Legal document

iCupid PRIVACY POLICY

1. Introduction

This Privacy Policy explains how Happy Corner HK Limited, a company incorporated in Hong Kong under company number 74069484, with its registered office at 12/F, Hang Seng Causeway Bay Building, 28 Yee Wo Street, Causeway Bay, Hong Kong (“Company”, “iCupid”, “we”, “us” or “our”), collects, uses, processes, stores, discloses, transfers, retains and deletes Personal Data in connection with iCupid.

This Privacy Policy applies to:

• the iCupid mobile application;
• the iCupid website;
• artificial intelligence-powered features provided through iCupid;
• subscriptions, Credits and other digital products;
• customer support, safety, moderation and account-management services; and
• any related service that links to this Privacy Policy,

collectively, the “Service”.

For the purposes of the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (“PDPO”), the Company is the data user responsible for determining how and for what purposes Personal Data under its control is used.

Please read this Privacy Policy together with:

• our Terms of Use;
• any Personal Information Collection Statement;
• any AI-processing or third-party disclosure notice;
• any device-permission notice;
• any purchase or subscription terms; and
• any other privacy notice displayed when Personal Data is collected.

2. Definitions

In this Privacy Policy:

“AI Companion” means an AI-generated boyfriend, girlfriend, dating partner, coach, communication partner, fictional character or similar interactive character made available through the Service.

“AI Provider” means a third-party provider of an artificial intelligence model, machine-learning system, language model, image-analysis system or related technology.

“App” means the iCupid mobile application.

“Credits” means contractual units or entitlements used to access designated features of the Service.

“Personal Data” means information relating directly or indirectly to a living individual from which it is practicable for that individual’s identity to be directly or indirectly ascertained, and in a form in which access to or processing of the information is practicable.

“Provider” means an AI Provider or another third-party service provider used to operate, secure, support or improve the Service.

“User Content” means any prompt, message, text, screenshot, image, profile information, preference, conversation, feedback or other content submitted by or on behalf of a user through the Service.

3. Scope of This Privacy Policy

This Privacy Policy applies to Personal Data processed by or on behalf of the Company through the Service.

It does not govern:

• a third party’s independent processing when you interact directly with that third party;
• websites, applications or services operated independently by third parties;
• information processed entirely on your device and not transmitted to us or a Provider;
• information that has been irreversibly anonymised so that no individual can reasonably be identified; or
• information relating to a deceased person, except where applicable law provides otherwise.

Where a Provider processes Personal Data on our behalf, we take reasonable steps designed to manage that Provider in accordance with applicable law and our contractual arrangements.

4. Personal Information Collection Statement

This section constitutes our general Personal Information Collection Statement. It may be supplemented by a shorter or more specific notice displayed at or before the point of collection.

4.1 Purposes of collection

We may collect Personal Data for the following purposes:

• creating, authenticating and administering accounts;
• confirming eligibility and minimum-age requirements;
• providing AI-powered features and requested analyses;
• processing prompts, messages, screenshots, images and conversations;
• maintaining AI Companion continuity, memory and preferences;
• personalising the Service;
• providing subscriptions, Credits and paid entitlements;
• validating transactions and restoring purchases;
• providing customer support;
• maintaining security and preventing fraud, abuse and unlawful activity;
• moderating content and enforcing our Terms of Use;
• operating, analysing, testing and improving the Service;
• communicating material service, policy, billing and security information;
• complying with legal, regulatory, tax and accounting obligations;
• establishing, exercising or defending legal claims; and
• conducting direct marketing where the consent required by law has been obtained.

4.2 Mandatory and voluntary information

Providing Personal Data is generally voluntary.

Certain information is mandatory where it is reasonably required to:

• create or secure an account;
• confirm eligibility;
• provide a requested function;
• process submitted content;
• validate a purchase;
• restore an account or entitlement;
• investigate a safety, fraud, support or security matter; or
• comply with law.

If you do not provide required information, we may be unable to:

• create or maintain your account;
• provide the requested AI feature;
• analyse an uploaded screenshot or image;
• personalise or retain an AI Companion conversation;
• validate or restore a purchase;
• respond fully to a support request; or
• continue providing some or all of the Service.

Optional profile information, photographs, preferences, marketing consent and personalisation information may be withheld. However, doing so may reduce the availability or relevance of certain features.

4.3 Classes of transferees

Personal Data may be transferred or disclosed to:

• AI Providers;
• cloud, database, authentication, storage and hosting Providers;
• content-safety, cybersecurity and fraud-prevention Providers;
• analytics, logging, diagnostic and crash-reporting Providers;
• Apple, Google and other app-store, subscription or payment Providers;
• email, notification and customer-support Providers;
• professional advisers, auditors and insurers;
• members of our corporate group;
• prospective or actual parties to a corporate transaction;
• courts, regulators, law-enforcement agencies and other persons legally entitled to receive the information; and
• persons authorised or directed by you.

Further details are set out below and in our current AI Provider and Subprocessor List.

