Privacy Policy
Last updated: May 10, 2026 — Sparkle5, LLC
This Privacy Policy explains how Luvu, operated by Sparkle5, LLC (“we”, “us” or “our”), collects, uses, and protects your personal data. We are the data controller for the purposes of the GDPR and equivalent legislation.
1. Special Category Data — Dating App (GDPR Art. 9)
Luvu is a dating service. When you create a profile you may share information that reveals your sexual orientation, sexual preferences or relationship intentions. Under GDPR Art. 9 this is special category data requiring explicit consent. By creating a profile and completing your dating preferences you explicitly consent to us processing this data to deliver match suggestions and operate the service. You may withdraw consent at any time by deleting your account (Profile → Settings → Delete Account).
2. Data We Collect
- Account data: email address, password hash, date of birth, gender.
- Profile data: display name, photos, bio, headline, and dating preferences (age range, distance, gender sought, relationship goals, lifestyle attributes).
- Usage data: swipes, likes, matches, message metadata, login timestamps, device type, IP address.
- Location data: approximate GPS coordinates sent each session (with your permission) solely for match distance calculation.
- Payment data: subscription status, transaction IDs, amounts. We never store card numbers — payments are handled entirely by Stripe, Apple, or Google.
- Verification data: camera selfie taken with the in-app camera for the Live badge; reviewed by human moderators and stored securely.
- Communications: messages you send and receive, stored to operate the messaging feature and to enable safety reviews.
3. Legal Basis for Processing (GDPR)
- Contract performance (Art. 6(1)(b)): account management, match delivery, messaging, billing.
- Explicit consent (Art. 9(2)(a)): processing of special category data (dating preferences, orientation).
- Legitimate interests (Art. 6(1)(f)): safety, fraud prevention, abuse detection, improving the service.
- Legal obligation (Art. 6(1)(c)): retaining financial records and responding to lawful requests.
4. How We Use Your Data
- Delivering match suggestions based on your preferences and location.
- Operating and improving the service and user experience.
- Safety, fraud prevention, content moderation, and abuse investigation.
- Billing, subscription management, and payment confirmation.
- Sending transactional emails (match alerts, security notifications).
- Aggregate, anonymised analytics — we never sell individual data.
5. Data Processors & Sub-processors
We share data with the following sub-processors solely to operate the service. All are bound by data processing agreements. US and Australian processors operate under EU Standard Contractual Clauses (SCCs).
| Processor | Country | Purpose | Data shared |
|---|---|---|---|
| Google LLC | USA ¹ | Sign in with Google (SSO); token verification | Auth token, email, name |
| Apple Inc. | USA ¹ | Sign in with Apple (SSO); In-App Purchase validation | Auth token, email (first sign-in), purchase receipts |
| Stripe, Inc. | USA ¹ | Web subscription payment processing | Email, subscription details, transaction IDs (no card numbers stored by us) |
| Hetzner Online GmbH | Germany (EU) | Profile photo & verification selfie storage (S3-compatible object storage) | Photo files |
| Mailgun Technologies (Sinch) | Germany (EU) | Transactional email delivery — processed exclusively on Mailgun EU servers (Frankfurt) | Email address, email content |
| SMTP2GO Pty Ltd | EU (servers) | Transactional email delivery (secondary provider) — processed on EU infrastructure | Email address, email content |
| Giphy Inc. | USA ¹ | GIF search & trending content in messages | Search query text only |
¹ Transfer to the USA is covered by EU Standard Contractual Clauses (SCCs). Hetzner Online GmbH, Mailgun (EU servers), and SMTP2GO (EU servers) process data within the EU — no SCC required for those processors.
6. Data Sharing & Disclosure
We do not sell your personal data. We may disclose data:
- To the sub-processors listed above, only as necessary.
- To law enforcement or regulators in response to a valid legal order.
- To a successor entity in the event of a merger or acquisition, under equivalent privacy protections.
- To protect the safety of users or the public where we have a good-faith belief that disclosure is necessary.
7. International Data Transfers
The majority of your data is processed within the EU: photos are stored with Hetzner Online GmbH in Germany, and email is sent via Mailgun EU servers (Frankfurt) and SMTP2GO EU infrastructure. For the remaining US-based processors — Google (SSO), Apple (SSO & IAP), Stripe (payments), and Giphy (GIF search) — transfers from the EU/EEA are covered by EU Standard Contractual Clauses (SCCs). You may request a copy of the applicable SCCs by contacting us.
8. Your Rights (GDPR — EU/EEA Users)
- Access: request a copy of data we hold about you.
- Rectification: correct inaccurate data.
- Erasure: request deletion of your data (“right to be forgotten”).
- Restriction: ask us to restrict processing.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
- Withdrawal of consent: withdraw consent for special category data at any time by deleting your account.
Exercise rights at: support@sparkle5.com. You also have the right to lodge a complaint with your national supervisory authority: BfDI (Germany), IMY (Sweden), CNIL (France), Garante (Italy), ICO (UK).
9. Data Retention
- Active account: retained while your account is active.
- Deleted account: personal data deleted within 30 days of account deletion.
- Exceptions: anonymised analytics (retained indefinitely); financial records (7 years, legal obligation); safety records — reports, bans — retained to prevent re-registration.
10. Security
We use TLS encryption in transit, encryption at rest, strict access controls, and regular security reviews. In the event of a data breach we will notify you and the relevant supervisory authority as required by GDPR Art. 33/34.
11. Children
Luvu is strictly for users aged 18 and over. If we discover a minor has registered we delete their account and all associated data immediately. Parents or guardians may contact us at support@sparkle5.com.
12. Changes to This Policy
We will notify you of material changes by email at least 30 days before they take effect. Continued use of the service after changes take effect constitutes acceptance of the revised policy.
13. Contact
Sparkle5, LLC30 N. Gould Street #10391, Sheridan, WY 82801, USA
E-mail: support@sparkle5.com
EU/EEA users may contact us in their local language.