely for avatar generation are processed by our avatar generation infrastructure and are typically retained for up to twenty-four (24) hours after processing, then deleted, unless longer retention is necessary for safety or technical reasons. Generated avatar assets and derivative files (accessories, customizations) are linked to your profile and persist for the lifetime of your Account.

Photos you upload for your profile are stored in our object storage infrastructure. Links (URLs) to those photos are stored in the database (PostgreSQL, JSONB format) alongside your other Account data. Photos are retained for the lifetime of your Account.

3.2.3. Content and Communications with Other Users

When you use the Services, you may generate or provide:

We process this information to operate the Services (for example, delivering messages and matches), maintain safety, and enforce our Terms of Use and policies.

3.2.4. Communications with Us

If you contact us directly, you may provide:

We keep records of these communications as part of our legitimate business interests (e.g., support, compliance, dispute handling), subject to applicable retention rules.

3.2.5. Surveys, Research and Feedback

We may invite you to participate in:

If you participate, we collect the information you provide in your responses. You can decline to participate; this does not affect your use of the core Services.

3.2.6. Payment and Billing Information

If, now or in the future, you purchase Paid Services directly from GENZA (not through an App Store Provider), we may collect:

If your purchase is made through an App Store Provider (Apple, Google, etc.), that provider will collect and process your payment information under its own terms; GENZA typically receives only limited data (e.g., transaction ID, product purchased, country, and basic status information).

3.3. Information We Collect Automatically When You Use the Services

3.3.1. Usage and Log Information

When you access or use the Services, we automatically collect certain usage information, such as:

We use this information to operate, secure and improve the Services, troubleshoot problems and understand how users interact with GENZA.

3.3.2. Device and Technical Information

We may collect information about the device and software you use, such as:

This information is used for security, fraud prevention, compatibility, analytics and, where applicable, advertising/measurement (for details of cookies/SDKs see Section 3.3.4 and the Cookie Policy).

3.3.3. Location-related Information

Depending on your device settings, permissions and use of location features, we may collect or process:

We use location-related information primarily to:

You can control the App’s access to device-derived location through your device settings. If you disable location services, some location-based features may be limited or unavailable. User-set location data may remain associated with your account until changed or deleted, subject to Section 6.

When you set your location in the Services (for example, by selecting a city or placing a pin on a map), that location data is stored in our database (PostgreSQL, JSONB format) alongside your other Account data. This manually set location is retained for the lifetime of your Account and used solely for matchmaking, discovery and distance-based features.

We do not display your exact location, GPS coordinates, IP address or precise position to other Users. Distances and location-related information shown in the Services are approximate and may be deliberately rounded or obfuscated for safety reasons.

GENZA does not continuously track your real-time location in the background. Location data is collected at specific points (for example, when you manually set your location, when you open the App with location permission enabled, or when you use location-dependent features). We do not sell, rent or otherwise monetize your location data to third parties.

3.3.4. Cookies, SDKs and Similar Technologies

When you visit genza.io or use the App, we and our partners may use:

These technologies may collect information such as:

We use these technologies for purposes including:

Details of our use of cookies and similar technologies, and your options to manage them (including consent where required), are set out in our Cookie Policy.

3.4. Information We Receive from Other Users and Third Parties

3.4.1. Other Users

We may receive information about you from other users of the Services, for example:

We process this information to maintain safety, enforce our Terms and Community Guidelines, and respond to reports and disputes.

3.4.2. App Store Providers and Payment Partners

From App Store Providers and payment processors, we may receive:

We do not receive your full payment card details from App Store Providers.

3.4.3. Analytics, Advertising and Measurement Partners

Where permitted by law and by your settings, we may receive aggregated or pseudonymous data from analytics or advertising partners, such as:

This helps us understand how users discover and use the Services and how effective our marketing is. More details are provided in the Cookie Policy and any applicable state-specific privacy notices (e.g., “Your Privacy Choices”).

If you participate in a GENZA referral or invitation program, we may collect and process referral identifiers (referral links, referral codes), attribution data linking an inviter to an invitee, referral reward tracking data (such as earned coins, crystals or other virtual items), and the channel through which the invitation was sent. This data is used to operate the referral program, attribute rewards, prevent fraud and abuse, and comply with applicable law. Details of the referral program are set out in the Referral Program Terms.

3.4.4. Safety, Fraud Prevention and Law-Enforcement Sources

To maintain safety and comply with legal obligations, we may receive information from:

We use this information to assess risk, detect prohibited conduct under our Terms of Use, prevent or respond to suspected fraud, abuse, illegal activity or security incidents, and comply with legal requirements.

3.4.5. Social Media and Integration Partners

If, now or in the future, we introduce optional integrations with social networks or other platforms and you choose to connect them, we may receive information from those third parties in accordance with their privacy policies and your settings, such as:

You can always choose not to connect such integrations; they are optional.

3.5. Sensitive and Special Categories of Personal Data

3.5.1. Sexual Life, Orientation and Relationship Information

Because GENZA is a dating and social discovery Service, some information you choose to provide or display may relate to your:

This information can be considered “sensitive” or “special category” data under certain laws. You are not required to provide such information, but if you do, we will process it:

3.5.2. Location and Geolocation Data

Location and geolocation data can be considered sensitive under certain laws. GENZA may process user-set location data and, where you explicitly grant permission, device-derived location data for the purposes described in this Policy.

You can revoke device-location permission at any time via device settings. If you do so, some location-based features may not be available, but user-set location records may remain stored as part of your account data subject to Section 6.

3.5.3. Consumer Health and Well-Being Information

In some cases, users may share information related to their emotional well-being, mental health, or aspects of sexual health (e.g., preferences regarding safer sex, STI status, or certain boundaries) in profiles or messages. Depending on applicable law, such information may be considered:

We do not require you to disclose such information to use the Services. If you choose to do so, it is processed in line with this Policy, and, where applicable, with our Consumer Health Data Privacy Policy and any specific consent requirements.

3.5.4. Government IDs and Identity Verification Data

GENZA does not routinely verify user identities through government-issued documents as part of ordinary onboarding or ordinary use of the Services.

Unless and until such a feature is expressly introduced, ordinary GENZA use is not based on document identity verification.

We do not claim that an ordinary GENZA profile has been document-verified unless we explicitly say so in a specific feature or notice.

Any age-gating, selfie or liveness checks, verification badges or similar indicators available through the Services are limited verification measures only. They do not constitute a criminal background check, sex offender registry check, or comprehensive identity verification. They do not guarantee that a User is who they claim to be, that they have no criminal record, or that they are safe to interact with. You should not rely on any verification feature as a substitute for your own judgment and precautions.

3.5.5. Handling of Sensitive Data

Where laws require specific bases or additional safeguards for processing sensitive data, we will:

3.6. Inferences and Derived Data

3.6.1. Based on the information described above, we may create derived data or inferences, such as:

3.6.2. These inferences are used to:

3.6.3. We do not use profiling or automated decision-making in a way that produces legal or similarly significant effects on you without ensuring that such processing is carried out in accordance with applicable law (including any required notices, safeguards and rights). Where such processing exists and is regulated, we will describe it in the relevant jurisdiction-specific sections of this Policy.

4. HOW WE USE YOUR INFORMATION

4.1. Overview

4.1.1. We use the information described in Section 3 to operate, secure and improve the Services, to enable core dating functionality, to protect users and GENZA from harm and fraud, and to comply with legal and regulatory requirements.

4.1.2. Depending on your location, applicable law may require us to identify the legal bases on which we process your personal data. Where such laws apply (for example, in the EEA, UK or similar jurisdictions), we generally rely on one or more of the following legal bases:

4.1.3. In the subsections below we describe the main purposes for which we use your information and, where relevant, the corresponding legal bases under data protection laws that require them. For users in jurisdictions where such detail is not mandatory, this section still explains how and why we process your information.