4.4 Access and correction

Subject to applicable law, you may request access to and correction of Personal Data held by us.

Requests should be made in writing to:

Privacy Contact: iCupid Privacy Officer

Email: privacy.icupid@soulcial.co

We may request information reasonably necessary to verify your identity and locate the relevant Personal Data. A fee may be charged for a data-access request where permitted by law, but any such fee will not be excessive.

4.5 Direct marketing

We will not use Personal Data for direct marketing where consent is required by law unless we have provided the legally required information and obtained valid consent.

You may opt out of direct marketing at any time without charge.

5. Personal Data We Collect

The Personal Data we collect depends on the features you use, the content you submit, your settings, your device and the permissions you grant.

5.1 Account and authentication information

We may collect:

• email address;
• username or display name;
• internal user identifier;
• encrypted or hashed authentication credentials;
• third-party login identifier;
• authentication and session tokens;
• age or confirmation that you are at least 18;
• account creation date;
• language, country and regional preferences;
• account status;
• login history;
• security and verification information; and
• records of your acceptance of policies and notices.

We generally do not require a government identity document unless reasonably necessary for an authorised age-verification, account-recovery, fraud-prevention or legal-compliance process.

5.2 Profile and personalisation information

If you use profile-building, coaching or personalisation features, we may collect information you choose to provide, including:

• name or preferred name;
• age or age range;
• gender;
• communication or dating preferences;
• relationship goals;
• interests and hobbies;
• occupation or industry;
• education;
• personality or communication style;
• profile biography;
• photographs;
• dating-app profile content;
• preferred language or tone;
• preferred AI Companion characteristics; and
• other information you choose to submit.

You are not required to provide profile information that is unnecessary for the feature you wish to use.

5.3 Prompts, messages and conversations

We may collect and process:

• prompts;
• questions and instructions;
• messages submitted for analysis;
• conversation text;
• suggested replies;
• AI Companion conversations;
• role-play and practice conversations;
• recent conversation context;
• conversation summaries;
• saved memories or preferences;
• ratings and feedback concerning AI responses;
• generated responses and analyses;
• safety classifications; and
• contextual information required to provide the requested function.

5.4 Screenshots, photographs and images

When you upload or select an image, we may receive:

• conversation screenshots;
• dating-profile screenshots;
• photographs or other selected images;
• text visible within an image;
• names, usernames, profile photographs or other information visible in the image;
• image dimensions, format and technical metadata retained by the upload process;
• content-safety classifications; and
• information inferred from the image for the purpose of providing the requested analysis.

Where your operating system provides a limited photo picker, we ordinarily receive only the images you select rather than your entire photo library.

You should remove, crop, redact or blur unnecessary identifying or sensitive information before uploading an image.

5.5 Information about other persons

User Content may contain Personal Data relating to another person, including:

• their name or username;
• profile photograph;
• messages or statements made by them;
• contact details;
• relationship information;
• interests, views or preferences;
• workplace or location information; and
• other information visible in a conversation or profile.

You must only submit such information where you have an appropriate right, permission or other lawful basis to do so.

We do not independently verify whether you have obtained all permissions required in relation to another person’s information.

5.6 Device, network and technical information

We may automatically collect:

• IP address;
• approximate region inferred from an IP address;
• device type and model;
• operating system and version;
• App version;
• browser type;
• language and time-zone settings;
• mobile network or internet-service information;
• device, installation or application identifiers;
• push-notification tokens;
• authentication and session information;
• server-request timestamps;
• application and server logs;
• crash, error and diagnostic information;
• API performance information;
• security events;
• network status; and
• information required to detect faults, abuse or unauthorised activity.

We do not collect precise GPS location unless a particular feature clearly requests that information, explains the purpose and obtains any permission required by law or the relevant operating system.

5.7 Usage and interaction information

We may collect:

• features used;
• screens or pages viewed;
• buttons, settings and functions selected;
• frequency and duration of use;
• number and type of AI requests;
• AI Provider or processing route used;
• input and output length;
• token or technical-resource usage;
• Credits purchased, granted, consumed or expired;
• subscription tier;
• entitlement and usage-limit information;
• safety-filter events;
• App performance;
• referral or campaign information; and
• interaction with service and promotional communications.

5.8 Purchase and subscription information

Where you make a purchase, we may receive:

• product or subscription identifier;
• purchase date;
• renewal and expiry date;
• transaction, receipt or order identifier;
• subscription status;
• refund, cancellation or chargeback status;
• price and currency;
• payment platform;
• country or region of purchase;
• promotional or trial status; and
• information needed to validate a purchase or restore an entitlement.

Purchases made through Apple App Store or Google Play are processed by the relevant platform. We generally do not receive your full payment-card number, card security code or complete banking credentials.

5.9 Customer-support information

If you contact us, we may collect:

• your name and contact details;
• account identifier;
• the content of your request;
• relevant transaction or entitlement information;
• screenshots, recordings or files you choose to provide;
• correspondence history;
• technical logs needed to investigate the matter; and
• identity-verification information where reasonably necessary.

