This Privacy Policy applies to the website and mobile services provided by Handzhake (“we,” “us,” or “our”). It describes how we collect, use, disclose, and protect personal information in connection with our communication platform (the “Handzhake App”), and outlines your choices regarding the use of your data.
Please note: Our website offers limited functionality and doesn’t collect any personal data. This Privacy Policy primarily governs the data handling practices of our mobile app services, where user interaction is more robust and personal information is more actively processed.
Capitalized terms not otherwise defined in this Privacy Policy have the meanings given in our Terms of Service. If you do not agree to the processing of your information as described herein – whether in whole or in part – you should refrain from using our Service. This Policy applies to all users of the Service.
Our website doesn’t collect or store cookies, nor does it employ any tracking technologies. However, our mobile application collects and stores personal data submitted by users, including but not limited to names, email addresses, and other identifiers necessary to deliver our services. This data is securely managed through Firebase, a cloud-based platform provided by Google LLC, and hosted on Amazon Web Services (AWS). Both Firebase and AWS act as data processors, while we serve as the data controller responsible for determining the purposes and means of processing this information.
The data collected through our app may be stored on servers located in various jurisdictions, including the United States. We ensure that appropriate safeguards are in place to protect user data, including robust encryption, access controls, and compliance with global privacy regulations such as the General Data Protection Regulation (GDPR). By using our app, you acknowledge and agree to this processing and storage arrangement.
Reference links on our website act as if you’ve visited the external site directly and may collect data, use cookies, include tracking, and monitor interactions. Our app integrates Google Maps in order to deliver location-based services and enhance user experience. When you interact with this feature, certain data may be collected and processed by Google LLC, including your IP address, device and browser information, location data, and behavioral data such as map interactions and navigation. These details are handled in accordance with Google’s own privacy practices and may involve international data transfers, including to servers located in the United States or other jurisdictions. Google may also use cookies or similar technologies during your use of embedded maps. For further details, you can consult Google’s Privacy Policy and the Google Maps Platform Terms of Service.
For users located in the European Union or other regions with data protection requirements like the GDPR, we are committed to ensuring lawful data handling. This means we will obtain your explicit consent prior to loading Google Maps through mechanisms such as cookie banners or opt-in interfaces. We aim to provide clear and accessible information about the nature of data sharing with Google and offer the option to opt out of non-essential tracking.
To safeguard your privacy and meet legal standards, we embed Google Maps using techniques such as lazy loading or click-to-load functionality, which helps limit data transmission until you actively engage with the map. We also configure appropriate referrer policies and only initiate data sharing once we have secured your consent, where required. These measures are part of our broader effort to remain compliant with global privacy laws and protect your personal data.
If you have provided consent for data processing, you still retain the right to withdraw that consent at any time; doing so will not affect the legality of any processing carried out before your withdrawal. You have the right to exercise control over your personal data in accordance with applicable data protection laws. This includes the ability to access the information we hold about you, request corrections to any inaccuracies, or ask that we update or delete your personal details. You may also object to certain types of data processing or request limitations on how your information is used. This can result in your account having to be terminated and deleted.
If you wish to exercise any of these rights, please contact us using the details provided in this privacy policy. We will respond as soon as possible and in compliance with applicable legal requirements. Additionally, if you believe that your data protection rights have been breached, you have the right to file a complaint with the appropriate supervisory authority in your region.
When collecting personal data via national digital identity systems such as MitID (Denmark) and BankID (Sweden), additional considerations and legal frameworks apply. MitID is operated under the authority of the Danish Agency for Digital Government, which serves as the official data controller for identity verification processes. Processing activities tied to MitID are generally carried out under GDPR, Article 6(1)(e), pertaining to the performance of a task carried out in the public interest, and are supplemented by sections 10 and 11 of the Danish Data Protection Act. Data collected may include identity details, CPR number, device information, biometric verification (e.g. face scans), and usage logs, some of which may be retained for scientific or statistical purposes of societal relevance. Facial recognition data is typically processed only temporarily and is not stored beyond the completion of verification.
BankID in Sweden operates under a dual-controller model, meaning both the issuing bank and the service provider integrating BankID (i.e. your app) are considered independent data controllers. The use of BankID is governed by the GDPR and also informed by the EU’s eIDAS Regulation, which sets standards for electronic identification and trust services. Information collected through BankID includes the user’s name, Swedish personal identity number, issuing bank, authentication certificate or e-signature, and – depending on the method used – device and location data. From May 2024, BankID will require the use of Secure Start methods, such as QR code verification or Autostart, to strengthen protection against phishing attacks.
