GLEAP PRIVACY POLICY

Effective Date: February 22, 2026
Last Updated: February 22, 2026

This Privacy Policy explains how Gleap (“we,” “us,” or “our”) collects, uses, shares, and protects your personal information when you use the Gleap mobile application and related services (collectively, the “Service”).

Gleap is operated by:

TABLE OF CONTENTS

1. Information We Collect
2. How We Collect Information
3. How We Use Your Information
4. How We Share Your Information
5. Health Information and Verification
6. Cookies and Tracking Technologies
7. International Data Transfers
8. Data Security
9. Your Privacy Rights
10. Data Retention
11. Third-Party Links and Services
12. Children's Privacy
13. Changes to This Privacy Policy
14. Contact Us
15. Jurisdiction-Specific Provisions

1. INFORMATION WE COLLECT

1.1 Personal Data

“Personal Data” refers to information with personal identifiers that can be used separately or collectively to identify an individual.

1.2 Anonymized Data

“Anonymized Data” refers to information that is not associated with or linked to your Personal Data and cannot be used to identify individual persons.

Important: We only collect Personal Data that is necessary to provide the Service to you. Not all types of data specified below will be collected from every user.

1.3 Categories of Data We Collect

A. Account Registration Data

When you create an account, we collect:

• Email address
• Phone number
• Date of birth
• Password (encrypted)
• Account creation date

B. Profile Information

When you complete your profile, you provide:

• Display name
• Gender identity
• Sexual orientation
• Physical characteristics (height, body type)
• Location/city (not precise GPS coordinates)
• Profile photos
• Bio/about me section
• Interests and preferences
• Relationship preferences
• Lifestyle information (smoking, drinking, exercise habits)

Note: Some of this information (such as sexual orientation and health-related lifestyle choices) may be considered sensitive or special category data in certain jurisdictions. By providing this information, you consent to our processing it as described in this Privacy Policy.

C. Health Documents (Optional)

You may voluntarily upload:

• STD/STI test results showing negative status
• Other health verification documents

Important: We only accept and store documents showing negative test results. Documents showing positive results are automatically rejected and not stored.

D. Content You Create

• Messages sent to other users
• Photos and videos you share
• Comments and interactions
• Reports you submit about other users

E. Location Data

• Approximate location: City or region you provide in your profile
• Precise location (optional): If you enable location sharing features, we collect:
  • GPS coordinates when you share your real-time location with matches
  • Location data when you use location-based matching features

You can control location sharing in your device settings.

F. Usage Data

• Profiles you view and interact with
• Features you use
• Search queries and filters
• Time spent on the app
• Matches and connections you make
• Messages sent and received (metadata)
• Ratings given and received (you can see who rated you but not the individual rating scores)

G. Device and Technical Data

• Device type and model
• Operating system and version
• Unique device identifiers (Device ID, Advertising ID)
• IP address
• Browser type (if using web version)
• App version
• Network information
• Time zone and language settings
• Crash reports and performance data

H. Payment and Transaction Data (When Available)

When our paid features become available and you make purchases:

• Transaction ID
• Purchase date and amount
• Subscription status
• Payment method type (we do NOT store full credit card numbers)
• Billing information processed by our payment provider

Note: All features are currently free. Payment processing will only apply when we introduce paid subscriptions in the future.

I. Customer Support Data

• Support tickets and inquiries
• Communication history with support team
• Feedback and survey responses

2. HOW WE COLLECT INFORMATION

2.1 Information You Provide Directly

• When you create and complete your profile
• When you upload health documents
• When you send messages or interact with other users
• When you contact customer support
• When you participate in surveys or promotions

2.2 Information Collected Automatically

When you use the Service, we automatically collect:

• Device and technical information
• Usage patterns and activity logs
• Location data (if enabled)
• App performance and crash data

2.3 Mobile Device Identifiers

What are Mobile Device IDs? Mobile Device IDs are unique identifiers assigned to your device by the manufacturer (e.g., Apple's IDFA, Google's Advertising ID).

How we use them:

• To recognize your device when you use the Gleap app
• To remember your preferences and settings
• To analyze app performance and crashes
• For fraud prevention and security

Important: Unlike cookies, Mobile Device IDs cannot be deleted. However, you can:

• Reset your Advertising ID in device settings:
  • iOS: Settings → Privacy & Security → Tracking → Reset Advertising Identifier
  • Android: Settings → Google → Ads → Reset Advertising ID
• Opt out of tracking (iOS 14.5+): When prompted, select “Ask App Not to Track”
• Limit ad tracking in device settings

2.4 Information from Third Parties

• Payment processors (transaction confirmation) - when paid features become available
• Cloud service providers (data storage and backup)
• Safety and security providers (fraud detection, content moderation)

2.5 Cookies and Similar Technologies

See Section 6 for detailed information about cookies.

