WealthSwipe Privacy Policy
Last Updated: 2026-04-29
Effective Date: To be set when the policy is published at https://wealthswipe.app/privacy.
1. Who we are
WealthSwipe is an iOS dating application that incorporates blockchain-verified wealth signals into the matching experience. This Privacy Policy describes what we collect, why, where it is processed, and what choices you have.
- Service operator: Bernardo Camajori Tedeschini, operating WealthSwipe as a sole proprietor (Italy).
- Privacy contact: privacy@wealthswipe.app
By creating an account or using the WealthSwipe app, you agree that we may process your data as described below.
2. Data we collect
We try to be specific. Where we say "we collect", we mean a value is stored in our MongoDB Atlas database, in Firebase Storage, or in our application logs.
2.1 Account data
- Email address — used as your login identifier and for transactional messages (password reset, security notices).
- Password (hashed) — we store a bcrypt hash of your password (cost factor 12). We do not store your password in plaintext and we cannot recover it; if you lose it you must use the reset flow.
- Authentication tokens — JWT access tokens (15-minute lifetime) and refresh tokens (30-day lifetime, rotated on each use). Refresh tokens are persisted on your device in Apple's encrypted MMKV-backed storage and on our servers in a revocable list.
2.2 Profile data
- Nickname — a chosen pseudonym. WealthSwipe does not require your legal name. We deliberately do not collect or display it.
- Age — used for the 18+ eligibility check and for matching preferences.
- Gender and Interested-in preference — used to surface matching candidates.
- Free-text bio — a short user-authored description.
- Photos — up to 6 photos, 5 MB each, stored in Firebase Storage under profiles/<userId>/<uuid>.jpg. Photos are uploaded directly from your device to Firebase Storage; only the resulting download URL is stored on our backend. Download URLs are publicly readable on the internet by design (see Section 5 — Sharing).
- Optional location: city only — a coarse city name you type in (e.g. "Miami", "Milan"). We never collect GPS coordinates, latitude/longitude, IP-derived precise location, or background location. The city field is optional and can be left blank.
- Wealth display preference — one of tier, exact, or hidden, plus per-wallet visible flags and per-chain visibility (per AD-003). This controls how your wealth is shown to other users.
- Theme preference — light / dark / auto. Stored locally on your device only.
2.3 Wallet data
- Wallet addresses — public Ethereum / Polygon / BSC addresses you choose to link. (Bitcoin and Solana are reserved in our schema but not currently active.)
- Ownership signatures — when you link a wallet, you sign a one-time challenge nonce with the wallet (EIP-191 personal_sign). We store the challenge, the signature, and the verification result so we can prove you controlled the address at the moment of signing. Signatures may be re-requested periodically per AD-001.
- What we do NOT have: we do not have your private keys, your seed phrase, your wallet password, your hardware-wallet PIN, or any spending power over your assets. Wallet access through WealthSwipe is read-only — we can query public on-chain data, nothing else.
2.4 Wealth snapshots
- For each linked, visible wallet we periodically read its on-chain token balances through public JSON-RPC nodes (LlamaRPC, PublicNode, dRPC, Ankr) and convert balances to USD using CoinGecko's public, keyless price API.
- Snapshots are refreshed by our backend cron at most once every 24 hours per wallet (per AD-002), within a deterministic window between 01:00 and 04:00 server time. You can also request an on-demand refresh, rate-limited to one refresh per hour per user.
- A snapshot contains: wallet address, chain, balance per token, USD valuation, and a timestamp. Snapshots older than 48 hours are flagged stale and the wealth tier shows as "verification pending" until a fresh snapshot lands.
2.5 Matching data
- Your swipes (like / dislike / super-like) on other users.
- Mutual matches — when two users have liked each other, a MatchThread record is created.
2.6 Messages
- Once two users match, they can exchange direct messages (max 2,000 characters per message) via our real-time chat. Message bodies are stored on our servers in MongoDB. Messages are not end-to-end encrypted today; we (the operator) and our database host can technically read them.
2.7 Push tokens
- A Firebase Cloud Messaging (FCM) device token, provided by Apple's APNs and registered with our backend. We use it only to deliver match and message notifications. You can revoke it at any time by disabling notifications in iOS Settings or by logging out (logout deletes the device record).
2.8 Operational logs
- Standard application logs on Fly.io (HTTP method, path, status code, latency, anonymous request id, and bearer-token user id where applicable). Logs are retained for 90 days and rotated automatically.
