Effective Date: March 7, 2026 Last Updated: March 7, 2026 Version: 1.0

Introduction
Who We Are
Information We Collect
How We Use Your Information
Legal Bases for Processing (GDPR)
How We Share Your Information
Sensitive Personal Information
Cookies and Tracking Technologies
Data Retention
Data Security
Your Privacy Rights
GDPR Rights (EU/EEA/UK)
CCPA/CPRA Rights (California)
Other State Privacy Rights
Photo and Media Privacy
Location Data
Children's Privacy
International Data Transfers
Third-Party Links and Services
Changes to This Privacy Policy
Contact Us

1. Introduction

Primal Digital LLC ("Primal," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, share, and protect information when you use our platform, website, mobile applications, and related services (collectively, the "Platform").

We understand that our Platform involves particularly sensitive personal information, including information about your dating preferences, kink and fetish interests, and marketplace activity. We treat this data with the highest level of care and security.

Please read this Privacy Policy carefully. By using the Platform, you consent to the practices described herein. If you do not agree with this Privacy Policy, do not use the Platform.

2. Who We Are

Data Controller (for GDPR purposes): Primal Digital LLC [Address] Email: dpo@primal.app

Data Protection Officer: Email: dpo@primal.app

EU Representative (Art. 27 GDPR): [To be appointed -- EU representative's contact information]

3. Information We Collect

3.1 Information You Provide Directly

Account Information:

Full legal name
Date of birth
Email address
Phone number
Username/display name
Password (stored in hashed form only)
Gender and gender identity
Sexual orientation
Profile photographs and videos
Bio and profile description

Identity Verification Information:

Government-issued photo ID (passport, driver's license, national ID)
Selfie for facial comparison
ID document number (encrypted and stored separately from profile data)
Verification status and date

Profile and Preference Information:

Relationship preferences (e.g., sugar dating, kink partner, friendship)
Kink and fetish interests (selected from our taxonomy or custom entries)
Body type, height, ethnicity (optional, self-reported)
Lifestyle information (income range, education, occupation -- optional)
Desired match characteristics
"About Me" and "Looking For" text fields

Communication Data:

Messages sent and received through the Platform
Audio messages and voice notes
Video call metadata (we do NOT record video call content)
Reports and feedback submitted

Marketplace Data:

Item listings (descriptions, photos, pricing)
Purchase and sales history
Shipping addresses
Seller ratings and reviews
Dispute communications

Payment Information:

Payment method (credit/debit card, PayPal, etc.)
Billing address
Transaction history and amounts
Payout information for sellers (bank account/PayPal for cashouts)

Note: Full payment card numbers are NOT stored by Primal. Payment processing is handled by PCI DSS-compliant third-party processors.

Tax Information (Sellers Only):

Social Security Number (SSN) or Employer Identification Number (EIN) -- collected only when legally required for IRS Form 1099-K reporting
Tax identification is stored in encrypted form and used solely for tax compliance

3.2 Information Collected Automatically

Device and Technical Information:

Device type, model, and operating system
Browser type and version
IP address
Device identifiers (advertising ID, device ID)
App version
Screen resolution and device capabilities

Usage Information:

Pages and features accessed
Time spent on the Platform
Swipe and matching activity (anonymized for analytics)
Search queries
Feature interactions (likes, comments, gifts sent/received)
Referral source (how you found Primal)

Location Information:

Approximate location based on IP address (city/region level)
Precise GPS location (only with your explicit consent, only while using location-based features)
Location data from Safety Check-In feature (only when activated by you)

Log Data:

Access times and dates
Error logs and crash reports
Referring/exit pages

3.3 Information from Third Parties

Identity Verification Partners:

Verification results (pass/fail) and confidence scores from our ID verification provider

Payment Processors:

Transaction confirmation, refund status, dispute status

Social Media (if you link accounts):

Basic profile information from linked social media accounts (only if you choose to connect them)

Analytics Providers:

Aggregated usage data and demographics

Law Enforcement and Legal Requests:

Information received in connection with legal processes

4. How We Use Your Information

We use your information for the following purposes:

4.1 Providing and Operating the Platform

Creating and managing your account
Displaying your profile to potential matches (per your privacy settings)
Facilitating matching, messaging, and communication between users
Processing Marketplace transactions, payments, and payouts
Providing customer support
Enabling virtual gifting

