Privacy Policy

Effective 2026-05-01

This policy explains what Adorable collects, why, who we share it with, and what you can do about it. It is written to align with the Nigeria Data Protection Act (NDPA) 2023, the GDPR (where applicable), and the Apple App Store / Google Play disclosure requirements.

The data controller is Oriverse Technologies Ltd., contactable at privacy@oriverse.com.

1. What we collect

Identity & profile

• Email address, phone number, display name, profile photo, short bio, interests.
• Sign-in identifier from Google or Apple, if you use those providers.

Location

• Your device's coarse location and (with permission) precise location, used to centre the map, find nearby places, and — only if you opt in via "Live on map" — to publish a presence pin to other users for up to 2 hours.
• Place check-ins are stored in our database for 2 hours and then expire automatically.

Activity

• Places you view, search, save, or check in to.
• Messages you send and receive within the app, including read timestamps. This includes voice notes recorded in chat.
• Reports you submit about other users, places, or messages.
• Users you block.

Device & technical

• Firebase Cloud Messaging (FCM) registration tokens, used to deliver push notifications. Stored in your user profile and pruned when invalid.
• Crash logs and error stacks (via Firebase Crashlytics) — anonymised, aggregated; never include message content or location.
• IP address, device model, OS version (collected by Firebase Auth and our backend for rate limiting and abuse prevention).

We do not collect government IDs, payment information, biometric data, or precise contact lists.

2. Why we collect it (lawful basis)

• Performance of contract (NDPA Article 25(c) / GDPR Article 6(1)(b)): operating the core service — auth, discovery, check-ins, messaging.
• Consent (NDPA Article 25(a) / GDPR Article 6(1)(a)): precise location, push notifications, optional features ("Live on map", event reminders).
• Legitimate interests (NDPA Article 25(f) / GDPR Article 6(1)(f)): safety enforcement (phone verification, rate limiting, moderation), product analytics in aggregate form, fraud prevention.
• Legal obligation (NDPA Article 25(c) / GDPR Article 6(1)(c)): responding to lawful requests; retaining moderation records for the period required by law.

3. How we use it

• To run the core product: authentication, place discovery, check-ins, presence, 1-to-1 messaging, push notifications.
• To enforce safety: phone-verification gate, rate limiting, blocking, and moderation review of reports.
• To debug, secure, and improve the product through aggregated, non-identifying analytics.
• To communicate with you about your account, security, or material changes to these documents.

We do not sell personal data. We do not share personal data with advertisers. We do not use your messages, voice notes, or photos to train AI models.

4. Who we share it with (sub-processors)

• Google LLC (Firebase) — authentication, Firestore database, Cloud Storage for files, Cloud Messaging for pushes, Crashlytics for crash reporting. Servers may be in the US or EU. Google's terms: firebase.google.com/terms.
• Mapbox, Inc. (US) — map tiles, geocoding, directions. Coarse location and search queries pass through Mapbox; we proxy directions through our backend so individual users are not directly identifiable to Mapbox. Privacy: mapbox.com/legal/privacy.
• Apple Inc. and Google LLC — app distribution and platform-level push delivery (APNs / FCM). Subject to their developer agreements.
• Hetzner Online GmbH (Germany) — cloud hosting for the Adorable backend. Servers are in Germany; data in transit is TLS-encrypted.
• Coolify — open-source self-hosted deployment platform; runs on the Hetzner server above and does not receive separate data outside the app's normal request flow.

We do not share your personal data with any other recipient unless required by law (e.g. a valid court order from a Nigerian or other competent jurisdiction) or to investigate genuine safety threats.

5. International data transfers

Some of our sub-processors are based outside Nigeria — primarily in the United States and the European Union. We rely on contractual safeguards (including the EU Standard Contractual Clauses where applicable) to protect transferred data, and on the data-protection laws of those jurisdictions. By using the Service you consent to these transfers.

6. Retention

• Active account data — kept while your account exists.
• Check-in / presence records — auto-expire 2 hours after creation.
• Messages and voice notes — kept until either participant deletes the conversation or their account.
• Reports — retained for the lifetime of the moderation case plus 12 months after closure, so we can detect repeat offenders.
• Crash logs — retained 90 days, then aggregated.
• Backups — encrypted backups containing your data are overwritten within 90 days of your account deletion.

7. Your rights

You have the right to:

• access the personal data we hold about you;
• correct inaccurate data (much of this is editable directly in Settings);
• delete your data — instantly via Settings → Delete Account, which removes your profile, check-ins, saved places, conversations, voice notes, and uploaded photos, and revokes your authentication;
• restrict or object to processing based on legitimate interests;
• receive your data in a portable format (email privacy@oriverse.com);
• withdraw consent for optional features at any time without affecting prior processing;
• lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng, or with the data-protection authority in your country of residence.

We respond to verified rights requests within 30 days.

8. Security

• All traffic between the app and our backend uses HTTPS (TLS 1.2+).
• Passwords are handled entirely by Firebase Authentication and are never visible to us.
• Photos, voice notes, and other files are stored in Firebase Cloud Storage with rule-based access control (your uploads are written only by you; place photos are written only by our backend).
• Backend access is audit-logged.
• We design with the principle of least privilege; team members only access user data when necessary for support, safety, or legal compliance.

No system is perfectly secure. If we detect a personal-data breach affecting you, we will notify you and the NDPC within the timelines required by law.

9. Children

Adorable is for users 18 and older. We do not knowingly collect data from anyone under 18. If you believe a minor is using the Service, contact privacy@oriverse.com and we will investigate and remove the account.

10. Cookies & SDKs

The mobile app does not use web cookies. It uses the Firebase, Mapbox, and Crashlytics SDKs, each of which collects technical identifiers (device model, OS version, an installation id) for analytics and crash reporting. You can reset these identifiers in your device settings.

11. Changes to this policy

We update this policy when our practices change. Material changes are surfaced in-app and the new effective date is shown above. We keep prior versions on request.

12. Contact

For privacy questions, requests, or complaints: privacy@oriverse.com.
Oriverse Technologies Ltd. — hello@oriverse.com