EXY Privacy Policy
Effective date: 17 May 2026 · Last updated: 17 May 2026
EXY is a dating and connections app published by Halo AI Services Ltd
("EXY", "we", "us"). This policy explains what personal data we collect when you use the
EXY iOS app, why we collect it, how we use and share it, how long we keep it, and the
rights you have over your data. We have written it in plain English. If anything is
unclear, contact us at privacy@haloaiservices.com.
1. Who is the data controller?
Halo AI Services Ltd is the data controller for personal data processed through EXY.
We are registered in the United Kingdom. Our contact address for privacy questions is
privacy@haloaiservices.com.
2. What personal data we collect
2.1 Data you give us
- Account: email address, password (stored hashed by our auth provider, never in plain text), display name, date of birth, gender, pronouns.
- Profile: bio, interests, relationship style, photos and short videos you upload, optional voice prompts you record.
- Optional verification: a selfie you submit so we can confirm your photos match you.
- Discovery preferences: distance and age range you choose, who you want to be matched with.
- Messages and reactions: the content of messages, GIFs, voice notes, and emoji reactions you exchange with matches.
- Safety signals: profiles you block, reports you submit, and the reason you give for reporting.
- Subscription state: whether you have purchased EXY Premium or a Boost, including the Apple-issued transaction id (not your card details — Apple handles payment).
2.2 Data we collect automatically
- Device identifiers: a per-install user id used to associate your data, and an Apple Push Notification token so we can send you notifications.
- Activity: the timestamps of your last sign-in and last activity, used to show "active recently" indicators and order Discover results.
- App diagnostics: if you opt into crash reporting, we collect crash stack traces (no personal content) so we can fix bugs.
2.3 What we do not collect
- We do not request your device location. Distance between users is calculated only from the city you choose to share, never from GPS.
- We do not track you across other apps or websites.
- We do not sell your data.
- We do not use third-party advertising SDKs.
3. Why we collect it and the legal basis
| Purpose | Legal basis (UK GDPR / EU GDPR) |
|---|
| Run your account and let you sign in | Contract (Art. 6(1)(b)) |
| Show your profile to people who match your criteria, and theirs to you | Contract |
| Deliver messages between matches | Contract |
| Send push notifications about matches, likes, and messages | Consent (you can disable in iOS Settings) |
| Process safety reports and enforce community standards | Legitimate interest (Art. 6(1)(f)) |
| Verify your age (17+ required) | Legal obligation |
| Process subscription purchases | Contract |
| Diagnose crashes (if you've opted in) | Consent |
4. Who we share it with
We share the minimum data needed with the following processors:
- Supabase — hosts our database, file storage, and authentication. Your profile, photos, messages, and account credentials are stored here. Supabase processes data in the EU and US under standard contractual clauses.
- Apple — processes push notification tokens via APNs, and handles all subscription payments via the App Store. We never see your card details.
- Sentry (if you've opted in to crash reporting) — receives crash stack traces and basic device metadata.
We do not share your data with advertisers, data brokers, or any party for marketing.
Law enforcement requests are honoured only with a valid legal order.
5. How long we keep it
- Account and profile: for as long as your account is active. If you don't sign in for 24 months we email you and delete the account 30 days later.
- Messages: kept while either party retains the match. Removed when either side unmatches or deletes their account.
- Photos and voice prompts: deleted from storage within 30 days of you removing them from your profile, or immediately on account deletion.
- Safety reports: kept for 7 years for safety, audit, and dispute purposes, then deleted.
- Diagnostic crashes: kept for 90 days.
6. Your rights
Under UK and EU GDPR, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and all associated data — directly inside the app via Settings → Account → Delete Account.
- Export your data in a portable format — email us and we'll send a JSON export within 30 days.
- Withdraw consent for crash reporting and push notifications at any time, without affecting the lawfulness of prior processing.
- Object to processing based on legitimate interest.
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.
To exercise any of these rights, contact privacy@haloaiservices.com.
We respond within 30 days.
7. Age policy
EXY is rated 17+ and intended only for users 18 years and over. We require you to confirm
your date of birth on first launch. If we learn that a user is under 18 we permanently
close the account.
8. International transfers
Supabase and Sentry may process data in the United States. These transfers rely on the
EU Standard Contractual Clauses and the UK International Data Transfer Addendum.
9. Security
All network traffic uses HTTPS/TLS. Your auth tokens are stored in the iOS Keychain,
encrypted by the operating system. Photos and voice prompts are stored in private
Supabase Storage buckets with row-level security rules enforcing that only the owner can
read or modify them.
10. Changes to this policy
If we make material changes we will notify you in the app and update the "effective date"
above. Continued use of the app after the effective date means you accept the change.
11. Contact
Halo AI Services Ltd
Email: privacy@haloaiservices.com
Postal address: available on request.