Cosma

Terms of Service

Last updated: 1 December 2025

1. Introduction

This Privacy Policy explains how we collect, use, store, share, and protect personal data of users who access soulmate.gines.app or related services.

We follow:

  • GDPR (EU/EEA)
  • UK GDPR
  • CCPA (California), where applicable
  • other international privacy standards

2. Data We Collect

2.1 Data You Provide

  • Email address (required to receive the portrait)
  • Name / nickname (optional)
  • Birthdate / gender (optional)
  • Responses to quizzes or forms
  • Uploaded images (if required for Portrait)

2.2 Automatically Collected Data

  • Device type, OS, browser version
  • Language and region
  • IP address (only for security, fraud prevention, geolocation)
  • Session metadata and analytics
  • Timestamp of consent
  • Referral / campaign info (UTM, source)

2.3 Third-Party Data

From payment platforms:

  • payment status, transaction IDs (no full card numbers)

From email delivery providers:

  • email delivery status

3. How We Use Your Data

We process your data to:

  • deliver the Soulmate Portrait and related AI-generated content;
  • manage subscriptions, billing, and identity verification;
  • send essential service emails (via Resend);
  • provide customer support;
  • personalize your experience;
  • analyze and improve the Service;
  • detect fraud and prevent misuse;
  • comply with legal obligations.

We never sell personal data.

4. Legal Bases (for GDPR users)

We rely on:

  • Consent: when you provide your email or upload content.
  • Contract: delivering the Portrait, processing payments, providing access.
  • Legitimate interest: security, analytics, service improvements.
  • Legal obligation: tax, accounting, regulatory compliance.

5. Sharing Data with Third Parties (Subprocessors)

We share data only with trusted partners necessary to operate the Service:

  • Web2Wave (EU/US) — Form processing, lead capture.
  • Replit (USA) — Backend infrastructure, request handling. Protected by Standard Contractual Clauses (SCCs).
  • Resend (EU/US) — Transactional email delivery (portrait delivery, account emails).
  • Stripe / Apple / Google — Payment processing.
  • Analytics / Anti-fraud Tools — (only if implemented; listed in future updates)

All subprocessors operate under Data Processing Agreements (DPAs). We do not share your data with advertisers or brokers.

6. International Data Transfers

If your data is transferred outside the EU/EEA, we use:

  • Standard Contractual Clauses (SCCs),
  • Adequacy decisions, or
  • Equivalent safeguards.

7. Data Retention

  • Email & subscription records: while your subscription is active + 12 months
  • Uploaded images: deleted within 24 hours (up to 72h for fraud debugging)
  • Analytics data: aggregated / anonymized within 6–12 months
  • Consent logs: retained for 5 years (GDPR requirement)

You may request deletion at any time.

8. Your Rights

You may request:

  • access to your data;
  • correction of inaccurate data;
  • deletion ("right to be forgotten");
  • export of your data (portability);
  • restriction or objection to processing;
  • withdrawal of consent at any time.

Email: support@cosma.to — We respond within 30 days.

9. Security

We use industry-standard security measures:

  • TLS/HTTPS encryption
  • encrypted storage
  • role-based access control
  • secure use of environment variables (no plaintext logs)
  • periodic audits

No system is fully immune to vulnerabilities, but we take all reasonable measures.

10. Children's Privacy

The Service is not intended for individuals under 18. We do not knowingly collect data from minors.

11. Changes to This Policy

We may revise this Policy. Updated versions will be posted with a new date. Continued use after updates means acceptance.

12. Contact

Email: support@cosma.to

Paradiscoleta Unipessoal LDA
Address: Estrada Monumental, 348-A, app Y
Madeira island, Funchal, Portugal
Postal code: 9000-100