4.2. Providing and Operating the Services

4.2.1. We use your information to provide the core functionality of the Services, including to:

4.2.2. Categories of data used:

4.2.3. Legal bases:

4.3. Safety, Security, Abuse and Enforcement

4.3.1. Safety is a core element of the Services. We use your information to:

4.3.2. For these purposes we may use:

4.3.3. This may include:

4.3.4. Legal bases (where applicable):

4.4. Communications with You

4.4.1. We use your information to communicate with you about the Services, including to:

4.4.2. Depending on your settings and applicable law, we may also send you:

4.4.3. You can manage certain communication preferences (for example, marketing emails or push notifications) through the mechanisms described in Section 10.5 of the Terms and in this Policy. Some service communications (e.g., security alerts, key legal notices) are required for the operation of the Services and cannot be fully opted out of while you maintain an Account.

4.4.4. Legal bases:

4.5. Personalization, Matching and Recommendations

4.5.1. We use your information to personalize your experience on GENZA, for example to:

4.5.2. For these purposes, we may use:

4.5.3. We do not guarantee any particular outcome or number of matches. Personalization is intended to improve relevance and efficiency but does not constitute a guarantee of any specific result (see Terms of Use Sections 4.7 and 12.3).

4.5.4. The Services may use artificial intelligence (AI), machine learning, algorithmic systems and other automated technologies in connection with matching, compatibility scoring, content recommendations, AI-generated prompts and conversation starters, content moderation and safety screening. You acknowledge that: (a) AI-generated content, suggestions and recommendations are provided for informational and entertainment purposes only and may contain errors, inaccuracies or biases; (b) AI features do not constitute professional advice of any kind; (c) automated systems may be used to moderate content and detect policy violations, and such decisions may not always be reviewed by human moderators; and (d) the algorithms and models used in the Services may change at any time, which may affect how your profile is presented, whom you are shown or matched with, and how content is ranked or filtered.

4.5.5. To the extent required by applicable law (including the EU AI Act, the Colorado AI Act or similar legislation), GENZA will provide disclosures regarding the use of AI and automated decision-making systems. Where required by law, you may have the right to request human review of significant automated decisions affecting you.

4.5.6. Legal bases:

4.6. Analytics, Service Improvement and Product Development

4.6.1. We use information about how you and others use the Services to:

4.6.2. For these purposes, we rely on:

4.6.3. Wherever reasonably possible, we use aggregated or de-identified data for analytics and product improvement.

4.6.4. Legal bases:

4.7. Advertising, Marketing and Measurement

4.7.1. GENZA may use certain information for marketing and advertising purposes, including to:

4.7.2. For these purposes we may use, in compliance with applicable law:

4.7.3. For how we handle any “sale” or “sharing” of personal data under U.S. state privacy laws (including additional disclosures and opt-out choices), see Sections 5.1 and 12.

4.7.4. Legal bases:

4.8. Compliance with Legal Obligations and Protection of Rights

4.8.1. We use your information to comply with legal, regulatory and judicial obligations, including to:

4.8.2. We may also process information to:

4.8.3. Legal bases:

4.9. Aggregated, De-identified or Anonymized Data

4.9.1. We may create aggregated, de-identified or otherwise anonymized data derived from your information and from other users’ information. For example, we may aggregate usage data to publish general statistics (e.g., number of users in a city, average app usage time) without identifying you.

4.9.2. We may use and disclose such aggregated or de-identified data for any lawful purpose, including for:

4.9.3. Where we de-identify data, we will not attempt to re-identify individuals from such data, except as permitted or required by law (for example, to test or demonstrate the effectiveness of de-identification processes).

4.10. Automated Decision-Making and Profiling

4.10.1. The Services use forms of profiling and automated decision-making, primarily to:

4.10.2. These automated processes are used to:

4.10.3. We do not use automated decision-making to produce legal or similarly significant effects about you, without ensuring that such processing is carried out in accordance with applicable law (including any required safeguards and rights). Where local law grants you specific rights in relation to automated decision-making (e.g., to obtain human review), those rights are described in the jurisdiction-specific sections of this Policy.

5. HOW WE SHARE YOUR INFORMATION

5.1. Overview

5.1.1. We do not sell your personal data in the ordinary sense of the word (for example, we do not sell lists of users with names and phone numbers for money).

5.1.2. We do share information with selected third parties in order to operate the Services, enable core functionality (such as showing your profile to others), improve safety and comply with the law.

5.1.3. In some jurisdictions (for example, certain U.S. states), the legal definitions of “sale” or “sharing” of personal information are broad and may treat certain analytics or advertising uses as a “sale” or “sharing”. Where such laws apply, we will provide additional disclosures and choices (for example, “Your Privacy Choices” links or opt-out mechanisms), as required by those laws.

5.1.4. When we share personal data, we do so:

5.2. With Other Users of the Services

5.2.1. Profile and discovery. The core purpose of GENZA is to show your profile to other users and to show you other users’ profiles. When you use the Services, the following information may be visible to other users, depending on your settings, your use of features, and our product design:

5.2.2. Matches and messages. When you like or interact with another user, we show that interaction to them as part of the matching and messaging experience. If you match or exchange messages with another user, your name/display name, age, profile photos and the content of those communications become visible to that other user.

5.2.3. Shared content. Any content that you intentionally post or share in a way that is visible to others (for example, photos in your profile, text prompts, emojis, reactions) can be seen, copied, saved or re-shared by them. We cannot control what other users do with content they have received.

5.2.4. Information NOT shown to other Users. We do not show your exact location, GPS coordinates, IP address, email address, phone number, Telegram ID, device identifiers or financial information to other Users through the Services. Approximate distance information (e.g., “5 km away”) may be displayed, but is deliberately approximate and does not reveal your precise location.

5.2.5. Public or semi-public features. In the future, the Services may offer features that are more public or semi-public (for example, visibility in certain lists, events, or discovery formats). If you choose to use such features, additional information may be visible to a wider audience within the Services, as described at the point of use.

5.3. Within the GENZA Group, Affiliates and Successors

5.3.1. We may share your information within the GENZA corporate group, if and to the extent such group entities, parent companies, affiliates, or successor entities exist now or in the future and need the information for the purposes described in this Policy.

5.3.2. Such intra-group sharing is done for purposes including:

5.3.3. Where required by law, intra-group transfers will be subject to appropriate safeguards for international transfers (see the section on international data transfers below).

5.4. Service Providers and Processors

5.4.1. We engage third-party companies and individuals to perform functions on our behalf (“Service Providers”). These Service Providers may access your information only as necessary to perform their functions and are contractually obligated to handle personal data in line with this Policy and applicable law.

5.4.2. Categories of Service Providers may include:

5.4.3. These Service Providers process data on our instructions and are not allowed to use your personal data for their own unrelated purposes.

5.5. App Store Providers and External Payment Platforms

5.5.1. When you download the App or make in-app purchases, certain data is shared directly between you and the relevant App Store Provider (e.g., Apple App Store, Google Play). This may include:

5.5.2. We receive limited information from App Store Providers to enable us to:

5.5.3. App Store Providers act as independent controllers of the data they collect. Their processing of your data is governed by their own privacy policies and terms, not by this Policy.

5.5.4. If we enable direct payments in the future (for example, via card payments or other external payment services), those payment processors will receive the information necessary to process your transaction (e.g., card details, billing address) and will process it according to their own privacy policies and applicable law.

5.5.5. If you access the Services through the GENZA Telegram Mini App, certain data is exchanged between GENZA and Telegram as part of the Mini App functionality. This may include your Telegram ID, username, profile photo, interface language, device information and Telegram Premium status (received by GENZA from Telegram), as well as limited session and interaction data transmitted through the Telegram Mini App platform. Payments processed through Telegram payment infrastructure (including Telegram Stars, where applicable) are handled by Telegram under its own terms and privacy policy; GENZA receives only limited transaction confirmations. Telegram acts as an independent controller for the data it processes in its own ecosystem.

5.6. Third-Party Sign-In and Integrations

5.6.1. If you choose to sign up or log in through a third-party Account (for example, Apple ID, Google), we may receive identifiers and limited profile information (such as a verified email address) from that provider, as allowed by their settings and your choices.

5.6.2. In such cases:

5.6.3. If the Services include other integrations (for example, links to external content or safety resources), any data you provide directly to those third parties is governed by their privacy policies, not by this Policy.

