Dapster — Privacy Policy
Last updated: 3 June 2026 · Effective: 6 April 2026 · Version 5.1
This Privacy Policy explains how Dapster ("we", "us", or "our") collects, uses, stores, and protects your personal information when you use the Dapster mobile application (the "App"). By using Dapster, you agree to the practices described in this Policy.
1. Information We Collect
A. Information You Provide Directly
When you register and set up your profile, we collect:
- Google account information (name, email, profile photo — collected when you sign in with Google), OR
- Username and hashed password (if you register with a username and password instead of Google Sign-In). We never store your password in plain text — it is stored using one-way cryptographic hashing (bcrypt).
- Full name or persona name
- Date of birth (used to verify you are 18 or older)
- WhatsApp phone number — a 10-digit number with country code, collected during onboarding. We keep this on file for account recovery and trust & safety purposes only. We do not send you WhatsApp messages, and we do not share your number with other users.
- Gender
- Profile photos you upload
- Bio and personal description
- Preferences: relationship status, looking for, body type, height, interests (turn-ons), and other onboarding fields
When you use the App, we may also collect:
- Messages, audio recordings, and images you send in chats
- Content you post in groups (channels)
- Reports you submit about other users
- Private photos: an optional set of photos that you keep separate from your main profile. You may upload up to six private photos. Other users only see a blurred teaser until you explicitly grant access through the request / approve flow inside a 1:1 chat. You can revoke an approved grant at any time; the partner then loses access immediately. Private photos and grant records are deleted within 30 days of account deletion.
B. Information Collected Automatically
- Device information: device model, operating system version, unique device identifiers, app version
- IP address
- Usage data: features used, screens visited, swipe activity, session duration
- Push notification tokens (Firebase Cloud Messaging)
- Crash logs and error reports
C. Location Information
With your permission, we collect:
- Precise GPS location (latitude and longitude) to rank and show nearby users in your feed
- City, state, and country (derived from your coordinates)
Location is only collected while the App is in use, unless you grant background location access. You can revoke location permission at any time in your device settings.
D. Authentication Data
- JWT authentication tokens stored locally on your device
- If you register with a username, a bcrypt-hashed version of your password is stored on our servers. Your plain-text password is never stored or transmitted beyond the initial registration or login request.
E. Payment Information
- We do not store your credit card or payment details.
- In-app purchases (token bundles) are handled entirely by Google Play Billing. We receive only a purchase confirmation token from Google Play. Tokens have no real-world value and expire 30 days after purchase if unused.
2. How We Use Your Information
We use the information we collect to:
- Create and manage your account
- Authenticate you via Google Sign-In or username and password
- Recover your account and verify your identity using your WhatsApp phone number
- Detect and investigate duplicate, fraudulent, or abusive accounts (trust & safety)
- Build and display your profile to other users
- Power the matching feed (showing relevant nearby profiles based on your preferences, gender, and location)
- Enable 1:1 messaging and group chat functionality
- Deliver push notifications for matches, messages, and app activity
- Process in-app token purchases and manage your token balance
- Track online presence (last active status)
- Improve and personalize your experience
- Enforce our Terms and Conditions and content policies
- Detect and prevent fraud, abuse, and violations
- Comply with legal obligations
3. How We Share Your Information
We do NOT sell your personal data to third parties.
We share information only in the following cases:
- With other users — Your persona name, photos, bio, age, preferences, and approximate distance are visible to other Dapster users as part of normal app functionality. Your precise GPS coordinates are never shared with other users.
- With service providers — We use the following third-party services to operate the App:
  - Supabase (supabase.com): Cloud database hosting (PostgreSQL, hosted on AWS Mumbai / ap-south-1) and real-time messaging infrastructure
  - Cloudflare (cloudflare.com): Object storage on Cloudflare R2 — profile photos, chat images, verification selfies, and private photos — and an API edge proxy (Cloudflare Workers) that fronts all requests between the App and our backend
  - Railway (railway.com): Hosting for our application server (NestJS), located in Railway's US-East region
  - Google Firebase (firebase.google.com): Push notifications (FCM) and Google Sign-In authentication
  - Google Play: In-app token purchase processing
  These providers access only the data necessary to perform their services and are bound by their own privacy policies.
- For legal compliance — We may disclose your information if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
- In a business transfer — If Dapster is acquired, merged, or its assets are transferred, your information may be transferred as part of that transaction. We will notify you before your data is subject to a different privacy policy.
4. Data Storage and Security
- Account, profile, chat, and other relational data is stored in our Supabase-hosted PostgreSQL database, which runs on AWS in the Mumbai (ap-south-1) region — India.
- Profile photos, chat images, verification selfies, and private photos are stored on Cloudflare R2 (object storage). Cloudflare R2 is a global network; objects may be served from Cloudflare points of presence outside India.
- Our application server (NestJS) is hosted on Railway in the United States (us-east). Because of this, certain requests and the data they carry may transit servers outside India before being persisted to the database.
- All API communication between the App and our servers uses HTTPS (TLS 1.2+ encryption). Requests are routed through a Cloudflare Workers edge proxy before reaching the application server.