4.2 Safety and Security

Verifying your identity and age
Detecting and preventing fraud, scams, bots, and fake accounts
Enforcing our Terms of Service and Community Guidelines
Investigating reports of misconduct, harassment, or illegal activity
Complying with FOSTA-SESTA and other legal obligations
Preventing money laundering and financial fraud
Protecting the safety of our users and the public

4.3 Improvement and Personalization

Improving matching algorithms and user experience
Personalizing content, recommendations, and notifications
Conducting analytics and research on Platform usage patterns (in aggregated/anonymized form)
Testing new features and functionality
Troubleshooting bugs and technical issues

4.4 Communications

Sending transactional emails (account confirmation, password reset, transaction confirmations)
Sending notifications about matches, messages, and Platform activity (per your notification settings)
Sending marketing communications (only with your consent; unsubscribe available)
Notifying you of changes to our Terms or Privacy Policy

4.5 Legal and Compliance

Complying with applicable laws, regulations, and legal processes
Responding to lawful requests from law enforcement and government agencies
Enforcing our legal rights and defending against claims
Tax reporting obligations (1099-K for qualifying sellers)

5. Legal Bases for Processing (GDPR)

For users in the EU/EEA/UK, we process your personal data based on the following legal bases:

Purpose	Legal Basis
Account creation and Platform operation	Performance of contract (Art. 6(1)(b))
Matching, messaging, profile display	Performance of contract (Art. 6(1)(b))
Payment processing	Performance of contract (Art. 6(1)(b))
Safety, fraud prevention, security	Legitimate interest (Art. 6(1)(f))
Legal compliance (FOSTA-SESTA, tax)	Legal obligation (Art. 6(1)(c))
Marketing communications	Consent (Art. 6(1)(a))
Analytics and improvement	Legitimate interest (Art. 6(1)(f))
Processing kink/fetish preferences	Explicit consent (Art. 9(2)(a))
Processing biometric data (face verification)	Explicit consent (Art. 9(2)(a))
Location data (precise GPS)	Consent (Art. 6(1)(a))

You may withdraw consent at any time without affecting the lawfulness of processing that occurred before withdrawal.

6. How We Share Your Information

6.1 With Other Users

Based on your privacy settings, the following may be visible to other users:

Profile information (display name, photos, bio, age, location at city level)
Kink and fetish interests (if you choose to display them)
Marketplace listings and seller ratings
Verification badge status
Online status and last active time (configurable)

We NEVER share the following with other users:

Your real name (unless you choose to display it)
Your email address, phone number, or physical address
Your ID verification documents
Your payment or financial information
Your precise GPS location
Your browsing/swipe history
Reports you have filed

6.2 With Service Providers

We share information with trusted third-party service providers who assist us in operating the Platform:

Identity Verification: [Provider name] -- for ID and age verification
Payment Processing: [Provider name] -- for payment transactions
Cloud Hosting: [Provider name] -- for data storage and computing
Email/Notification Services: [Provider name] -- for transactional and marketing emails
Analytics: [Provider name] -- for aggregated usage analytics
Content Moderation: [Provider name] -- for automated content scanning
Customer Support Tools: [Provider name] -- for ticket management

All service providers are bound by data processing agreements and are prohibited from using your data for their own purposes.

6.3 With Law Enforcement and Legal Authorities

We may disclose your information to law enforcement or government authorities when:

Required by law, subpoena, court order, or legal process;
We believe disclosure is necessary to prevent imminent harm, fraud, or illegal activity;
We receive a valid DMCA takedown request;
We detect content involving minors (reported to NCMEC);
We detect suspected sex trafficking (reported to NCMEC and law enforcement).

We will notify you of law enforcement requests for your data unless prohibited by law or court order.

6.4 With Your Consent

We may share your information with third parties when you have given explicit consent, such as linking third-party accounts or opting into promotional partnerships.

6.5 Business Transfers

In the event of a merger, acquisition, bankruptcy, dissolution, reorganization, or similar corporate event, your personal information may be transferred as part of the transaction. We will notify you of any such transfer and any choices you may have regarding your information.

6.6 Aggregated and De-Identified Data

We may share aggregated or de-identified data that cannot reasonably be used to identify you for research, analytics, marketing, or other purposes.