3. Data we explicitly do NOT collect
To keep the scope of WealthSwipe honest and aligned with AD-005:
- No KYC documents. No driver's license, no passport, no Social Security number, no tax ID, no proof of address.
- No precise location. No GPS, no continuous location, no Wi-Fi triangulation. The optional city field is the only location signal we keep, and it is whatever you type.
- No NFT data. NFTs are explicitly out of scope.
- No biometrics. No FaceID templates, no fingerprint, no voice. (Apple's FaceID, if you use it to unlock your iPhone, is handled by iOS and never sent to us.)
- No financial-account credentials beyond a public wallet address. No bank logins, no Plaid, no exchange API keys, no seed phrases.
- No spending power. Wallet verification is by signature only — we never request, hold, or use any key that could move funds.
- No third-party advertising trackers. We do not embed ad-network SDKs.
4. Why we collect what we collect
| Purpose | Data used | Lawful basis (GDPR) |
|---|---|---|
| Create and protect your account | email, hashed password, auth tokens, logs | Contract |
| Match you with other users | profile, photos, swipes, matches, wealth display preference | Contract |
| Verify wealth on-chain | wallet address, signature, snapshots | Contract |
| Send transactional emails (password reset, security) | | Legitimate interest |
| Push notifications for matches and messages | FCM token | Consent (granted via the iOS notification permission prompt) |
| Detect and prevent abuse | logs, swipe patterns, account metadata | Legitimate interest |
| Comply with legal obligations | the minimum subset needed | Legal obligation |
We do not profile you for advertising and we do not share data with marketing partners.
5. Where data is stored and processed
WealthSwipe relies on a small number of sub-processors, all under contract or standard terms of use:
| Sub-processor | Role | Region |
|---|---|---|
| MongoDB Atlas (free tier M0) | Primary database — accounts, profiles, wallets, snapshots, matches, messages | |
| Fly.io | Application servers (Express + Socket.IO), 2× shared-cpu-1x | Frankfurt, Germany (EU) |
| Firebase Storage (Google Cloud) | Profile photos | |
| Firebase Cloud Messaging (Google) | iOS push delivery via APNs | Global Google infrastructure |
| Postmark | Transactional email (password reset, security notices) | United States |
| Cloudflare | DNS for wealthswipe.app and email routing for noreply@ / admin@ | Global |
| Apple APNs | Push notification delivery to your iPhone | United States |
| Public RPC providers (LlamaRPC, PublicNode, dRPC, Ankr) | Read-only on-chain queries | Distributed |
| CoinGecko | Public token-price API, no API key | United States |
Public RPC providers and CoinGecko receive only the wallet address being queried and the token contracts being read. They do not receive your email, your nickname, your photos, or any other personal data. From their side, the request looks like any other anonymous on-chain query.
For users in the EEA / UK, transfers to non-EU sub-processors (Postmark, MongoDB Atlas if the cluster is non-EU, Firebase Storage if the bucket is non-EU) rely on the Standard Contractual Clauses (SCCs) published by their respective vendors.
6. How we share your data
We do not sell your data. We do not share it with advertisers, data brokers, or any party that would use it for targeted advertising or scoring.
The only places your data is exposed beyond our infrastructure are:
- To other users you match with. Once you both swipe like or super-like, the other user can see your nickname, age, gender, photos, bio, and your wealth in the format you configured (tier badge, exact value, or hidden). They can also read messages you send them.
- To sub-processors listed above, strictly to operate the service.
- To law enforcement when compelled by a valid legal request (e.g. court order in our jurisdiction). We will push back on overbroad requests and will notify you where lawful.
- To a successor entity if WealthSwipe is acquired or merged. We will notify you in-app and by email before any such transfer takes effect.
7. Your rights
7.1 GDPR rights (EEA / UK / Switzerland)
You have the right to:
- Access the personal data we hold about you. Today you can fetch most of it directly from the app via the GET /auth/me and GET /profiles/me endpoints; on request we will export the rest.
- Rectify inaccurate data — edit your profile in-app, or email us.
- Erase your data — delete your account from Settings → Delete account, or email us. See Section 9 — Retention for what happens after deletion.
- Restrict processing or object to processing based on legitimate interests.
- Port your data — we will provide a JSON export on request.
- Withdraw consent — for example, revoking iOS notification permission disables push.
- Lodge a complaint with your local supervisory authority (e.g. the Italian Garante per la protezione dei dati personali, the Irish Data Protection Commission, the UK ICO).
