Privacy Policy

Last updated: May 11, 2026

1. Introduction

OnKeiDo (“we,” “us,” or “our”) operates a curated in-person dating event platform. This Privacy Policy explains what personal information we collect, where we get it, what we do with it, who else may receive it, how long we keep it, and the rights you can exercise over it.

We have organized this policy by topic rather than by jurisdiction. The same practices apply to all members; specific rights described in Your Rights are available to residents of jurisdictions whose laws grant them, including California, Texas, and Florida.

2. Categories of Personal Information We Collect

The table below uses the personal-information categories defined in California Civil Code § 1798.140, which the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch. 541) and the Florida Digital Bill of Rights (Fla. Stat. §§ 501.701 et seq.) treat as substantially equivalent.

| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email address, phone number, account ID, IP address | Yes |
| Personal information under Cal. Civ. Code § 1798.80(e) | Name, phone number, contact details you provide during onboarding | Yes |
| Protected classifications | Age and gender, when you provide them during onboarding | Yes (voluntary) |
| Commercial information | Event registrations and attendance history | Yes |
| Internet or network activity | Browser type, device information, pages visited on our site, session activity | Yes |
| Audio, electronic, or similar information | Voice Debrief audio (short retention — see Voice Debrief); Voice Onboarding audio routed in real time through our speech providers (not stored) | Yes (with consent) |
| Biometric information | Voice characteristics in transit during Voice Onboarding and Voice Debrief; never used for identification (see Biometric Information) | Yes (with written consent) |
| Sensory data | Acoustic measurements (pitch, speaking rate, pause patterns, turn-taking) from Conversation Insights — numerical only, no audio | Yes (Tier 2 opt-in) |
| Profession or employment information | Profession or industry, when you share it during onboarding | Yes (voluntary) |
| Inferences | Compatibility scores, interaction-quality assessments, conversational style profiles, match recommendations | Yes |
| Music preferences | Listening history, top artists, and genre data drawn from your Spotify account when you connect it | Yes (with connection) |

We do not collect Social Security numbers, financial-account numbers, government identification numbers, or precise geolocation. We do not knowingly collect personal information from anyone under 21 (see Age).

3. Sources of Personal Information

We collect personal information from the following sources:

  • You. Directly, when you register, complete onboarding, update your profile, attend an event, debrief afterward, or contact us.
  • Your devices. Automatically, when you visit our site or use the app — IP address, browser type, device information, and session activity.
  • OnKeiDo Hosts. Trained Hosts at OnKeiDo Evenings record structured behavioral observations about how conversations flow. These observations are behavioral, not content recordings.
  • Other event attendees. Your conversation partners may rate their interaction with you after a round. These ratings inform future pairings.
  • Spotify, when you connect your account. If you choose to connect Spotify in your account settings, Spotify shares your listening history, top artists, and genre data with us using an authorization token you control. You can disconnect at any time in account settings; once disconnected, we stop receiving new data.
  • Our service providers. When we send data to a third party for processing (for example, to convert speech to text), the provider returns processed data to us. The original identifiable data is held only on our servers; the third party receives only anonymized inputs.

4. How We Use Your Information

  • Matching intelligence. Your onboarding answers, event observations, ratings, and (if enabled) Conversation Insights data power the matching system that pairs members for conversation rounds.
  • The OnKeiDo Brief. After each Evening we generate a personalized post-event report from observations, ratings, and your own feedback.
  • Account operations. Account creation, authentication, event registration, billing (when membership is paid), customer support, and account recovery.
  • Communications. Event confirmations, post-event Briefs, Curator correspondence, and service-related notifications via email and SMS.
  • Safety and integrity. Detecting and responding to safety concerns and policy violations; investigating reports; protecting members and our platform.
  • Improvement of the service. Aggregated, de-identified data is used to improve matching quality, event design, and our conversational systems.
  • Legal compliance. Meeting record-keeping, consent-defense, and disclosure obligations imposed by law (see Biometric Information and Retention).

We do not use your personal information for purposes that are incompatible with the purposes above, and we do not sell or rent your personal information. We do not engage in cross-context behavioral advertising and we do not engage in targeted advertising.

5. Categories of Recipients

We share personal information with the following categories of recipients, each of which is bound by data-processing terms that restrict use to the purposes we specify. Before personal information leaves our servers it is de-identified by our Privacy Gateway wherever the recipient does not need identifiable data to perform its function (see AI-Assisted Processing).

