Privacy Policy

Last updated: 14 June 2026

1. Data Controller

Victoria von Schmettow
Gabelsbergerstraße 9, 80333 München, Germany
Email: hey@1found1.com

2. Scope

This policy explains what personal data we process when you use the 1found1 app and website (the "Service"), why, on what legal basis, who we share it with, and your rights.

3. What data we process

  • Account data: your email address (via Google or email sign-up) and an account identifier. If you sign up with email, your password is stored only in encrypted (hashed) form by our auth provider.
  • Profile data: first and last name, photo(s), location, study background, industries, associations, strengths/weaknesses, answers to profile questions, time commitment, and any LinkedIn link.
  • Usage data: swipes, matches, and chat messages.
  • Notification data: your push-notification consent status and (if you opt in) your push subscription.
  • Technical data: IP address and server log data generated automatically on access.
  • Anonymous usage statistics: aggregated, anonymous measurement of active usage time (duration only, with no link to your identity) to improve the Service.

4. Purposes and legal bases

  • Providing the Service (profile, matching, chat): performance of contract – Art. 6(1)(b) GDPR.
  • Making your profile visible to other founders: your consent – Art. 6(1)(a) GDPR.
  • Service & waitlist emails (e.g. sign-up confirmation and the notification once matching is opened for you): performance of contract / legitimate interests – Art. 6(1)(b) and (f) GDPR.
  • Push notifications: your consent – Art. 6(1)(a) GDPR.
  • Security, abuse prevention, rate-limiting: legitimate interests – Art. 6(1)(f) GDPR.
  • Anonymous usage statistics (active usage time): legitimate interests – Art. 6(1)(f) GDPR. Collected anonymously and in aggregate, with no profiling and no additional cookies.

5. Profile visibility

Once matching is opened for you, your profile is shown to other users. Photos and full name remain hidden until you and another user mutually match. You can withdraw consent and delete your profile at any time.

6. Where your data is stored

All personal data is securely stored with our infrastructure provider Supabase. The servers and databases used are physically located in Frankfurt, Germany (AWS eu-central-1 region). Your core personal data is therefore hosted within the European Union.

7. Other processors

  • Vercelhosting, delivery & cookieless, aggregated analytics (Vercel Web Analytics, no cookies, no personal profiling).
  • Googleauthentication (OAuth).
  • Resendsending emails.
  • Upstashabuse protection (rate-limiting).
  • Push-services (Google, Mozilla, Apple) – only if you enable notifications.

Your core data (profiles, answers, messages) stays in the EU with Supabase. Where a provider used for authentication, email or hosting processes limited data outside the EU/EEA, such transfers are safeguarded by appropriate measures (e.g., EU Standard Contractual Clauses).

8. Cookies

We use only technically necessary cookies (sign-in/session). No tracking, analytics, or advertising cookies, so no cookie banner is required.

9. Data security and data breaches

We implement robust, industry-standard administrative, technical, and physical security measures, including encryption (in transit and at rest) and database-level Row Level Security (RLS), to protect your data against unauthorized access, alteration, disclosure, or destruction.

However, no system is 100% secure or impenetrable, and we cannot guarantee absolute security. In the unlikely event of a data breach that is likely to result in a risk to your rights and freedoms, Victoria von Schmettow will act strictly in accordance with the GDPR (Art. 33, 34): we will contain and mitigate the breach without delay, investigate its cause, and notify the competent supervisory authority and affected users without undue delay (and, where required, within 72 hours of becoming aware of it).

10. Retention and deletion

We keep your data as long as your account exists. You can delete your profile and account at any time ("Delete profile"); your data is then erased unless statutory retention obligations require otherwise.

11. Your rights

You have the right to access, rectification, erasure, restriction, data portability, and objection. You may withdraw any consent at any time with effect for the future. You also have the right to lodge a complaint with a data-protection supervisory authority.

12. Minimum age

The Service is not intended for persons under 18, and we do not knowingly process their data.

13. Changes

We may update this policy to reflect changes to the Service or legal requirements. The current version is always available in the app.

14. Contact

Questions about this policy or your data: hey@1found1.com