3. HOW WE USE YOUR INFORMATION

3.1 Purpose-Based Data Processing

We process your information for the following purposes:

3.2 Legal Bases for Processing (GDPR/UK GDPR)

Where we process your personal data, we do so under one or more of the following legal bases:

• Performance of Contract: Processing necessary to provide the Service you've signed up for (e.g., creating your profile, enabling messaging, processing payments when available).
• Your Consent: Processing you've explicitly agreed to (e.g., uploading health documents, sharing precise location, receiving marketing communications).
• Legitimate Interest: Processing necessary for our legitimate business interests or those of our users, provided your rights don't override these interests. Our legitimate interests include:
  • Improving and developing the Service
  • Keeping users safe from fraud, abuse, and violations
  • Ensuring rating system integrity
  • Analyzing usage to optimize features
  • Defending legal claims
  • Preventing fraud and unauthorized access
• Legal Obligations: Processing required by law (e.g., responding to court orders, retaining financial records for tax purposes when applicable, complying with data retention laws).
• Vital Interests: Processing necessary to protect someone's life or physical safety (e.g., responding to emergency situations, preventing harm).

You have the right to object to processing based on legitimate interest. See Section 9 for how to exercise this right.

3.3 No Automated Decision-Making

We do not use fully automated decision-making systems that produce legal or similarly significant effects on you. While we may use technology to assist with certain functions (such as showing you profiles based on your preferences or detecting potential Terms violations), all significant decisions involve human review.

3A. WHAT WE DON'T DO WITH YOUR DATA

We do not:

• Sell your personal information to third parties for their marketing purposes
• Share your health documents with other users (only verification badges are visible)
• Publicly disclose individual ratings you receive (only aggregate ratings are shown)
• Use your data in ways not described in this Privacy Policy without your consent
• Share your precise location with other users unless you explicitly choose to do so
• Show advertisements from third parties on the Service
• Provide your contact information (email, phone number) to third-party analytics companies or advertisers
• Use third-party analytics tools that track your behavior across other apps or websites

We never ask for:

• Your password via email, message, or customer support
• Payment details outside of secure payment processors (when paid features become available)
• Health documents showing positive STD/STI results (these are automatically rejected and not stored)

4. HOW WE SHARE YOUR INFORMATION

4.1 Information Visible to Other Users

When you create a profile on Gleap, certain information is visible to other users:

• Your display name and age
• Your profile photos
• Your bio and interests
• Your general distance away from other users
• Your aggregate rating (if you have received ratings)
• Your health verification badge (if you've uploaded documents)
• Your last active status (online/offline)

What other users CANNOT see:

• Your email address or phone number
• Individual ratings you've received
• Your actual health documents
• Your precise GPS location (unless you share it with a specific match)
• Your payment or subscription information (when applicable)

What other users CAN see about ratings:

• They can see WHO rated you (list of users who have rated you)
• They CANNOT see the individual rating scores those users gave you
• They can only see your aggregate (average) rating if you have received sufficient ratings

4.2 Service Providers and Partners

We share your data with trusted third-party service providers who assist us in operating the Service:

Contractual protections: All service providers are bound by contracts requiring them to:

• Use your data only for specified purposes
• Implement appropriate security measures
• Comply with applicable data protection laws (GDPR, PDPA, CCPA, etc.)
• Not share your data with other parties without authorization
• Delete or return data when services are terminated

4.3 Legal and Safety Disclosures

We may disclose your information to:

Law Enforcement and Government Authorities:

• To comply with legal processes (court orders, subpoenas, search warrants)
• To respond to lawful government or regulatory requests
• To assist in crime prevention or investigation
• To protect national security (where required by law)

Safety and Protection:

• To protect the rights, property, or safety of Gleap, our users, or the public
• To prevent or investigate fraud, security breaches, or violations of our Terms
• To enforce our Terms of Service and other agreements
• To respond to emergency situations involving danger of death or serious physical injury

Legal Proceedings:

• To establish, exercise, or defend legal claims
• In connection with litigation, arbitration, or dispute resolution
• To comply with court orders or legal obligations

4.4 Business Transfers

If Gleap is involved in a merger, acquisition, sale of assets, bankruptcy, or other business transaction:

• Your information may be transferred to the new owner or successor entity
• We will notify you via email and/or prominent notice on the Service before your information is transferred
• The new owner will be required to honor the commitments in this Privacy Policy

4.5 With Your Consent

We may share your information with other parties when you give us explicit consent to do so (e.g., if you choose to share your profile on social media).