5.10 Safety, moderation and enforcement information

We may collect or generate:

• content-safety classifications;
• flagged prompts, messages, images or responses;
• reports of prohibited or harmful content;
• suspected fraud, abuse or circumvention indicators;
• account restrictions;
• moderation and enforcement decisions;
• appeal records;
• evidence relating to a suspected breach of our Terms of Use;
• communications relating to a safety or enforcement matter; and
• information needed to comply with a valid legal request.

5.11 Marketing and communication preferences

We may collect:

• whether you consented to marketing;
• the wording, date and method of consent;
• email and notification preferences;
• unsubscribe and opt-out records; and
• interaction with promotional communications.

5.12 Information received from third parties

We may receive information from:

• Apple or Google where you use a third-party sign-in service;
• Apple App Store, Google Play or another payment platform;
• authentication Providers;
• cloud, security and fraud-prevention Providers;
• analytics and diagnostic Providers;
• a person who contacts us concerning your account or activity;
• public authorities where permitted by law; and
• another service from which you direct or authorise a transfer.

6. Sensitive and Highly Private Information

Dating and communication content may reveal or permit inferences concerning:

• sexual orientation;
• intimate relationships or sex life;
• physical or mental health;
• racial or ethnic origin;
• religion;
• political opinions;
• immigration or citizenship status;
• financial circumstances;
• criminal allegations;
• precise location; or
• other highly private matters.

The Service is not designed to require this information for ordinary use.

You should not submit sensitive or highly private information unless:

• it is genuinely necessary for a feature you choose to use;
• you understand that it may be processed by the Providers identified in this Privacy Policy;
• you have the legal right to provide it; and
• you have removed information that is not necessary.

We may reject, restrict or delete content that we reasonably consider unsuitable for processing through the Service.

7. How We Use Personal Data

7.1 Providing and administering the Service

We may use Personal Data to:

• create and administer accounts;
• authenticate users;
• provide AI-powered analysis and generated content;
• analyse conversation screenshots and profile content;
• provide opening-message and reply assistance;
• operate AI Companion functionality;
• maintain conversation continuity and saved preferences;
• personalise tone, language and recommendations;
• store content where requested or enabled;
• calculate and apply Credits and usage limits;
• provide subscriptions and entitlements;
• validate and restore purchases; and
• provide other requested functions.

7.2 Operating, testing and improving the Service

We may use Personal Data to:

• maintain and develop the Service;
• diagnose faults and errors;
• monitor availability, latency and performance;
• understand how features are used;
• improve user interfaces and workflows;
• manage infrastructure capacity;
• test and evaluate models and routing arrangements;
• conduct quality assurance;
• estimate and control operating costs;
• prevent service degradation; and
• develop new features.

Where reasonably practicable, we use aggregated, anonymised or de-identified information for analytics, evaluation and improvement.

7.3 Personalisation and memory

Where enabled, we may use information from your profile and previous interactions to:

• maintain AI Companion continuity;
• remember preferences;
• adjust language, tone and response style;
• avoid repeating questions;
• provide more relevant suggestions; and
• maintain summaries of previous interactions.

You may be able to manage, delete or reset certain saved information through the App.

Deleting or resetting a visible memory does not necessarily immediately remove related data from backups, security logs or records lawfully retained for other purposes.

7.4 Safety, security and misuse prevention

We may use Personal Data to:

• detect prohibited or harmful content;
• prevent fraud and unauthorised access;
• identify attempts to circumvent limits or safety systems;
• investigate suspected breaches;
• protect users and third parties;
• enforce our Terms of Use;
• secure accounts and infrastructure;
• comply with Provider safety requirements; and
• respond to credible risks of serious harm.

7.5 Customer support and communications

We may use Personal Data to:

• respond to enquiries;
• provide technical and customer support;
• investigate service issues;
• send account, transaction and subscription messages;
• send safety and security notifications;
• notify you of material policy or service changes;
• handle complaints and appeals; and
• verify account ownership.

7.6 Purchases, accounting and commercial administration

We may use Personal Data to:

• validate transactions and receipts;
• manage subscriptions, Credits and entitlements;
• detect payment fraud;
• process or administer refunds;
• address chargebacks and disputes;
• maintain accounting, tax and corporate records;
• forecast usage and infrastructure cost; and
• establish or defend transaction-related claims.

7.7 Legal and regulatory purposes

We may use Personal Data to:

• comply with applicable law;
• respond to valid court, regulatory or law-enforcement requests;
• preserve evidence;
• establish, exercise or defend legal claims;
• protect legal rights, safety and property;
• investigate suspected unlawful activity; and
• comply with tax, accounting and corporate obligations.

7.8 Direct marketing

Where the consent required by law has been obtained, we may use permitted Personal Data to:

• provide information about iCupid features and plans;
• promote Credits, subscriptions or offers;
• invite you to surveys, research or events;
• provide information about related services offered by us; and
• measure engagement with our communications.

