
Privacy Policy

Our commitment to protecting your personal information and privacy rights.

Last updated: 2026-01-31

Effective Date: January 31, 2026

Controller: Homie Lab Inc. ("Rush," "we," "us," "our")

Contact: privacy@feeltherush.app

Address: Toronto, Ontario, Canada

For EU users: Our EU Representative is [To be appointed]. Contact: privacy@feeltherush.app

1. Scope

This Privacy Policy applies to the Rush mobile application, the feeltherush.app website, and all related services (collectively, the "Service"). This Policy covers users in the European Union, European Economic Area, United Kingdom, United States (including California residents under CCPA/CPRA), Canada, and all other jurisdictions.

2. Data Categories We Collect

2.1 Information You Provide

| Category                    | Examples                                                                                     | Purpose                                     |
| --------------------------- | -------------------------------------------------------------------------------------------- | ------------------------------------------- |
| **Account Identifiers**     | Email address, phone number, Sign in with Apple/Google credentials, authentication tokens    | Account creation, login, account recovery   |
| **Profile Information**     | Display name, age/date of birth, photos, written bio, height, body type, position preference | Profile display, matching                   |
| **Sensitive Personal Data** | Sexual orientation, sexuality-related preferences, HIV status, relationship status           | Profile display (only as configured by you) |
| **Communications**          | Messages, photos shared in chat, report content                                              | Service delivery, safety                    |
| **Payment Information**     | Handled by Apple/Google; we receive transaction confirmation only                            | Subscription management                     |

2.2 Information Collected Automatically

| Category               | Examples                                                                                     | Purpose                                      |
| ---------------------- | -------------------------------------------------------------------------------------------- | -------------------------------------------- |
| **Location Data**      | GPS coordinates (processed to approximate 500m+ radius), IP-derived location                 | Discovery features, "Right Now" map          |
| **Device Information** | Device model, OS version, app version, unique device identifiers, advertising ID (IDFA/GAID) | Analytics, troubleshooting, fraud prevention |
| **Usage Data**         | Features used, tap patterns, session duration, in-app navigation                             | Product improvement, analytics               |
| **Technical Logs**     | IP address, crash logs, error reports, timestamps                                            | Security, debugging                          |

2.3 Information from Third Parties

  • Social Login Providers: Basic profile information if you choose Sign in with Apple/Google
  • Analytics Partners: Aggregated attribution data (Segment, AppsFlyer, Meta)

3. Special Categories of Data (Sensitive Data)

Rush collects and processes sensitive personal data including:

  • Sexual orientation
  • Sexual preferences and interests
  • HIV status (if you choose to disclose)

Your Control: These fields are entirely optional. You decide whether to complete them and who can see them via your privacy settings.

Legal Basis (GDPR Article 9): We process this data based on your explicit consent when you voluntarily provide it and choose to make it visible to other users.

Protection Measures:

  • Sensitive fields are never shared with advertisers or analytics providers
  • You can modify or delete this information at any time
  • We use encryption in transit and at rest

4. Legal Basis for Processing (GDPR)

| Purpose                                          | Legal Basis                       |
| ------------------------------------------------ | --------------------------------- |
| Account creation and service delivery            | Performance of contract           |
| Profile display to other users                   | Performance of contract           |
| Sensitive data display (orientation, HIV status) | Explicit consent                  |
| Location-based discovery features                | Legitimate interest + consent     |
| Safety scanning and moderation                   | Legitimate interest (user safety) |
| Analytics and product improvement                | Legitimate interest               |
| Marketing communications                         | Consent                           |
| Legal compliance                                 | Legal obligation                  |
| Fraud prevention and security                    | Legitimate interest               |

5. Location Practices

5.1 How We Use Location

We collect GPS-derived location to power discovery features including:

  • Distance indicators (e.g., "2 km away")
  • The "Right Now" map feature showing users in your vicinity
  • Location-based profiles in the grid

5.2 Location Privacy Protections

  • Approximate Display: Other users see your approximate location within a minimum 500-meter radius. We never display your exact GPS coordinates.
  • EXIF Stripping: All uploaded photos have location metadata (EXIF) removed before storage
  • Fuzzing: Your displayed location is randomized within the radius to prevent triangulation
  • Control: You can hide from the "Right Now" map while remaining active on the app

