legal · gdpr
Privacy Policy
Who we are
Kora is a dating and activity-booking service: you match with people nearby and book a real-world activity at a partner venue for your date. This policy explains what personal data we process when you use the Kora mobile app, the merchant portal, or this website, the legal bases we rely on, and the rights you have over your data. It is written to meet the EU General Data Protection Regulation (GDPR).
The data controller responsible for your personal data is the company that operates Kora — a company being established in Romania, where the service launches.
Pending incorporationKora is in the process of being incorporated as a Romanian company. The operating company’s legal name, registered office, and company/VAT registration numbers will be confirmed on the Imprint before public launch.
For any privacy question, or to exercise your rights, write to privacy@koraexperiences.com. If we appoint a Data Protection Officer, their contact details will be published here.
Data we collect
When you use Kora as a dater, we process:
- Account & sign-in. Your email address and password, which are handled by our authentication provider, Supabase. We never store your password, and we never see your full password. The dater app signs you in with email and password (with a one-time email code to confirm your address); sign-in with Google or Apple is not yet available in the app.
- Profile. Your first name, date of birth (used to confirm you are 18 or over and to show your age), gender, sexual orientation, the genders you are interested in meeting, your height, photos, a short bio, up to three interest tags, and optional lifestyle details (drinking, smoking, diet, workout, pets, education, communication style, love language, social-media use, and sleep habits).
- Discovery preferences. The distance, age range, genders, height range, and interests you want to see.
- Location. When you allow it, your device’s position — collected as a single fix from the app’s “while using the app” location permission, never as a continuous trail. Other people never see your coordinates; they only ever see an approximate distance to you. Location is optional: without it, the distance filter simply does not apply.
- Matches & messages. Your likes and passes, your matches, the text messages you send (chat is text-only), and the date proposals you make or receive.
- Bookings & payments. Which activity you booked, with whom, the amount, the payment mode (split or host-pays-all), and the payment and refund status. Each booking also keeps a snapshot of the activity and venue details (including the venue address) at the time you booked. Card details are entered directly with Stripe — Kora never sees or stores your full card number.
- Safety reports. If you report another person, we keep the report and any reason you give, so our team can act on it. Reports are never shown to the person you report.
- Activity & device data. When you were last active, your device type and platform (iOS/Android), app version, your push-notification token, IP-derived data, and crash and diagnostic logs that help us keep the service working.
If you are a merchant (venue partner), we process:
- Business & contact details. Your business email and how you signed in, your legal business name, your trading (display) name, a contact phone number, your business category, and your venues’ names, addresses, opening hours, and descriptions.
- Payout & verification (via Stripe). To pay you out, Stripe collects your bank/IBAN and the identity-verification documents that Stripe Connect requires. These are handled entirely by Stripe — Kora never receives or stores your bank details or identity documents. We keep your Stripe account identifier and your verification status, and we send Stripe your business name, contact details, and one venue address to open your payout account.
Special-category data
Because Kora is a dating service, some of the data you choose to share is special-category data under Article 9 of the GDPR — in particular your sexual orientation and the genders you are interested in meeting. Some optional details can also reveal special-category data: for example a halal diet can indicate a religious belief, and your photos may reveal characteristics such as ethnicity. You decide what to add, and you can leave any of it out.
We process this data for one purpose only: to run the core dating features and show you relevant people. Our legal basis is your explicit consent (Article 9(2)(a)), which you give when you complete your profile. You can withdraw it at any time by editing or deleting that information, or by deleting your account — note that removing it may stop the matching features from working.
We never sell this data, and we never use it for advertising.
Purposes & legal bases
We only process your data where the law gives us a basis to. Specifically:
- Run your account and deliver the service (profiles, matching, chat, bookings) — performance of our contract with you (Art. 6(1)(b)); for special-category data, your explicit consent (Art. 9(2)(a)).
- Take payment and issue refunds — performance of our contract (Art. 6(1)(b)).
- Keep the service safe — handling abuse reports, preventing fraud, and removing accounts that break our rules — our legitimate interest in a safe community (Art. 6(1)(f)).
- Understand and improve the product — with your consent for analytics where consent applies (see “Cookies & analytics”), otherwise our legitimate interest in aggregate, non-identifying usage metrics (Art. 6(1)(f)).
- Meet legal obligations — accounting, tax, and anti-fraud duties (Art. 6(1)(c)).
- Communicate with you — service messages such as account confirmations, booking updates, and security notices, which are part of providing the service (contract). We do not send marketing or newsletter emails today; if we ever do, it will be optional and only with your consent, which you could withdraw at any time.
Where we rely on legitimate interests, we have weighed them against your rights and freedoms, and you can object to that processing at any time (see “Your rights”).
Matching & automated processing
Kora chooses which profiles to show you using the preferences you set — distance, age range, height, the genders you want to meet, and your interests — together with basic recency signals. This is automated, but it does not produce legal or similarly significant effects on you within the meaning of Article 22 of the GDPR: it only decides whose profile is shown to you. You stay in control of who you like, match, message, and meet.