  • Speech providers (Deepgram). Receive de-identified, voice-altered audio for speech-to-text conversion during Voice Onboarding and Voice Debrief, and receive synthesized-speech requests for Curator voice output. Selected for zero-data-retention terms.
  • Language-model gateway (OpenRouter). Receives pseudonymized text for processing by underlying language-model providers. Each request is sent under a rotating pseudonym so no single provider can build a profile across your interactions. Selected for zero-data-retention terms.
  • Email delivery (Postal). Self-hosted on our own infrastructure. Receives your email address and the message content we send you.
  • SMS delivery (Telnyx). Receives your phone number and the message content we send to you, plus delivery-status information returned by the carrier. See SMS Messaging.
  • Hosting and storage (Hetzner; Supabase, self-hosted on Hetzner). Hold all of OnKeiDo’s own application data, including your account and event records. Both are under data-processing agreements.
  • Government and legal authorities. When we are required by law, subpoena, court order, or governmental request, or when disclosure is necessary to protect the rights, property, or safety of OnKeiDo, our members, or others.
  • Business transferees. In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred to the acquiring entity under terms at least as protective as this policy.

External AI and infrastructure providers do not receive your real name, email address, phone number, or other identifying details unless they need that data to perform their function (for example, Postal receives your email address to deliver your message).

6. Sensitive Personal Information

California, Texas, and Florida law classify certain categories of personal information as “sensitive.” The sensitive categories we collect are biometric information processed for the purpose of generating matching insights (see Biometric Information), and acoustic-prosodic measurements (see Conversation Insights) when you opt in.

We use sensitive personal information only for the purposes that are necessary to deliver the service you have asked for: matching, post-event Brief generation, and safety. We do not use sensitive personal information to infer characteristics about you for advertising or for any purpose outside the service. Under California law, you have the right to limit our use of sensitive personal information; because we already restrict our use to service delivery, exercising that right would not change our handling.

7. Retention

Each category of personal information is retained only for as long as it is needed for the purposes described above or for the period required by law, whichever is longer.

  • Account, profile, and event-history data: retained while your account is active. When you request deletion, the account enters a 30-day reactivation grace period; after that, your personal data is permanently deleted, with the carve-outs described below.
  • Onboarding conversation transcripts: retained while your account is active; deleted with your account.
  • Voice Debrief audio: retained for a maximum of seven days from the end of the debrief, then permanently deleted. Voice Debrief transcripts are retained on the same timeline as your account.
  • Conversation Insights measurements (acoustic-prosodic numbers): retained while your account is active. These measurements are deleted with your account when you exercise the right to delete.
  • Biometric-consent records: retained for five years from the later of your consent or your withdrawal of consent. This is the legal-compliance carve-out described below; the records are anonymized on account deletion but the record itself is preserved for the five-year period.
  • Aggregated, de-identified data: may be retained indefinitely for service improvement. This data cannot be linked back to you.
  • Records required to defend legal claims, comply with regulatory obligations, or resolve disputes: retained for the period required by the applicable statute of limitations or regulation.

8. Conversation Insights

Conversation Insights is an optional Tier 2 feature. When you opt in, your device’s microphone measures acoustic characteristics during conversation rounds. The system measures conversational dynamics, not conversation content.

What is collected

Numerical measurements only, roughly 500 bytes per round, including pitch and pitch variation, speaking rate, pause duration and turn-taking timing, vocal stability, frequency of acknowledgment vocalizations, and the distribution of speaking time between you and your conversation partner. No words, phrases, sentences, or semantic content of any kind are captured.

What is not collected

  • No audio recording. No audio file is created, stored, or transmitted off your device.
  • No speech-to-text. Audio is never converted to text.
  • Temporary buffer only. A small buffer in device memory is overwritten in real time to extract the numerical measurements, then discarded.

On-device speaker separation

To distinguish between conversation partners, the system uses temporary acoustic characteristics held in device memory during the round. These are never stored, never transmitted off the device, and are not voiceprints. They exist only for the duration of the active round and are discarded immediately afterward.

Your control

You enable or disable Conversation Insights as part of your Tier 2 consent at Profile > Consent Management, and again on the pre-Evening confirmation screen before each event. Changes take effect from the start of your next conversation round.