5.3 Sensitive Jurisdiction Warning

Important: Rush respects that LGBTQ+ individuals face safety risks in certain regions. While we implement location fuzzing and privacy protections, users in jurisdictions where homosexuality is criminalized should exercise additional caution. We recommend:

  • Using the "Hide from Right Now" feature
  • Being selective about profile information
  • Understanding that we may be compelled to respond to legal requests from local authorities

6. Messaging

  • Storage: Messages are stored server-side in Supabase to enable multi-device sync and reliability
  • Encryption: TLS encryption in transit; encryption at rest via Supabase
  • No E2EE: End-to-end encryption is not currently implemented; messages can be accessed for safety/legal purposes
  • Retention: Active messages are retained until you delete them. Upon account deletion, messages are purged per our retention schedule.
  • Attachments: Photos and media shared in chat are stored in encrypted cloud storage

7. Automated Processing and Content Moderation

7.1 Photo Scanning

We use AWS Rekognition to automatically scan uploaded images for:

  • Prohibited content (CSAM, non-consensual imagery)
  • Public nudity policy violations
  • Safety threats

This is not profiling for advertising. Scanning is solely for safety and policy compliance.

7.2 Text Analysis

We may use automated tools to detect:

  • Grooming patterns
  • Threats of violence
  • Fraud indicators
  • Spam

7.3 Human Review

Flagged content and user reports are reviewed by trained human moderators. We do not use fully automated decision-making that produces legal or similarly significant effects without human review.

7.4 Your Rights

Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing. Our automated systems flag content for human review; final enforcement decisions involve human judgment.

8. Cookies and Tracking Technologies

Please see our separate [Cookie Notice](/legal/cookies) for full details.

Summary:

  • The website uses cookies for functionality, analytics (Segment), and advertising attribution (Meta Pixel)
  • The mobile app uses SDK equivalents
  • We do not sell your personal data
  • You can manage cookie preferences via browser settings

9. How We Use Your Data

  • Account creation, authentication, and service delivery
  • Displaying your profile to other users (as configured by your settings)
  • Showing approximate location for discovery features
  • Safety enforcement, abuse prevention, and fraud detection
  • Content moderation and policy enforcement
  • Analytics and product improvement
  • Responding to user support requests
  • Legal compliance and responding to valid legal requests
  • Marketing communications (with your consent)

10. Data Sharing

10.1 Service Providers

We share data with trusted providers who process data on our behalf:

| Provider             | Purpose                    | Data Shared                           |
| -------------------- | -------------------------- | ------------------------------------- |
| Supabase             | Hosting, database, storage | All service data                      |
| AWS Rekognition      | Image moderation           | Uploaded photos (scanned, not stored) |
| Segment              | Analytics                  | Usage events, anonymized identifiers  |
| Meta Ads             | Attribution                | Conversion events, advertising ID     |
| AppsFlyer            | Attribution (if enabled)   | Install/conversion events             |
| Google Maps Platform | Location services          | Approximate coordinates               |

10.2 Other Users

Other Rush users can see:

  • Your profile information (as configured by you)
  • Your photos (per your visibility settings)
  • Your approximate location (if enabled)
  • Messages you send them

10.3 Legal and Safety Disclosures

We may disclose data:

  • In response to valid legal process (subpoenas, court orders, government requests)
  • To protect user safety when there is risk of imminent harm
  • To report suspected CSAM to NCMEC as required by law
  • To cooperate with law enforcement regarding serious crimes

We will challenge overly broad requests and notify affected users unless prohibited by law.

10.4 No Sale of Personal Data

We do not sell your personal data. Under CCPA/CPRA, "sale" includes sharing data for monetary or other valuable consideration. We do not engage in such practices with your data.

11. International Data Transfers

Your data is primarily processed and stored in the United States through Supabase and related infrastructure.

For EU/EEA/UK Users:

Transfers to the US rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Supplementary technical and organizational safeguards
  • Data Processing Agreements with all processors

You can request a copy of the relevant SCCs by contacting privacy@feeltherush.app.