By integrating MitID and BankID, you acknowledge your role as a data controller and commit to maintaining transparency, data minimization, and user rights in accordance with national and EU-level regulations. Appropriate safeguards, such as encryption, secure storage, and clear consent workflows, must be in place, especially when sensitive data is involved. Users should be informed of their ability to access, rectify, or delete personal information processed during identification.
Additionally, your personal data may be transferred to and processed in countries outside of your own jurisdiction, including regions that may not offer the same level of data protection as your home country. This includes transfers to trusted third-party service providers such as Firebase (operated by Google LLC) and Amazon Web Services (AWS), which host and manage the infrastructure supporting our app. These providers may store and process data in locations such as the United States or other international data centers. We take appropriate steps to ensure that any data transferred across borders is protected in accordance with applicable privacy laws, including the use of contractual safeguards like Standard Contractual Clauses where required.
By using our app, you acknowledge that your data may be sent to and processed in these external locations. We remain committed to maintaining the confidentiality, integrity, and security of your information throughout this process, and we only engage with partners who demonstrate strong compliance with global data protection standards.
We collect personal data from users through national electronic identification systems, including MitID (Denmark) and BankID (Sweden), as part of our identity verification process. This initial data includes full name, date of birth, and gender, which are retrieved securely from the respective eID providers.
MitID is operated under the authority of the Danish Agency for Digital Government and governed by the Danish Data Protection Act (MitID Legal Privacy Notice) and the GDPR, Article 6(1)(e).
BankID operates under a dual-controller model and is regulated by the GDPR and the eIDAS Regulation (EU 910/2014) (BankID Juridik och Regelverk).
Once the user has completed their profile, we collect additional personal data to support the functionality of our service. This includes home address, email, phone number, links to personal social media profiles, relationship status, height, weight, sexual orientation, physique, smoking status, blood type, allergies, and information about children (names, gender, and date of birth). This data is provided voluntarily by the user and is processed based on explicit consent under GDPR Article 6(1)(a) and, where applicable, Article 9(2)(a) for special categories of personal data. Users may edit their additional personal data at any time, and any changes will be reflected and securely updated on our servers. Handzhake collects your location data to detect nearby users and enable connection features, even when the app is closed or not in use. This helps you discover and interact with people around you. Your exact location is never shared with other users – only proximity (close or not) is used. Location data is not sold or shared with third parties. If a user chooses to delete this information, it will be permanently removed from our systems and cannot be restored except by re-entering the data manually.
All collected data is used solely for the purposes outlined in this policy, including user authentication, personalization of services, and secure communication. We apply strict data minimization principles and ensure that only relevant and necessary data is processed. Sensitive data such as biometric identifiers, health-related information, and sexual orientation are handled with heightened security and stored in accordance with GDPR requirements for special category data.
Users retain full rights over their personal data, including access, rectification, erasure, and objection, as outlined in Articles 12–23 of the GDPR.
We use your information solely to support the intentional and secure functionality of our app services. This ensures that all shared and agreed-upon data between users is accurate, trustworthy, and reliable.
The integrity of this data is fundamental to the app’s purpose of creating a space where users can rely on one another and interact with confidence. By maintaining high standards of data verification and trust, we aim to prevent fraud and identity theft across the platform.
We do not share your personal information with other users or external parties unless you explicitly choose to do so. The primary form of data sharing occurs between users within the platform, and only when both parties have mutually agreed to exchange specific personal information. This process is governed by a principle of reciprocity – data is only released when both users consent to share, ensuring that no information is disclosed unilaterally. If one user agrees to share, the other must also confirm their willingness to exchange data before any information becomes visible. This mutual agreement is the foundation of our trust-based platform.
Users retain full control over the data they choose to share. Any shared information can be withdrawn at any time, and once removed, it will no longer be accessible to the other party. If a user opts to share data externally – such as through links, QR codes, or Handzhake character codes – this will only occur with the user’s explicit consent. These external sharing mechanisms generate static identifiers that reveal only limited information selected by the user. When such a link or code is used or scanned by another person, the user must actively approve the connection before any data is exchanged. These types of sharing may display certain profile elements while obscuring others until both parties agree to a mutual data exchange. External sharing links and codes are automatically deactivated if the user deletes or cancels the sharing arrangement.
This approach ensures that all data exchanges – whether internal or external – are intentional, secure, and based on mutual trust. It reflects our commitment to protecting your privacy and preventing unauthorized access or misuse of personal information.