9. Voice Debrief

After events, you may participate in a Voice Debrief conversation. The audio is processed by AI to generate matching-intelligence insights and is stored only on our own servers; it is not transferred to the speech provider as an identifiable file. Voice Debrief audio is retained for a maximum of seven days from the end of the debrief and is then permanently deleted by an automated cleanup process. The transcript of the debrief is retained on the same timeline as your account.

10. Biometric Information

The voice signals processed during Voice Onboarding and Voice Debrief may constitute biometric information under the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14) and analogous state laws. We do not use these signals to identify you. They are used only to produce text transcripts and matching-intelligence insights.

Written release

Before any voice-based onboarding or debrief, you are shown a written release describing exactly what data is collected, the purpose and duration of collection, and the third parties that process it. You must affirmatively consent before any voice capture begins. We apply this written-release process to all members, not just Illinois residents.

No sale or profit from biometric information

We do not sell, lease, trade, or otherwise profit from biometric information. External speech providers receive voice-altered audio under zero-data-retention terms, which prevents voice profiling.

Five-year preservation of consent records

Important carve-out from the right to delete. When you exercise your right to delete your account, we hard-delete your personal data. We do not, however, delete the record of your biometric consent. Instead, we anonymize it: the link between the consent record and your member account is severed, but the record itself — including the email address and full name you used at the time of consent, the exact text of the release you saw, and the date you consented — is preserved as our legal-compliance record. We retain the anonymized record for five years from the later of your consent or your withdrawal of consent, after which it is deleted.

This carve-out is permitted by California (CCPA § 1798.105(d)(8), retention to defend a legal claim), Texas (TDPSA, Tex. Bus. & Com. Code Ch. 541, comparable legal-defense exception), and Florida (FDBR, Fla. Stat. §§ 501.701 et seq., comparable legal-defense exception) because the record is necessary to defend against legal claims under BIPA, which has a five-year statute of limitations. We retain only what is necessary for that defense and we cannot use the anonymized record to identify you for any other purpose.

You can withdraw your biometric consent at any time at Settings > Biometric Consent. Withdrawal stops future voice-based features for your account and starts the five-year preservation clock for the consent record from the date of withdrawal. For BIPA-related questions, contact privacy@onkeido.com.

11. AI-Assisted Processing and the Privacy Gateway

OnKeiDo uses artificial intelligence to power Voice Debrief analysis, Brief generation, interaction-quality assessments, profile updates, and the Curator conversation experience. Before any of your data reaches an external AI provider it passes through our Privacy Gateway.

What the Privacy Gateway does

  • Removes identifiers. Names, phone numbers, email addresses, venue names, specific dates, and other identifying details are replaced with neutral placeholders before data leaves our servers.
  • Rotates pseudonyms. The pseudonym assigned to your data changes with every request, so no external provider can link your data across multiple interactions.
  • Rotates providers. Your data is distributed across providers so that no single provider can build a profile of you.
  • Alters voice audio. When voice audio leaves our servers for speech-to-text, the audio is altered first, with a different alteration each session, preventing voice profiling by external providers.
  • Enforces zero data retention. All AI and speech providers we use are selected for zero-data-retention terms; they do not store, log, or train on your data after completing our request.

Where your identifiable data lives

Your identifiable personal data is stored only on OnKeiDo’s own servers (hosted on Hetzner). External providers receive only anonymized, de-identified data and do not retain it after processing.

12. Consent Tiers

OnKeiDo operates a two-tier consent system. Tier 1 is the baseline required for core event participation. Tier 2 enables enhanced matching features such as Conversation Insights and additional observation channels, and is fully optional. Your event experience is the same at both tiers; the difference is in how much information the matching system has to work with. You can change your tier at any time at Profile > Consent Management, and changes take effect before your next OnKeiDo Evening.

13. Your Rights

Residents of California, Texas, Florida, and other states with comparable privacy laws have the following rights regarding their personal information. Where a right is unique to a particular jurisdiction we have identified the source.

