Data Protection

Privacy Policy

Your privacy is not a feature — it's the foundation CafePop was built on. This policy explains exactly what data we collect, why, and how you control it.

🟢 In Effect
📅 Updated: 1 January 2025
📋 Version 2.1
🇨🇭 Swiss nDSG & GDPR
✦ Plain-English Summary

We collect what we need to run the Platform — your email, profile, and payment details. We never sell your data or run ads. Your WhatsApp number is only shared after someone explicitly saves your profile. All data lives in Switzerland or the EU. You can access, correct, export, or delete your data at any time. We respond to all privacy requests within 30 days.

01

Overview & Controller

This Privacy Policy explains how CafePop Switzerland GmbH ("CafePop," "we," "us," or "our") collects, uses, stores, shares, and protects personal information when you use our website, mobile application, and related services (collectively, the "Platform").

CafePop is the data controller for all personal data processed through the Platform. This means we determine the purposes and means of processing your personal data and bear full responsibility for its lawful handling.

Data Controller: CafePop Switzerland GmbH
Registered Address: Bahnhofstrasse, Zürich, Switzerland
Governing Law: Swiss nDSG & EU GDPR
DPO Contact: hellocafepop@gmail.com

CafePop was designed with privacy as its core architectural principle. We do not run advertising, we do not sell data, and we do not profile users for commercial purposes. Our only revenue is subscription fees.

This Policy applies to all users of the Platform, including Profile Members (women who create profiles) and Visitors (users who browse profiles). By using the Platform, you consent to the data practices described in this Policy.

02

Data We Collect

We collect data in three ways: information you provide directly, information generated automatically by your use of the Platform, and information from third-party services you connect to the Platform.

Information You Provide

  • Account data: email address, password (hashed — never stored in plain text), and account preferences.
  • Profile data: name or display name, date of birth, gender, location (city/region), occupation, bio, interests, and profile photos.
  • Contact data: WhatsApp number (Profile Members only — used solely to share with users who save your profile).
  • Subscription data: billing information processed by our payment provider (we do not store full card numbers).
  • Communications: messages you send to our support, moderation, or legal team.
  • Verification data: identity verification materials submitted as part of our manual profile review process.

Information Collected Automatically

  • Device data: device type, operating system, browser type and version, screen resolution.
  • Log data: IP address, access timestamps, pages visited, referring URLs, and session duration.
  • Usage data: swipe interactions (anonymised), profile saves (anonymised), search terms used within the Platform.
  • Location data: approximate location derived from IP address (city-level only — we do not request precise GPS location).
  • Cookies and similar technologies: see Section 8 for full details.

Information from Third Parties

  • Authentication providers: if you choose to sign in with a third-party provider (e.g. Google), we receive your email address and basic profile information.
  • Payment processors: transaction confirmation and anonymised billing data from our payment processor (Stripe or equivalent).
  • App stores: anonymised analytics from Apple App Store or Google Play where applicable.

We do not collect your precise GPS coordinates, and we do not access your phone contacts, microphone, or camera beyond your explicit profile photo uploads. We do not read or store any WhatsApp messages or external communications.

03

How We Use Your Data

We use your personal data only for the purposes described below. We never use your data for purposes incompatible with those disclosed in this Policy without your prior consent.

| Data Collected | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Email address | Account creation, login, transactional emails, critical notices | Contract | Life of account + 30 days |
| Profile data | Displaying your profile to Visitors, moderation review | Contract | Life of account + 30 days |
| WhatsApp number | Shared with Visitors who save your profile (Profile Members only) | Contract | Life of account + 30 days |
| Photos | Profile display, moderation review, verification | Contract | Life of account + 30 days |
| Billing data | Processing subscription payments, issuing receipts, fraud prevention | Contract | 7 years (Swiss tax law) |
| IP address / logs | Security monitoring, fraud detection, abuse prevention, debugging | Legitimate Interest | 90 days |
| Usage analytics | Platform improvement, understanding feature adoption (anonymised aggregates only) | Legitimate Interest | 12 months (anonymised) |
| Support messages | Responding to your enquiries, resolving disputes, improving support | Contract | 3 years |
| Device/profile data | Security, compatibility, session management | Legitimate Interest | 90 days |
| Cookies | Authentication, preferences, anonymous analytics | Consent / Contract | See Section 8 |

We do not use your personal data for targeted advertising, profiling for commercial purposes, or sale to third parties. We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.

05

Data Sharing & Disclosure

We do not sell, rent, or trade your personal data. We share your information only in the following limited circumstances:

With Other Platform Users

Your public profile information (name, photos, bio, occupation, interests, city/region) is visible to registered Visitors browsing the Platform. Your WhatsApp number is only disclosed to a Visitor after they explicitly save your profile — it is never publicly displayed or indexed.