8. AI Processing and Third-Party AI Providers

8.1 Why information is sent to AI Providers

The Service uses AI Providers to perform functions including:

• text and reply generation;
• conversation analysis;
• image and screenshot analysis;
• profile and biography assistance;
• AI Companion conversations;
• summaries and memory generation;
• communication exercises; and
• safety classification.

To provide a requested function, we may transmit relevant information including:

• your prompt;
• conversation text;
• selected screenshots or images;
• information visible within submitted content;
• relevant profile and preference information;
• recent conversation context;
• saved summaries or memories;
• instructions created by iCupid;
• safety-related information;
• technical request information; and
• generated Output.

We seek to transmit only information reasonably necessary for the relevant function.

8.2 Disclosure and explicit permission

Before Personal Data is transmitted to a third-party AI Provider, we will provide an appropriate disclosure and obtain affirmative permission where required by applicable law or platform policy.

The notice may identify:

• the AI Provider or category of Provider;
• the types of information being transmitted;
• the processing purpose;
• relevant processing locations;
• whether the information may be retained or used for service improvement; and
• how permission may be withdrawn.

If you refuse or withdraw required permission, features that depend on external AI processing may become unavailable.

8.3 Current AI Providers

Our current AI Providers may include:

• Google, for AI-generated communication assistance, text analysis, image or screenshot analysis and related functions; and
• DeepSeek, for AI Companion, conversational, summarisation or related functions.

The feature assigned to a particular Provider may change according to performance, availability, cost, safety, technical or operational considerations.

8.4 Provider use of prompts and responses

The Provider’s processing of prompts, files and responses depends on:

• the specific product or API used;
• whether the service is paid or unpaid;
• our account and billing configuration;
• contractual terms;
• technical settings;
• retention and safety-monitoring settings; and
• the Provider’s rules in force at the relevant time.

Our current Provider list will describe, to the extent reasonably known and relevant:

• whether private prompts or responses are used for general model improvement;
• the applicable retention or safety-logging arrangement;
• material processing locations; and
• any available opt-out or reduced-retention configuration.

You should not submit information that is unnecessary for the requested function.

8.5 Google AI services

Where we use a paid or billing-enabled Google AI service, Google’s processing will be governed by the applicable commercial terms, data-processing terms and technical configuration.

We intend to use configurations under which private prompts, files and responses are not used by Google for general product improvement, except where:

• separately and clearly disclosed;
• authorised by the user where legally required; or
• necessary for security, abuse prevention, service operation or legal compliance under the applicable arrangement.

Information may nevertheless be processed or retained for limited technical, security, abuse-monitoring, caching or legal purposes in accordance with the applicable Google terms and configuration.

8.6 DeepSeek AI services

Where we use DeepSeek AI services, submitted prompts, conversation context, files and generated responses may be processed by DeepSeek and its authorised Providers.

Processing may take place in the People’s Republic of China or other locations used by DeepSeek or its authorised Providers.

The retention, security monitoring, research, development and model-improvement treatment will depend on the applicable API service, contractual terms and technical settings.

The current arrangement will be described in the AI Provider and Subprocessor List. You should not submit unnecessary confidential, financial, medical, identity-document or intimate information to a feature processed by DeepSeek.

8.7 Changes to AI Providers

We may add, remove or replace an AI Provider or model where reasonably necessary for:

• service quality;
• accuracy or capability;
• performance;
• capacity;
• cost control;
• security;
• legal or regulatory compliance;
• Provider availability; or
• business continuity.

We may update the Provider list without requiring acceptance of an entirely new Privacy Policy where the new Provider:

• performs the same or a substantially similar purpose;
• processes substantially the same categories of information; and
• does not materially reduce the protection described in this Privacy Policy.

Where a change materially expands the purposes, information categories, processing locations or Provider use of Personal Data, we will provide any additional notice or obtain any renewed permission required by law or platform policy.

8.8 No ownership or endorsement relationship

Unless expressly stated otherwise:

• no AI Provider owns or operates iCupid;
• no AI Provider sponsors or endorses iCupid;
• the Company is responsible for the overall Service; and
• your contractual relationship concerning iCupid is with the Company.

9. Model Training, Product Improvement and Quality Assurance

9.1 General-purpose model training by the Company

Unless we first provide a separate clear notice and obtain any consent required by law, we do not use private conversation screenshots, private messages or AI Companion conversations to train a general-purpose model for use by unrelated users.

9.2 Improvement of iCupid

We may use the following to evaluate and improve iCupid:

• aggregated usage statistics;
• anonymised or de-identified information;
• synthetic data;
• test data;
• voluntarily submitted feedback;
• ratings of responses;
• safety classifications;
• performance and error information; and
• limited samples reviewed under appropriate access controls where reasonably necessary for safety, support or quality assurance.

9.3 Provider training and improvement

Whether an AI Provider may use submitted content for its own research, service improvement or model improvement depends on the applicable Provider arrangement.