  • Right to know. The categories of personal information we collect about you, the sources, the purposes, and the categories of recipients (CCPA §§ 1798.100, 1798.115).
  • Right to access. A copy of the specific pieces of personal information we hold about you (CCPA § 1798.110; TDPSA Ch. 541; FDBR Fla. Stat. § 501.715).
  • Right to delete. Deletion of personal information we hold about you, subject to the carve-outs in Retention and Biometric Information (CCPA § 1798.105).
  • Right to correct. Correction of inaccurate personal information we hold about you (CCPA § 1798.106).
  • Right to data portability. A copy of your personal information in a portable, machine-readable format (CCPA § 1798.130).
  • Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising, so no opt-out is required for you to exercise.
  • Right to opt out of targeted advertising. We do not engage in targeted advertising, so no opt-out is required.
  • Right to limit use of sensitive personal information. We only use sensitive personal information for service delivery; you can request a written confirmation of this limit.
  • Right to non-discrimination. We will not discriminate against you for exercising any of these rights.
  • Right to appeal. If we decline a rights request, you can appeal it. See Appeals below (required by TDPSA and FDBR; offered to all members).

14. How to Exercise Your Rights

You can exercise your privacy rights through the following methods:

  • Request a copy of your data: Settings > Data Export. We email you a downloadable copy of your personal information.
  • Delete your account and personal data: Settings > Delete Account. Deletion starts a 30-day reactivation window and then permanently removes your personal data, subject to the carve-outs in Retention.
  • Withdraw biometric consent: Settings > Biometric Consent.
  • Change consent tier: Profile > Consent Management.
  • Correction of inaccurate data, or any other request: Email privacy@onkeido.com from the address on your OnKeiDo account.

Verification. For requests submitted by email we verify your identity by matching the requesting email to your OnKeiDo account and, when necessary, asking you to confirm account-specific information. For requests submitted through the in-product surfaces, your active session is the verification.

Response timeline. We respond to verifiable rights requests within 45 days of receipt, as required by CCPA, TDPSA, and FDBR. When more time is reasonably necessary we may extend this period by an additional 45 days and will notify you of the extension and the reason.

Authorized agents. California residents may use an authorized agent to submit a rights request. The agent must provide written, signed authorization from you, and we may ask you to verify your own identity directly before processing.

15. Appeals

If we decline a rights request, we will tell you why and how to appeal. To appeal, reply to our decision email or write to privacy@onkeido.com with the subject line “Privacy Rights Appeal.” A different member of our team will review the appeal and respond within 60 days. If the appeal is denied, Texas and Florida residents may contact their state Attorney General; California residents may contact the California Privacy Protection Agency.

16. Sale, Sharing, and Opt-Out Preference Signals

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not engage in targeted advertising. Because we do not sell or share, there is no opt-out for you to exercise for these activities.

We do not currently process the Global Privacy Control browser signal or other opt-out preference signals, because our data practices do not include the sale, sharing, or targeted-advertising activities those signals are designed to opt out of. If our practices change in a way that triggers an opt-out obligation, we will implement opt-out preference signal handling at that time and update this section.

17. Age

OnKeiDo is intended only for adults 21 years of age or older. We do not knowingly collect personal information from anyone under 21. If we learn that we have collected personal information from a person under 21, we delete that information promptly. If you believe a person under 21 has provided us with personal information, please contact privacy@onkeido.com.

18. SMS Messaging and Mobile Information

When you provide your phone number and opt in to receive SMS notifications from OnKeiDo, we use your number to send service-related messages about event reminders, post-event reports, and account updates. Message frequency varies. Message and data rates may apply. You may opt out at any time by replying STOP. Reply HELP for assistance.

We will not share your opt-in to an SMS campaign with any third party for purposes unrelated to providing you with the services of that campaign. We may share your personal data, including your SMS opt-in or consent status, with third parties that help us provide our messaging services, including platform providers, phone companies, and other vendors who assist in the delivery of text messages.

The categories of recipients above exclude text-messaging originator opt-in data and consent; that information is not shared with any third parties.

19. Security and Safety

We use industry-standard security measures to protect your data, including encryption in transit and at rest, role-based access controls, and regular security reviews. The Privacy Gateway adds an additional layer of protection by ensuring that identifiable information never leaves our servers in unprotected form. No system is perfectly secure and we cannot guarantee absolute security.

How we handle in-event safety matters — the three-tier severity model, the appeals pathway with published timelines, reviewer independence, and our defenses against coordinated false reports — is described on our safety page.

20. Changes to This Policy

We may update this Privacy Policy from time to time. We will revise the “last updated” date at the top, and for material changes we will notify you by email or through a notice in the product before the changes take effect.

21. Contact

For any privacy-related question, request, or appeal, contact privacy@onkeido.com.