Privacy Policy

1. Who we are and what this policy covers

Wesprs is a privacy-first, ephemeral dating service. You are verified to be a human adult, and then you are never identified. This policy explains what we process, why, for how long, and the choices you have.

This policy covers the Wesprs mobile apps and this website at wesprs.com. It does not cover any third-party service you reach from a link we provide — those have their own policies. Where we refer to the "controller", we mean Digital Services LLC, the company that operates Wesprs; our named Data Protection Officer is reachable at [email protected].

Wesprs is available worldwide to adults. The minimum age to use Wesprs is 18.

2. The principle: data we deliberately never hold

The most important fact about our privacy posture is what we refuse to collect.

We do not collect your legal name. We do not use your email address as your identity, and we do not offer social login. You sign in with a passkey, a hashed phone number passed through a privacy relay, or a pseudonymous recovery phrase that only you hold — never an account tied to a real-world identity we can read.

We do not store biometric data. We do not run advertising or tracking software. We do not keep your conversations after they expire. These are not settings; they are architectural decisions described throughout this policy.

3. Definitions

"Profile" — the pseudonymous handle and the intent, preferences, and coarse area you broadcast. "Ephemeral content" — profiles, posts, messages, and images that expire server-side after 24 hours. "Special-category data" — under the GDPR, information about your sexual orientation or sex life; using a dating service can itself reveal this, so we treat the relevant fields as special-category and process them only with your explicit consent. "Abuse-report metadata" — the minimal record we keep when someone reports misconduct, described in Section 6. "Verification snapshot" — the five-field, no-biometric result of the human-and-age check described in Section 4.

4. Verified anonymity — how we check you are a human adult without keeping your face

To keep Wesprs free of bots, minors, and impersonators, we verify two things once: that you are a live human, and that you are at least 18.

We run a liveness check (FaceTec, on our own servers) and an age-estimation check (Yoti). The camera image and any biometric template created during the check are destroyed as soon as the result is returned — we retain zero biometric data. Our verification vendors are contractually required to delete the biometric inputs immediately and may not retain them.

What we keep is a snapshot of at most five non-biometric fields: a boolean that you are 18 or older, a flag that the liveness check passed, an abuse-resistance hash (so a banned person cannot trivially re-register), your pseudonymous handle, and the timestamp. There is no photo, no face geometry, and no government-ID copy in that record.

For users in jurisdictions with specific biometric-consent laws, we request that consent before any scan, separately from accepting this policy.

5. What we process, and why

Account and access — your pseudonymous handle and an authentication credential (passkey, relay-hashed phone, or recovery phrase) so you can sign in and we can keep the service secure. We never receive a plaintext phone number we can reverse.

Profile and intent — the intent you declare, your preferences, and your coarse area, so we can show you relevant people. Fields that reveal sexual orientation or sex life are special-category data and are processed only on your explicit consent, which you give during onboarding and can withdraw.

Location — coarse area only. We use a low-resolution geospatial grid (H3 resolution 7 or coarser) so you appear in roughly the right place. We do not collect or store precise GPS coordinates, and we do not keep a location history.

Images — photos you choose to share. We strip embedded metadata (including EXIF and any GPS tags) on our servers before the image is delivered, and images are served through expiring signed URLs valid for at most one hour.

Messages — your conversations are end-to-end encrypted using the Signal protocol. We relay ciphertext only; the operator cannot read your messages.

Payments and support — handled as described in Sections 8 and 9.

Lawful bases: explicit consent (Art. 9 GDPR) for special-category data; performance of our contract with you for core service delivery; and our legitimate interest in keeping the service safe and abuse-free, balanced against your rights.

6. Retention — ephemeral by architecture, with one documented carve-out

Profiles, posts, messages, and images expire server-side 24 hours after they are created. This is enforced by a server-side time-to-live, not by a manual deletion step you have to trust us to run. Signed URLs for images expire within one hour.

The verification snapshot (Section 4) persists while your account is active so that you do not have to re-verify on every session, and is deleted when you delete your account.

The one deliberate exception is abuse-report metadata. When someone reports misconduct, we preserve a minimal evidence set — a hashed identifier, the reason, and the relevant dates — in a restricted store separate from ordinary content, so that a report survives the 24-hour expiry, an unmatch, a block, or an account deletion. We keep this for a minimum of 14 days and, where a legal-claims or safety basis requires it, for up to approximately 3 years in the EU, 6 years in the UK, and 5 years in the US. This carve-out is what lets us respond to harassment and to mandatory-reporting obligations; without it, deleting an abuser would also delete the evidence against them.

IP addresses in our first-party server logs are stripped within 24 hours.