5.7. Advertising, Attribution and Measurement Partners

5.7.1. Where permitted by law and platform policies, we may share limited information with advertising, attribution and measurement partners to:

5.7.2. The categories of data shared for these purposes may include:

5.7.3. We do not provide your name, message content or detailed profile information to advertising partners for their own independent targeting of third-party ads, unless we clearly explain this and obtain required consents.

5.7.4. In jurisdictions where laws treat certain analytics or advertising as “sale” or “sharing” of personal information, we will provide appropriate notices and mechanisms to opt out or limit such activity, as required by those laws.

5.8. Safety, Protection of Rights and Legal Compliance

5.8.1. We may disclose information about you if we reasonably believe that such disclosure is necessary to:

5.8.2. This may include sharing information with:

5.8.3. Where we receive a request from authorities for user information, we will assess it in accordance with applicable law and our internal policies. We may challenge or narrow requests that we consider overly broad or not properly grounded in law, where we are permitted to do so.

In accordance with 18 U.S.C. § 2258A and applicable law, GENZA will report to the National Center for Missing and Exploited Children (NCMEC) and, where required, to relevant law enforcement authorities, any apparent violations involving child sexual abuse material (CSAM) or the sexual exploitation of minors of which GENZA becomes aware through the Services. GENZA may preserve and disclose related Account data, User Content and metadata as required for such reporting.

5.9. Business Transfers

5.9.1. We may share your information with third parties in connection with a corporate transaction or reorganization involving GENZA, including:

5.9.2. In such cases, your information may be transferred as part of the transaction, subject to confidentiality obligations and, where required by law, subject to notifying you and providing appropriate choices.

5.9.3. Any successor entity will be required to handle your personal data in accordance with this Policy (or a policy that, at minimum, offers comparable protections), unless and until you are informed otherwise.

5.10. With Your Consent or at Your Direction

5.10.1. We may share your information with third parties when you ask us to, or where you have clearly consented to such sharing. Examples include:

5.10.2. In these cases, we will generally explain at the time what information will be shared and with whom, and will rely on your consent or explicit direction as the legal basis for the sharing.

5.11. Aggregated or De-Identified Information

5.11.1. As described in Section 4.9, we may also share aggregated, de-identified or otherwise anonymized information with:

6. HOW LONG WE KEEP YOUR INFORMATION

6.1. General principle

6.1.1. We keep your information only for as long as it is reasonably necessary for the purposes described in this Policy or as required by applicable law, regulation, legal process or law enforcement requests.

6.1.2. When deciding how long to keep information, we consider, among other things:

(a) the type of information and the sensitivity of the data;

(b) the purpose for which the information was collected and whether that purpose is still relevant;

(c) legal, regulatory, tax, accounting and reporting obligations;

(d) security, fraud prevention and abuse detection needs;

(e) the existence of actual or potential disputes, complaints, investigations or claims.

6.2. Main retention scenarios (high-level overview)

Subject to the principles in Section 6.1 and any longer periods required or permitted by law, we generally apply the following approach:

6.2.1. Account and profile data

(a) Basic Account information and profile data (such as email, phone number, username, date of birth, name, age, Account settings, profile fields, and links to profile photos stored in media storage) are kept for as long as you maintain an active Account.

(b) As part of GENZA’s current data architecture, certain core account and profile records (stored in PostgreSQL / JSONB format and related storage systems) are retained for the lifetime of your Account and may persist in backups for a limited period after Account deletion, unless and until they are deleted, de-identified, changed by the user, or removed as part of an account deletion process, subject to Sections 6.3-6.6.

6.2.2. User Content and interactions

(a) Content you share (photos, videos, prompts, likes, matches, messages and other interactions) is generally kept for as long as it is needed to operate the Services (for example, to show your profile, your chats and your matches), to maintain a consistent user experience and to support safety features (such as reporting, blocking and investigations).

(b) Where content is reported, flagged by our systems, or associated with a violation of our Terms or Community Guidelines (including High-Risk Categories), we may retain relevant copies for a longer period as evidence and for safety, fraud prevention, abuse detection and legal purposes.

6.2.3. Usage, device and technical logs

(a) Technical logs (such as IP addresses, device identifiers, login and security events, crash logs and in-app event logs) are retained for time-limited periods that we define in our internal retention schedules, except where certain account-linked records are retained for the lifetime of the Account as described above.

(b) Aggregated or anonymized analytics data (that can no longer reasonably be linked to an identified or identifiable person) may be kept for longer periods to help us understand and improve the Services.

6.2.4. Payment and transaction data

(a) Records related to purchases, subscriptions and payments (including timestamps, amounts, payment method identifiers and related metadata) are retained for periods required by applicable tax, accounting, anti-fraud and financial-recordkeeping laws.

(b) Where permitted, we may keep limited transaction-level data for longer in order to prevent fraud, enforce our Terms and respond to disputes or chargebacks.

6.2.5. Communications with us

(a) If you contact support or our legal team, we may keep copies of your communications (including emails, support tickets and attachments) for a period necessary to handle your request, monitor service quality and, where relevant, to establish, exercise or defend legal claims.

(b) Where the communication relates to safety incidents, High-Risk Categories, potential legal claims or regulatory matters, we may retain relevant records for longer in line with Section 6.4.

6.3. Criteria we use to set retention periods

When setting and reviewing our internal retention schedules, we typically consider:

(a) whether the data is necessary to keep your Account active and functional;

(b) whether the data is needed to maintain the integrity and security of the Services (including prevention of spam, fraud, scams, harassment and other abuse);

(c) statutory limitation periods for potential claims or regulatory investigations;

(d) sector-specific guidance or regulatory expectations for online dating and social services, where applicable;

(e) reasonable expectations of users regarding how long different types of information are kept.

6.4. Retention for legal, safety and enforcement purposes

6.4.1. Even after you delete your Account or specific content, we may retain certain information where we reasonably believe it is necessary to:

(a) comply with legal, regulatory, tax, accounting or reporting obligations;

(b) respond to lawful requests from courts, regulators or law enforcement (including preservation requests);

(c) enforce our Terms of Use, Community Guidelines and other policies;

(d) investigate, detect, prevent or address fraud, abuse, High-Risk Categories, security incidents or other harm;

(e) establish, exercise or defend legal claims.

6.4.2. In such cases, we will restrict access to the retained information to those who need it for the purposes above and will delete or de-identify it once it is no longer required.

6.5. Backups and system copies

6.5.1. Information you provide may appear in encrypted backups and system logs that we maintain for business continuity, disaster recovery and security purposes.

6.5.2. These backups are kept only for limited retention windows defined in our internal policies and are automatically overwritten on a rolling basis. We do not use backup data for active profiling or product decisions except where needed to restore systems after an incident or as required by law.

6.6. Account deletion and de-identification

6.6.1. When you delete your Account, we will take reasonable steps to:

(a) remove your profile from being visible to other users in the ordinary operation of the Services; and

(b) delete or irreversibly de-identify personal data that is no longer needed for the purposes described in this Policy.

6.6.2. De-identification or anonymization means that we remove or modify identifiers so that the information can no longer reasonably be linked to you as an identified or identifiable individual, taking into account available technology and the context of processing.

6.6.3. Where we rely on de-identified or anonymized data (for example, for statistics or product analytics), we will not attempt to re-identify you from that data, except as permitted by law and only where strictly necessary for security or compliance purposes.

6.7. Children’s data

6.7.1. Because the Services are not intended for individuals under 18 and we do not knowingly collect data from children (see Section 2), we do not maintain separate retention schedules for children’s data.

6.7.2. If we become aware that we have collected personal data from someone we reasonably believe to be under 18, we will take appropriate steps to delete that data as soon as reasonably practicable, subject to any limited retention needed to comply with legal obligations or to support safety investigations (for example, where the data is relevant to reporting child sexual abuse material or exploitation).

6.8. Updates to retention practices

6.8.1. We may update our internal retention schedules and the examples in this Section 6 from time to time (for example, if laws change, we introduce new features or we adjust how long we need data for security and fraud-prevention purposes).

6.8.2. Where such changes materially affect how long we keep your personal data, we will reflect this in an updated version of this Policy and, where required by law, inform you through the Services or other appropriate channels.

