Privacy Policy

The short version

We collect the minimum data needed to run the waitlist. We never sell it, share it with third parties, or use it for advertising. We delete it on the schedule below, automatically. We have no in-app messaging, so we cannot leak conversations we never had.

What we collect

From hosts (people who create a waitlist): email address, display name, handle (the URL slug), Instagram handle (optional), and an emoji of their choosing.

From applicants (people who apply to a waitlist): first name (or chosen name), email address, free-text answers to the host's prompts, and one optional public link.

What we explicitly do NOT collect: no last names, no phone numbers, no government IDs, no biometrics, no selfies, no location data, no date of birth, no payment information, no data about anyone other than the person filling out the form themselves.

How we use it

Host emails are used to send magic-link sign-in emails. Applicant emails are used only to send status notifications (queue position, decision). We never email anyone for marketing purposes. We do not have a newsletter.

Applicant emails are encrypted at rest using AES-256-GCM with a key separate from the database credentials, so a database dump alone does not yield plaintext emails.

How long we keep it

Deletion is enforced automatically by a daily job. We do not rely on human discipline.

• Pending applications: until the host makes a decision.
• Approved applications: 90 days after the decision, then deleted.
• Archived applications: 30 days after the decision, then deleted.
• Applications on a deleted waitlist: deleted within 24 hours.
• Magic-link sign-in tokens: 15 minutes, or sooner if used.
• Sessions: 30 days of inactivity.

Who we share it with

We do not sell, rent, or trade your data. We do not share it with advertisers. We do not use it to train AI models.

We use a small number of third-party services to operate the platform:

• Supabase — hosts our database. Located in North Virginia, USA.
• Resend — sends our transactional emails.
• Cloudflare — bot protection on our forms and our domain registrar.
• Vercel — hosts the application itself.

These services may process data on our behalf. They do not have independent rights to use it.

Your rights

We honor these rights for everyone, regardless of where you live. California residents have these rights under the CCPA; EU residents have these rights under the GDPR; we apply them globally.

• Right to delete: applicants can delete their application at any time from their status page. Hosts can delete their waitlist at any time from their settings, which deletes all associated applications within 24 hours.
• Right to know: email us and we will tell you what we have about you.
• Right to correction: hosts can edit their own information. Applicants can delete and resubmit.
• Right to non-discrimination: we will not treat you differently for exercising any of these rights.
• Right to data portability: email us and we will send you a copy of your data in a machine-readable format.

Children

The Dating Waitlist is not intended for anyone under 18. We do not knowingly collect data from minors. If we learn that we have collected data from a minor, we will delete it.

Security

We follow the security posture described in our public threat model. Highlights: no object storage (so no file-upload breach surface), applicant emails encrypted at rest, default-deny access control at the application layer, no logging of message content, secrets in environment variables only.

If we ever experience a security breach, we will notify affected users within 72 hours of confirmation, in line with GDPR norms, regardless of where you live.

Contact

For any privacy question or to exercise any of your rights, email thedatingwaitlist@gmail.com. We will respond within 30 days.

Changes

If we change this policy, we will update the "Last updated" date at the top. For substantive changes (collecting new data, sharing with new third parties), we will email registered hosts before the change takes effect.