We will disclose material Provider practices in our Provider list or a feature-specific notice.

Where a Provider arrangement would permit use of identifiable private content for general model training beyond what users would reasonably expect, we will take any additional steps required by applicable law or platform policy before using that arrangement.

9.4 De-identification

We may de-identify or aggregate information so that it no longer reasonably identifies you.

Once information has been irreversibly anonymised, it may no longer constitute Personal Data. We may retain and use such information for lawful business purposes, including analytics, research, safety evaluation and service improvement.

We will not attempt to re-identify irreversibly anonymised information except where reasonably necessary to test the effectiveness of our anonymisation controls or as otherwise permitted by law.

10. Human Access to User Content

Authorised personnel or contractors may access limited User Content where reasonably necessary to:

• provide support requested by you;
• investigate a technical problem;
• investigate fraud, abuse or a security incident;
• review potentially prohibited or harmful content;
• conduct appropriately controlled quality assurance;
• respond to a legal request;
• protect a person from serious harm; or
• maintain and secure the Service.

Access is restricted according to role, business need and applicable security controls.

Personnel are not authorised to access private content for personal curiosity or unrelated purposes.

We may use Providers to assist with authorised review, subject to applicable contractual, confidentiality and security arrangements.

11. Screenshots and Information About Other Persons

11.1 Your responsibility

Before uploading a screenshot, image or conversation containing information about another person, you should:

• consider whether you have the appropriate right, permission or lawful basis;
• remove information that is unnecessary for the requested analysis;
• avoid submitting highly private or confidential information;
• avoid using the Service to monitor, expose, embarrass or harm another person; and
• comply with applicable privacy, confidentiality, contractual and intellectual-property obligations.

11.2 Recommended redaction

Where reasonably possible, remove or conceal:

• full names;
• usernames;
• profile photographs;
• telephone numbers;
• email addresses;
• exact home or work addresses;
• precise location;
• government identity numbers;
• banking or payment information;
• medical information;
• intimate information; and
• information concerning unrelated persons.

11.3 Prohibited content

You must not submit:

• non-consensual intimate images;
• unlawfully recorded communications;
• hidden-camera material;
• passwords or authentication credentials;
• complete payment-card or banking credentials;
• government identity documents unless expressly requested through an authorised verification process;
• sexual or intimate content involving a person under 18;
• confidential information you are not authorised to disclose; or
• information whose collection, disclosure or processing is unlawful.

11.4 No verification of third-party consent

We do not ordinarily contact the other participants in an uploaded conversation to verify consent or accuracy.

Your submission of third-party information does not make that person a user of iCupid or create a contractual relationship between that person and the Company.

12. How We Share Personal Data

We may disclose Personal Data to the following categories of recipients.

12.1 AI Providers

AI Providers receive information reasonably necessary to perform requested AI functions, subject to the applicable service, settings and contractual arrangements.

12.2 Cloud and backend Providers

We may use Providers for:

• database hosting;
• authentication;
• file storage;
• server and edge functions;
• backups;
• content delivery;
• infrastructure monitoring; and
• application hosting.

Our current backend Providers may include Supabase, Inc. and its authorised subprocessors.

12.3 App stores and payment Providers

We may share or receive information from:

• Apple;
• Google;
• payment processors;
• subscription-management Providers;
• receipt-validation Providers; and
• fraud-prevention Providers.

These parties may independently process information under their own terms and privacy policies.

12.4 Analytics and technical Providers

We may use Providers for:

• analytics;
• crash reporting;
• error tracking;
• logging;
• performance monitoring;
• email delivery;
• push notifications;
• customer support;
• cybersecurity; and
• service-status monitoring.

Current Providers are listed in our AI Provider and Subprocessor List.

12.5 Professional advisers and insurers

We may disclose information to lawyers, accountants, auditors, insurers, consultants and other professional advisers where access is reasonably necessary and subject to applicable confidentiality obligations.

12.6 Corporate group

We may disclose Personal Data to an affiliate or member of our corporate group where reasonably necessary to:

• operate the Service;
• provide shared administration;
• manage security;
• provide support;
• comply with law; or
• complete an internal reorganisation.

12.7 Legal and regulatory disclosures

We may disclose Personal Data where we reasonably believe disclosure is required or permitted to:

• comply with law;
• respond to a valid court order, warrant or regulatory request;
• investigate suspected illegal activity;
• protect the rights, safety or property of the Company or another person;
• prevent fraud or security threats;
• enforce our Terms of Use; or
• establish, exercise or defend legal claims.

Where legally permitted and reasonably practicable, we may notify the affected user before disclosure. We are not required to provide notice where notice is prohibited, impracticable or would prejudice an investigation or another person’s safety.

12.8 Corporate transactions

Personal Data may be disclosed to a prospective or actual buyer, seller, investor, lender, affiliate or adviser in connection with:

• a merger;
• acquisition;
• financing;
• restructuring;
• sale of assets;
• insolvency;
• transfer of the Service; or
• change of control.

