This Privacy Policy explains what personal data 1v1.social ("1v1", "we", "us") collects when you use the website and application available at www.1v1.social (the "Service"), why we collect it, how long we keep it, who we share it with, and the rights you have under data-protection law (including UK GDPR, EU GDPR, and CCPA).
We are the data controller for personal data processed about you in connection with the Service. Every section has a plain-language summary at the top and the full detail underneath.
1. What data we collect
The short version: account info you give us, content you post, technical signals from your device, and minimal call/voice metadata. We do not record voice calls.
Information you give us
- Account: username, email address, password (stored as a bcrypt hash — we never see the plaintext), date of birth (used to derive an age band; we do not store the raw DOB after derivation), and your initial profile bio if any.
- Sign in with Google: if you choose to authenticate with Google instead of a password, Google shares with us your verified email address and a unique Google account identifier (the OpenID "sub" claim). We use these to create or recognise your 1v1 account. We do not request access to your Google contacts, Drive, or any other Google service. Google's handling of the OAuth flow itself is governed by Google's Privacy Policy.
- Profile: display name, bio, social links you choose to add, avatar image (uploaded to our storage provider), interests, mood, equipped cosmetic perks.
- User Content: direct messages (text, voice, image), Spotlight posts, Story audio, live-room chat messages, comments, waves, and reactions.
- Communications with us: bug reports, feedback messages, abuse reports, ban appeals, DMCA notices.
Information we collect automatically
- Device & connection: IP address, user-agent (browser + OS), language, timezone, and approximate region inferred from your IP. We use this for security and anti-abuse.
- Service usage: the actions you take on the Service (login attempts, posts created, friends added, calls completed, etc.) and timestamps. Some events are written to an append-only audit log for moderation and security forensics.
- Call metadata: for 1-on-1 voice calls and live rooms, we record start/end timestamps, duration, peer IDs, and end reason. We do not record or transcribe the audio itself by default.
- Push notification subscription: if you enable push notifications, we store the subscription endpoint and public keys your browser provides. We do not have access to your device-level tokens.
- Cookies: see section 7.
Information we do not collect
- We do not record, transcribe, or store the audio content of 1-on-1 voice calls or live rooms.
- We do not collect contact lists or scan your device for other accounts.
- We do not buy data about you from third-party data brokers.
- We do not run third-party advertising trackers.
2. Why we use your data
We use your personal data for the following purposes:
- Operate the Service. Authenticate you, route calls, deliver messages, maintain your friend graph, render your profile, send transactional emails (verification, password reset, weekly digest if subscribed).
- Safety and trust. Detect abuse, fraud, and bot activity. Action reports. Apply bans, shadow bans, and rate limits. Identify ban evasion.
- Analytics (aggregate). Understand how the Service is used in aggregate so we can improve it. We do not build advertising profiles.
- Legal compliance. Comply with applicable law, respond to lawful requests from law-enforcement, and enforce our Terms of Service.
- Communicate with you. Respond to support requests; notify you of security or service-affecting changes; send the optional emails you have opted into.
3. Legal basis for processing (UK / EU GDPR)
Where UK or EU GDPR applies to your use of the Service, our legal bases are:
- Performance of a contract (Article 6(1)(b)): for processing necessary to provide the Service to you (account creation, message delivery, call routing, etc.).
- Legitimate interests (Article 6(1)(f)): for safety, fraud prevention, abuse detection, security forensics, aggregate analytics, and direct communication about the Service. Where we rely on legitimate interests, we balance them against your rights and interests.
- Consent (Article 6(1)(a)): for non-essential cookies, marketing emails, and any optional features for which we ask you to opt in. You may withdraw consent at any time.
- Legal obligation (Article 6(1)(c)): for retention of certain audit data and for responding to lawful process.
4. Who we share data with
We share personal data only with the limited categories of recipients listed below:
- Other users see content you choose to make visible — your username and avatar (always), your profile bio and social links (if you publish them), your Spotlight posts and Stories (visible to all signed-in users), your DMs (visible only to the friend you sent them to), your live-room chat (visible to room members while the room is active).
- Infrastructure providers (data processors acting on our behalf):
  - Railway — application hosting and runtime logs.
  - MongoDB Atlas — primary database.
  - Cloudflare R2 — object storage for avatars, voice messages, story audio, and image attachments.
  - Resend — transactional email delivery (verification, password reset).
  - Sentry — error and exception reporting (does not include your message content).
