BlushBite

Last updated March 2025

Privacy Policy — your privacy matters.

BlushBite is built on the principle that desire is private. This policy explains what data we collect, why, and how it is protected.

1. Who We Are

BlushBite is operated by BlushBite (operated as a sole trader, incorporation pending), a company registered in the Netherlands. Our platform is EU-hosted and serves a global adult audience (18+). We are the data controller for personal data processed through this platform.

For privacy enquiries, please contact us at: privacy@blushbite.co

2. What Data We Collect

  • Account data: Your email address and alias (an anonymised username automatically generated at signup — your real name is never used on the platform).
  • Profile preferences: Gender, desired genders, and vibe preferences collected during onboarding. These are stored anonymously and used only for content personalisation.
  • Identity verification data: Government-issued ID, selfie photograph, and liveness check data — collected and processed exclusively by our third-party verification provider, Didit (didit.me). BlushBite does not store raw identity documents on our servers.
  • Usage data: Pages visited, feature interactions, and session length. Used for platform improvement only. Not sold or shared with advertisers.
  • Communications: Any messages or support requests you send through the platform.

3. Why We Collect It

  • To verify companion identity and prevent fraud — legal basis: legitimate interest and legal obligation.
  • To provide personalised content discovery — legal basis: consent given via onboarding preferences.
  • To maintain platform safety and comply with applicable laws, including EU GDPR and Dutch law.
  • To process bookings and facilitate transactions between users and companions.

4. Third-Party Identity Verification (Didit)

We use Didit (didit.me) to verify the identity of companions on our platform. When you submit identity verification, your government-issued ID and biometric data (selfie and liveness check) are transmitted directly to and processed by Didit under their own Privacy Policy, available at didit.me/legal/privacy-policy.

Didit acts as a data processor on our behalf under a Data Processing Agreement compliant with GDPR Article 28. Verification results (pass/fail status only) are returned to BlushBite. Raw documents are not stored by BlushBite.

5. Sub-Processors & Third Parties

BlushBite uses the following third-party processors to operate the platform. Each is bound by a Data Processing Agreement or equivalent legal instrument where required by GDPR:

  • Didit (didit.me) — Identity verification for companions. EU GDPR Article 28 DPA in place. Privacy policy: didit.me/legal/privacy-policy. Legal transfer mechanism: intra-EU processing.
  • OpenAI (openai.com) — Content embeddings for personalisation and discovery. Data processed outside the EU under Standard Contractual Clauses (SCCs). Privacy policy: openai.com/policies/privacy-policy. Legal transfer mechanism: SCCs (GDPR Art. 46(2)(c)).
  • Railway (railway.app) — Infrastructure and database hosting. EU Frankfurt region. Data Processing Agreement in place. Privacy policy: railway.app/legal/privacy. Legal transfer mechanism: intra-EU processing.
  • Cloudflare (cloudflare.com) — Media delivery and CDN. Data Processing Agreement in place. Privacy policy: cloudflare.com/privacypolicy. Legal transfer mechanism: DPA with SCCs for any non-EU edge nodes.

6. Data Storage & Security

  • All data stored on EU-based servers (Railway, Frankfurt region).
  • Passwords hashed with bcrypt at cost factor 12 — never stored in plain text.
  • All data in transit encrypted via TLS 1.2 or higher.
  • We do not sell personal data to third parties under any circumstances.

7. Your Rights (GDPR)

As an EU data subject, you have the following rights under the General Data Protection Regulation:

  • Right of access — you may request a copy of the personal data we hold about you.
  • Right of rectification — you may ask us to correct inaccurate data.
  • Right of erasure ("right to be forgotten") — you may request deletion of your data.
  • Right to restriction of processing — you may ask us to limit how we use your data.
  • Right to data portability — you may request your data in a machine-readable format.
  • Right to object — you may object to processing based on legitimate interest.

To exercise any of these rights, contact us at privacy@blushbite.co. You may also lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

8. Data Retention

  • Active accounts: Data retained while your account is active.
  • Verification records: Retained for legal compliance for 7 years post-verification.
  • Deleted accounts: Anonymised within 30 days of a valid deletion request.

Where US 18 USC 2257 records retention obligations apply, records are retained for a minimum of 7 years after production and 5 years after cessation of business, in compliance with federal law.

9. Cookies

We use strictly necessary session cookies only, required for authentication and maintaining your signed-in state. We do not use advertising cookies, third-party tracking cookies, or analytics cookies that identify you personally. No cookie consent banner is shown because we only set cookies that are technically essential.

If you have JavaScript enabled, anonymous session analytics may be recorded for platform stability and performance monitoring. These records are not linked to your identity and are used solely for technical diagnostics. No advertising or fingerprinting cookies are set under any circumstances.

10. UK Users

BlushBite processes personal data of UK residents under the UK GDPR (the retained EU GDPR as amended by the Data Protection Act 2018). UK users have the same rights as EU data subjects as described in Section 7 above, including rights of access, rectification, erasure, restriction, portability, and objection.

UK residents may also lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

11. User-Generated Content

Both companions ("The Dream") and registered users ("The Dreamer") may submit stories and confessions to the platform. All user-generated content (UGC) is moderated before publication. Submitters retain authorship of their original content but grant BlushBite a non-exclusive, royalty-free licence to display that content on the platform for as long as the submission remains live.

Content submitted anonymously is stored with a pseudonymous identifier and is not linked to your real identity in any public-facing display. Your alias is used in place of your real name at all times.

You may request removal of your UGC at any time by contacting us at privacy@blushbite.co. Removal requests are processed within 30 days.

12. EU Digital Services Act (DSA)

BlushBite complies with the EU Digital Services Act (Regulation (EU) 2022/2065). We operate a notice-and-action system for illegal content. Users may report illegal content or harmful material by contacting us at support@blushbite.co.

BlushBite is not currently a Very Large Online Platform (VLOP) and does not meet the 45 million monthly active users (MAU) threshold that triggers enhanced DSA obligations. We will reassess this status as the platform grows.

13. Changes to This Policy

We will notify users of any material changes to this Privacy Policy via email or an in-platform notice. Continued use of BlushBite after 30 days of notification constitutes acceptance of the updated policy.

© 2025 BlushBite · EU-hosted · GDPR compliant