We will seek appropriate confidentiality and data-protection arrangements where reasonably practicable.

12.9 At your direction or with your consent

We may disclose information where:

• you instruct us to do so;
• you connect or authorise a third-party service;
• disclosure is necessary to complete a request initiated by you; or
• you provide valid consent.

13. Service Providers and Subprocessors

We may appoint Providers to process Personal Data on our behalf.

Where appropriate and reasonably practicable, we use contractual, technical or organisational measures designed to require Providers to:

• process Personal Data only for authorised purposes;
• restrict access to authorised persons;
• maintain appropriate security;
• notify us of relevant security incidents;
• assist with lawful access, correction or deletion requests;
• comply with applicable retention requirements;
• delete or return information when no longer required; and
• comply with applicable data-protection obligations.

The Provider list may be updated from time to time. A change in Provider does not necessarily change the purposes for which we process Personal Data.

14. No Sale of Private Content

We do not sell or rent private conversation content, uploaded screenshots or account Personal Data to data brokers.

We do not currently use private conversation content or uploaded screenshots for third-party behavioural advertising.

We may use aggregate or de-identified information for analytics, business planning, research and service improvement.

If our practices materially change, we will update this Privacy Policy and obtain any consent required by law before commencing the materially different practice.

15. International and Cross-Border Processing

The Company and its Providers may process Personal Data outside Hong Kong.

Processing locations may include:

• the region in which our cloud project is hosted;
• the United States;
• the People’s Republic of China;
• Singapore;
• countries in the European Economic Area; and
• other locations in which our Providers or their authorised subprocessors operate.

The privacy, data-protection and government-access laws of another jurisdiction may differ from those of Hong Kong.

Where reasonably practicable and appropriate, we use contractual, technical or organisational measures designed to address:

• authorised processing purposes;
• security;
• confidentiality;
• access restrictions;
• incident notification;
• retention and deletion;
• data-subject requests; and
• allocation of responsibilities.

Where applicable law or platform policy requires a specific disclosure or permission before a cross-border or third-party AI transfer, we will provide that disclosure or request that permission.

16. Data Retention

16.1 General principles

We retain Personal Data only for as long as reasonably necessary for:

• the purpose for which it was collected;
• a directly related purpose;
• maintaining the Service;
• security and fraud prevention;
• resolving complaints or disputes;
• legal and regulatory compliance; or
• establishing, exercising or defending legal claims.

Retention periods may vary depending on:

• the nature and sensitivity of the information;
• the feature used;
• whether you chose to save the information;
• security and fraud risks;
• Provider arrangements;
• backup cycles;
• accounting requirements; and
• actual or anticipated legal claims.

16.2 Intended retention schedule

Unless a longer or shorter period is reasonably necessary, our intended retention approach is:

If the retention schedule conflicts with a shorter period required by law, the legally required period will apply.

16.3 Extended retention

We may retain information for longer where reasonably necessary to:

• comply with law;
• respond to a lawful request;
• prevent fraud or repeated abuse;
• investigate a security incident;
• resolve a dispute;
• enforce our Terms of Use;
• establish, exercise or defend legal claims;
• preserve evidence; or
• protect a person from serious harm.

16.4 Backups

Deletion from active systems may not immediately remove Personal Data from encrypted or otherwise protected backups.

Backup copies are ordinarily removed through normal backup rotation and are not restored for ordinary business use unless required for:

• disaster recovery;
• business continuity;
• security investigation;
• legal compliance; or
• the establishment or defence of legal claims.

16.5 Anonymisation

Instead of deletion, we may irreversibly anonymise information so that it can no longer reasonably identify an individual.

Irreversibly anonymised information may be retained and used for lawful purposes without a fixed retention period.

17. Account and Data Deletion

17.1 How to request deletion

You may initiate account deletion through:

Settings → Account → Delete Account within the App

We may require reasonable verification before processing a deletion request.

17.2 Information normally deleted

Subject to lawful exceptions, account deletion will normally result in deletion or irreversible anonymisation of:

• account and profile information;
• saved AI conversations;
• AI Companion history and saved memories;
• uploaded screenshots and images;
• saved analyses;
• personalisation preferences;
• account-linked User Content; and
• other Personal Data associated with the account.

17.3 Information that may be retained

We may retain limited information where reasonably necessary for:

• accounting and tax records;
• transaction verification;
• fraud prevention;
• security;
• evidence of consent or policy acceptance;
• complaint and dispute resolution;
• enforcement history;
• legal and regulatory obligations;
• protection of another person; or
• establishment, exercise or defence of legal claims.

Retained information will not be used for unrelated direct marketing or ordinary personalisation.

17.4 Processing period

Deletion requests may require a reasonable period to:

• verify identity;
• prevent fraud;
• identify the relevant data;
• remove data from active systems;
• communicate the request to relevant Providers; and
• complete applicable backup rotation.

17.5 Subscriptions

Deleting an iCupid account does not automatically cancel a subscription billed through Apple, Google or another external payment Provider.

