Privacy Policy

Overview

Ekmilan ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our dating application and related services. By using Ekmilan, you agree to the practices described in this policy.

Ekmilan is intended for users aged 18 and above. We do not knowingly collect data from anyone under 18.

Information We Collect

Account & Profile Information

• Name, date of birth, and gender
• Profile photos you provide
• About Me / Bio text you write — subject to automated text content moderation before being stored
• Mobile phone number — collected for account verification and security purposes
• Security audit data — IP address and browser/device User-Agent string, recorded during authentication events (login, registration, account deletion) for security and fraud detection. Audit records are retained for 90 days and then automatically deleted.

Location Data

• Precise GPS coordinates (when location permission is granted)
• City-level location (selected manually if GPS is denied)
• Location is used solely for profile discovery within your configured radius

Usage & Interaction Data

• Swipe interactions (likes, dislikes, blocks)
• Chat messages and message delivery status — stored encrypted at rest
• App activity timestamps and session data
• Device token for push notifications (Firebase FCM)

Phone Number — Collection & Usage

We collect your mobile phone number for the following purposes only:

• Identity verification — A one-time passcode (OTP) is sent via SMS to confirm your identity during registration or when updating your phone number
• Account security — Your phone number serves as an additional layer of account protection
• Account recovery — Used to help you regain access to your account if needed

Phone number OTP verification is powered by MSG91, a TRAI-compliant SMS service. A one-time passcode is generated on our servers and delivered via SMS. OTPs expire after 10 minutes and are single-use only.

We do not share your phone number with other users, use it for marketing calls or SMS, or sell it to any third party.

How We Use Your Information

• To create, maintain, and display your profile to potential matches
• To power location-based profile discovery and matching
• To deliver real-time chat messages and push notifications
• To detect and remove inappropriate or unsafe content using AI moderation — this applies to both profile photos (Google Vision API) and text content such as your About Me / Bio and name (OpenAI GPT-4o-mini)
• To prevent fraud, abuse, and policy violations
• To improve app performance and user experience

Camera & Profile Photo Moderation

Ekmilan requests access to your device camera solely for taking profile photos and live selfie verification. Camera access is used only when you actively initiate a photo capture — we do not access your camera in the background.

Profile photos are analyzed using the Google Cloud Vision API to ensure:

• Exactly one face is present
• No adult, violent, or otherwise unsafe content

Photos are stored securely on AWS S3. We do not share your photos with third parties beyond what is necessary for moderation and display.

Biometric Data — Live Selfie Fraud Detection

As part of live selfie verification, we process your selfie photo to generate a mathematical face representation (a face embedding — a set of numerical values derived from your facial geometry). This is classified as biometric data under India's Digital Personal Data Protection (DPDP) Act 2023 and similar regulations.

Why we collect it: To detect and prevent duplicate or fraudulent accounts. When you submit a live selfie, it is compared against previously indexed face embeddings to ensure you have not registered multiple accounts.

What is stored: Only the mathematical face embedding (not the raw selfie photo) is indexed in a secure AWS Rekognition face collection. The raw selfie photo is stored in AWS S3 as your profile photo and follows the same deletion rules as all other profile photos.

AI-generated face detection: Your live selfie is also checked using Hive AI to detect AI-generated, synthetic, or deepfake faces. This check does not store any data — it is a stateless classification call.

Retention: Your face embedding is stored only for as long as your account is active. When you delete your account, your face embedding is permanently removed from the AWS Rekognition collection immediately as part of the deletion process.

Your rights: You may request erasure of your biometric face data at any time by deleting your account from within the app, or by contacting us at support@ekmilan.com.

Verified profile badge: If you pass the live selfie liveness check, your profile may show a verified badge in the app. The badge indicates successful liveness verification at the time of check; it is not a background check, criminal check, or guarantee of user behavior.

Data Sharing & Third Parties

We do not sell your personal data. We share data only with trusted service providers who process it on our behalf:

• Google Cloud — Vision API for profile photo moderation
• OpenAI — GPT-4o-mini for automated text content moderation. When you submit your About Me / Bio, the text is sent to OpenAI's API solely to check for inappropriate or harmful content. The text is not used to train OpenAI's models and is not stored by OpenAI beyond the duration of the API call.
• Amazon Web Services (AWS S3) — Secure photo storage
• Amazon Web Services (AWS Rekognition) — Biometric face duplicate detection. Your live selfie is processed to generate a face embedding (a mathematical representation of your facial geometry) which is indexed in an encrypted AWS Rekognition face collection. This embedding is used solely to detect duplicate or fraudulent accounts and is deleted when you delete your account. AWS processes this data under our Data Processing Agreement and applicable privacy regulations.
• Hive AI — AI-generated and synthetic face detection. Your live selfie is sent to Hive AI's API to check whether the image is AI-generated, a deepfake, or otherwise synthetic. This is a stateless check — Hive AI does not retain your image or any derived data beyond the duration of the API call.
• Firebase (Google) — Push notification delivery (FCM) for real-time alerts (matches, messages, account updates)
• MSG91 — TRAI-compliant SMS delivery for phone number OTP verification. Your number is transmitted solely to dispatch the OTP and is not stored or used by MSG91 beyond delivery.