4.6 Aggregated and Anonymized Data

We may publicly share aggregated or anonymized information that cannot identify you individually, such as:

• “50% of Gleap users in Sydney are interested in outdoor activities”
• “Average number of matches per user: 15”
• “Dating trends and statistics reports”

5. HEALTH INFORMATION AND VERIFICATION

5.1 Health Document Uploads (Optional)

Gleap allows you to voluntarily upload STD/STI test results to verify your health status to potential matches.

What We Accept:

• Recent STD/STI test results showing NEGATIVE status only
• Tests from recognized medical laboratories or clinics
• Documents dated within a reasonable timeframe (typically within the last 6 months)

What We Do NOT Accept:

• Test results showing POSITIVE status
• Unverifiable or tampered documents
• Non-medical documentation

5.2 How Health Documents Are Processed

Review Process:

• You upload a health document via the app
• The document is securely transmitted to our servers (AWS S3 Sydney)
• Our verification team reviews the document (human review, no automated processing of health data)
• If verified, a “Health Verified” badge appears on your profile
• The actual document is stored securely and is NOT visible to other users

Storage and Security:

• Health documents are stored on AWS S3 servers with standard AWS security features
• Access is restricted to authorized verification personnel only
• Documents are stored separately from other profile data
• All access is logged and monitored

5.3 Health Verification Badge

Once your health document is verified:

• A “Health Verified” badge appears on your profile
• Other users can see you have been verified but CANNOT see your actual documents
• The badge does not specify which tests you took or the results
• The badge will expire automatically 90 days after your document upload

5.4 Your Control Over Health Data

You cannot manually delete health documents. Instead:

• Health documents and verification badges automatically expire after 90 days
• After 90 days, the document is automatically deleted from our systems
• You will need to re-upload a current document if you want to maintain verification
• If you delete your entire account, health documents are deleted as part of account closure

5.5 Legal Basis for Processing Health Data

Health information is considered “special category” or “sensitive” personal data under GDPR, UK GDPR, and other privacy laws.

Legal Basis:

• Your explicit consent: By uploading health documents, you provide explicit consent to our processing
• Consent is freely given: You are not required to upload health documents to use Gleap
• Withdrawal: You can withdraw consent by deleting your account (health documents cannot be deleted separately)

5.6 Health Data Retention

• Health documents are retained for 90 days from upload date
• After 90 days, documents are automatically deleted from our active systems
• After account closure, health documents are permanently deleted as soon as reasonably practicable
• For safety investigations, we may retain evidence of fraudulent health documents for a reasonable period after account closure to protect other users

5.7 No Medical Advice

6. COOKIES AND TRACKING TECHNOLOGIES

6.1 What Are Cookies?

Cookies are small text files stored on your device when you use the Service. They help us recognize your device and remember your preferences.

6.2 Types of Technologies We Use

In the Mobile App:

• Mobile Device IDs: Unique identifiers assigned by device manufacturers (see Section 2.3)
• Local Storage: Data stored locally on your device for app functionality
• Session Data: Temporary data stored during your use of the app

On Our Website (gleap.club):

• Cookies: Small text files stored in your browser
• Session Storage: Temporary data stored during your browsing session

6.3 Cookies We Use on Our Website

Note: We do NOT use third-party analytics cookies or advertising cookies.

6.4 How to Manage Cookies

Browser Settings: Most browsers allow you to block or delete cookies:

• Chrome: Settings → Privacy and Security → Cookies and other site data
• Safari: Preferences → Privacy → Manage Website Data
• Firefox: Preferences → Privacy & Security → Cookies and Site Data
• Edge: Settings → Privacy, search, and services → Cookies and site data

Mobile App Settings:

• iOS: Settings → Privacy & Security → Tracking
• Android: Settings → Google → Ads → Opt out of Ads Personalization

Impact of Disabling Cookies:

• Essential cookies: Website will not function properly
• Functional cookies: You'll need to reset preferences each visit

6.5 No Third-Party Tracking

We do not use:

• Google Analytics or other third-party analytics services
• Facebook Pixel or other social media tracking
• Advertising networks or tracking pixels
• Cross-site tracking technologies

Your activity on Gleap is not shared with or tracked by third-party analytics companies.

6.6 Do Not Track Signals

Some browsers have “Do Not Track” (DNT) settings. Currently, there is no industry standard for responding to DNT signals. We respect your privacy and minimize tracking to only what's necessary for Service functionality.

7. INTERNATIONAL DATA TRANSFERS

7.1 Where Your Data Is Stored

Gleap operates globally, and your data may be transferred to, stored in, and processed in countries other than your country of residence.