You must separately cancel the subscription through the platform through which it was purchased.

18. Your Rights and Choices

Subject to applicable law and lawful exceptions, you may request to:

• confirm whether we hold Personal Data about you;
• access Personal Data held by us;
• correct inaccurate Personal Data;
• update account information;
• delete your account and associated Personal Data;
• withdraw consent;
• opt out of direct marketing;
• obtain information concerning applicable classes of recipients;
• restrict or object to particular processing where applicable;
• receive a copy of certain information where applicable; or
• exercise another right available under the law of your place of residence.

18.1 Access and correction under Hong Kong law

Requests to access or correct Personal Data should be made in writing in Chinese or English.

We may:

• request information to verify your identity;
• ask you to clarify the scope of the request;
• require the use of a prescribed or appropriate form;
• charge a fee permitted by law for a data-access request;
• redact information concerning another person;
• refuse or limit a request where permitted or required by law; or
• retain information that is subject to a lawful exception.

We will respond within the period required by applicable law.

18.2 Verification

To protect users, we may require information reasonably necessary to confirm:

• your identity;
• your authority to act for another person;
• ownership of the relevant account; and
• the scope of the request.

We will not request more verification information than is reasonably necessary.

18.3 Additional jurisdictional rights

Depending on your location, you may have additional rights concerning:

• erasure;
• restriction;
• objection;
• portability;
• withdrawal of consent;
• automated decision-making; and
• complaints to a privacy or data-protection authority.

Those rights may be subject to conditions, exemptions and verification requirements.

18.4 How to submit a request

Contact:

Privacy Contact: iCupid Privacy Officer

Email: privacy.icupid@soulcial.co

Please provide:

• your name;
• your account email or user identifier;
• the right you wish to exercise;
• sufficient detail to identify the relevant information; and
• verification information reasonably requested by us.

19. Withdrawal of Consent

Where processing depends on consent, you may withdraw consent through:

• App privacy settings;
• the relevant feature or permission control;
• device settings;
• an unsubscribe link; or
• contacting us.

Withdrawal may prevent a feature from operating. For example, withdrawing permission for third-party AI processing may prevent use of:

• screenshot analysis;
• text assistance;
• profile analysis;
• AI Companion conversations; or
• other externally processed features.

Withdrawal does not affect:

• processing lawfully carried out before withdrawal;
• processing based on another lawful or permitted basis;
• information that must be retained by law;
• information needed for security or fraud prevention;
• information needed to resolve a dispute; or
• information needed to establish, exercise or defend legal claims.

20. Direct Marketing

Where permitted by law and after obtaining any required consent, we may use:

• your name;
• email address;
• notification token;
• language preference;
• service interests; and
• marketing preferences,

to send information concerning:

• iCupid subscriptions;
• Credits;
• new features;
• promotional offers;
• surveys;
• research;
• events; and
• related services offered by us.

We will not provide Personal Data to another person for that person’s direct-marketing purposes without any consent required by law.

You may opt out at any time, without charge, by:

• selecting “unsubscribe” in an email;
• changing marketing or notification settings;
• disabling promotional push notifications; or
• contacting info.icupid@soulcial.co.

Opting out of marketing does not prevent necessary account, billing, security, safety, legal or service communications.

21. Cookies, SDKs and Similar Technologies

Our App and website may use:

• cookies;
• local storage;
• software development kits;
• pixels;
• device identifiers;
• session technologies; and
• similar technologies,

to:

• keep users signed in;
• remember preferences;
• maintain security;
• prevent fraud;
• measure service performance;
• diagnose errors;
• understand feature usage;
• deliver notifications; and
• improve the Service.

Where required, we will request permission before using non-essential analytics, advertising or tracking technologies.

You may be able to control certain technologies through:

• browser settings;
• device settings;
• App privacy controls;
• operating-system privacy controls; or
• a cookie-consent tool.

Disabling essential technologies may prevent the Service from functioning correctly.

22. Device Permissions

The Service may request device permissions for:

• a photo picker or photo-library access;
• camera access;
• notifications;
• microphone access, if voice functionality is provided; and
• another function disclosed at the time of request.

We request a permission when it is relevant to a function.

You may normally withdraw device permission through your device settings. Withdrawing permission may prevent the relevant function from operating.

Granting a device permission does not mean that we continuously collect all information accessible through that permission. We collect information used by the relevant function as described in the permission notice and this Privacy Policy.

23. Security

We use administrative, technical and organisational measures designed to protect Personal Data against unauthorised or accidental:

• access;
• processing;
• disclosure;
• alteration;
• loss;
• erasure; and
• use.

Depending on the system and risk, measures may include:

• access controls;
• role-based permissions;
• authentication controls;
• encryption in transit;
• encryption or equivalent safeguards at rest where supported;
• secret and credential management;
• logging and monitoring;
• environment separation;
• software updates and vulnerability management;
• backups and recovery controls;
• Provider assessment;
• confidentiality obligations;
• data-minimisation controls; and
• incident-response procedures.