12. Data Retention

| Data Type                      | Retention Period                      |
| ------------------------------ | ------------------------------------- |
| Active account data            | Duration of account                   |
| Messages                       | Until user deletion                   |
| Photos                         | Until user deletion                   |
| Reports and moderation records | 2 years                               |
| IP and device logs             | 90 days                               |
| Analytics                      | Aggregated/anonymized after 12 months |

Account Deletion Timeline:

  1. Immediate: Profile hidden from other users
  2. 30 days: Grace period for account restoration
  3. 90 days: Full purge from primary systems and backups

13. Your Privacy Rights

13.1 All Users

You have the right to:

  • Access your data
  • Correct inaccurate information
  • Delete your account and associated data
  • Download your data (data portability)

13.2 EU/EEA/UK Users (GDPR)

Additional rights:

  • Withdraw consent for sensitive data processing
  • Object to processing based on legitimate interests
  • Restrict processing in certain circumstances
  • Lodge a complaint with your supervisory authority

13.3 California Residents (CCPA/CPRA)

You have the right to:

  • Know what personal information we collect, use, and share
  • Delete your personal information
  • Opt-out of sale — We do not sell personal information
  • Non-discrimination — We will not discriminate against you for exercising your rights
  • Correct inaccurate personal information
  • Limit use of sensitive personal information — You can request we limit use to what is necessary

Categories of Personal Information Collected (CCPA):

  • Identifiers (name, email, phone, device ID)
  • Personal information under Cal. Civ. Code § 1798.80 (name, address, phone)
  • Protected classifications (sexual orientation)
  • Commercial information (transaction records)
  • Internet/network activity (usage logs)
  • Geolocation data
  • Sensory data (photos)
  • Inferences (preferences derived from the above)

California "Shine the Light": California residents may request information about disclosure of personal information to third parties for direct marketing. Contact privacy@feeltherush.app.

13.4 Canadian Users (PIPEDA)

You have the right to access your personal information and challenge its accuracy. Contact privacy@feeltherush.app.

13.5 How to Exercise Your Rights

In-App: Settings → Privacy → Download My Data / Delete Account

Email: privacy@feeltherush.app

We will respond within:

  • 30 days (GDPR)
  • 45 days (CCPA, extendable by 45 days with notice)

We may verify your identity before processing requests.

14. Data Security

We implement appropriate technical and organizational measures:

  • TLS encryption for data in transit
  • Encryption at rest via Supabase
  • Access controls and authentication
  • Regular security assessments
  • Rate limiting and fraud detection
  • EXIF metadata stripping from photos
  • Employee training on data protection

No system is 100% secure. We cannot guarantee absolute security but strive to protect your data using industry-standard practices.

Data Breach Notification

In the event of a breach affecting your personal data:

  • EU users: We will notify relevant supervisory authorities within 72 hours and affected users without undue delay if high risk
  • California users: We will notify affected residents as required by law
  • All users: We will provide notification as appropriate to the circumstances

15. Age Restriction

Rush is strictly 18+.

Age Verification:

  • Users must confirm they are 18+ during registration
  • Date of birth is collected and verified against this threshold
  • Profiles suggesting underage users are immediately investigated
  • Accounts of minors are terminated and reported to NCMEC if illegal content is involved

COPPA Compliance:

Rush does not knowingly collect information from anyone under 18. If we learn a user is under 18, we will delete their account and data.

16. Changes to This Policy

We may update this Policy to reflect changes in our practices or legal requirements.

Notification: For material changes, we will notify you via:

  • In-app notification
  • Email (if you've provided one)
  • Website banner

Continued use of Rush after changes constitutes acceptance of the updated Policy. If you disagree with changes, you may delete your account.

17. Contact Us

Data Protection Inquiries: Email: privacy@feeltherush.app

Legal Inquiries: Email: legal@feeltherush.app

General Support: Email: support@feeltherush.app

Phone: +1 (647) 684-0908

Mailing Address: Homie Lab Inc., 517 Richmond St East, Suite 1015, Toronto, ON M5A 1R4, Canada

For EU users with unresolved concerns, you may lodge a complaint with your local Data Protection Authority.
