Privacy Policy
Last updated February 2026
The short version
We know dating data is personal. Here's what you need to know upfront:
- We strip your name, email, phone number, and username from your dating app data before storing it
- We do store your photos anonymously (not linked to your name or contact info) to power features like profile comparisons
- We never sell your personal data — only anonymized, aggregated research datasets
- Our data extraction code is open source — you can see exactly what we strip and what we keep
- You can delete your data at any time
Now, here's the full policy:
1. Who are we?
SwipeStats.io is operated by Boe Ventures AS, a Norwegian company. We're a dating app analytics platform that helps you understand your Tinder and Hinge data. For data protection purposes, we are the "data controller" of your personal data.
Contact:
Boe Ventures AS
Norway
Email: privacy@swipestats.io (for all inquiries including privacy, security, and support)
2. What information do we collect?
Information you give us directly
Account info: Your email address, password (stored encrypted), and username.
Dating app data you upload:
When you upload a data export from Tinder or Hinge, we process the full file but immediately strip personally identifiable information before storing anything. Here's exactly what happens:
For Tinder uploads, we remove:
- Your name, email, username, and phone ID
- Authentication IDs
- Instagram and Spotify details (we only keep a yes/no for whether they were connected)
For Tinder uploads, we keep:
- Birth date, gender, and gender preferences
- Age filter settings
- Account creation date
- Daily usage stats (app opens, swipes, matches, messages sent/received)
- Match and conversation metadata
- Photos
For Hinge uploads, we remove:
- First name and last name
- Email, phone number, and phone carrier
- IP addresses, device IDs, and advertising identifiers
- User agent strings
For Hinge uploads, we keep:
- Age, preferences, and dating intent
- Account signup date
- Country-level location (not city or address)
- Match and conversation data
- Prompts and media
- Device type (not device ID)
We generate a unique, hashed profile ID from your birth date and account creation date — this means your profile can't be linked back to your real identity.
Want to verify this yourself? Our extraction code is open source on GitHub.
Payment info: Card details are processed by LemonSqueezy (a Stripe company) — we never see or store your full card number. We keep billing address and transaction history.
Communications: Support emails, feedback, and your marketing preferences.
Information we collect automatically
When you use our site, we automatically collect:
- Device info: Browser type, operating system, device type, screen resolution
- Usage info: Pages viewed, features used, time on page, clicks
- Network info: IP address, approximate location (country/region level), referring website
Information from third parties
- PostHog: Aggregated analytics data
- LemonSqueezy: Payment transaction confirmations
What if I don't want to provide information?
You can browse our public website without providing any personal information. To use our analytics features, you'll need to create an account and upload dating app data.
3. What about sensitive data in dating profiles?
We know dating app data can be especially sensitive. Your gender preferences may reveal your sexual orientation. Your profile might mention your religion, health status, or ethnicity. Under GDPR, this is called "special category data" (Article 9) and gets extra protection.
How we handle it: We process this data based on your explicit consent, which you give when you upload your data and accept our terms. You can withdraw that consent anytime by deleting your data or contacting us at privacy@swipestats.io.
Withdrawing consent doesn't affect anything we did before you withdrew it. And data that's already been anonymized into aggregate research can't be deleted — because it's no longer linked to you in any way.
4. How do we use your information?
| What we do | Why we're allowed to (GDPR legal basis) |
|---|---|
| Show you analytics and visualizations | Contract performance (Art. 6(1)(b)) |
| Manage your account | Contract performance (Art. 6(1)(b)) |
| Process payments | Contract performance (Art. 6(1)(b)) |
| Create anonymized research datasets | Legitimate interest (Art. 6(1)(f)) |
| Improve the product | Legitimate interest (Art. 6(1)(f)) |
| Keep the service secure | Legitimate interest (Art. 6(1)(f)) |
| Send you marketing emails | Your consent (Art. 6(1)(a)) |
| Comply with the law | Legal obligation (Art. 6(1)(c)) |
| Process sensitive dating data | Your explicit consent (Art. 9(2)(a)) |
When we rely on "legitimate interest," we've done balancing tests to make sure our interests don't override your rights. You can ask us for details anytime.