Primary Data Storage Location: AWS S3 servers located in Sydney, Australia

Data May Be Accessed From:

• Hong Kong (our business operations)
• Other countries where our service providers operate

7.2 Cross-Border Transfer Protections

When we transfer your data outside of your country, we ensure appropriate safeguards are in place:

For EEA, UK, and Swiss Users:

• Standard Contractual Clauses (SCCs): We use European Commission-approved SCCs with service providers
• Adequacy Decisions: We may rely on European Commission adequacy decisions (e.g., for transfers to countries deemed to have adequate data protection)
• Supplementary Measures: Additional security measures (encryption, access controls) to protect data during transfer

For Australian Users:

• Transfers comply with Australian Privacy Principles (APPs)
• Service providers are contractually required to comply with APP-equivalent standards

For Singapore Users:

• Transfers comply with Singapore's Personal Data Protection Act (PDPA)
• Service providers must provide comparable protection

For All Users:

• Data encryption during transmission (TLS 1.3)
• Contractual obligations requiring service providers to protect data
• Right to object to transfers (see Section 9)

7.3 Your Rights Regarding Transfers

You have the right to:

• Request information about where your data is stored and processed
• Request a copy of the safeguards used for international transfers (e.g., SCCs)
• Object to transfers to specific countries (subject to our ability to provide the Service)

To exercise these rights, contact dpo@gleap.club.

8. DATA SECURITY

8.1 How We Protect Your Data

We implement industry-standard security measures to protect your personal information from unauthorized access, use, alteration, and destruction.

Technical Safeguards:

• Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 protocol
• Secure Cloud Storage: AWS S3 with standard AWS security features and access controls
• Password Protection: Passwords are hashed using bcrypt with salt
• Firewalls: Network firewalls to prevent unauthorized access
• Intrusion Detection: Automated systems to detect and respond to security threats

Organizational Safeguards:

• Access Controls: Personal data is accessible only to authorized personnel on a need-to-know basis
• Employee Training: Regular security and privacy training for all staff
• Background Checks: Verification personnel undergo background checks
• Confidentiality Agreements: All employees and contractors sign confidentiality agreements
• Data Minimization: We only collect and retain data necessary for Service provision
• Regular Audits: Periodic security audits and vulnerability assessments

Physical Safeguards:

• Data centers with 24/7 security monitoring
• Biometric access controls
• Redundant power and cooling systems
• Fire suppression systems

8.2 Your Role in Security

You can help protect your account by:

• Using a strong, unique password (at least 12 characters, mix of letters, numbers, symbols)
• Not sharing your password with anyone
• Logging out from shared or public devices
• Enabling device security (PIN, fingerprint, face unlock)
• Keeping your app updated to the latest version
• Reporting suspicious activity immediately to support@gleap.club
• Being cautious of phishing attempts (we never ask for passwords via email)

8.3 Data Breach Notification

Despite our best efforts, no system is 100% secure. In the unlikely event of a data breach affecting your personal information:

What we will do:

• Investigate immediately: Contain the breach and assess the scope
• Notify you promptly upon becoming aware of the breach (via email and in-app notification)
• Notify authorities as required by applicable law:
  • GDPR/UK GDPR: Within 72 hours to supervisory authority
  • PDPA (Singapore): Within 3 days to Personal Data Protection Commission
  • Australian Privacy Act: As soon as practicable to Office of the Australian Information Commissioner
  • Other jurisdictions: As required by local law
• Provide details including: what data was affected, when the breach occurred, steps we've taken to address it, steps you should take to protect yourself, and contact information for further questions

What you should do:

• Change your Gleap password immediately
• Monitor your accounts for suspicious activity
• Enable two-factor authentication (if available in future updates)
• Contact us at security@gleap.club with any concerns
• Report any suspicious communications claiming to be from Gleap

Our commitment: We take data security seriously and continuously invest in systems to detect, prevent, and respond to security incidents.

8.4 Limitations

While we implement robust security measures, we cannot guarantee absolute security. You acknowledge that:

• Internet transmission is never 100% secure
• You use the Service at your own risk
• You are responsible for maintaining the security of your device
• We are not liable for security breaches caused by your actions (e.g., sharing passwords)

9. YOUR PRIVACY RIGHTS

We want you to be in control of your data. Depending on where you live, you have the following rights. The specific rights available to you may vary based on your jurisdiction.