6.7 We Do NOT Sell Your Data

Primal does NOT sell your personal information to third parties for their marketing purposes. For California residents: we do not "sell" or "share" (as defined by CCPA/CPRA) your personal information.

7. Sensitive Personal Information

We recognize that certain categories of information collected on the Platform are particularly sensitive:

7.1 Kink and Fetish Preferences

Your kink and fetish interest data is classified as sensitive personal information and receives enhanced protections:

Stored with additional encryption beyond our standard security measures;
Never shared with third parties for advertising or marketing;
Never used for purposes other than matching, personalization, and community features;
Visible to other users only if you explicitly choose to display them;
Excluded from any data sale or sharing (not that we sell data, but this is categorically excluded);
Permanently deleted upon account deletion (no retention).

7.2 Sexual Orientation and Gender Identity

This data is collected only if you choose to provide it and is treated as sensitive personal information under GDPR (special category data, Art. 9). Processed only with your explicit consent and subject to the same enhanced protections as kink preference data.

7.3 Biometric Data

Facial recognition data used for identity verification is:

Processed only with your explicit consent;
Used solely for the purpose of identity verification;
Not stored after verification is complete (verification result only is retained);
Not used for any other purpose, including surveillance or tracking;
Handled in compliance with Illinois BIPA, Texas CUBI, Washington state biometric law, and other applicable biometric privacy laws.

8. Cookies and Tracking Technologies

8.1 What We Use

Type	Purpose	Duration
Essential Cookies	Authentication, security, basic functionality	Session / 12 months
Functional Cookies	Preferences, language, display settings	12 months
Analytics Cookies	Usage patterns, feature popularity, error tracking	24 months
Performance Cookies	Load times, server response, app stability	Session

8.2 What We Do NOT Use

No advertising cookies or tracking pixels from third-party ad networks;
No cross-site tracking for advertising purposes;
No fingerprinting for advertising (device fingerprinting is used solely for fraud prevention).

8.3 Cookie Consent

On first visit, you will be presented with a cookie consent banner where you can:

Accept all cookies;
Accept only essential cookies;
Customize your cookie preferences by category.

You can change your cookie preferences at any time in Account Settings > Privacy > Cookie Preferences.

8.4 Do Not Track

We honor Do Not Track (DNT) signals. When we detect a DNT signal, we disable all non-essential cookies and tracking.

9. Data Retention

9.1 Active Accounts

We retain your data for as long as your account is active and as needed to provide the Platform's services.

9.2 Deleted Accounts

Upon account deletion:

Data Type	Retention Period	Reason
Profile data (name, bio, preferences)	Deleted within 30 days	No further need
Photos and media	Deleted within 30 days	No further need
Messages	Deleted within 30 days	Retained temporarily for counterparty access
Identity verification documents	Deleted within 90 days	Regulatory compliance
Transaction records	7 years	Tax and financial compliance
Tax information (SSN/EIN)	7 years	IRS requirements
Fraud/safety records	3 years	Prevent re-registration of banned users
Legal hold data	Duration of legal proceeding	Legal obligation
Anonymized analytics	Indefinite	Non-identifiable, used for improvement

9.3 Inactive Accounts

Accounts inactive for twenty-four (24) months will receive a notification. If no response is received within thirty (30) days, the account will be deactivated and data will be handled per Section 9.2.

10. Data Security

10.1 Technical Measures

We implement industry-standard security measures including:

Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3;
Encryption at Rest: All stored data is encrypted using AES-256;
Additional Encryption: Sensitive data (kink preferences, ID documents, tax information) receives an additional layer of application-level encryption;
Access Controls: Role-based access with principle of least privilege; multi-factor authentication required for all staff accessing user data;
Infrastructure Security: Hosted on SOC 2 Type II certified infrastructure;
Database Security: Encrypted, access-logged databases with automated intrusion detection;
Password Security: Passwords are hashed using bcrypt with appropriate work factors; we never store plaintext passwords.

10.2 Organizational Measures

Background checks required for all employees with access to user data;
Regular security awareness training for all staff;
Documented incident response plan;
Regular security audits and penetration testing;
Bug bounty program for responsible disclosure.

10.3 Data Breach Notification

In the event of a data breach affecting your personal information, we will:

Notify affected users within seventy-two (72) hours of becoming aware of the breach (as required by GDPR);
Notify relevant supervisory authorities as required by law;
Provide details of the breach, data affected, and remedial steps taken;
Offer credit monitoring where appropriate.