5. How does anonymization work?
Why we anonymize data
SwipeStats runs a research data business. We create anonymized, aggregated datasets used by academic researchers, universities, journalists, content creators, and commercial research partners.
What "anonymized" actually means
We remove or generalize data so it can't identify you:
- Direct identifiers removed: Names, usernames, contact info, exact locations
- Data aggregated: Combined across many users so individual patterns disappear
- Small groups protected: We don't release statistics based on tiny sample sizes
- Values generalized: Specific numbers become ranges
- Quasi-identifiers removed: Unusual combinations that could narrow down who you are
Our anonymization meets the GDPR Recital 26 standard — the data "does not relate to an identified or identifiable natural person."
What this means for you
Once data is anonymized:
- It's no longer "personal data" under the law
- It can be kept indefinitely
- It can't be deleted on request (because we genuinely can't figure out which bits were yours)
- You won't receive compensation for its use
Can I opt out of the research data?
Yes. You can opt out of having your data included in future anonymized research datasets through your account settings, or by emailing privacy@swipestats.io. This won't affect data already anonymized and published.
6. Who do we share your information with?
Our service providers
| Who | What they get | Why | Safeguards |
|---|---|---|---|
| Vercel | Application data | Cloud hosting | SOC 2, ISO 27001 certified, DPA |
| Neon | Database content | PostgreSQL hosting | Encryption at rest and in transit, DPA |
| LemonSqueezy (Stripe) | Payment info | Payment processing | PCI DSS compliant, EU-US DPF |
| PostHog | Usage analytics, session replays | Product analytics and debugging | Data anonymization, DPA |
| Research partners | Anonymized data only | Research datasets | Robust anonymization per Section 5 |
Do you sell my personal data?
No. We do not sell your personal data as defined by GDPR, CCPA, or any similar law. The anonymized datasets we license to researchers are not personal data.
When might you disclose my information?
Only when required to:
- Comply with legal obligations
- Respond to lawful requests from authorities
- Protect our rights, safety, or property
- Enforce our Terms of Service
What if SwipeStats gets acquired?
If we're involved in a merger, acquisition, or sale of assets, your information may be transferred. We'll notify you before your data becomes subject to a different privacy policy.
7. Where is my data stored?
SwipeStats is based in Norway (part of the EEA). Your data may also be processed in:
- European Union: Cloud infrastructure
- United States: Vercel, Neon, PostHog, LemonSqueezy
For transfers outside the EEA, we use:
- EU-US Data Privacy Framework (our US providers are certified)
- Standard Contractual Clauses where the DPF doesn't apply
- Additional technical measures where necessary
Want details? Email privacy@swipestats.io and we'll send you a copy of our transfer safeguards.
8. How long do you keep my data?
| Data type | How long we keep it |
|---|---|
| Account information | Until you delete your account |
| Uploaded dating app data | Until you delete it or close your account |
| Payment records | As required by Norwegian accounting law |
| Analytics and usage data | As long as necessary for business purposes |
| Support communications | As long as necessary for business purposes |
| Anonymized research data | Indefinitely (no longer personal data) |
| Backup copies | Automatically deleted after a reasonable period |
When you delete your account:
- Personal data is removed from our active systems within a reasonable timeframe
- Backups are purged on a regular schedule
- Anonymized data stays — because it's no longer linked to you
9. What are my privacy rights?
Rights for everyone
No matter where you live, you can:
- Access your personal data
- Ask us to correct inaccurate data
- Delete your account and data
- Opt out of marketing emails
Additional rights for EEA/UK residents (GDPR)
| Right | What it means | How to use it |
|---|---|---|
| Access (Art. 15) | Get a copy of your personal data | Email us or use account export |
| Rectification (Art. 16) | Fix inaccurate data | Account settings or email us |
| Erasure (Art. 17) | Delete your data | Delete account in settings or email us |
| Restriction (Art. 18) | Limit how we process your data | Email us |
| Portability (Art. 20) | Get your data in a machine-readable format | Use account export |
| Object (Art. 21) | Object to legitimate interest processing | Email us |
| Withdraw consent (Art. 7) | Take back consent you gave us | Account settings or email us |
| Complaint | Complain to a supervisory authority | Contact Datatilsynet (see below) |
Norwegian supervisory authority:
Datatilsynet
Postboks 458 Sentrum
0105 Oslo, Norway
https://www.datatilsynet.no
Additional rights for California residents (CCPA/CPRA)
If you're in California, you also have the right to:
- Know what personal information we collect, where it comes from, and who we share it with
- Delete your personal information (with some exceptions)
- Correct inaccurate personal information
- Opt out of sale/sharing — we don't sell personal info or share it for behavioral advertising, so this doesn't apply
- Limit sensitive info use — you can restrict how we use sensitive personal information
- Non-discrimination — we won't treat you differently for exercising your rights
To exercise your California rights, email privacy@swipestats.io with the subject line "California Privacy Rights Request."
How quickly will you respond?
- GDPR requests: Within 30 days (up to 90 for complex requests)
- CCPA requests: Within 45 days (up to 90 with notice)
10. What about cookies?
What cookies do we use?
| Type | Purpose | Do we need your consent? |
|---|---|---|
| Strictly necessary | Site functionality, security, keeping you logged in | No |
| Analytics | Understanding how people use the site | Yes |
| Functional | Remembering your preferences | Yes |
| Marketing | Measuring ad effectiveness (if applicable) | Yes |
How does consent work?
If you're just browsing: We ask for explicit consent before setting non-essential cookies.
If you create an account (including anonymous accounts): Analytics tracking is enabled under legitimate interest (GDPR Art. 6(1)(f)) to improve service quality, prevent fraud, and guide feature development.
Session replays: We use session replays (via PostHog) to debug issues and improve the experience. These are enabled for all account holders. You can request deletion of your recordings anytime.
How can I manage cookies?
- Through our website cookie settings (if available)
- Through your browser settings — most browsers let you block or delete cookies
Do you respond to "Do Not Track" signals?
Currently no, as there's no industry standard. We'll update this if a standard is adopted.
11. How do you keep my data safe?
Technical measures
- Encryption in transit (TLS 1.2+)
- Encryption at rest (AES-256)
- Access controls and authentication
- Regular security assessments
- Automated threat detection
Organizational measures
- Staff training on data protection
- Access limited to need-to-know basis
- Confidentiality agreements
- Incident response procedures
- Regular policy reviews
What's your part?
You're responsible for keeping your login credentials secure, using a strong password, not sharing your account, and logging out on shared devices.
No system is 100% secure — we can't guarantee absolute security, but we take it seriously.
12. What about children?
SwipeStats is not for anyone under 18. Dating apps require users to be at least 18, and so do we. We don't knowingly collect data from minors.
If you believe we've accidentally collected data from someone under 18, please contact us immediately at privacy@swipestats.io.
13. What about links to other sites?
We may link to third-party sites. We're not responsible for their privacy practices — check their own policies.
14. What happens if there's a data breach?
If we experience a breach that puts your rights at risk:
- We'll notify the Norwegian Data Protection Authority (Datatilsynet) within 72 hours
- If the breach is high-risk for you personally, we'll notify you directly without undue delay
- We'll tell you what happened, the likely consequences, and what we're doing about it
15. Will this policy change?
Small changes: We'll update the "Last Updated" date at the top.
Big changes: We'll email you and post a prominent notice on the site at least 30 days before changes take effect.
If you keep using SwipeStats after changes take effect, that counts as acceptance of the updated policy.
16. How can I contact you?
Email: privacy@swipestats.io
For faster routing, use these subject lines:
- "Privacy Rights Request" for data access or deletion
- "Security Concern" for security issues
- "Support" for general questions
Mail:
Boe Ventures AS
Norway
We aim to respond to all inquiries within 5 business days.
This Privacy Policy was last updated in February 2026.