9.1 Universal Rights (Available to All Users)

9.2 Additional Rights for EEA, UK, and Swiss Users (GDPR/UK GDPR)

• Right to Restriction: Right to limit how we use your data while we investigate a complaint
• Right to Data Portability: Enhanced right to transfer data directly to another service (where technically feasible)
• Right to Judicial Remedy: Right to seek compensation through courts if your rights are violated

9.3 Additional Rights for California Users (CCPA/CPRA)

• Right to Know: What categories of personal information we collect and how we use it
• Right to Delete: Request deletion of personal information (with exceptions for legal obligations)
• Right to Opt-Out of Sale: We do not sell personal information (opt-out not needed)
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights
• Right to Correct: Request correction of inaccurate personal information
• Right to Limit Use of Sensitive Personal Information: While we minimize sensitive data use, you can object to certain uses

For California-specific requests: dpo@gleap.club with subject line “California Privacy Request”

9.4 How to Exercise Your Rights

Step 1: Verify Your Identity

For your protection, we must verify your identity before fulfilling requests. We may ask for:

• Your email address or phone number on file
• Answers to security questions
• Recent activity on your account
• Government-issued ID (for sensitive requests like deletion)

Step 2: Submit Your Request

• Email: dpo@gleap.club
• In-App: Settings → Privacy → Submit Privacy Request
• Subject Line: Specify your request (e.g., “Data Access Request,” “Account Deletion Request”)

Step 3: We Respond

• Initial Response: Within 5 business days acknowledging receipt
• Final Response: Within 30 days (may extend to 60 days for complex requests)
• Format: Email response with requested data or confirmation of action taken

9.5 Requests We May Decline

We may decline requests if:

• We cannot verify your identity
• The request is manifestly unfounded, excessive, or repetitive
• The request would infringe on trade secrets or intellectual property
• The request would violate the privacy rights of others
• We are legally required to retain the data
• The request is technically infeasible

If we decline your request, we will explain why and inform you of your right to appeal or complain to a supervisory authority.

9.6 Appeals Process (For Certain US States)

If you are a resident of Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Kentucky, Rhode Island, Maryland, Tennessee, Minnesota, Delaware, Nebraska, New Hampshire, New Jersey, Texas, Oregon, or Montana, and we deny your privacy request:

• Email us: dpo@gleap.club with subject line “Privacy Request Appeal”
• Include: Your original request, our denial response, reason for appeal
• Response: Within 60 days of receiving your appeal
• Further Action: If you're unsatisfied with our appeal decision, you may contact your state's attorney general

9.7 Authorized Agents (California & Other States)

You may designate an authorized agent to submit requests on your behalf. The agent must provide:

• Written authorization signed by you
• Proof of their identity
• Verification that you gave them permission

We may still require you to verify your identity directly.

9.8 Data Protection Authorities

If you believe we've violated your privacy rights, you can lodge a complaint with the relevant supervisory authority:

• European Economic Area: https://edpb.europa.eu/about-edpb/board/members_en
• United Kingdom: Information Commissioner's Office (ICO): https://ico.org.uk
• Switzerland: Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch
• Australia: Office of the Australian Information Commissioner (OAIC): https://www.oaic.gov.au
• Singapore: Personal Data Protection Commission (PDPC): https://www.pdpc.gov.sg
• Hong Kong: Office of the Privacy Commissioner for Personal Data: https://www.pcpd.org.hk
• New Zealand: Office of the Privacy Commissioner: https://www.privacy.org.nz

10. DATA RETENTION

10.1 How Long We Keep Your Data

We retain your personal information only as long as necessary for the purposes outlined in this Privacy Policy and as required by law.

General Retention Principles:

• Active Account Data: Retained while your account is active to provide the Service
• Inactive Accounts: May be automatically closed after a period of prolonged inactivity
• Post-Account Closure: Certain data retained for a reasonable period for safety, legal, and operational purposes
• Health Documents: Automatically deleted 90 days after upload OR promptly after account closure, whichever comes first
• Transaction Records: Retained as required by applicable tax and accounting laws (when paid features become available)
• Legal Hold Data: Retained until legal matter is resolved
• Aggregated/Anonymized Data: May be retained indefinitely as it cannot identify you

10.2 Safety Retention Period

After you close your account or are banned, we retain certain data for a reasonable period to:

• Investigate reports of abuse, fraud, or violations submitted after account closure
• Respond to law enforcement requests about past activity
• Defend against legal claims
• Identify patterns of abuse across multiple accounts
• Protect the safety of remaining users

Data retained during safety period:

• Account identifiers (email, phone, device IDs)
• Profile data
• Messages and content involved in reports
• Rating history
• Usage logs
• Reports submitted by or about you

Data NOT retained:

• Health documents (deleted automatically after 90 days or promptly after account closure)
• Payment information (deleted immediately unless legally required, when applicable)
• Precise location data (deleted immediately)

10.3 Legal Data Retention

We retain certain data to comply with legal obligations:

• Tax and Financial Records (when applicable): Transaction history, invoices, subscription records — retained as required by Hong Kong Inland Revenue Ordinance, Australian Taxation Office, and other applicable laws
• Traffic Data / Access Logs: IP addresses, session logs, access timestamps — retained as required by applicable data retention laws
• Consent Records: Records of consents you've given and withdrawals — required by GDPR Article 7 and other applicable laws

10.4 Data Retention After Specific Actions

If you let health documents expire (90 days):

• Removed from active systems automatically
• Verification badge removed from profile
• Permanently deleted promptly
• No copies retained after deletion cycle

If you delete your account:

• Health documents deleted promptly (if still within 90-day period)
• Most profile data deleted or anonymized within a reasonable period
• Some data retained for safety period (see Section 10.2)

If you delete specific messages:

• Deleted from your view and recipient's view
• May be retained in backups temporarily
• Permanently removed after backup cycle

If you delete profile photos:

• Removed from profile immediately
• Deleted from servers promptly
• May remain in backups temporarily

10.5 Anonymized and Aggregate Data

What is Anonymized Data? Anonymized Data is information that has been processed to remove all personal identifiers, so it cannot be used to identify you individually.

Examples:

• “Users in Sydney aged 25-34 prefer profiles with outdoor activity photos”
• “Average number of messages sent per day across all users: 12”
• “Percentage of users who complete health verification: 35%”

How we use it:

• To improve the Service and develop new features
• To understand usage trends and demographics
• To publish research or reports (e.g., “Dating Trends 2026”)
• To optimize features

Retention: Anonymized and aggregate data may be retained indefinitely because it cannot identify you personally.

Your rights: Because anonymized data cannot identify you, data subject rights (access, deletion, etc.) do not apply to anonymized data under most privacy laws (GDPR, CCPA, etc.).

10.6 Data Deletion Process

When data is scheduled for deletion:

• Marked for deletion in our active database
• Removed from backups during the next backup cycle
• Overwritten on storage media to prevent recovery
• Certificates of destruction maintained for audit purposes

Note: Data deleted from our systems may remain in backups temporarily during normal backup rotation cycles.

11. THIRD-PARTY LINKS AND SERVICES

11.1 External Links

The Service may contain links to third-party websites, apps, or services (e.g., health clinics, testing centers, social media platforms).

Before using external services:

• Read their privacy policies
• Understand what data they collect
• Review their security practices

11.2 Third-Party Payment Processors (When Available)

When we introduce paid features, we will use third-party payment processors to handle transactions:

• Apple In-App Purchase (for iOS subscriptions)
• Google Play Billing (for Android subscriptions)

What they will collect: Payment card information, billing address, transaction details

What we will receive: Transaction confirmation, subscription status, transaction ID (no full card numbers)

Their privacy policies:

• Apple: https://www.apple.com/legal/privacy/
• Google: https://policies.google.com/privacy

11.3 Social Media Platforms

If you share content from Gleap to social media (e.g., “Check out my profile”), the social media platform may collect information about your activity.

We do not:

• Access your social media friends list
• Post to social media without your permission
• Track your activity on social media

11.4 Health Testing Providers

We may provide links to STD/STI testing clinics or services for your convenience.

11.5 No Liability

You agree that Gleap is not liable for:

• Privacy practices of third-party services
• Losses or damages resulting from third-party services
• Accuracy or legality of third-party content
• Security breaches on third-party platforms

Use third-party services at your own risk.

12. CHILDREN'S PRIVACY

12.1 Age Requirement

Gleap is restricted to individuals who are 18 years of age or older.

We do not knowingly collect personal information from anyone under 18 years of age. If you are under 18, do not use the Service, do not create an account, and do not provide any information to us.

12.2 If You Are a Parent or Guardian

If you believe your child under 18 has created an account or provided us with personal information:

Step 1: Contact Us Immediately

• Email: support@gleap.club or dpo@gleap.club
• Subject Line: “Underage User Report”

Step 2: Provide the Following Information

• Your relationship to the child
• The child's username, email, or phone number (if known)
• Proof of your legal guardianship (e.g., birth certificate, court documents)
• Any additional information that can help us locate the account

Step 3: We Will Take Action

• Investigate and verify the claim within 5 business days
• Immediately suspend the account if the user is confirmed to be under 18
• Permanently delete all personal information associated with the account promptly
• Notify you once deletion is complete

12.3 Reporting Underage Users

If you suspect another user is under 18:

In-App Reporting:

• Go to the user's profile
• Tap the “Report” button
• Select “Underage User”
• Provide any supporting information

Email Reporting:

• Email: support@gleap.club
• Include: Username, profile link, reason for suspicion

We will investigate all reports promptly, request age verification if necessary, suspend and delete accounts confirmed to be underage, and ban users who misrepresent their age.