7. INTERNATIONAL DATA TRANSFERS

7.1. General principle

7.1.1. GENZA operates globally. This means your personal data may be processed in countries other than the country where you live, including the United States and other jurisdictions where we or our service providers are located.

7.1.2. Those countries may have different data protection laws from those in your country. Where we transfer personal data across borders, we do so in compliance with applicable data protection laws and with appropriate safeguards in place.

7.2. Where your data may be processed

7.2.1. Depending on how you use the Services and where you are located, your personal data may be processed in:

(a) the United States (for example, where GENZA Inc. and certain hosting or analytics providers are located);

(b) other jurisdictions where our service providers, support or security vendors are located;

(c) the European Union/European Economic Area (EU/EEA) or the United Kingdom, where we or some of our providers host or mirror certain services;

7.2.2. We limit access to your personal data to those locations and entities that need it for the purposes described in this Policy (see Sections 3-5) and subject to appropriate contractual and security safeguards.

7.3. Transfers from the EU/EEA, United Kingdom and Switzerland

7.3.1. If you are located in the EU/EEA, the United Kingdom or Switzerland, and we transfer your personal data to countries that are not recognized by your jurisdiction as providing an “adequate” level of data protection, we will implement appropriate safeguards as required by applicable law, such as:

(a) using standard contractual clauses adopted or approved by the European Commission (EU SCCs) under Article 46 GDPR;

(b) using the UK’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, where required under UK GDPR;

(c) relying on any applicable adequacy decision or similar mechanism adopted by the European Commission, the UK government or Swiss authorities, where available;

(d) applying additional technical and organizational measures (for example, encryption, strict access controls, data minimization) where needed to address specific risks identified in transfer impact assessments.

7.3.2. These safeguards are designed to ensure that your personal data remains protected to a standard substantially equivalent to that in the EU/EEA, the UK or Switzerland, as applicable.

7.3.3. In limited cases, and only where permitted by law, we may also rely on specific derogations for international transfers (for example, where the transfer is necessary for the performance of our contract with you, for the establishment, exercise or defense of legal claims, or where you have explicitly consented after being informed of the risks).

7.4. Transfers under other regional laws

7.4.1. In countries with their own cross-border transfer rules (for example, certain U.S. states, Brazil, other jurisdictions with comprehensive privacy laws), we will comply with the applicable requirements when transferring personal data abroad. This may include:

(a) providing you with additional notices about international transfers;

(b) entering into specific contractual arrangements with recipients;

(c) implementing additional security measures required by local law.

7.5. Transfers to service providers and partners

7.5.1. As described in Section 5, we use third-party service providers and partners who may be located outside your country of residence. When we transfer personal data to those providers, we:

(a) limit the data to what is necessary for the services they perform;

(b) require them to process personal data only on our documented instructions and for the purposes described in this Policy;

(c) require them to implement appropriate technical and organizational measures to protect personal data;

(d) put in place, where required, valid cross-border transfer mechanisms (such as SCCs, UK IDTA/Addendum or equivalent).

7.6. Your rights in relation to international transfers

7.6.1. Where required by law (for example, under the GDPR or UK GDPR), you have the right to request more information about:

(a) the international transfers of your personal data that we carry out; and

(b) the appropriate safeguards we use to protect your personal data in connection with those transfers.

7.6.2. You may contact us using the details in Section 16 to request a copy of the key contractual safeguards (for example, standard contractual clauses) used for your data. We may redact parts of those documents where necessary to protect confidential information, business secrets or the privacy of others.

8. ACCOUNT DELETION

8.1. How you can delete your Account

8.1.1. You can delete your Account at any time using the in-app/Account settings (where this function is available) or by contacting us using the details in Section 16 of this Policy and clearly requesting Account deletion.

8.1.2. For security and verification purposes, we may ask you to complete certain steps (for example, log in or confirm your request from the email/phone number associated with your Account) before we process the deletion.

8.2. What happens when you delete your Account

8.2.1. Once we have processed your deletion request:

(a) your Account will be closed and you will no longer be able to log in or use it;

(b) your profile will no longer be shown to other users in the ordinary operation of the Services (for example, in recommendations, discovery, search or matching); and

(c) you will stop receiving in-app activity related to that Account (for example, new matches or messages), except for limited service or legal communications that may still be necessary (for example, confirmations or legal notices).

8.2.2. Content that you have already shared with other users (for example, messages, images and other communications in existing chats) may continue to be available to those users for a period of time, in order to preserve the integrity of their experience and our safety records, even after your Account has been deleted. Such content will no longer be associated with an active, discoverable profile in the ordinary operation of the Services.

8.3. Data deletion, retention and de-identification

8.3.1. After Account deletion, we will delete or irreversibly de-identify personal data that is no longer needed for the purposes described in this Policy, in line with our retention rules and Section 6 (How Long We Keep Your Information).

8.3.2. We may continue to retain certain limited information after Account deletion where we reasonably need it, including where core account and profile records have been retained for the lifetime of the Account under Section 6, and for example to:

(c) prevent, detect or address fraud, abuse, High-Risk Categories, security incidents or other violations of our Terms or Community Guidelines;

(d) establish, exercise or defend legal claims.

8.3.3. Where information is retained after Account deletion for these purposes, access to it is restricted to those persons and Service Providers who reasonably need it for the purposes above, and it will be deleted or de-identified once it is no longer required.

8.4. Deleting specific content without deleting your Account

8.4.1. In many cases you can remove specific content (for example, photos, profile fields or other User Content) without deleting your entire Account, by using the tools provided in the Services.

8.4.2. Removing specific content generally means that it will no longer be visible to other users in the ordinary operation of the Services, subject to technical limitations, caching and the retention rules described in Section 6 and this Section 8.

9. YOUR RIGHTS AND CHOICES

9.1. Overview

9.1.1. Depending on your place of residence and applicable law, you may have certain rights in relation to your personal data. These may include, for example, rights to:

(a) access your personal data;

(b) correct or update inaccurate data;

(c) delete certain data;

(d) restrict or object to certain processing;

(e) receive a copy of your data in a portable format;

(f) withdraw consent where processing is based on consent;

(g) opt out of certain uses of your data for targeted advertising or sale/sharing, where applicable.

9.1.2. This Section 9 explains:

(a) how you can exercise rights directly through the Services; and

(b) what additional statutory rights may be available to you under GDPR/UK GDPR and certain U.S. state laws or other local laws.

9.2. Managing your information in the Services

9.2.1. Profile and Account settings. You can usually access, edit and update key Account and profile information (such as photos, prompts, interests, bio, preferences) directly via the App or website.

9.2.2. Deleting content. You may remove certain User Content (for example, photos, profile fields) using the tools provided in the Services. Removed content will generally no longer be visible to other Users, subject to our retention rules (see Section 8) and technical limitations.

9.2.3. Account deletion. You can delete your Account via the in-app functionality or by contacting us (see Section 16). After deletion, we will handle your data as described in Section 8.

9.2.4. Location, notifications and device settings.

(a) You can manage permissions for location services, push notifications, contacts access and similar via your device operating system and/or App settings.

(b) If you disable location services, some features may not work or may be limited (for example, distance indicators or nearby profiles).

9.2.5. Marketing communications.

(a) You can opt out of marketing emails by using the “unsubscribe” link in those emails.

(b) You can manage certain marketing and notification preferences in the App (where available) or by contacting us.

(c) Even if you opt out of marketing, we may still send you service and transactional communications (for example, security alerts, legal notices, subscription information).

9.3. Rights under GDPR / UK GDPR and similar laws

This subsection applies to you if you are in the European Economic Area (EEA), Switzerland, the United Kingdom or another jurisdiction with similar data protection laws.

9.3.1. Controller. The “controller” of your personal data is the GENZA entity identified in Section 1 (Who We Are).

9.3.2. Your statutory rights. Subject to conditions and exceptions in applicable law, you may have the following rights:

(a) Right of access. To obtain confirmation whether we process your personal data and, if so, to receive a copy and certain information about the processing.

(b) Right to rectification. To request correction of inaccurate personal data and completion of incomplete data.