We do not make automated decisions that have legal or similarly significant effects, and we do not profile you for advertising. The age shown on your profile is a number worked out from your date of birth — your exact birth date is never shown to other users.
Who receives your data
We use a small number of trusted providers to run Kora. They process your data only on our instructions, under a data-processing agreement. The current list, with each provider’s role and hosting region, is maintained on our sub-processor list. In summary:
- Supabase — our database, authentication (including your email and password), file storage for your photos (kept in private storage and served through short-lived links), and realtime chat delivery. Hosted in the EU (Ireland).
- Stripe — payments, refunds, and merchant payout onboarding and identity verification (Stripe Connect).
- Resend — transactional and account email (such as welcome, booking, and account notices).
- Expo — delivery of mobile push notifications. Push content can include a match or sender’s first name and a short message preview.
- Mapbox — converting a merchant’s venue address into map coordinates.
- Amplitude — product analytics, used only where you have given consent, with data processed in its EU server zone.
- Sentry — error and crash monitoring, configured to minimise personal data.
- Vercel (website and portals) and Google Cloud (our API, hosted in the EU — Belgium) — our hosting providers.
When you tap “directions” to a booked venue, your device opens your own maps app (Apple or Google Maps) with the venue location — that is your maps app, not a Kora transfer.
International transfers
We aim to keep your data in the EU/EEA: our database, file storage, and API are hosted in the EU, and our analytics provider is configured for its EU server zone. Some providers are based in, or process data in, the United States — in particular Stripe, Vercel, Sentry, and Expo. Where data leaves the EEA, the transfer is covered by the European Commission’s Standard Contractual Clauses, the EU–US Data Privacy Framework, or another lawful safeguard, and we make the relevant information available on request.
How long we keep your data
We keep your personal data for as long as your account is active. You can delete your account at any time:
- Daters can delete from the app immediately. When you do, we anonymise your profile straight away: your name, bio, location, photos, and the messages you sent are removed from view, and your email address is replaced with a one-way hash, so the account can no longer be linked to you.
- Merchants request deletion from the portal; we review the request (so any in-progress bookings and payouts are settled), then anonymise the account and close the Stripe payout account.
Some data is, by its nature or by law, kept beyond deletion: a booking keeps the first name and photo reference of each participant as part of its record, and we keep booking, payment, and refund records to meet Romanian accounting and tax obligations (generally up to ten years). We also keep limited safety records (for example relating to an account removal or an abuse report) for as long as needed to keep other users safe, and an internal log of administrative actions. Residual files and the underlying sign-in record are then erased on a scheduled basis.
“Deletion” of an account is therefore an anonymisation: a hashed identifier and the records above remain, but the account is no longer identifiable to you.
Security
We protect your data with a layered set of controls:
- Encryption in transit (HTTPS/TLS) for all traffic to our website, app, and API.
- Database-level access controls (row-level security) so each person can reach only their own data, and signed requests checked on every API call.
- Separately scoped sign-in sessions for the dater app, the merchant portal, and the admin area, so a session in one cannot be used in another. On mobile, your session is held in the device’s secure keystore.
- Passwords and credentials handled by Supabase — we never store passwords in plain text — and passwords, tokens, and similar secrets stripped out of our error and diagnostic logs.
- Rate limiting and anti-abuse protections on sign-in and other sensitive actions, and a password-reset flow designed not to reveal whether an email address has an account.
No service can be perfectly secure, but we work to protect your data and will notify the competent supervisory authority within 72 hours where required (Art. 33), and inform you without undue delay where a breach is likely to result in a high risk to you (Art. 34).
Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you, and get a copy;
- correct data that is wrong or out of date;
- delete your data (“right to be forgotten”);
- receive your data in a portable format, or have it sent to another service;
- restrict or object to certain processing, including processing based on our legitimate interests; and
- withdraw any consent you have given, without affecting past processing.
You can do most of this yourself in the app — edit your profile, or delete your account from Settings. Otherwise, write to privacy@koraexperiences.com or use the form at /contact under “Legal / Privacy”. We respond within one month. Merchant account deletion is reviewed by our team before it is carried out, so that in-progress bookings and payouts are settled.
Age limit (18+)
Kora is strictly for adults. You must be at least 18 to create an account: we ask for your date of birth and block accounts where it indicates you are under 18. We do not run identity or age verification beyond this, so we cannot guarantee every user’s declared age — meet with care. We do not knowingly collect data from anyone under 18. If you believe a minor has registered, contact us at privacy@koraexperiences.com and we will remove the account.
Changes to this policy
We update this policy when our data practices change — not only on a fixed schedule. If a change is material, we will tell you in the app or by email before it takes effect. The “last updated” date at the top always reflects the current version, and previous versions are archived.
Complaints
If you think we have mishandled your data, please contact us first so we can put it right. You also have the right to complain to a data-protection authority. As Kora operates from Romania, our lead authority is the Romanian ANSPDCP. If you live elsewhere in the EU, you may also contact the supervisory authority in your own country of residence.