- Passwords (for username/password accounts) are stored only as bcrypt hashes; the plain-text password is never persisted.
- Authentication tokens (JWTs) are stored on your device. On Android they live in the app's sandboxed SharedPreferences area, which is accessible only to the Dapster app on a non-rooted device.
- We implement reasonable technical and organizational security measures to protect your data against unauthorized access, loss, or disclosure.
- No system is 100% secure. We cannot guarantee absolute security of your data transmitted over the internet.
5. Data Retention
- Your data is retained for as long as your account is active.
- If you delete your account, your personal profile data, photos, and preferences will be deleted within 30 days.
- Chat messages may be retained for a limited additional period for safety and abuse-prevention purposes, after which they are deleted.
- Some data (e.g., abuse reports or legal hold data) may be retained longer if required by law.
- Password hashes are retained for as long as your account is active and are permanently deleted when your account is deleted.
6. Location Data
- We collect your location to power the proximity-based matching feed.
- Your precise coordinates are stored in our database and updated when you use the App.
- Only an approximate distance (e.g., "3 km away") is shown to other users — your exact coordinates are never exposed.
- You may disable location access in your device settings at any time, though this may reduce the quality of profile recommendations.
7. Push Notifications
- We send push notifications for events such as new matches, messages, and app activity via Firebase Cloud Messaging (FCM).
- You may manage notification preferences within the App or through your device notification settings.
- Disabling notifications will not affect core app functionality.
8. Children's Privacy
- Dapster is strictly for users aged 18 and above.
- We do not knowingly collect personal information from anyone under 18.
- If we become aware that a user is under 18, we will immediately terminate their account and delete all associated data.
- If you believe a minor has created an account, please contact us at dapsterofficial@gmail.com so we can take immediate action.
9. Your Rights and Choices
You have the following rights regarding your personal data:
- Access: You may request a copy of the personal data we hold about you.
- Correction: You may update your profile information directly in the App at any time.
- Deletion: You may delete your account and all associated data through the App settings, or by contacting us.
- Withdraw Consent: You may revoke permissions (location, notifications, camera, microphone) through your device settings at any time.
- Portability: You may request an export of your data in a portable format.
To exercise any of these rights, contact us at dapsterofficial@gmail.com. We will respond within 30 days.
10. Third-Party Links and Services
- The App may contain links or integrations with third-party services (e.g., Google Sign-In).
- We are not responsible for the privacy practices of third-party services.
- Please review the privacy policies of any third-party service you use.
11. Audio and Media Messages
- Audio messages recorded and sent within the App are uploaded to Cloudflare R2 and transmitted to the recipient. They are deleted from R2 when the parent message is deleted.
- Images sent in chats are stored on Cloudflare R2.
- View-once images are accessible only once by the recipient and are then marked as viewed and no longer served by the App.
- 1:1 match chats and friend chats automatically disappear 24 hours after the message is sent. A background job sweeps expired messages from the database every minute and deletes the associated media object from Cloudflare R2 at the same time.
- Channel (group) messages are NOT automatically deleted after 24h — they live until the channel owner or admin removes them, or until the channel itself is deleted.
11A. Private Photos
- You may upload up to six "private photos" that are kept separate from your main profile photos.
- Private photos are stored in a private Cloudflare R2 bucket. The raw files are never served on a public URL — every byte fetch is authenticated and authorized on our backend before R2 is read.
- Other users see only a blurred placeholder ("blurhash") until you explicitly grant access through the in-chat request / approve flow.
- You may revoke an approved grant at any time from the chat screen; the partner loses access immediately and we send them a push notification informing them that access was revoked.
- When you delete your account, every private photo file you uploaded is deleted from R2 and every grant record is removed within 30 days.
12. Verification Data
- If you choose to submit identity verification (selfie), that image is reviewed by our moderation team solely for verification purposes.
- Verification images are not shared with other users or third parties.
- Verification images are deleted after the review is complete.
13. Changes to This Privacy Policy
- We may update this Privacy Policy periodically to reflect changes in our practices or for legal, operational, or regulatory reasons.
- We will notify you of significant changes through the App or via the contact information associated with your account.
- Continued use of the App after the effective date of changes constitutes your acceptance of the updated Policy.
- The "Last Updated" date at the top of this document indicates when the most recent changes were made.
14. Governing Law
This Privacy Policy is governed by the laws of India. Any disputes relating to this Policy shall be subject to the exclusive jurisdiction of the courts located in India.
15. Automated and Ambassador Profiles; AI-Assisted Messaging
- Some profiles on Dapster are "Ambassador" or example profiles operated or assisted by Dapster or its partners, and some messages you receive may be generated by automated systems, including artificial intelligence (AI).
- Where you interact with an Ambassador profile or an AI-assisted feature, the content of those messages may be processed by Dapster and its service providers in order to operate, moderate, and improve the service.
- Ambassador profiles are labelled in the App.
- You should never share sensitive personal or financial information in any chat.
This processing is carried out in accordance with the "Information We Collect" and "How We Use Your Information" sections above.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
We are committed to resolving any concerns promptly and transparently.
© 2026 Dapster. All rights reserved.