10.4 No Guarantee

While we implement robust security measures, no system is completely secure. We cannot guarantee the absolute security of your data. You use the Platform at your own risk.

11. Your Privacy Rights

All users, regardless of location, have the following rights:

Access: Request a copy of the personal data we hold about you;
Correction: Request correction of inaccurate or incomplete data;
Deletion: Request deletion of your personal data (subject to legal retention requirements);
Data Portability: Request your data in a machine-readable format;
Opt-Out of Marketing: Unsubscribe from marketing communications at any time;
Cookie Preferences: Modify cookie settings at any time;
Profile Visibility: Control what information is visible to other users;
Account Deactivation: Temporarily hide your profile without deleting your account.

To exercise any of these rights, email privacy@primal.app or use the self-service tools in Account Settings > Privacy.

We will respond to all privacy requests within thirty (30) days (or within the timeframe required by applicable law).

12. GDPR Rights (EU/EEA/UK)

If you are located in the European Union, European Economic Area, or United Kingdom, you have additional rights under the GDPR/UK GDPR:

12.1 Rights

Right of Access (Art. 15): Obtain confirmation of whether we process your data and request a copy;
Right to Rectification (Art. 16): Request correction of inaccurate data;
Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten");
Right to Restriction of Processing (Art. 18): Request that we restrict processing while a dispute is resolved;
Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format;
Right to Object (Art. 21): Object to processing based on legitimate interests;
Rights Related to Automated Decision-Making (Art. 22): You will not be subject to decisions based solely on automated processing that produce legal or similarly significant effects;
Right to Withdraw Consent (Art. 7): Withdraw consent at any time for processing based on consent.

12.2 Exercising Your Rights

Submit requests to dpo@primal.app. We will verify your identity before processing and respond within one (1) month (extendable by two (2) months for complex requests, with notice).

12.3 Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority.

12.4 Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to your rights and freedoms, including processing of sensitive kink/fetish preference data and biometric verification data.

13. CCPA/CPRA Rights (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

13.1 Rights

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it;
Right to Delete: Request deletion of your personal information;
Right to Correct: Request correction of inaccurate personal information;
Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information, but you may submit an opt-out request for additional assurance;
Right to Limit Use of Sensitive Personal Information: Request that we limit the use of sensitive personal information (including kink preferences) to what is necessary to provide the services;
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

13.2 Categories of Information Collected

Category (CCPA)	Examples	Collected
Identifiers	Name, email, phone, IP address	Yes
Personal information (Cal. Civ. Code 1798.80)	Address, payment info	Yes
Protected classification characteristics	Age, gender, orientation	Yes (optional)
Commercial information	Purchase/sales history	Yes
Biometric information	Face scan for verification	Yes (with consent)
Internet activity	Browsing, search, usage	Yes
Geolocation data	Approximate and precise location	Yes (precise with consent)
Sensory data	Photos, audio messages	Yes
Professional/employment info	Occupation (optional)	Yes (optional)
Sensitive personal information	Kink preferences, SSN (sellers)	Yes

13.3 How to Submit Requests

Email: privacy@primal.app
In-app: Account Settings > Privacy > California Privacy Rights
Toll-free: [Phone number to be established]

We will verify your identity using your account credentials and, if necessary, additional verification. We will respond within forty-five (45) days (extendable by forty-five (45) days with notice).

13.4 Authorized Agents

You may designate an authorized agent to submit requests on your behalf. The agent must provide written authorization from you and we may require you to verify your identity directly.

13.5 Financial Incentives

Any financial incentives we offer (e.g., discounts for providing additional profile information) are based on our reasonable, good-faith estimate of the value of the data to our business. You may opt out of financial incentive programs at any time.

14. Other State Privacy Rights

14.1 Virginia (VCDPA)

Virginia residents have rights to access, correct, delete, obtain a copy of, and opt out of targeted advertising and sale of personal data. Submit requests to privacy@primal.app.

14.2 Colorado (CPA)

Colorado residents have similar rights to Virginia residents, including the right to opt out of targeted advertising, sale, and profiling. Submit requests to privacy@primal.app.

14.3 Connecticut (CTDPA)

Connecticut residents have rights to access, correct, delete, obtain a copy of, and opt out of targeted advertising, sale, and profiling. Submit requests to privacy@primal.app.

