Privacy Policy
Last updated: 2026-06-15
1. Controller identity
The controller responsible for the processing of your personal data in connection with this Service is the Machai operator. Our legal name, postal address, and other operator details are set out in our Imprint. For privacy-specific enquiries, contact us at ashkan.taremi@machaiapp.com.
2. Data we collect
We collect the following categories of personal data:
- Account data: email address, email verification status, tier (free or Plus), account creation and last-login timestamps; if you sign in with Google, the Google account identifier instead of a password.
- Profile data: display name, birthdate, gender, sexual orientation and who you are interested in, location (city plus latitude and longitude), distance preference, relationship intent, interests, lifestyle and structured-profile fields (height, body type, profession, lifestyle pace), free-text fun facts, your "mood of the day" and "secret to agent" notes, and any social-platform handles you choose to share.
- Photos: photo files you upload (primary and gallery).
- Onboarding and daily-question answers: your responses to onboarding cards and to the daily question used to enrich your profile over time.
- AI-generated artefacts: your First Impression text, agent-to-agent conversation transcripts, compatibility scores and sub-scores with analyst notes, and the persona embedding vector we compute from your profile and First Impression.
- Wallet and purchase data: token balance, transaction ledger, active boosts; Stripe customer identifier, subscription identifier, subscription status, and renewal date. We never store card numbers, card brands, or card last-four digits — those remain with Stripe.
- Match and conversation data: match queue rows, consent events (the Tier-1 / Tier-2 / Tier-3 routing decisions taken by the safety pipeline), chat threads, and chat messages exchanged with your matched partner.
- Reports and audit records: reports you submit on other users or messages, admin actions taken on your account, and access logs maintained as an audit trail.
- Service operation data: rate-limit counters, error reports, and per-call AI metadata (token counts, model identifier, EUR cost, and latency — never the content of the prompt or completion).
3. Legal bases for processing
We rely on the following legal bases under Article 6(1) GDPR:
- Contract performance — Art. 6(1)(b): to operate the Service you have signed up for, including account management, agent orchestration, matching, messaging, and billing for tokens and Machai Plus.
- Legal obligation — Art. 6(1)(c): to comply with financial-record obligations, tax law, and lawful requests from authorities.
- Legitimate interest — Art. 6(1)(f): to operate our safety pipeline (moderation, hard-limit enforcement, abuse prevention), to debug and improve the Service, and to maintain an audit trail.
- Consent — Art. 6(1)(a): where we ask for it specifically. We do not currently rely on consent for any default processing; if we later add features that require it (for example, a browser analytics SDK), we will request consent before activating them.
You can object to processing carried out on the legitimate-interest basis under Article 21 GDPR (see Section 8).
4. Why we collect each category
| Category | Purpose |
|---|---|
| Account data | Authenticate you and gate Plus features |
| Profile data | Generate your First Impression, drive your agent's behaviour, and compute matches |
| Photos | Render your profile to other users; show your gallery to a partner after handoff |
| Onboarding and daily-question answers | Enrich your profile so the matching and First Impression are accurate |
| AI artefacts | Drive matching, scoring, and the consent-tier routing decisions |
| Wallet and purchase | Account for tokens, deliver Plus benefits, reconcile with Stripe |
| Match and conversation | Operate the agent-to-agent pipeline and the human handoff chat |
| Reports and audit | Investigate safety reports and document admin actions for accountability |
| Service operation | Enforce rate limits, debug errors, account for AI costs |
5. Third-party data processors
The following processors handle your personal data on our behalf or as independent controllers for limited purposes:
| Processor | Role | Data processed |
|---|---|---|
| OpenAI (United States) | LLM provider for compatibility scoring, moderation, embeddings, and daily-question generation | Conversation transcript text, prompt input, profile snippets |
| Anthropic (United States) | LLM provider for agent dialogue, Plus tier | Conversation history and persona prompts |
| Groq (United States) | LLM provider for agent dialogue, free tier | Conversation history and persona prompts |
| Stripe (European Union and United States, PCI-DSS scope) | Payment processor for token packs and Plus subscription | Email address, Stripe customer identifier, subscription lifecycle events |
| Resend (United States) | Transactional email delivery | Recipient email address, partner display name, subject and body of the email |
| Cloudflare R2 (EU-resident bucket) | Photo storage | Photo bytes; presigned URLs for time-limited access |
| Google (United States) | OAuth sign-in provider | Email address and Google account identifier when you sign in with Google |
| PostHog (EU host: eu.posthog.com) | Server-side product analytics | Event names, your user identifier (UUID), and event properties with PII fields (email, names, phone, address, IP, photo URLs, card details) stripped at the boundary |
| Sentry (European Union) | Error and performance tracking, optional | Transaction metadata and error stack traces; no PII tags, no chat content, no payment details |
We have data-processing agreements ("DPAs") in place with each processor where required under Article 28 GDPR. For US-based processors, see Section 11 (International transfers).
6. AI processing disclosure
We use large language models ("LLMs") to operate Service features. Routing of tasks between providers depends on the task and your tier:
- Agent dialogue — Free tier: Groq (Llama 3.3 70B Versatile). Plus tier: Anthropic (Claude Sonnet 4.6).
- Compatibility scoring, moderation, embeddings, and daily-question generation — both tiers: OpenAI (gpt-5.4-mini, plus the omni-moderation-latest endpoint for moderation).
Data flow per feature:
- First Impression generation: your profile data and an allow-listed subset of your user-facts are sent to the relevant provider in a single prompt; the response is your generated First Impression text. You can edit the result before it goes live.
- Daily questions: an allow-listed subset of your user-facts and your prior daily-question answers are referenced to generate a personalised question. Your answer is written back to your profile.
- Agent-to-agent dialogue: your First Impression text, allow-listed persona-relevant user-facts, your mood-of-the-day if set, and the running conversation history are sent to the dialogue provider on each turn — for your own agent only. Your data is never made available to another user's agent.
- Compatibility scoring: the completed transcript and both participants' persona prompts are sent to OpenAI to produce the five sub-scores and analyst notes.
- Moderation: free-text inputs are sent to OpenAI's moderation endpoint before they are written to the database.
- Embeddings: a persona text composed from your profile, your active First Impression, and an allow-listed subset of your user-facts is sent to OpenAI for embedding generation; the resulting vector is stored in our database for candidate matching.
All three of our LLM providers exclude API submissions from model training by default under their commercial API terms. We additionally set the store=false parameter on OpenAI chat-completion calls to opt out of OpenAI's 30-day Application State retention. Zero Data Retention status differs per provider: Groq Zero Data Retention is enabled in our Data Controls; for OpenAI, our application for Enterprise Zero Data Retention or Modified Abuse Monitoring is in process; Anthropic operates on its standard 7-day API log retention, with no training under its commercial API terms.
We store per-call cost and latency metadata in our own database — never the prompt or completion content — to operate the per-user budget cap and to debug performance issues.
Selective exclusions from the LLM pipeline. Some user-facts that you can see inside the Service are deliberately kept out of the persona embedding and out of any context other than your own agent's:
- Mood of the day and secret to agent are included only in your own agent's prompt context (so your agent reflects them when it speaks on your behalf). They are never shared with another user's agent and are never included in the embedding that drives candidate matching.
- Social-platform handles (Instagram, TikTok, X links) are not currently sent to any LLM provider. They are stored for display and for a future profile-enrichment feature; the consumer for that feature is not shipped.
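The allow-listing and exclusion rules above can be illustrated in code. The following is an added example in TypeScript, not Machai's own code: the fact keys, the allow-lists and the social-handle key names are assumptions, and the sample profile is constructed. Each outbound context is built from an explicit allow-list, and a separate deny-check is run on the result so that a mistake in an allow-list cannot leak mood, secret-to-agent or social handles to the wrong destination.

```typescript
// Added example, not Machai's code. Fact keys and allow-lists are assumptions.
type Facts = { [key: string]: string | undefined };

interface Profile { displayName: string; city: string; relationshipIntent: string; }

// Facts the dialogue provider may see when the owner's own agent speaks (assumed).
const AGENT_PROMPT_FACTS = ["interests", "lifestyle_pace", "fun_facts", "mood_of_the_day", "secret_to_agent"];
// Facts that may feed the persona embedding; mood and secret are deliberately absent.
const EMBEDDING_FACTS = ["interests", "lifestyle_pace", "profession", "fun_facts"];
// Facts that must never reach any LLM provider (assumed key names for social handles).
const NEVER_TO_LLM = ["instagram_handle", "tiktok_handle", "x_handle"];
// Facts confined to the owner's own agent prompt.
const OWN_AGENT_ONLY = ["mood_of_the_day", "secret_to_agent"];

type Destination = "own_agent" | "embedding";

// Copy only allow-listed, non-empty facts; everything else is dropped silently.
function pickFacts(facts: Facts, allow: string[]): Facts {
  const out: Facts = {};
  for (const key of allow) {
    const v = facts[key];
    if (v !== undefined && v.trim() !== "") out[key] = v;
  }
  return out;
}

// Deny-check run on every outbound payload, independent of the allow-list (defence in depth).
function assertAllowedFor(dest: Destination, facts: Facts): void {
  for (const key of Object.keys(facts)) {
    if (NEVER_TO_LLM.indexOf(key) !== -1) {
      throw new Error(`${key} must not be sent to an LLM provider`);
    }
    if (dest !== "own_agent" && OWN_AGENT_ONLY.indexOf(key) !== -1) {
      throw new Error(`${key} may only appear in the owner's own agent prompt`);
    }
  }
}

// Context for the owner's own agent: includes mood and secret, never social handles.
function ownAgentContext(profile: Profile, firstImpression: string, facts: Facts) {
  const selected = pickFacts(facts, AGENT_PROMPT_FACTS);
  assertAllowedFor("own_agent", selected);
  return {
    persona: `${profile.displayName} (${profile.relationshipIntent})`,
    firstImpression,
    facts: selected,
  };
}

// Persona text sent for embedding: profile fields, First Impression, allow-listed facts only.
function embeddingPersonaText(profile: Profile, firstImpression: string, facts: Facts): string {
  const selected = pickFacts(facts, EMBEDDING_FACTS);
  assertAllowedFor("embedding", selected);
  const lines: string[] = [`${profile.relationshipIntent} in ${profile.city}`, firstImpression];
  for (const key of Object.keys(selected)) lines.push(`${key}: ${selected[key]}`);
  return lines.join("\n");
}

// Constructed sample input (not real user data).
const sampleFacts: Facts = {
  interests: "climbing, jazz",
  lifestyle_pace: "slow mornings",
  profession: "nurse",
  mood_of_the_day: "tired but hopeful",
  secret_to_agent: "I hate small talk",
  instagram_handle: "@alice",
};
const sampleProfile: Profile = { displayName: "Alice", city: "Frankfurt", relationshipIntent: "long-term" };
const sampleFirstImpression = "Warm, curious, allergic to clichés.";
```

Running `embeddingPersonaText(sampleProfile, sampleFirstImpression, sampleFacts)` yields a text containing the interests and profession but neither the mood, the secret nor the handle, while `ownAgentContext` keeps the mood and secret for the owner's own agent. The deny-check makes a future allow-list edit that accidentally adds a handle fail loudly rather than leak.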
Agent replies in opened chats
If you enable Agent Replies, your personal AI agent may draft and send messages on your behalf in a 1:1 chat you have already opened. The feature is disabled by default at the account level, and once enabled it is additionally off by default for each chat: you must switch it on for that specific chat.
Your agent may only reply in chats that you have already opened yourself. In the beta, your agent cannot approve matches for you, cannot automatically confirm handoffs, and cannot open new 1:1 chats without your prior manual confirmation.
To generate Agent Replies, we process in particular:
- your profile information and preferences;
- match and compatibility context;
- the previous conversation in the relevant chat;
- your agent settings;
- technical information about enabling, disabling and using the feature.
This information may include sensitive information or allow sensitive inferences, especially in a dating context. Where special categories of personal data are processed, we rely on your explicit consent.
Every message written by your agent is clearly labelled as "Agent" in the chat. If you write in the chat yourself, your agent pauses and asks whether it should continue.
You can disable Agent Replies at any time. Withdrawal applies for the future. Messages that have already been sent remain in the chat unless they are deleted or the chat is closed under the general product features. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
The legal basis for Agent Replies is your consent under Art. 6(1)(a) GDPR. Where special categories of personal data are involved, we rely on your explicit consent under Art. 9(2)(a) GDPR.
Audit logs for Agent Replies
To ensure accountability, security and abuse prevention, we record agentic actions in an immutable audit log. This log includes in particular the relevant chat, the time of the action, the actor type ("human" or "agent"), the consent version, and enable/disable events. The message content is not duplicated in the audit log unless this is required for security, troubleshooting or legal defence.
Access to audit logs is restricted to authorised personnel and is logged internally. Audit logs are retained only for as long as necessary for accountability, security and legal defence purposes.
Automated decision-making
Machai uses automated systems to assess compatibility, suggest matches and provide the service. However, in the beta your agent does not automatically confirm handoffs and does not open 1:1 chats without your prior manual confirmation. In our assessment, Agent Replies in an already opened chat do not constitute a solely automated decision producing legal effects or similarly significant effects within the meaning of Art. 22 GDPR.
If we introduce Auto-Confirm or similar features in the future, we will update the Privacy Policy, consent notices and required safeguards before doing so.
7. Data retention
We retain your data while your account is active, plus the periods described below.
Account deletion. You may delete your account at any time from your account settings. Deletion takes effect immediately: your account is marked as deleted and your profile and photos are anonymised. A thirty (30) day grace period begins during which your account remains in an anonymised state. After this grace period, residual records are eligible for full deletion. Operational scheduling of full deletion is under active development; until then, anonymised records may persist beyond the grace period.
Transcript carve-out. Conversation transcripts and chat messages you exchanged with other users are preserved after your account closes, in anonymised form (shown as "Deleted User" to your former partners), so that other users retain access to their own conversation history. This is a deliberate design choice: one user's right to erasure cannot remove the other party's own record of the correspondence.
Financial records. Stripe-related records and our wallet ledger are retained for the period required by German tax and commercial law (up to ten years), independent of account deletion, in line with our legal obligation under Article 6(1)(c) GDPR.
Audit log. Admin actions and security events are retained for the period necessary to investigate abuse and to comply with our accountability obligations under Article 5(2) GDPR.
Operation data. Rate-limit counters, error reports, and ephemeral analytics buffers are short-lived and rotated automatically.
8. Your rights under the GDPR
You have the following rights with respect to your personal data:
- Access — Art. 15: to obtain confirmation of whether we are processing your data and, if so, to receive a copy.
- Rectification — Art. 16: to correct inaccurate data.
- Erasure — Art. 17: to have your data deleted, subject to the transcript carve-out described in Section 7.
- Restriction — Art. 18: to limit how we process your data in specific circumstances.
- Data portability — Art. 20: to receive your data in a structured, machine-readable format.
- Objection — Art. 21: to object to processing based on legitimate interest.
- Automated decision-making — Art. 22: to obtain human review of decisions taken solely by automated means that produce legal or similarly significant effects on you. How we use automated systems, and why in our assessment they do not amount to such a decision, is described in Section 6 under "Automated decision-making".
- Withdraw consent — Art. 7(3): where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Lodge a complaint with a supervisory authority: in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. Because our operator is resident in Hessen, Germany, the competent authority for our operations is the Hessischer Beauftragter für Datenschutz und Informationsfreiheit (HBDI).
9. How to exercise your rights
Self-serve. Visit your account settings to download a complete export of your personal data (Right of Access and Right to Data Portability) or to delete your account (Right to Erasure). The export is provided as structured JSON and includes your account, profile, photo metadata with time-limited photo URLs, AI artefacts, wallet ledger, conversations and consent events, reports, notifications, audit log, and, if you have initiated deletion, your account's deletion status.
Email. For any other right, or for rectification of data you cannot edit yourself, contact us at ashkan.taremi@machaiapp.com. We will respond within one (1) month of receiving a complete request, in line with Article 12(3) GDPR. Where the request is complex or numerous, we may extend by a further two (2) months and will inform you within the first month.
We do not charge a fee for exercising your rights except where requests are manifestly unfounded or excessive.
10. Cookies and email communications
Cookies. The Service uses only two cookies, both of which are essential to the operation of the Service:
- Session cookie (`next-auth.session-token`, or `__Secure-next-auth.session-token` on HTTPS): set by our authentication library to keep you signed in; expires at the end of your authenticated session.
- Locale cookie (`machai_locale`): stores your interface-language preference (English or German); maximum age one (1) year.
We do not currently load any browser-side analytics, marketing, or advertising trackers. Product analytics is operated server-side only and the user identifier we send is a UUID with no PII attached (see Section 5). If we later add a browser-side analytics SDK or any marketing or advertising tracker, we will obtain consent under the ePrivacy framework before activating it.
Email communications. We send transactional emails to you in response to specific events: at present, when the safety pipeline routes a match as Tier-2 ("notify") or Tier-3 ("require approval"), the affected participants receive a notification email so they can act on the match. We do not currently send marketing or promotional emails. A per-user opt-out for these match-notification emails is not currently shipped; this is a known limitation. Until the opt-out ships, the way to stop receiving these emails is to contact us by email so we can suppress your address manually, or to delete your account.
11. International transfers
Several of our processors are based in the United States. When personal data is transferred to a US-based processor (OpenAI, Anthropic, Groq, Resend, Google, and the US-resident operations of Stripe), we rely on the European Commission's Standard Contractual Clauses ("SCCs") under Article 46(2)(c) GDPR, supplemented where appropriate by additional technical and organisational measures, including encryption in transit, minimisation of identifiers in payloads, and server-side PII stripping for analytics events.
We minimise the personal data sent in each call. Our server-side analytics strips email, names, phone, address, IP, photo URLs, and card details from event properties at the boundary, before the event leaves our infrastructure. LLM prompts contain only what the feature requires: profile fields, transcript content, and the persona text described in Section 6. They never contain your card details or your IP address; mood of the day and secret to agent are sent only in your own agent's prompt and never in the persona embedding; and social-platform handles are not sent to any LLM provider at all (see the selective exclusions in Section 6).
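The boundary filter described above, as an added illustrative example in TypeScript. This is not Machai's own analytics code: the property names it drops, the value patterns it recognises, the assumed photo-bucket host and the sample event are all constructed for the illustration. It strips by property name, then additionally by value shape (email, IPv4, photo URL, Luhn-valid card number) so that PII placed under an unexpected key is still caught, and it refuses any distinct identifier that is not a UUID.

```typescript
// Added example, not Machai's code. Key names, patterns and host are assumptions.
type Props = { [key: string]: unknown };

// Property names dropped outright, whatever their value (assumed list).
const PII_KEYS = [
  "email", "name", "first_name", "last_name", "display_name", "phone",
  "address", "ip", "ip_address", "photo_url", "card_number", "card_brand", "card_last4",
];

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const IPV4_RE = /^(\d{1,3}\.){3}\d{1,3}$/;
const PHOTO_URL_RE = /^https?:\/\/[^/]*r2\.cloudflarestorage\.com\//i; // assumed bucket host
const PAN_RE = /^\d{13,19}$/;
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Luhn check so that 13-19 digit strings are only treated as card numbers when plausible.
function luhnValid(digits: string): boolean {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits.charAt(i));
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Value-shape detection: catches PII stored under a key the name list does not cover.
function looksLikePii(value: unknown): boolean {
  if (typeof value !== "string") return false;
  const v = value.trim();
  if (EMAIL_RE.test(v) || IPV4_RE.test(v) || PHOTO_URL_RE.test(v)) return true;
  const digits = v.replace(/[ -]/g, "");
  return PAN_RE.test(digits) && luhnValid(digits);
}

interface StripResult { props: Props; stripped: string[]; }

// Returns a sanitised copy plus the dotted paths that were removed (for a metric, not for storage).
function stripPii(input: Props, path: string = ""): StripResult {
  const out: Props = {};
  const stripped: string[] = [];
  for (const key of Object.keys(input)) {
    const value = input[key];
    const here = path ? `${path}.${key}` : key;
    if (PII_KEYS.indexOf(key.toLowerCase()) !== -1) { stripped.push(here); continue; }
    if (Array.isArray(value)) {
      const kept = value.filter((v) => !looksLikePii(v));
      if (kept.length !== value.length) stripped.push(here);
      out[key] = kept;
      continue;
    }
    if (value !== null && typeof value === "object") {
      const nested = stripPii(value as Props, here);
      out[key] = nested.props;
      stripped.push(...nested.stripped);
      continue;
    }
    if (looksLikePii(value)) { stripped.push(here); continue; }
    out[key] = value;
  }
  return { props: out, stripped };
}

interface AnalyticsEvent { distinctId: string; event: string; properties: Props; }

// The only place events are assembled; the analytics client is given this object, nothing else.
function toAnalyticsEvent(userId: string, event: string, props: Props): AnalyticsEvent {
  if (!UUID_RE.test(userId)) throw new Error("distinct id must be a UUID, not an email or name");
  const result = stripPii(props);
  return {
    distinctId: userId,
    event,
    properties: { ...result.props, pii_fields_stripped: result.stripped.length },
  };
}

// Constructed sample event (not real user data).
const sampleEvent = toAnalyticsEvent("3f2a9c1e-7b44-4d2a-9e61-0f8c2b7a5d13", "match.tier_routed", {
  tier: 2,
  email: "alice@example.com",
  partner: { display_name: "Bob", city: "Frankfurt" },
  card: "4242 4242 4242 4242",
  photos: ["https://acct.r2.cloudflarestorage.com/p/abc.jpg", "n/a"],
});
```

In the sample, `email` and `partner.display_name` are removed by name, `card` by its Luhn-valid value, and the photo URL by host pattern; `tier` and `partner.city` survive. Keeping a count of stripped fields, rather than their values, lets the team notice a producer that is sending PII without the event itself carrying it.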
12. Security
We take reasonable technical and organisational measures to protect your personal data. These include:
- Encrypted transport (HTTPS) for all client-to-server traffic.
- JWT-based authentication with rotating refresh tokens.
- Encryption at rest for photo storage in Cloudflare R2.
- A safety pipeline that filters free-text inputs through a moderation classifier before storage.
- A per-user AI budget cap, enforced on every call, to limit the impact of compromised credentials.
- A default-deny gate on internal analytics introspection endpoints in production.
- An audit log of admin actions for accountability under Article 5(2) GDPR.
- Server-side processing of all LLM calls; provider API keys are never embedded in client code.
No security measure is absolute. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within seventy-two (72) hours of becoming aware, in line with Article 33 GDPR, and inform you in line with Article 34 where the risk to you is high.
13. Children
The Service is intended for adults. You must be at least eighteen (18) years old to use Machai. We do not knowingly process personal data of persons under 18. If we become aware that we have collected data from a person under 18, we will delete it without undue delay. If you believe a child is using the Service, please contact us.
14. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced by email and on your daily feed at least thirty (30) days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
15. Contact
For privacy-specific enquiries, contact us at ashkan.taremi@machaiapp.com. For operator and commercial-register details, see our Imprint. For terms of service, see our Terms of Service.