12.4 Age Verification

To enforce our age requirement:

• Users must provide date of birth during registration
• We use automated checks to detect potentially underage users
• We may request government-issued ID for age verification
• Accounts that cannot verify age will be suspended

12.5 No Liability for Misrepresentation

While we take age verification seriously:

• We cannot guarantee all users have accurately reported their age
• Users are responsible for representing themselves truthfully
• We are not liable for minors who lie about their age
• Parents/guardians are responsible for monitoring their children's online activity

12.6 Educational Purpose

If you are a parent, please:

• Talk to your children about online safety
• Monitor their device usage
• Use parental controls to restrict access to dating apps
• Report any underage users you discover

13. CHANGES TO THIS PRIVACY POLICY

13.1 Updates

We may update this Privacy Policy from time to time to reflect:

• Changes in our data practices
• New features or services
• Legal or regulatory requirements
• Industry best practices
• User feedback

Current Version:

• Effective Date: February 22, 2026
• Version: 1.0

13.2 Notice of Material Changes

Before any material changes take effect (e.g., changes to how we use sensitive data, new data sharing practices, reduced rights), we will:

Notify You:

• In-app notification: Prominent banner when you open the app
• Email notification: Sent to your registered email address
• Push notification: If you've enabled notifications
• Updated “Last Updated” date at the top of this policy

Advance Notice:

• 30 days before material changes take effect
• You'll have time to review changes and decide whether to continue using the Service

13.3 Non-Material Changes

For minor changes (e.g., clarifications, typos, formatting), we will:

• Update the “Last Updated” date
• Post the revised policy on our website and app
• Not send individual notifications

13.4 Your Continued Use

By continuing to use the Service after changes take effect, you accept the updated Privacy Policy.

If you don't agree with changes:

• Stop using the Service
• Delete your account before changes take effect
• Contact us with questions: dpo@gleap.club

13.5 Archived Versions

Previous versions of this Privacy Policy are available upon request:

• Email: dpo@gleap.club
• Subject: “Previous Privacy Policy Request”
• Specify the date or version you'd like to review

14. CONTACT US

14.1 General Inquiries

For questions about this Privacy Policy, our data practices, or the Service:

14.2 Privacy Requests

To exercise your privacy rights (access, deletion, correction, etc.):

• Email: dpo@gleap.club
• Subject: Specify your request type (e.g., “Data Access Request”)
• Include: Your registered email or phone number for identity verification

14.3 Security Concerns

To report security vulnerabilities or data breaches:

• Email: security@gleap.club
• Use subject line: “Security Issue”
• Do not publicly disclose vulnerabilities before we've had a chance to address them

14.4 Mailing Address

14.5 Response Times

• General inquiries: 5 business days
• Privacy requests: 30 days (may extend to 60 days for complex requests)
• Security issues: Immediate acknowledgment, resolution timeline depends on severity
• Customer support: 24-48 hours

15. JURISDICTION-SPECIFIC PROVISIONS

15.1 European Economic Area (EEA), United Kingdom, and Switzerland

Legal Basis for Processing: See Section 3.2 for detailed legal bases under GDPR/UK GDPR.

Your Rights: Enhanced rights under GDPR/UK GDPR as detailed in Section 9.2.

Data Controller: Gleap Limited (contact details in Section 14.4)

Data Protection Officer: dpo@gleap.club

Supervisory Authority: You have the right to lodge a complaint with your local data protection authority:

• EEA: https://edpb.europa.eu/about-edpb/board/members_en
• UK: Information Commissioner's Office (ICO) - https://ico.org.uk
• Switzerland: Federal Data Protection and Information Commissioner (FDPIC) - https://www.edoeb.admin.ch

Data Transfers: We use Standard Contractual Clauses (SCCs) for transfers outside the EEA/UK/Switzerland (see Section 7).

15.2 Australia

Australian Privacy Principles (APPs): We comply with the Privacy Act 1988 (Cth) and APPs.

Your Rights:

• Access and correct your personal information
• Make a complaint about how we handle your information

Complaints: If you're not satisfied with our response to a privacy complaint:

• Contact the Office of the Australian Information Commissioner (OAIC)
• Website: https://www.oaic.gov.au
• Phone: 1300 363 992

Overseas Disclosure: Your data may be disclosed to overseas recipients (see Section 7). By using the Service, you consent to these disclosures.

15.3 Singapore

Personal Data Protection Act (PDPA): We comply with Singapore's PDPA 2012.