14.4 Utah (UCPA)

Utah residents have rights to access, delete, and opt out of targeted advertising and sale. Submit requests to privacy@primal.app.

14.5 Other States

As additional states enact comprehensive privacy laws, we will update this section accordingly. Regardless of your location, we strive to provide all users with meaningful privacy rights as described in Section 11.

15. Photo and Media Privacy

15.1 Photo Storage

All photos are stored on encrypted servers;
Photos are served via secure, authenticated URLs that cannot be accessed without a valid session;
We implement measures to discourage (but cannot guarantee prevention of) screenshotting and downloading of private content.

15.2 Photo Visibility Levels

You control who can see your photos through three visibility levels:

Public: Visible to all Platform users;
Private: Visible only to users you explicitly grant access;
Hidden: Stored but visible only to you (useful for drafts or items not yet listed).

15.3 Photo Deletion

When you delete a photo:

It is immediately removed from your profile and all user-facing surfaces;
It is permanently deleted from our servers within thirty (30) days;
Cached copies on CDN nodes are purged within seventy-two (72) hours;
We cannot delete copies that other users may have saved externally (screenshots, downloads).

15.4 EXIF Data

We strip EXIF metadata (including GPS coordinates, device information, and timestamps) from all uploaded photos before displaying or storing them, to protect your privacy and location.

15.5 Digital Watermarking

We may apply invisible digital watermarks to photos to help identify unauthorized redistribution. These watermarks do not alter the visible appearance of your photos.

16. Location Data

16.1 Approximate Location

We collect approximate location data (city/region level) based on your IP address. This is used for:

Showing you nearby matches;
Displaying approximate distance on profiles;
Complying with location-specific legal requirements.

You may set a custom location or hide your location in your privacy settings.

16.2 Precise Location

Precise GPS location is collected ONLY when:

You explicitly enable location services for the Primal app;
You activate the Safety Check-In feature during a meetup.

Precise location is NEVER displayed to other users. It is used only for distance calculations (displayed as approximate ranges, e.g., "less than 5 miles away") and safety features.

16.3 Disabling Location

You can disable location sharing at any time in your device settings or in Account Settings > Privacy > Location. Disabling location may limit certain features (e.g., distance-based matching).

17. Children's Privacy

Primal is intended exclusively for adults aged eighteen (18) and older. We do not knowingly collect personal information from anyone under the age of eighteen (18).

If we discover that we have inadvertently collected information from a minor, we will:

Immediately suspend the account;
Delete all associated personal information within twenty-four (24) hours;
Report the incident to NCMEC if any concerning content is involved;
Cooperate with law enforcement as appropriate.

If you believe a minor is using the Platform, please report it immediately to safety@primal.app.

18. International Data Transfers

18.1 Data Location

Primal's primary servers are located in the United States. Your data may be processed and stored in the United States and other countries where our service providers operate.

18.2 Safeguards for International Transfers

For transfers of data from the EU/EEA/UK to countries without an adequate level of data protection, we implement appropriate safeguards including:

Standard Contractual Clauses (SCCs) approved by the European Commission;
Supplementary measures as recommended by the EDPB;
Data Processing Agreements with all service providers;
Assessment of the legal framework of the recipient country.

18.3 EU-US Data Privacy Framework

[If applicable: We participate in the EU-US Data Privacy Framework and comply with its principles.]

19. Third-Party Links and Services

The Platform may contain links to third-party websites, apps, or services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you use.

Third-party services that may be linked or integrated include:

Payment processors;
Social media platforms (if you link accounts);
Shipping carriers (for Marketplace);
Identity verification providers.

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Sending an email to the address associated with your account;
Displaying a prominent notice within the Platform;
Updating the "Last Updated" date at the top of this policy.

We encourage you to review this Privacy Policy periodically. Material changes will be effective thirty (30) days after notice, unless a shorter period is required by law. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

21. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Protection Officer: dpo@primal.app
General Privacy Inquiries: privacy@primal.app
Mailing Address: Primal Digital LLC, [Address to be provided]
Phone: [To be established]

For EU/EEA/UK residents, you may also contact our EU Representative at [to be appointed].

We aim to respond to all privacy inquiries within thirty (30) days.

Privacy Policy

Table of Contents