All providers are bound by data processing agreements and applicable privacy laws.

Data Retention & Deletion

You may delete your account at any time from within the app. Upon deletion, we permanently remove:

• Your profile, photos, and verified details
• All your interactions, matches, and chat history
• Your location data and cached profile information
• Your authentication tokens and account credentials (including your stored phone number)
• Your biometric face embedding — permanently deleted from the AWS Rekognition face collection as part of the deletion process

Deletion is irreversible and is processed immediately upon request. For step-by-step instructions, see our Account Deletion Guide.

Data retained after deletion: A small number of records are kept after deletion for legitimate safety and legal reasons:

• Safety block records — If another user has blocked you, we retain a one-way cryptographic identifier (an HMAC hash — not your phone number) within that block record. This cannot be reversed to obtain your phone number, and ensures that if you re-register, safety blocks placed by other users continue to apply.
• Terms acceptance log — We retain a record that your account accepted our Terms of Service, for legal compliance. This record contains only an internal account reference and the date of acceptance — no personal contact information.
• Moderation reports — If a safety report was filed against your account prior to deletion, that report is retained for moderation audit purposes. It contains no contact information.
• Security audit logs — Authentication events (login, registration, account deletion) are retained for up to 90 days and then automatically deleted. Logs contain only a masked identifier (last 4 digits of phone), IP address, and timestamp.

Your Rights

In accordance with India's Digital Personal Data Protection (DPDP) Act 2023, you have the following rights:

• Access — Request a summary of the personal data we hold about you
• Correction — Update inaccurate information via your profile settings
• Deletion — Delete your account and all associated data at any time. This removes your profile, photos, chat history, location data, and authentication credentials permanently and irreversibly
• Data Portability — Request a copy of the personal data you have provided to us
• Withdrawal of Consent — Revoke location access or notification permissions via device settings at any time
• Grievance Redressal — Raise a complaint regarding the processing of your personal data

To exercise any of these rights, contact us at support@ekmilan.com. We will respond within 72 hours.

Security & Encryption

We implement multiple layers of security to protect your personal data:

• Encryption at rest — credentials: Your phone number is stored in our authentication database encrypted using AES-256-GCM. Lookups use a keyed HMAC-SHA256 index so the plaintext value is never written to disk
• Encryption at rest — profile data: Sensitive profile fields (name and other PII) are encrypted using a unique per-user key. Each user's key is itself wrapped by a master key using AES-256-GCM envelope encryption, ensuring GDPR-style erasure — deleting your account cryptographically destroys all your PII
• Encryption at rest — chat messages: All chat messages are encrypted with a per-conversation AES-256-GCM key derived from a master secret, so messages are unreadable outside of the application context
• Encryption in transit: All communication between the app and our servers uses HTTPS/TLS. Internal service-to-service communication within our infrastructure is also encrypted
• Authentication: Sessions use short-lived signed JWT tokens. Token subjects contain only an internal user ID — your phone number is never embedded in a token

No method of transmission over the Internet is 100% secure. We encourage you to keep your login credentials confidential and to report any suspected unauthorised access immediately.

Children's Privacy & Child Safety Standards

Ekmilan is strictly an 18+ platform. We do not knowingly collect or process personal data from anyone under 18 years of age. Age is validated at registration — our system checks your date of birth and will not permit account creation if you are under 18, both in the app and on our servers.

If we become aware, or if it is reported to us, that an account belongs to a person under 18, we will immediately terminate that account and delete all associated data. To report a suspected minor, contact us at support@ekmilan.com.

Ekmilan has a zero-tolerance policy for Child Sexual Abuse and Exploitation (CSAE) in any form. For our full child safety standards — including prohibited content, our in-app reporting mechanism, CSAM handling procedures, and our child safety point of contact — please see our Child Safety Standards page.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via the app. Continued use of Ekmilan after changes constitutes acceptance of the updated policy.

Contact Us

If you have any questions or concerns about this Privacy Policy, please reach out to us:

support@ekmilan.com