With Service Providers

We engage carefully selected third-party service providers who process data on our behalf under strict data processing agreements. These providers may only use your data for the specific purposes we authorise and may not use it for their own purposes. Current categories include:

  • Cloud infrastructure & hosting (servers located in Switzerland or the EU).
  • Payment processing (we use a PCI-DSS compliant payment processor — full card numbers never reach our servers).
  • Email delivery (transactional emails only — no marketing without your consent).
  • Cloud storage for profile photos (Swiss or EU data centres).
  • Anonymised analytics (no personally identifiable data shared).

For Legal Reasons

We may disclose your data to law enforcement agencies, courts, or regulatory authorities where required by Swiss law or a binding legal order. We will notify you of such disclosure where legally permitted to do so.

Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your data may be transferred to the acquiring entity. We will notify you in advance and ensure the acquiring entity is bound by privacy protections equivalent to this Policy.

CafePop has never sold user data and will never do so. This is a founding commitment, not a policy subject to revision.

06

Data Storage & Security

Where Your Data Is Stored

All personal data is stored on servers located in Switzerland or within the European Economic Area (EEA). We do not store personal data in countries without adequate data protection laws unless appropriate safeguards (such as Standard Contractual Clauses) are in place.

Security Measures

We implement industry-standard technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include:

  • Encryption of data in transit using TLS 1.2+ (HTTPS enforced across all Platform surfaces).
  • Encryption of sensitive data at rest using AES-256.
  • Passwords hashed using bcrypt — we never store plain-text passwords.
  • Role-based access controls limiting internal access to personal data on a need-to-know basis.
  • Regular security audits and vulnerability assessments.
  • Multi-factor authentication for all internal systems accessing personal data.
  • Audit logging of all access to personal data.
  • Incident response procedures to detect, contain, and notify of data breaches.

No system is perfectly secure. While we take data security seriously and invest significantly in protecting your information, we cannot guarantee absolute security. In the event of a data breach affecting your rights and freedoms, we will notify affected users and relevant supervisory authorities as required by law.

Data Breach Response

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant Swiss supervisory authority (the Federal Data Protection and Information Commissioner, FDPIC) within 72 hours of becoming aware of the breach, and notify affected individuals without undue delay, in accordance with the nDSG and GDPR.

07

Retention Periods

We retain your personal data only for as long as necessary to fulfil the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. When data is no longer required, we delete or anonymise it securely.

| Data Category | Retention Period | Reason |
|---|---|---|
| Account & Profile Data | Duration of account + 30 days post-deletion | Service provision |
| Profile Photos | Duration of account + 30 days post-deletion | Service provision |
| Billing & Payment Records | 7 years | Swiss commercial law (OR Art. 958f) |
| Support Communications | 3 years | Dispute resolution |
| Security Logs (IP, access) | 90 days | Security & fraud prevention |
| Anonymised Analytics | 12 months (then aggregated) | Platform improvement |
| Consent Records | 3 years from withdrawal | Legal compliance |
| Marketing Consent | Until withdrawn + 1 year | Compliance evidence |

Upon account deletion, we initiate a deletion process that removes personally identifiable data within 30 days, except where we are legally required to retain it for longer (such as billing records). Backups are purged within 90 days.

08

Cookies & Tracking

We use cookies and similar tracking technologies to operate the Platform, remember your preferences, maintain your session, and analyse usage patterns. We do not use cookies for cross-site advertising or tracking.

Strictly Necessary Cookies (Always Active)

Required for the Platform to function. These include session cookies, authentication tokens, and CSRF protection tokens. Cannot be disabled without breaking the Platform.

Examples: Session ID, auth token, CSRF token

Functional Cookies (Required for Features)

Enable personalisation and feature functionality, such as remembering your theme preference (light/dark), language, and notification settings.

Examples: Theme preference, language, display settings

Analytics Cookies (Consent Required)

Help us understand how the Platform is used in aggregate so we can improve it. All analytics data is anonymised — we cannot identify individual users from analytics data.

Examples: Page views, feature usage (anonymised), session duration

Managing Cookies

You can control cookies through your browser settings. Note that disabling strictly necessary cookies will prevent the Platform from functioning correctly. For analytics cookies, you can opt out through our cookie preference centre accessible in the Platform footer.

We do not use third-party advertising cookies. We do not participate in cross-site tracking networks. We do not use fingerprinting technologies.

09

Your Rights

Under Swiss data protection law (nDSG) and the GDPR (where applicable), you have the following rights regarding your personal data. We take these rights seriously and aim to respond to all requests within 30 days.