(c) Right to erasure (“right to be forgotten”). To request deletion of your personal data in certain circumstances, for example where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent and there is no other legal basis.

(d) Right to restriction of processing. To request that we limit processing of your data in certain cases (for example, while we verify accuracy or assess an objection).

(e) Right to object.

(f) Right to data portability. To receive certain personal data that you provided to us, in a structured, commonly used and machine-readable format, and to have it transmitted to another controller where technically feasible.

(g) Right to withdraw consent. Where processing is based on your consent, you may withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

9.3.3. How to exercise these rights.

(a) Many actions (access, correction, deletion of content, Account deletion) can be performed directly in the App or website.

(b) For other requests, you can contact us using the details in the Section 16. To help us respond, please clearly state:

(c) We may need to verify your identity (for example, by asking you to log in or provide additional information) before acting on your request, to protect your data and other Users.

9.3.4. Response times and limitations.

(a) We aim to respond within the time limits set by applicable law (for example, generally one month, with possible extension for complex requests).

(b) Your rights are not absolute. We may decline or limit a request where:

(c) Where we decline or limit a request, we will explain the main reasons, unless we are legally prevented from doing so.

9.3.5. Right to lodge a complaint.

If you believe that our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with a supervisory authority, in particular in the EEA/UK country or Swiss canton where you live, work or where the alleged infringement took place. You may also contact us first; we will try to resolve any concerns.

9.4. Rights under certain U.S. state privacy laws

This subsection applies to you if you are a resident of a U.S. state with a comprehensive consumer privacy law in force that grants similar rights (for example, California, Colorado, Connecticut, Virginia and others), to the extent those laws apply to GENZA.

9.4.1. Categories of rights. Subject to statutory conditions and exceptions, you may have some or all of the following rights:

(a) Right to know/access. To request that we disclose:

(b) Right to deletion. To request deletion of certain personal information we collected from you, subject to statutory exceptions (for example, where retention is required for security, fraud prevention, legal compliance or internal uses reasonably aligned with your expectations).

(c) Right to correction. To request correction of inaccurate personal information.

(d) Right to data portability. To request a copy of certain personal information in a portable format, where feasible.

(e) Right to opt out of “sale” or “sharing” and targeted advertising.

If we “sell” or “share” personal information (as defined by applicable state law) or use it for “targeted advertising” / “cross-context behavioral advertising”, you may have the right to opt out of such uses.

(f) Right to limit use of sensitive personal information. In some states, you may have the right to limit certain uses or disclosures of “sensitive” personal information, where applicable.

(g) Right to be free from discrimination. We will not unlawfully discriminate against you for exercising any privacy right granted by applicable law.

9.4.2. How to exercise state privacy rights.

(a) You may submit a request using the channels described in the Contact / Data Protection section, indicating that you are exercising a state privacy right and specifying your state of residence.

(b) Where required by law, we will provide at least one method for submitting requests (for example, an email address or web form).

(c) For opt-outs of “sale”, “sharing” or targeted advertising, we may additionally provide in-product controls or links labelled as “Do Not Sell or Share My Personal Information”, “Your Privacy Choices” or similar, where required.

9.4.3. Verification and authorized agents.

(a) We may need to verify your identity before acting on your request, which can include matching information you provide with information we already hold.

(b) If you use an authorized agent (where permitted by law), we may require proof that the agent is validly authorized and may still ask you to verify your identity directly with us.

9.4.4. Appealing a decision.

In some states, you may have the right to appeal our decision if we refuse or partially refuse your request. Where applicable, we will inform you of appeal options and deadlines in our response.

9.5. Other local rights and how to contact us

9.5.1. You may have additional rights under the laws of your country or state (for example, rights relating to consumer health data, electronic communications or specific sectoral regulations). Where these rights apply, we will respect them and provide mechanisms to exercise them, as required by law and described in this Policy or in separate notices.

9.5.2. All privacy-related requests, questions or complaints can be submitted using the contact details indicated in the Section 16. When contacting us, please provide enough information to identify your Account and your request so we can process it efficiently.

9.5.3. By creating an Account and using the Services, you consent to receive electronically all notices, disclosures and communications relating to your Account and your use of the Services that GENZA would otherwise be required to provide in paper form, in accordance with applicable law (including the U.S. E-SIGN Act and UETA where applicable). You may request a paper copy of any electronic record by contacting us at the address in Section 16, and you may withdraw your consent to electronic delivery by contacting support@genza.io, in which case we may need to terminate your Account if we are unable to provide the Services without electronic delivery. Further details are set out in Section 10.5.7 of the Terms of Use.

10. SECURITY OF YOUR DATA

10.1. No system is perfectly secure

10.1.1. We use reasonable technical and organizational measures to protect your personal data against unauthorized access, loss, misuse, alteration or destruction.

10.1.2. However, no online service, mobile application, database or transmission over the internet or other network can be guaranteed to be 100% secure.

10.1.3. By using the Services, you understand that there is always some level of risk that your data may be compromised despite our efforts.

10.2. Technical and organizational measures

Subject to the state of the art, implementation costs and the nature, scope, context and purposes of processing, we may use, among other things, the following categories of measures:

10.2.1. Access control and authentication

(a) logical access controls to limit access to personal data to authorized personnel only, based on role and need-to-know;

(b) authentication and authorization mechanisms for internal tools and systems;

(c) staff confidentiality obligations and appropriate policies for handling user data.

10.2.2. Encryption and data segregation

(a) encryption of data in transit using industry-standard protocols (for example, HTTPS/TLS) when your data is transmitted between your device and our servers;

(b) encryption of data at rest for sensitive data categories (such as authentication credentials, payment tokens and safety-related records), using industry-standard encryption methods appropriate to the data classification;

(c) separation of environments and data where appropriate (for example, testing vs production), to reduce the impact of potential incidents.

10.2.3. Infrastructure and network security

(a) use of reputable hosting and infrastructure providers with their own security controls;

(b) technical safeguards to reduce common attack vectors (for example, basic firewalls, network-level protections, restrictions on administrative access);

(c) monitoring for unusual technical activity indicative of misuse, abuse or attacks, to the extent reasonably possible.

10.2.4. Application-level safeguards

(a) use of secure development practices and basic input validation to reduce common vulnerabilities where reasonably possible;

(b) limited logging and auditing of access to critical systems and administrative interfaces;

(c) internal procedures for deployment and change management intended to avoid uncontrolled changes to the Services.

10.2.5. Organizational and procedural safeguards

(a) internal rules and guidance for staff on handling personal data and responding to security events;

(b) restricting access to personal data only to those personnel and service providers who need it for the purposes described in this Policy;

(c) regular review, on a reasonable basis, of key controls and configurations, especially after relevant incidents or material product changes.

10.3. What you should do to help protect your data

10.3.1. Security is partly dependent on how you use the Services. To help protect your data, you should:

(a) use strong, unique passwords for your Account and for the email address or phone number linked to it;

(b) keep your login credentials confidential and do not share them with anyone;

(c) limit access to your device and use screen lock mechanisms;

(d) install updates of your operating system and of our Services when they are made available, because updates may include important security fixes;

(e) be cautious when using public or shared devices or networks and log out when finished;

(f) be careful with links and files sent by other users and avoid sharing sensitive information (for example, passwords, codes, financial data, identity document images) in chats.

10.3.2. If you believe that your Account, your device or your credentials have been compromised, you should:

(a) change your password immediately; and

(b) contact us without undue delay using the details in Section 16.

10.4. Security incidents and our response

10.4.1. We maintain internal processes for detecting and assessing suspected security incidents involving personal data.

10.4.2. If we become aware of a security incident that has actually compromised personal data, we will:

(a) take steps to contain and investigate the incident;

(b) assess the risks to affected individuals; and

(c) take reasonable steps to mitigate adverse effects where possible (for example, forcing password resets where appropriate).

10.4.3. Where required by applicable law, we will notify:

(a) the competent supervisory or regulatory authority; and

(b) you, if the incident is likely to result in a high risk to your rights and freedoms,

as soon as reasonably practicable, taking into account the need to conduct an initial assessment and to avoid increasing the risk by premature disclosure.

