1. Data controller

This Privacy Policy (“Policy”) explains how we process personal data when you use the Steep mobile app.

Data controller: INFINITRY LTD, registered office: 128 City Road, London, United Kingdom, EC1V 2NX. For privacy requests: infinitry.business@gmail.com.

2. Scope

This Policy covers the iOS and Android versions of the App, including sign-up, login, profile, discover, matching, messaging, notifications, paid features (Steep Plus), and account deletion.

Third-party sites linked from the App (e.g. store help pages) have their own policies.

3. What data we process

Account & identity: email address; password (email sign-up only — stored in hashed or encrypted form); unique user ID (UUID). Google sign-in uses session/identity data processed via Supabase Auth.

Profile & preferences: display name, birth date, gender, match preferences, city text, optional map coordinates, height, bio, relationship intent, interest tags, intro text, optional voice recording.

Media: photos you upload and text prompt answers.

Interaction & safety: likes, passes, super likes, match status, message content and timestamps; reports, blocks, and moderation records; last activity signals (e.g. for “active” indicators).

Technical & device: OS, app version, push device token (if you allow notifications), limited error/performance logs where applicable.

Payments & subscriptions: we do not receive your card details. Purchases via Apple App Store or Google Play are processed by those platforms. We may store subscription status (e.g. Plus expiry) as needed to provide the service.

4. Purposes and legal bases (summary)

Contract & service delivery: showing your profile, matching, messaging, notifications (performance of contract — UK GDPR / GDPR Art. 6(1)(b)).

Legitimate interests: fraud prevention, security, abuse detection, service improvement and statistics (balancing test and minimisation — Art. 6(1)(f)).

Consent: optional location sharing, push notifications, or other features that clearly require consent (Art. 6(1)(a)); you may withdraw consent at any time.

Legal obligation: court orders or competent authority requests (Art. 6(1)(c)).

We do not operate a separate “special category” policy; dating-related data such as photos, messages, and location are handled with care.

5. Third-party processors

Data may be shared with or processed on infrastructure of:

Processors use data only as needed to provide the service and are subject to their own privacy policies.

We may disclose limited information to authorities where required by law.

We do not sell personal data to ad networks in the sense of “sale” under laws like the CCPA.

6. International transfers

Servers or processors may be outside the UK/EEA (e.g. USA). Where UK GDPR / GDPR applies, we rely on appropriate safeguards (e.g. Standard Contractual Clauses, adequacy decisions, or supplementary measures).

Contact infinitry.business@gmail.com for more detail.

7. Security

We use technical and organisational measures such as encryption in transit (e.g. TLS), access controls, and security updates. No system is 100% secure; report suspicious activity promptly.

8. Retention

We keep data needed for the service while your account is active.

After deletion, we delete or irreversibly anonymise data within a reasonable period, except where law, security, or abuse prevention requires limited records.

Backups may delay deletion briefly; retention is kept to what is technically reasonable.

9. Your rights

Depending on where you live, you may request access, rectification, erasure, restriction, objection, data portability (where feasible), and withdrawal of consent where processing is consent-based.

Requests: infinitry.business@gmail.com. We may ask reasonable questions to verify your identity.

You may complain to a supervisory authority (e.g. ICO in the UK at ico.org.uk, or your local DPA in the EU).

10. Children and age limit

Steep is for users aged 18 and over only. We do not knowingly collect data from children. Accounts that appear to belong to minors will be closed and data deleted or anonymised.

11. Ads and analytics

We do not currently use IDFA/GAID for ad tracking or sell profile data to ad networks.

If we add analytics or ads in future, this Policy will be updated and required permissions will be requested.

12. Notifications

Push notifications are sent only with device permission. You can turn them off in Settings; some critical account messages may be sent by email.

13. Cookies and mobile storage

The mobile app does not use website cookies. Session and security tokens may be stored in secure on-device storage (e.g. keychain-integrated storage).

14. Store listings and external links

Store “Privacy Policy” URLs may point to https://steepdating.com/privacy when published; the full current text is always shown in the App.

Terms of use: https://steepdating.com/terms

15. Changes to this Policy

We may update this Policy. Material changes may be communicated in-app or by email.

Last updated: as of the publication date of this text.