- Authentication providers (separate controllers, not processors):
  - Google — if you choose to sign in with Google, Google supplies us with your verified email address and a unique Google account identifier. Google acts as a separate controller for the OAuth flow on its side; once Google passes the data to us, we become the controller for that data within the Service.
- Authorities when we are required to comply with a valid legal process (subpoena, court order, statutory request) or when we reasonably believe disclosure is necessary to prevent harm.
- Acquirers in connection with a corporate transaction (merger, acquisition, asset sale). If that ever happens, we will give notice and any new operator will continue to be bound by terms substantially similar to these.
We do not sell your personal data. We do not share it with advertisers or data brokers.
5. How long we keep data
We keep personal data only for as long as necessary for the purposes set out above. Concrete retention windows:
- Account & profile: for as long as your account exists. Deleting your account erases your profile data within 30 days; backups are pruned within 90 days.
- Direct messages: until you or the other party deletes the message or until the account associated with the message is deleted. Deleting your account deletes the messages you sent; messages others sent to you are deleted from your view but may persist on their side until they delete them.
- Spotlight posts & comments: until you delete them or your account is deleted.
- Stories: auto-delete 24 hours after posting (audio files in storage and the database record both removed).
- Voice messages in DMs: deleted with the message they belong to.
- Live-room chat: retained briefly after the room ends for moderation review, then deleted.
- Call metadata: retained for up to 90 days for abuse-handling and analytics, then aggregated.
- Audit log entries (security & moderation): retained for up to 12 months.
- Banned-account records: retained indefinitely to enforce the ban (preventing re-registration with the same identifiers).
- Server logs: retained on Railway for the duration of Railway's default log retention (typically 7-30 days).
6. Security
We use HTTPS for all traffic (TLS 1.2+), HSTS, DNSSEC, and CAA records to protect domain integrity. Passwords are hashed with bcrypt. Sensitive cookies are HttpOnly and Secure with SameSite=Lax. Sessions are signed JWTs with rotation on logout. We rate-limit state-changing endpoints and run abuse heuristics on signups, login attempts, and message activity.
No online service is perfectly secure. If we discover a security incident affecting your personal data, we will notify affected users and the relevant supervisory authority within the timelines required by applicable law (within 72 hours for UK GDPR breaches that are likely to risk your rights and freedoms).
7. Cookies and similar technologies
1v1 uses a small number of cookies and similar storage. None are used for advertising.
- Strictly necessary (no consent needed): the auth session cookie, the CSRF cookie, and the cookie-consent state itself. These are required for the Service to work and are deleted when you log out or close your browser as appropriate.
- Functional (consent required where law requires): your theme preference, language preference, and recently-viewed-users list. Stored in localStorage; never transmitted to third parties.
- Analytics (consent required, opt-in): aggregate, privacy-preserving usage signals if you opt in via the cookie banner. Off by default.
You can change your cookie preferences any time from the cookie banner or from Settings → Privacy.
8. Your rights
If UK or EU GDPR applies to your use of the Service, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate personal data.
- Erase your personal data ("right to be forgotten"). The simplest way to exercise this is to delete your account from Settings → Account.
- Restrict or object to certain processing.
- Portability: receive a copy of your data in a structured, commonly used, machine-readable format.
- Withdraw consent at any time for processing based on consent.
- Lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO).
You can exercise most of these rights from inside the Service (Settings → Privacy and Settings → Account). For everything else, email privacy@1v1.social. We respond within 30 days; if a request is complex or large in volume we may extend by a further 60 days and will tell you why.
California residents have similar rights under the CCPA / CPRA, including the right to know, delete, correct, and opt out of "sales" or "sharing" of personal information. We do not sell or share personal information as those terms are defined in the CCPA.
9. International transfers
1v1 is operated from the United Kingdom. Data we collect may be transferred to and processed in countries other than the country where you live (in particular, the United States and the European Union, where some of our processors operate). When we transfer personal data outside of the UK or the EEA, we rely on appropriate safeguards — typically the European Commission's Standard Contractual Clauses with UK and Swiss addenda where applicable.
10. Children
1v1 is not intended for users under 13 years old. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, contact privacy@1v1.social and we will delete it.
If you are between 13 and 16 and located in a region where parental consent is required, you confirm that a parent or guardian has consented to your use of the Service.
11. Changes to this Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date above and, for material changes, notify you through the Service or by email. The most recent version is always available at https://www.1v1.social/privacy.
12. Contact us
For privacy questions, data-rights requests, or to report a privacy concern, email privacy@1v1.social. For abuse reports, email abuse@1v1.social.