Your Rights:

• Access your personal data
• Correct inaccurate data
• Withdraw consent (may affect Service availability)

Complaints: If you have concerns about our data practices:

• Contact our Data Protection Officer: dpo@gleap.club
• If unsatisfied, contact the Personal Data Protection Commission (PDPC)
• Website: https://www.pdpc.gov.sg

Do Not Call (DNC) Registry: We respect Singapore's DNC Registry. If you've registered your number, we will not send marketing calls/SMS unless you've given explicit consent.

15.4 Hong Kong

Personal Data (Privacy) Ordinance: We comply with Hong Kong's PDPO.

Data User: Gleap Limited (Company Number: 3219068)

Your Rights:

• Access and correct your personal data
• Object to use of data for direct marketing

Complaints: Contact the Office of the Privacy Commissioner for Personal Data:

• Website: https://www.pcpd.org.hk
• Phone: +852 2827 2827

15.5 New Zealand

Privacy Act 2020: We comply with New Zealand's Privacy Act.

Your Rights:

• Access and correct your personal information
• Request deletion of data
• Make privacy complaints

Complaints: Contact the Office of the Privacy Commissioner:

• Website: https://www.privacy.org.nz
• Phone: 0800 803 909

15.6 California, USA

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA):

Your Rights:

• Right to Know what personal information we collect and how we use it
• Right to Delete personal information (with certain exceptions)
• Right to Opt-Out of Sale (Note: We do not sell personal information)
• Right to Non-Discrimination for exercising your rights
• Right to Correct inaccurate information
• Right to Limit Use of Sensitive Personal Information

Categories of Personal Information Collected: See Section 1.3 for detailed categories.

Business Purpose for Collection: See Section 3 for purposes.

Categories of Third Parties We Share With: See Section 4 for recipients.

Do Not Sell My Personal Information: We do not sell personal information. If this changes, we will provide an opt-out.

Shine the Light Law: California residents can request information about personal information disclosed to third parties for their direct marketing purposes (once per year, free of charge).

To Exercise Your Rights:

• Email: dpo@gleap.club with subject “California Privacy Request”
• Include: Your name, email, and specific request

Authorized Agents: You may designate an authorized agent to make requests on your behalf (see Section 9.7).

Response Time: Within 45 days (may extend to 90 days for complex requests).

15.7 Other US States (Virginia, Colorado, Connecticut, Utah, etc.)

Many US states have enacted comprehensive privacy laws similar to California's CCPA. If you reside in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa, Indiana, Kentucky, Rhode Island, Maryland, Tennessee, Minnesota, Delaware, Nebraska, New Hampshire, New Jersey, Texas, Oregon, or Montana:

Your Rights (generally include):

• Right to Access personal data
• Right to Delete personal data
• Right to Correct inaccurate data
• Right to Opt-Out of targeted advertising (Note: We don't do targeted ads)
• Right to Opt-Out of sale of personal data (Note: We don't sell data)
• Right to Appeal denied requests (see Section 9.6)

To Exercise Your Rights: Email dpo@gleap.club with subject “[Your State] Privacy Request”

Response time: Typically 45 days

Appeals: If we deny your request, you may appeal (see Section 9.6).

15.8 Canada

Personal Information Protection and Electronic Documents Act (PIPEDA):

Your Rights:

• Access your personal information
• Challenge accuracy and completeness
• Withdraw consent (may affect Service availability)

Complaints: Contact the Office of the Privacy Commissioner of Canada:

• Website: https://www.priv.gc.ca
• Phone: 1-800-282-1376

15.9 Brazil

Lei Geral de Proteção de Dados (LGPD):

Your Rights:

• Confirmation of processing
• Access to data
• Correction of incomplete/inaccurate data
• Anonymization, blocking, or deletion
• Portability
• Information about sharing
• Refusal to consent
• Revocation of consent

Data Controller: Gleap Limited

Data Protection Officer (Brazil): Email: dpobrazil@gleap.club

Complaints: Contact Autoridade Nacional de Proteção de Dados (ANPD):

• Website: https://www.gov.br/anpd

15.10 Other Jurisdictions

If your jurisdiction is not specifically listed above, we will:

• Comply with applicable local privacy laws
• Provide rights required by law in your jurisdiction
• Respond to your privacy requests in accordance with local requirements

To inquire about your jurisdiction: Email dpo@gleap.club with your location and specific questions.

16. ACCEPTANCE OF THIS POLICY

By creating an account and using Gleap, you acknowledge that you have read, understood, and agree to this Privacy Policy.

This Privacy Policy is incorporated into and forms part of our Terms and Conditions.

If you do not agree with this Privacy Policy, you must not use the Service.

End of Privacy Policy

Last Updated: February 22, 2026 — Version: 1.0

Copyright © 2026. GLEAP LIMITED. All rights reserved.