7. International transfers

We launch with EU-hosted infrastructure. Where any processing or vendor involves transferring personal data outside the EEA or the UK — for example to a US-based provider — we rely on a recognised transfer mechanism (an adequacy decision where available, Standard Contractual Clauses, and a transfer impact assessment) and minimise what crosses the border.

Special-category data destined for non-EEA infrastructure is end-to-end or otherwise strongly encrypted before transmission, so that the recipient infrastructure cannot read it.

8. Payments

Wesprs offers a single privacy subscription (and, later, a Constellation tier). On the web we bill through Stripe; in the mobile apps we bill through Apple In-App Purchase and Google Play Billing.

We do not see or store your full card number. The payment processor handles card data under its own PCI-compliant terms. We keep the minimal billing metadata needed to manage your subscription and meet tax and accounting obligations.

Subscription metadata is never exported to any advertising or analytics system. Paying for Wesprs links you to a subscription record, never to an ad profile.

9. Service providers we rely on

We work with a small, audited set of processors, each bound by a data-processing agreement and used only for a stated purpose: cloud and CDN hosting (EU-region); the verification vendors named in Section 4 (biometric inputs deleted immediately); the payment processors named in Section 8; and self-hosted, cookieless analytics that we run ourselves.

We do not use third-party advertising networks, data brokers, tracking pixels, session-replay tools, or behavioural-remarketing services. There are zero advertising or tracking software development kits in our apps or on this website, and that absence is verified by an automated check in our build pipeline.

10. Analytics and cookies

Our only analytics is a self-hosted, cookieless, EU-hosted measurement tool. It is aggregate by design and cannot identify you or follow you across sites. We do not load any third-party analytics endpoint.

We do not set advertising or cross-site tracking cookies, so there is no consent banner — there is nothing to consent to. The only cookie this website may set is a strictly functional one that remembers your chosen language. You can read the full stance on our cookies page.

11. Security

Messages are end-to-end encrypted with the Signal protocol; we relay ciphertext and cannot read your conversations. Stored secrets are protected with envelope encryption. Images have their metadata stripped server-side and are served only through short-lived signed URLs. Coarse-geo handling means we never hold a precise location to leak.

If you discover a vulnerability, our disclosure policy and contacts are published at wesprs.com/security. No system is perfectly secure, and we describe our limits honestly rather than promising the impossible.

If a personal-data breach occurs that is likely to risk your rights, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay where the risk is high.

12. Detecting and reporting child sexual abuse material and intimate-image abuse

We screen non-encrypted images against industry hash-matching systems for known child sexual abuse material and non-consensual intimate imagery (for example PhotoDNA, Thorn, and StopNCII). Apparent child sexual abuse material is reported to the relevant authority — the US National Center for Missing & Exploited Children, and the UK National Crime Agency for UK matters — and the required evidence is preserved as the law demands.

Victims of intimate-image abuse do not need a Wesprs account to ask us to act. The non-account-holder intake at wesprs.com/ncii-intake lets anyone file a takedown request, which we aim to action within 48 hours.

13. Your rights

Under the GDPR and UK GDPR you have the right to access the data we hold about you, to have it corrected, to have it erased, to receive it in a portable form, to object to or restrict certain processing, and to withdraw any consent you have given (including the explicit consent for special-category data) without affecting processing already carried out.

Because most of your content expires within 24 hours and we hold no legal-name or email identity, there is structurally little to export or erase. We will still honour any request to the extent data exists, normally within one month. Withdrawing the explicit consent for identity declarations may mean we can no longer offer parts of the service that depend on it.

To exercise a right, or if you believe we have mishandled your data, contact our Data Protection Officer at [email protected]. You also have the right to lodge a complaint with your local supervisory authority (in the EU and UK).

14. Children

Wesprs is strictly for adults aged 18 and over. We verify age before access (Section 4) and do not knowingly allow anyone under 18 to use the service. If we discover an account belonging to a minor, we close it and delete the associated data, and we follow the applicable child-safety reporting obligations.

15. Account and data deletion

You can delete your account from within the app at any time. Ephemeral content already expires within 24 hours; deleting your account removes your verification snapshot and your account record.

The only data that may persist beyond deletion is the abuse-report metadata described in Section 6, retained under the legal-claims and safety carve-out for the period stated there. Nothing else outlives its stated purpose.

16. Changes to this policy

We may update this policy as the service and the law evolve. For material changes we will give notice at least 14 days before they take effect, keep a change log, and keep prior versions accessible. The effective date at the top of this page always reflects the current version.

17. Contact

Data Protection Officer and privacy requests: [email protected]. Security and vulnerability disclosure: [email protected] (policy at wesprs.com/security). Intimate-image abuse takedown (no account needed): wesprs.com/ncii-intake.

If you are in immediate danger, contact your local emergency services first.