twalow
Privacy Policy
This page explains what twalow collects, how we use it, and what we don't do with it. Plain language, no fluff.
What we collect
- Account info: your email, your password (stored as a one-way hash, never readable), the gender you select, and your age range.
- Photos: the photos you upload. They're displayed to other users for rating.
- Activity: the ratings you give and receive, the tags you give and receive, the photo comparisons you create or vote in.
- Anti-abuse signals: a fingerprint cookie, your IP address, and rate-limit data so we can prevent spam, brigading, and abuse.
- Optional location: if you opt into the "nearby" feature, an approximate location while you're broadcasting. We don't store precise coordinates after you stop broadcasting.
How we use it
- To run the rating service: matching photos to raters, computing scores, surfacing your tags and ratings on your profile.
- To prevent abuse: spotting duplicate accounts, throttling automated activity, and removing content that violates the rules.
- To produce aggregate statistics: counts of ratings, demographic breakdowns of votes (e.g. "60% of women aged 25-34 picked photo A"). These are aggregate, not individual.
Why we're allowed to process this data
Under data protection laws (including the EU's GDPR and the UK GDPR), we rely on the following legal bases:
- Contract: we process your account info, photos, ratings, tags, and battle votes because you signed up to use a rating service. Without this data the service can't function.
- Legitimate interest: we process anti-abuse signals (fingerprint, IP, rate limits) to prevent fraud, spam, and brigading. We process aggregate statistics to operate and improve the service.
- Consent: the optional "nearby" location feature only runs if you opt in by enabling location. You can revoke this at any time by stopping the broadcast or denying browser permission.
- Legal obligation: we may keep certain records (e.g. for content moderation or to respond to lawful requests) to meet our obligations.
What we don't do
- We don't sell your data to anyone.
- We don't run third-party advertising networks that track you across other sites.
- We don't expose who rated you. Ratings are anonymous to the person being rated.
- We don't expose your email, age, or photos to anyone except as part of the rating service.
Cookies
We use a session cookie to keep you logged in, and an anti-abuse fingerprint cookie that helps us prevent spam and rate manipulation. We do not use advertising cookies.
How long we keep it
- Account data and photos: kept until you delete your account or remove the photo. Removed photos are taken out of rotation and excluded from future comparisons.
- Ratings and tags: kept while either party (rater or rated) has an active account. When an account is deleted, that user's outgoing ratings and tags are anonymized or removed.
- Anti-abuse signals (fingerprint, IP, rate-limit data): kept for up to 12 months, then deleted or aggregated. We may keep records longer where required to investigate an open abuse case.
- Location data (nearby feature): only stored while you're actively broadcasting. Discarded shortly after you stop. Aggregated nearby counts may be kept longer in non-identifying form.
- Backups and logs: system logs and backups may contain residual data for up to 30 days after deletion before being overwritten.
Your rights
You have the following rights over your data. Most can be exercised directly in the product; for others, email twalow@gmail.com and we'll respond within 30 days (the GDPR limit).
- Access: request a copy of the personal data we hold about you.
- Rectification: ask us to correct anything inaccurate (e.g. wrong age range or gender).
- Deletion ("right to be forgotten"): delete any of your photos from your profile at any time, or request full account deletion by email. We'll remove your account, photos, and outgoing ratings within a reasonable time, subject to the backup retention noted above.
- Portability: request your data in a machine-readable format so you can take it elsewhere.
- Restriction: ask us to pause processing of your data while a dispute is resolved.
- Objection: object to processing that relies on legitimate interest (e.g. anti-abuse signals). We'll honour the objection unless we have an overriding lawful reason to continue.
- Withdraw consent: where we rely on consent (e.g. the nearby feature), you can withdraw it at any time without affecting prior lawful processing.
- Complaint: if you're in the EU/UK, you have the right to complain to your local data protection authority. We'd appreciate the chance to address it first by email.
- You can also hide your numeric score from your own profile via the "Hide number" toggle. This is a display preference, not a deletion.
Service providers
We host on cloud infrastructure (currently AWS) and use standard infrastructure services to operate the site. These providers process data on our behalf under their own security and privacy controls. We don't share data with them beyond what's necessary to run the site.
International data transfers
twalow is operated from servers in the United States. If you access the service from the EU, UK, or other regions outside the US, your data is transferred to and processed in the US. We rely on the following safeguards for these transfers:
- Our hosting provider (AWS) is certified under the EU-US Data Privacy Framework and the UK Extension to that framework.
- Where the framework does not apply, transfers rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
For questions about transfer safeguards or to request a copy of the SCCs we rely on, email twalow@gmail.com.
California residents (CCPA / CPRA)
If you're a California resident, you have the right to know what personal information we collect about you, to request deletion, to correct inaccuracies, and to opt out of any "sale" or "sharing" of your personal information. The categories listed under "What we collect" above apply to you, and the contact route under "Your rights" is the same.
We do not sell your personal information and we do not share it for cross-context behavioural advertising. There is therefore no "Do Not Sell or Share My Personal Information" link to provide. We don't use your data to make significant automated decisions about you.
Not for under-18s
twalow is for adults only. If we learn that someone under 18 has signed up, we'll remove the account.
Updates
We may update this policy from time to time. Material changes will be reflected in the "last updated" date above and, where appropriate, called out on the site.
Contact
Privacy questions, account deletion requests, or anything else? Email twalow@gmail.com.