  • Right of Access: Request a copy of all personal data we hold about you, along with information about how it is processed.
  • Right to Rectification: Request correction of any inaccurate or incomplete personal data we hold about you.
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten") where there is no legal basis for continued retention.
  • Right to Restriction: Request that we restrict processing of your data in certain circumstances, such as while you contest its accuracy.
  • Right to Portability: Receive your personal data in a structured, machine-readable format and transmit it to another controller.
  • Right to Object: Object to processing based on legitimate interests, including profiling. We will stop unless we have compelling legitimate grounds.
  • Automated Decisions: Not be subject to decisions based solely on automated processing that significantly affect you. We do not use such processing.
  • Withdraw Consent: Withdraw any consent you have given at any time. This does not affect the lawfulness of processing before withdrawal.

How to Exercise Your Rights

To exercise any of your rights, please contact our Data Protection Officer at hellocafepop@gmail.com. You may also manage many of these rights directly from your account settings. We will verify your identity before processing any request.

Most requests can be fulfilled immediately through your account settings. For complex requests, we will acknowledge receipt within 72 hours and complete the request within 30 days, with the possibility of a 60-day extension in exceptional circumstances (we will notify you if an extension is required).

Right to Lodge a Complaint

If you are unsatisfied with how we handle your personal data or respond to your request, you have the right to lodge a complaint with:

10

Minors

CafePop is strictly an adult platform for users aged 18 and over. We do not knowingly collect personal data from anyone under 18 years of age.

If you are under 18 years of age, you must not use or attempt to access the CafePop Platform under any circumstances. Any account found to belong to a person under 18 will be immediately terminated and all associated data will be deleted.

We employ age verification as part of our registration and moderation process. If you are a parent or guardian and believe your child has created an account on CafePop, please contact us immediately at hellocafepop@gmail.com and we will delete the account and all associated data without delay.

11

International Transfers

CafePop primarily stores and processes data within Switzerland and the European Economic Area (EEA). Switzerland is recognised by the EU Commission as providing adequate data protection (adequacy decision), meaning data transfers between Switzerland and the EU are lawful without additional safeguards.

In limited circumstances, data may be transferred to countries outside Switzerland and the EEA (for example, in the case of some cloud service providers). Where such transfers occur, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Transfers to countries with an EU adequacy decision.
  • Binding Corporate Rules (BCRs) where applicable.
  • Your explicit consent for specific transfers.

You may request a copy of the safeguards in place for any specific transfer by contacting our Data Protection Officer at hellocafepop@gmail.com.

12

Third-Party Services

The Platform may contain links to or integrations with third-party websites and services. The most notable is WhatsApp, which is used for direct communication between users after a profile is saved.

CafePop is not responsible for the privacy practices of WhatsApp or any other third-party service. When you use WhatsApp or any external service linked from our Platform, you are subject to that service's own privacy policy and terms.

Our current key third-party service providers and their roles include:

  • Supabase (database and authentication infrastructure) — EU/Switzerland data centres.
  • Stripe or equivalent (payment processing) — PCI-DSS Level 1 certified.
  • Vercel or equivalent (web application hosting) — EU region.
  • Apple App Store / Google Play Store (mobile application distribution).

We review our third-party providers regularly to ensure they maintain appropriate data protection standards. All providers are bound by data processing agreements requiring them to protect your data in accordance with this Policy and applicable law.

13

Policy Changes

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or Platform features. The date at the top of this Policy indicates when it was last revised.

For material changes — those that significantly affect your rights or how we use your data — we will provide clear advance notice through:

  • An email notification to the address associated with your account, sent at least 14 days before changes take effect.
  • A prominent notice on the Platform homepage and within the app.
  • A push notification if you have notifications enabled on the mobile app.

Your continued use of the Platform after the effective date of a revised Policy constitutes your acceptance of the updated terms. If you disagree with a material change, you may delete your account before the change takes effect and we will delete your personal data as described in Section 7.

We maintain a public archive of previous versions of this Policy, available upon request by emailing hellocafepop@gmail.com.

14

Contact & DPO

For all privacy-related enquiries, requests, or concerns, please contact our Data Protection Officer. We take privacy seriously and are committed to responding promptly and thoroughly to all requests.

📍 Data Controller — Registered Address

CafePop Switzerland GmbH
Bahnhofstrasse, Zürich
Switzerland

We aim to acknowledge all privacy requests within 72 hours and resolve them within 30 days. For urgent matters — such as suspected data breaches or safety concerns — please mark your email "URGENT".

You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch or your local EU/EEA data protection authority if you are unsatisfied with our response.

© 2026 CafePop Switzerland GmbH · All rights reserved.