To exercise any of these rights, email privacy@wealthswipe.app. We aim to respond within 30 days as required by GDPR.
7.2 CCPA / CPRA rights (California residents)
You have the right to:
- Know what personal information we collect, use, and disclose.
- Delete the personal information we hold about you.
- Correct inaccurate personal information.
- Opt out of sale or sharing of personal information — N/A: we do not sell or share personal information for cross-context behavioral advertising. This statement is provided for completeness as required by the CCPA.
- Limit use of sensitive personal information — we do not collect the categories of "sensitive personal information" defined by the CPRA (no SSN, no precise location, no biometrics, no financial-account credentials), so this right is effectively N/A.
- Non-discrimination — we will not deny service or charge a different price because you exercised a CCPA right.
To exercise CCPA rights, email privacy@wealthswipe.app. You may use an authorized agent.
8. Children
WealthSwipe is strictly 18+. We do not knowingly collect personal data from anyone under 18. The signup flow enforces an 18+ self-attestation and a date-of-birth check. If we discover that an account was created by a minor, we delete the account and all associated data. If you believe a minor has registered, email privacy@wealthswipe.app.
9. Retention
| Data | Retention |
|---|---|
| Account (email, hash, profile) | Until user-initiated deletion |
| Photos in Firebase Storage | Removed within 30 days of account deletion |
| Wealth snapshots | 365 days, then pruned |
| Match threads and messages | Lifetime of the conversation; on account deletion the deleted user's identity is removed and messages are anonymized to "deleted user" but message bodies remain visible to the surviving party (necessary for them to keep their own chat history) |
| Application logs | 90 days |
| Refresh tokens | Until expiry (30 days) or revocation |
| Password-reset tokens | 1-hour expiry, single-use |
10. Security
- Passwords are hashed with bcrypt at cost factor 12.
- All API traffic uses HTTPS (TLS terminated at Fly.io's edge).
- JWT access tokens are short-lived (15 minutes); refresh tokens rotate on every use and are revocable from the server.
- Firebase Storage rules enforce per-user write isolation — only the authenticated user can write to their own profiles/<userId>/ prefix. Photos are publicly readable, which is acceptable because they are intended to be shown to matches anyway.
- A successful password reset revokes every outstanding refresh token so any compromised session is invalidated.
- We rate-limit the login and password-reset endpoints to slow down credential stuffing.
No system is perfectly secure. If we discover a breach affecting your data, we will notify you and the relevant supervisory authority within the timeframes required by GDPR (typically 72 hours).
11. Cookies and tracking technologies
The WealthSwipe iOS app does not use cookies. We do not embed any web view that loads third-party advertising trackers.
We have Firebase Analytics and Firebase Crashlytics wired into the app, but currently we send only the bare-minimum default events (app open, screen view, crash reports). We do not send personally identifying data (email, nickname, wallet address) to Firebase Analytics.
12. Third-party SDKs in the iOS app
| SDK | What it does | Data it receives |
|---|---|---|
| @react-native-firebase/app | Bootstraps the Firebase SDK | Anonymous app-instance id |
| @react-native-firebase/analytics | Aggregate usage analytics | Default events, no PII |
| @react-native-firebase/crashlytics | Crash reporting | Stack traces, device model, OS version |
| @react-native-firebase/storage | Profile photo upload | Authenticated user id, image bytes |
| @react-native-firebase/auth | Authenticates the client to Firebase Storage via a custom token minted by our backend | The custom token, your WealthSwipe user id |
| @react-native-firebase/messaging | Push token registration and delivery | FCM device token, notification payloads |
| @walletconnect/sign-client | WalletConnect v2 dApp pairing | Public wallet address, signature requests |
| ethers | Local signature verification and JSON-RPC calls | Wallet address, public on-chain reads only |
None of these SDKs receive your password, your private keys, or your seed phrase — those values never leave your wallet app and (for the password) are hashed before they leave your device.
13. Changes to this policy
We may update this policy from time to time. When we make a substantive change, we will:
- Bump the Last Updated date at the top.
- Push a notification or display an in-app banner the next time you open WealthSwipe.
- For material changes (new categories of data, new sub-processors, new monetization mechanic) we will give you a 30-day notice before the change takes effect.
14. Contact
Questions, requests, or complaints: privacy@wealthswipe.app
If we have not addressed your concern, you may contact your local data-protection authority. EU/UK users can find theirs at https://edpb.europa.eu/about-edpb/about-edpb/members_en.