No internet, cloud, email or electronic-storage system is completely secure.

We do not guarantee that Personal Data will never be accessed, disclosed, altered, lost or destroyed despite our safeguards.

You are responsible for protecting your password, device and account credentials and for notifying us promptly if you suspect unauthorised access.

24. Data-Security Incidents

If we become aware of a suspected or confirmed Personal Data incident, we may:

• investigate the incident;
• take reasonable steps to contain it;
• assess the nature and likely consequences;
• remediate vulnerabilities;
• preserve relevant evidence;
• notify affected Providers;
• notify regulators or authorities where required or appropriate; and
• notify affected individuals where required by law or otherwise appropriate having regard to the likely risk.

A notification may be delayed where reasonably necessary to:

• contain the incident;
• avoid prejudicing an investigation;
• comply with a lawful instruction;
• protect another person; or
• obtain accurate information.

You should contact us promptly if you believe your account or Personal Data has been compromised.

25. Automated Processing

The Service uses automated systems to:

• generate communication suggestions;
• analyse conversation content;
• personalise AI interactions;
• create summaries and memories;
• detect prohibited content;
• calculate Credits and usage;
• identify possible fraud or abuse;
• route requests between Providers; and
• recommend features or responses.

Automated systems may make mistakes.

We do not use AI Output alone to make decisions producing legal or similarly significant effects concerning your:

• employment;
• credit;
• insurance;
• housing; or
• access to essential public services.

Account restrictions may be initiated through automated detection. Where reasonably appropriate, a material enforcement decision may be reviewed by authorised personnel or through an available appeal process.

26. Children and Minimum Age

The Service is intended only for persons aged 18 or above.

We do not knowingly permit a person under 18 to create an account.

You must not:

• create an account for a person under 18;
• allow a person under 18 to use your account;
• submit sexual or intimate content involving a person under 18; or
• use the Service to exploit or endanger a minor.

If we reasonably believe an account is held or used by a person under 18, we may:

• restrict or suspend the account;
• request age verification;
• delete relevant information; and
• take other action reasonably necessary to protect the person or comply with law.

If you believe we have collected Personal Data from a person under 18, contact privacy.icupid@soulcial.co.

27. Third-Party Services and Links

The Service may contain links to or integrations with third-party services.

A third party may independently collect and process Personal Data under its own privacy policy and terms.

We are not responsible for a third party’s independent:

• privacy practices;
• security;
• content;
• availability;
• accuracy; or
• conduct.

You should review the relevant third party’s terms and privacy policy before providing information directly to that party.

28. Business Transfers and Corporate Changes

If the Company undergoes or considers:

• a merger;
• acquisition;
• investment;
• financing;
• restructuring;
• sale of assets;
• insolvency;
• transfer of the Service; or
• change of control,

Personal Data may be disclosed or transferred as part of the transaction.

A recipient may process Personal Data:

• in accordance with this Privacy Policy;
• after providing notice of a materially different policy and obtaining any permission required by law; or
• as otherwise permitted by applicable law.

We may retain a copy where reasonably necessary for legal, tax, accounting, security or dispute-resolution purposes.

29. Changes to This Privacy Policy

We may amend this Privacy Policy to reflect changes in:

• the Service;
• our data practices;
• AI Providers;
• technical infrastructure;
• retention arrangements;
• legal or regulatory requirements;
• security practices;
• platform requirements; or
• business operations.

We will update the “Last Updated” date when changes are made.

For a material change, we may provide notice through:

• an in-App notice;
• email;
• the website;
• a notification; or
• another appropriate method.

We may require affirmative acceptance or renewed consent where required by applicable law or platform policy.

Changes may take effect without renewed acceptance where they:

• clarify existing practices;
• correct an error;
• improve user protection;
• replace a Provider performing substantially the same function without materially expanding the processing; or
• are otherwise permitted to take effect by notice.

30. Language

This Privacy Policy may be made available in more than one language.

If there is any inconsistency between the English version and another language version, the English version will prevail to the extent permitted by applicable law.

31. Complaints

If you have a concern about our handling of Personal Data, please contact us first so that we may investigate.

We may request information reasonably necessary to understand the complaint and verify your identity.

We will endeavour to respond within a reasonable period, having regard to:

• the nature and complexity of the complaint;
• verification requirements;
• whether a Provider must be consulted;
• security considerations; and
• applicable legal deadlines.

You may also contact the privacy or data-protection authority applicable to your location, including the Office of the Privacy Commissioner for Personal Data, Hong Kong, where applicable.

32. Contact Us

Questions, requests and complaints concerning this Privacy Policy or our processing of Personal Data should be sent to:

Company: Happy Corner HK Limited

Company Number: 74069484

Registered Address: 12/F, Hang Seng Causeway Bay Building, 28 Yee Wo Street, Causeway Bay, Hong Kong

Privacy Contact: iCupid Privacy Officer

Privacy Email: privacy.icupid@soulcial.co

Customer Support: info.icupid@soulcial.co