We are deeply committed to safeguarding your personal information and ensuring that every interaction with our platform is secure, intentional, and fully under your control. Here’s how we manage the transfer, storage, and protection of your data:
We only allow data sharing between users who have mutually agreed to exchange specific personal information. No unilateral disclosure is permitted. If a user decides to share data outside the platform – via a static link, QR code, or Handzhake character code – only limited information chosen by the user will be revealed. These identifiers display minimal profile elements until the recipient uses or scans them, and even then, the original user must actively approve any new connection before data is exchanged. External views may show certain information while hiding others until both parties agree to a mutual exchange. Users can deactivate shared links or codes at any time, instantly disabling external access.
All personal information is stored on high-security servers, protected by multi-layered encryption and aligned with global data protection standards. Users have complete control over what information they choose to store, share, or remove from the platform. Once data is withdrawn, it becomes inaccessible to others, ensuring user autonomy. Activity logs and sharing records are stored securely to support transparency and accountability.
Every data exchange, whether internal or external, operates under a mutual consent model. This system prevents unauthorized access and fosters trust. Information shared through external identifiers remains selectively visible, with sensitive details hidden until both parties confirm consent. Our platform actively monitors data activity to identify anomalies, prevent misuse, and maintain integrity. We do not sell or disclose personal information to third parties. All transfers are directed by user choices and preferences.
Our approach is built around empowering you with transparency and control. From selective sharing and revocable access to secure storage and mutual agreements, your privacy is central to how our platform operates.
We rely on trusted third-party infrastructure partners – Firebase, AWS, and Google – to help us deliver secure, scalable, and privacy-conscious services. These companies are industry leaders in cloud computing and data protection, and we’ve chosen them specifically for their commitment to security, compliance, and user control.
Our sharing with Firebase, AWS and Google
To operate our platform securely and reliably, we use infrastructure services provided by Firebase, AWS, and Google. These providers meet established international security and privacy standards, and data is stored and transferred using encrypted channels. Our configurations follow best practices and comply with regulations such as the GDPR, ensuring that only authorized access is permitted. No personal data is sold or used by these providers beyond what’s necessary to deliver core infrastructure functions.
User sharing inside the app platform and outside the platform
Users have full control over how and when their data is shared. Within the platform, personal information is only exchanged when both users mutually agree to share specific details.
External sharing by using QR codes, links, or character codes reveals limited data chosen by the user. These tools require the user to actively approve any new connection before any information is exchanged, and sensitive elements remain hidden until both parties agree to a mutual share.
We retain your personal data only for as long as it is necessary to fulfill the specific purposes for which it was collected. This means that once the data is no longer needed to deliver our services, meet legal obligations, or support user-initiated interactions, it will be securely deleted or anonymized. We do not store personal data indefinitely or without purpose.
In some cases, we may be required to retain certain information for a defined period due to legal requirements, such as tax, labor, or anti-fraud regulations. Where applicable, these retention periods are determined by national laws and are strictly followed. We also periodically review stored data to ensure it remains accurate, relevant, and up to date. If the original purpose for processing changes, we will notify users and, where necessary, obtain new consent.
By exception, certain data may be retained longer for archiving in the public interest, or for scientific or historical research, provided appropriate safeguards such as encryption or anonymization are in place.
This approach aligns with GDPR Article 5(1)(e) and Recital 39, which require that personal data be stored for no longer than necessary and that time limits be established for erasure or review. You can read more about these principles on the European Commission’s official website.
Our app platform doesn’t link to external websites or third-party services outside of our own ecosystem. The only accessible links within the app are to our Terms of Service, Privacy Policy, Support, and How to resources. These links are provided solely to enhance your experience and ensure transparency in how we operate.
We do not embed or redirect users to external entities beyond these core resources. As a result, users remain within the secure environment of our platform. This approach aligns with the principles of data minimization and user control under the GDPR. By limiting exposure to third-party sites, we help safeguard your personal data and ensure compliance with Articles 13 and 14, which emphasize the importance of transparent communication when processing user information.
You can read more about these principles and their interpretation at the European Commission’s official website.
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other operational needs. When we make material changes, we will notify users clearly – either through in-app messaging, email, or other appropriate means – before the changes take effect.
All updates will be documented with a revised “Last Updated” date at the top of the policy. We encourage users to review the Privacy Policy periodically to stay informed about how we protect and process personal data.
These updates are made in accordance with the GDPR, particularly Articles 12 and 13, which require transparent communication and timely notification when personal data handling practices change. We ensure that any modifications continue to uphold your rights and our obligations under EU law.
You can read more about these principles on the European Commission’s official website.
Got a question, need support, or simply want to say hi? We’d love to hear from you – no complicated forms, no hoops to jump through. Just drop us a message at support@handzhake.com and one of our friendly team members will get back to you as soon as possible.
We believe in keeping things simple and human, because that’s how real conversations happen.
Your feedback, ideas, and questions mean the world to us – and yes, we actually read every message.