10.5. Security and third-party service providers

10.5.1. Where we engage third-party service providers that process personal data on our behalf (for example, hosting providers, analytics providers, payment processors), we require them by contract to implement appropriate security measures consistent with applicable law and the nature of their services.

10.5.2. However, we do not control the detailed technical and organizational measures of each third party. Their own security practices are also described in their privacy notices and policies, which you can review on their websites.

10.6. Retention, minimization and security

10.6.1. As described in Section 6, we keep personal data only for as long as reasonably necessary for the purposes set out in this Policy, including legal, accounting and reporting requirements.

10.6.2. Limiting how long we keep data, and reducing the volume of data we store where possible, is part of our overall approach to data protection and security.

11. COOKIES AND SIMILAR TECHNOLOGIES

11.1. What we mean by “cookies and similar technologies”

11.1.1. When we refer to “cookies and similar technologies” in this Policy, we mean:

(a) browser cookies;

(b) mobile SDKs;

(c) pixels and beacons;

(d) local storage and similar technologies built into browsers and devices;

(e) device identifiers and advertising identifiers (for example, IDFA, GAID), where available.

11.2. Where we use these technologies

11.2.1. We may use cookies and similar technologies in connection with:

(a) the genza.io website and any related websites we operate;

(b) the GENZA mobile application, via SDKs and device identifiers;

(c) emails, push notifications or in-app messages (for example, to understand whether a message has been opened or a link has been clicked).

11.3. Purposes for using cookies and similar technologies

We use cookies and similar technologies for the following categories of purposes:

11.3.1. Strictly necessary / essential

Used to provide core functionality of the Services, such as:

(a) keeping you logged in and maintaining your session;

(b) enabling security features and detecting misuse;

(c) routing traffic between servers and distributing load.

These technologies are essential for the Services to work. You cannot switch them off via our interfaces, but you may block them at browser/device level (which may break core functionality).

11.3.2. Functionality

Used to remember choices you make and improve your experience, for example:

(a) remembering certain settings or preferences;

(b) helping us show you relevant in-product tips or flows;

(c) supporting language and localization features.

11.3.3. Performance and analytics

Used to understand how the Services are used and to improve them, for example:

(a) measuring which screens, features and flows are most or least used;

(b) detecting technical issues, crashes and performance problems;

(c) running product experiments (A/B tests) to evaluate new features or changes.

11.3.4. Security and abuse prevention

Used to help protect Users and the platform, for example:

(a) detecting unusual login patterns and possible Account takeover;

(b) identifying automated behavior (bots, scraping);

(c) preventing and investigating fraud, scams and other abuse.

11.3.5. Advertising and marketing (where applicable)

Where permitted by law and subject to your choices, we may use cookies and similar technologies to:

(a) measure the effectiveness of our own marketing campaigns (for example, whether an ad for GENZA led to an installation or registration);

(b) understand, in aggregate, which types of Users respond to certain campaigns;

(c) avoid showing the same GENZA ads repeatedly to the same person on external platforms.

11.4. First-party and third-party cookies / technologies

11.4.1. Some cookies and similar technologies are set or controlled directly by us (“first-party”).

11.4.2. Others are set or controlled by third parties (“third-party”), such as:

(a) analytics providers;

(b) security and fraud-prevention providers;

(c) advertising and attribution partners (for example, to measure installs or campaign performance).

11.4.3. These third parties process data in accordance with their own privacy policies. We require them, by contract, to process data in a way that is consistent with applicable law and with the purposes described in this Policy.

11.5. Your choices and controls

11.5.1. Browser and device settings

In many cases, you can control cookies and similar technologies through your browser or device settings by:

(a) blocking cookies;

(b) deleting cookies;

(c) limiting tracking or resetting advertising identifiers on mobile devices.

If you block or delete cookies, some parts of the Services may not function correctly.

11.5.2. In-product controls (where available)

Where required by law (for example, in the European Economic Area, the United Kingdom or certain U.S. states), we may provide in-product controls, banners or preference centers that allow you to:

(a) give or withdraw consent for non-essential cookies and similar technologies;

(b) manage certain categories of cookies (for example, analytics, advertising).

11.5.3. “Do Not Track” and similar signals

At this time, we do not respond to all “Do Not Track” (DNT) signals or similar mechanisms from browsers, because there is no widely accepted industry standard for how to interpret them.

Where applicable laws require us to honor specific browser or platform signals (for example, certain “opt-out preference” signals in some U.S. states), we will follow those legal requirements and will update our practices as standards evolve.

11.5.4. Opt-out of interest-based advertising

11.5.4.1. Where we participate in interest-based advertising or cross-context behavioral advertising, you may have the right to opt out of “sale” or “sharing” of personal information or targeted advertising under certain laws (for example, California, Colorado). These rights are described in Section 12 and may be exercised through:

(a) in-product privacy settings or “Your Privacy Choices / Do Not Sell or Share” links, where available; and/or

(b) browser- or device-level preference signals that applicable law requires us to honor.

11.5.4.2. Opting out does not mean you will see no ads at all; it means that ads may be less tailored using certain types of data or partners.

11.6. Cookie Policy

11.6.1. We may maintain a separate Cookie Policy or cookie table that:

(a) lists main types or categories of cookies and similar technologies we use;

(b) explains their purposes and typical lifetimes;

(c) is updated more frequently than this Policy as vendors and technologies change.

11.6.2. Where such a Cookie Policy is available, it is incorporated by reference into this Privacy Policy. In case of inconsistencies, the more specific or recently updated explanation in the Cookie Policy will usually prevail for cookie-related details, while this Privacy Policy governs overall data protection practices.

12. ADDITIONAL PRIVACY RIGHTS FOR RESIDENTS OF CERTAIN U.S. STATES AND CONSUMER HEALTH DATA

12.1. Scope of this section

12.1.1. This section applies to you if you are a resident of a U.S. state that has a comprehensive consumer privacy law in force which applies to GENZA (for example, California, Colorado, Connecticut, Virginia and other similar laws as they come into effect).

12.1.2. It supplements the information in Sections 3-11 and in particular Section 9 (Your Rights and Choices). If there is any conflict between this Section 12 and the rest of this Policy for residents of these states, this Section 12 will prevail to the extent required by applicable state law.

12.2. California residents (CCPA / CPRA)

12.2.1. Categories of personal information we collect

For purposes of the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (together, “CCPA”), in the last 12 months we have collected the following categories of “personal information” about California residents, as those terms are defined in the CCPA:

We describe these categories, the sources of this information and the purposes for which we use it in more detail in Sections 3-5 of this Policy.

12.2.2. “Selling” or “sharing” personal information; targeted advertising

12.2.2.1. Under CCPA/CPRA, certain uses of personal information (for example, involving cookies, advertising identifiers or analytics/advertising partners) may be treated as a “sale” or “sharing”, even if no money changes hands (see also Section 5.1).

12.2.2.2. To the extent our use of analytics and advertising technologies is considered a “sale” or “sharing” under CCPA, California residents have the right to opt out of such “sale” or “sharing”.

We will make available one or more mechanisms to exercise this right, which may include:

12.2.3. Use and disclosure of sensitive personal information

12.2.3.1. Where we collect “sensitive personal information” (as defined in CCPA), we do not use or disclose it for purposes that require an additional “Right to Limit” under CCPA, unless later required by law or separately disclosed.

12.2.3.2. Instead, we use sensitive personal information only for the limited purposes allowed by CCPA, such as:

Because of this, California residents do not currently have a separate “Right to Limit” our use of sensitive personal information under CCPA in relation to GENZA beyond the existing rights described in Sections 9 and 12.

12.2.4. California privacy rights

In addition to the rights described in Section 9.4, California residents may, subject to statutory conditions and exceptions:

How to exercise these rights and how we verify and respond to requests is described in Section 9.4.2-9.4.4. You may also contact us using the details in the Section 16.

12.3. Other U.S. states with comprehensive privacy laws

12.3.1. Applicability

This subsection applies, as relevant, to residents of U.S. states that have comprehensive consumer privacy laws similar to CCPA/CPRA (for example, Colorado, Connecticut, Virginia and others), to the extent such laws apply to GENZA.

12.3.2. Additional rights

Subject to statutory conditions and exceptions, residents of these states may have rights that are substantially similar to those described in Section 9.4, including:

12.3.3. Opt-out of targeted advertising and sale

Where required by state law, we will provide mechanisms (for example, in-product privacy settings, links such as “Your Privacy Choices”, and/or recognition of valid browser preference signals) that allow you to opt out of:

12.3.4. Appeals

Where state law provides a right to appeal our decision on a privacy request (for example, if we refuse or partially refuse a request), we will inform you of how to submit an appeal and the applicable deadlines in our response.

12.3.5. Interaction with other sections

The practical steps to exercise these rights (methods of contact, verification, response times) are described in Section 9.4. This subsection is intended to clarify that we recognize and will honor applicable state-specific rights to the extent those laws apply to GENZA.

12.4. Consumer Health Data (Washington and similar laws)

12.4.1. Scope

12.4.1.1. This subsection applies where state “consumer health data” laws (such as Washington’s My Health My Data Act and similar or future laws in other U.S. states) apply to your use of the Services.

12.4.1.2. In addition to this Privacy Policy, GENZA may maintain a separate Consumer Health Data Privacy Policy or equivalent Consumer Health Data Privacy Notice, which is made available through the Services where those laws apply. The Consumer Health Data Privacy Policy provides more detailed information about how we collect, use, disclose and protect “consumer health data” as defined by those laws.

12.4.1.3. If there is any inconsistency between this Section 12.4 and the Consumer Health Data Privacy Policy for matters covered by those state laws, the Consumer Health Data Privacy Policy will prevail for the scope and jurisdictions to which it applies, to the extent required by law.

12.4.2. How we may encounter consumer health data

12.4.2.1. GENZA is not a medical or healthcare provider and does not offer diagnosis or treatment. However, because users can share free-text, photos and other content, some users may choose to disclose information that may qualify as “consumer health data” under applicable state law, for example:

12.4.2.2. We do not require you to provide such information to use the Services. If you choose to disclose it, it will be handled as described in this Privacy Policy and, where applicable, in the Consumer Health Data Privacy Policy.

12.4.3. Use and disclosure of consumer health data

12.4.3.1. Where a state consumer health data law applies, we will handle consumer health data in line with that law and the Consumer Health Data Privacy Policy. In particular, as further described in the Consumer Health Data Privacy Policy, we:

12.4.4. Your choices regarding health-related information

12.4.4.1. You can always choose not to disclose health-related information in your profile or communications. If you previously disclosed such information and no longer want us to process it:

12.4.5. Additional rights under consumer health data laws

12.4.5.1. Where consumer health data laws apply to GENZA and to your use of the Services, you may have additional rights specifically in relation to consumer health data (for example, rights to access, delete, withdraw consent for certain uses, or obtain details of disclosures).

12.4.5.2. The scope and exercise of those rights are described in the Consumer Health Data Privacy Policy and may also be exercised using the privacy contact channels set out in Section 9 and 16.

13. ADDITIONAL INFORMATION FOR USERS IN THE EEA, UNITED KINGDOM AND SWITZERLAND

13.1. Applicability of this section

13.1.1. This Section 13 applies to you if, at the time of using the Services, you are located in:

(a) a member state of the European Economic Area (EEA);

(b) the United Kingdom; or

(c) Switzerland.

13.1.2. In such cases, your personal data is subject to the EU General Data Protection Regulation (GDPR), the UK GDPR and/or the Swiss Federal Data Protection Act, as applicable, in addition to the rest of this Privacy Policy.

13.2. Controller and contact details

13.2.1. The controller of your personal data is the GENZA entity identified in Section 1.

13.2.2. You can contact us for any questions or requests relating to your personal data using the contact details set out in Section 16.

13.2.3. We currently do not list in this Privacy Policy any specific data protection officer or local representative in the EEA/UK. If we are required by law to appoint such a person or entity for the Services, we will update this Privacy Policy and/or provide additional notices in the Services to identify them.

13.3. Legal bases for processing

13.3.1. Where GDPR/UK GDPR/Swiss law applies, we rely on the following main legal bases for processing your personal data (as already reflected in Section 4 of this Privacy Policy):

(a) Performance of a contract

To provide and operate the Services and to take steps at your request prior to entering into a contract (for example, creating and maintaining your Account, enabling matches and messaging, processing subscriptions and paid features).

(b) Legitimate interests

To pursue our legitimate interests, provided that they are not overridden by your interests or fundamental rights and freedoms. These legitimate interests include, for example:

(i) operating, maintaining and improving the Services;

(ii) ensuring safety, security, fraud prevention and abuse prevention;

(iii) handling user support, complaints and disputes;

(iv) internal analytics, product development and business reporting;

(v) protection of our rights, our users and the public.

(c) Consent

Where required by law, we rely on your consent, for example for:

(i) certain cookies, SDKs and similar technologies that are not strictly necessary;

(ii) certain forms of marketing or electronic communications;

(iii) processing of specific categories of sensitive data (for example, precise location or certain health-related information), where local law requires consent.

You can withdraw consent at any time as described in Sections 9 and 11, without affecting the lawfulness of processing before withdrawal.

(d) Compliance with legal obligations

To comply with legal and regulatory requirements, including those relating to consumer protection, data protection, electronic communications, tax, accounting, law enforcement requests and court orders.

(e) Protection of vital interests

In rare situations where processing is necessary to protect your vital interests or those of another person (for example, in connection with serious and immediate risks to life or physical safety).

13.3.2. If you would like more detail on how a specific processing operation relates to a particular legal basis, you can contact us using the details in Section 16.

13.4. Legitimate interests balancing

13.4.1. For processing that we carry out on the basis of our legitimate interests, we have considered and weighed:

(a) our interest in operating a safe, reliable and commercially viable dating and social discovery service;

(b) your reasonable expectations as a user of such a service; and

(c) the potential impact on your rights and freedoms (including data protection and privacy).

13.4.2. We apply safeguards intended to ensure that your interests and rights are not overridden, for example:

(a) data minimization and limited retention;

(b) technical and organizational security measures;

(c) restricting access to your personal data to those who need it;

(d) providing you with clear information and practical controls (for example, Account settings, opt-outs and rights described in Section 9).

13.4.3. You have the right to object, on grounds relating to your particular situation, to processing based on legitimate interests, as described in Section 9.3 (Rights under GDPR / UK GDPR and similar laws).

13.5. Automated decision-making and profiling under GDPR/UK GDPR

13.5.1. As described in Section 4.10 (Automated Decision-Making and Profiling), we use profiling and automated processing, in particular to:

(a) recommend which profiles you see and which users see your profile;

(b) support fraud and abuse detection;

(c) support safety measures relating to High-Risk Categories.

13.5.2. We do not carry out automated decision-making that produces legal effects concerning you or similarly significantly affects you, in the sense of Article 22 GDPR / UK GDPR, without ensuring that such processing is permitted by law and that appropriate safeguards (including human review) are in place.

13.5.3. If, in the future, we introduce automated decision-making that falls within Article 22 GDPR / UK GDPR and is relevant to you, we will provide additional information required by law, including your rights in relation to such decisions.

13.6. International data transfers for EEA/UK/Swiss users

13.6.1. Section 7 (International Data Transfers) describes how and where your personal data may be transferred and processed. For users in the EEA, UK and Switzerland, we:

(a) use applicable European Commission standard contractual clauses, the UK International Data Transfer Agreement or Addendum, or other recognized mechanisms where required;

(b) implement additional technical and organizational measures where appropriate, based on transfer risk assessments;

(c) rely, where available, on adequacy decisions adopted by the European Commission, the UK government or Swiss authorities.

13.6.2. You may request more information about the mechanisms used for international transfers of your personal data, including a copy of the key contractual safeguards (subject to redactions for confidential information and the privacy of others), by contacting us as described in Section 16.

13.7. Right to lodge a complaint with a supervisory authority

13.7.1. If you are in the EEA, UK or Switzerland and you believe that our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with a competent supervisory authority.

13.7.2. You can usually choose to complain to the authority in:

(a) the country or (for Switzerland) canton of your habitual residence;

(b) the place where you work; or

(c) the place where the alleged infringement took place.

13.7.3. You can also contact us first using the details in Section 16. We will try to address your concerns, but you always retain the right to contact a supervisory authority directly.

14.1. General rule

14.1.1. The Services may contain links to, or integrations with, websites, applications, services or tools that are operated by third parties and not by GENZA (“Third-Party Services”).

14.1.2. This includes, for example:

(a) App Store and mobile platform providers;

(b) external payment providers (where used);

(c) analytics, attribution, security and marketing tools;

(d) social networks or other platforms that you choose to connect;

(e) websites, profiles or content linked by other users in their profiles or messages;

(f) third-party resources or information pages we may reference (for example, safety resources).

14.1.3. Third-Party Services are governed by their own terms and privacy policies. This Privacy Policy does not apply to any processing carried out solely by those third parties for their own purposes.

14.2. Third-Party Services that are independent controllers

14.2.1. In many cases, Third-Party Services act as independent controllers of your personal data, not as processors on our instructions. This typically includes:

(a) App Store and platform providers (such as Apple App Store and Google Play);

(b) external payment providers that process your payments directly;

(c) social networks or identity providers you use for sign-in or sharing content;

(d) external websites and apps you visit via links in profiles, ads or messages.

14.2.2. When you interact with these Third-Party Services, they may collect and process personal data about you under their own privacy policies. GENZA is not responsible for how they handle your data and does not control their privacy or security practices.

14.2.3. You should carefully review the applicable third-party terms and privacy policies before providing them with personal data or using their services.

14.3. Third-party sign-in, sharing and integrations

14.3.1. If you choose to sign up, log in or otherwise interact with the Services via a Third-Party Service (for example, a social login or platform account), that provider may share limited information with us (such as a verified email address or an identifier), as described earlier in this Policy.

14.3.2. That provider may also independently know that you have created or accessed an Account. Its use of your data is subject to its own privacy policy, not this Policy.

14.3.3. If you connect or share content from the Services to a Third-Party Service (for example, posting a link to your profile or screenshot on social media), any information you disclose in that context is handled by that third party. GENZA has no control over what they do with that data.

14.4. Links and content shared by users

14.4.1. Other users may share links or references to external websites, apps, profiles, messengers, payment services or other resources in their profiles or messages. These are Third-Party Services that are not controlled, operated or endorsed by GENZA.

14.4.2. We do not routinely review, approve or monitor all such external links. If you choose to follow a link or communicate with someone outside the Services (for example, via external messengers, social media, or payment platforms), you do so at your own risk.

14.4.3. Any personal data you provide directly to third parties in that context is subject to their privacy policies. GENZA is not responsible for:

(a) the content, security or practices of such external services;

(b) how those third parties collect, use, disclose or protect your data;

(c) any loss or damage arising from your use of those Third-Party Services.

14.5. Third-party cookies, SDKs and similar technologies

14.5.1. As explained in the section on cookies and similar technologies, we may allow certain third-party providers to place or access cookies, mobile software development kits and similar technologies in connection with the Services (for example, analytics, security, attribution or measurement tools).

14.5.2. These third parties may collect information such as device identifiers, usage data and event data in order to provide their services to us (for example, measuring performance, detecting abuse or attributing installations).

14.5.3. Their use of such technologies and data is also subject to their own privacy policies. Where applicable law treats certain activities as “sale” or “sharing” of personal information or as targeted advertising, your additional rights and choices are described in the sections of this Policy dealing with state-specific privacy rights and cookies and similar technologies.

14.6. User responsibility and caution

14.6.1. You are responsible for deciding whether to use any Third-Party Services, follow links, or provide personal data to third parties. GENZA cannot guarantee the security or privacy practices of any third party.

14.6.2. We recommend that you:

(a) be cautious when leaving the Services via links in profiles, messages, ads or other content;

(b) review the terms and privacy policies of any Third-Party Service before using it or providing personal data;

(c) be especially careful when third parties request sensitive information such as passwords, identity documents, financial data or security codes.

14.6.3. If you believe that a link or interaction with a Third-Party Service in connection with the Services is unsafe, fraudulent or abusive, you should:

(a) avoid using that link or service; and

(b) report the issue to us through the in-app reporting tools or support channels so that we can review it and, where appropriate, take action under our Terms of Use and Community Guidelines.

15. CHANGES TO THIS POLICY

15.1. Why we may change this Policy

15.1.1. We may update or modify this Privacy Policy from time to time, for example when:

(a) we introduce new features, products or services;

(b) our data processing practices change;

(c) applicable laws or regulatory guidance change;

(d) we adjust our corporate structure or the entities responsible for your data.

15.1.2. We will not retroactively reduce your privacy rights in a way that is inconsistent with applicable law. Any changes will apply on a going-forward basis from the effective date indicated in the “Last updated” line at the top of this Policy.

15.2. How we will inform you

15.2.1. When we make changes, we will revise the “Last updated” date and, where appropriate, the version number at the top of this Policy.

15.2.2. If we make changes that are material in the context of applicable law or that significantly affect how we process your personal data, we will take additional steps to inform you, which may include:

(a) displaying a notice in the App or on the website;

(b) sending you an email or in-app message;

(c) presenting you with the updated Policy or a summary of key changes.

15.2.3. Where applicable law requires it (for example, if the changes affect processing based on consent), we will seek your consent to the changes or to specific new processing activities.

15.3. When changes take effect

15.3.1. Unless otherwise stated in the notice, changes to this Policy take effect from the date indicated in the “Last updated” field at the top of the Policy.

15.3.2. If you continue to use the Services after the updated Policy takes effect, this will generally mean that you have read and understood the updated version, to the extent permitted by applicable law.

15.3.3. If you do not agree with the updated Policy, you must stop using the Services and delete your Account. You may also contact us if you have questions about specific changes.

16. CONTACT DETAILS AND COMPLAINTS

16.1. General contact channels

16.1.1. If you have general questions about the Services (that are not specifically about privacy or data protection), you can contact us via:

(a) in-app support tools or help centre (where available); or

(b) any support address indicated in the App or on the website.

16.1.2. These channels are intended for product, technical and account-related issues.

16.2. Privacy and data protection contact

16.2.1. For questions, requests or complaints specifically related to privacy, data protection or this Policy, you should contact us at email: support@genza.io (or any other dedicated privacy contact that we may indicate in the App or on the website for your jurisdiction).

16.2.2. When you contact us about privacy matters, please:

(a) clearly state that your request concerns “privacy” or “data protection”;

(b) describe your request or concern in sufficient detail; and

(c) provide information that allows us to identify your Account (for example, the email or phone number used to register and your country of residence).

16.2.3. We may ask you for additional information if reasonably necessary to verify your identity or to clarify your request, especially when you exercise statutory rights (for example, access, deletion, objection).

16.2.4. You may send written correspondence to the applicable entity listed in the Section 1. For faster handling of privacy-related requests, we recommend using the email contact in this Section.

16.3. Complaints to supervisory or regulatory authorities

16.3.1. If you believe that our processing of your personal data violates applicable data protection or privacy law, you have the right to lodge a complaint with the competent authority, where such a right is provided by law. This may include, for example:

(a) a data protection authority in the country or state where you live or work; or

(b) the authority in the place where the alleged infringement took place.

16.3.2. Nothing in this Policy limits your right to file such a complaint. You may use this right in addition to, or instead of, contacting us directly.

16.3.3. We encourage you to contact us first using the details in Section 16.2. We will review your request or complaint and attempt to resolve the issue in line with this Policy and applicable law.

16.4. Local representatives and specific contacts (where applicable)

16.4.1. If, in the future, any law requires us to designate:

(a) a data protection officer;

(b) a representative in a specific jurisdiction (for example, an EU or UK representative); or

(c) a specific contact point for consumers in a particular state or country,

we will identify the relevant details in this section or in a separate jurisdiction-specific notice.

16.4.2. Until such details are expressly provided, all privacy-related questions and requests should be directed to support@genza.io or to the postal address of GENZA Inc. as set out above.