Greenflag Privacy Policy
This Privacy Policy explains how Smarttie Software Inc. ("Smarttie," "Greenflag," "we," "us," or "our") collects, uses, discloses, retains, and protects personal information when you use Greenflag, the trygreenflag.com website, our mobile applications, our public profile pages, our server APIs, and related services (together, the "Services").
Greenflag is a dating app with one defining trait: your profile is built by your friends. That means we handle not only your information, but also content your friends create about you, and content you create about other people. This Policy explains how that works. If you do not agree with this Policy, do not use the Services.
1. Controller and Contact
Smarttie Software Inc. is responsible for personal information processed under this Policy.
Registered address:
329 Howe St
Unit #970
Vancouver, BC V6C 3N2
Canada
Privacy and data requests: privacy@trygreenflag.com
Legal: legal@trygreenflag.com
Support: support@trygreenflag.com
Safety and reports: safety@trygreenflag.com
Website: https://trygreenflag.com
We have not appointed a Data Protection Officer. If that changes, we will update this Policy.
2. Quick Summary
- Greenflag is for adults only — you must be 18 or older.
- We collect your phone number, photos, basic facts, approximate location (to place you in a metro), and the content your friends create about you.
- We require photo verification (a liveness check and face match) through our vendor Didit to reduce fake profiles.
- We use your approximate location to lock discovery to your metro; we do not show your exact location to other users.
- We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
- We use a small set of service providers (listed in Section 10) for verification, messaging, AI translation, hosting, payments, analytics, and error reporting.
- You can access, correct, delete, or export your information, subject to the limits in this Policy.
This summary is for convenience only; the full Policy controls.
3. Information We Collect
3.1 Information you provide
- Account and verification: your phone number (verified by SMS one-time code), display name, date of birth / age, and the photos and basic facts (such as height, neighborhood, and interests) you upload as raw assets.
- Photo verification: a live selfie/liveness capture and the face-match result used to confirm you match your chosen profile photo (processed by Didit; see Section 10).
- Your friend roster: the phone numbers and names of the friends, family, or loved ones you invite to vouch for you, so we can send them an invitation.
- Content from your Vouchers: the pitch slides, captions, and written vouches your friends create about you, including the stated relationship (for example, "his sister").
- Content you create about others: if you act as a Voucher, the pitch and vouch content you create about the person you are vouching for.
- Messages and interactions: messages you send in a match, your "Curious" interest signals, and "convert to friendship" choices.
- Support, reports, and feedback: messages, reports of other users, survey responses, and attachments you choose to send us.
3.2 Information collected automatically
- Device and app information: device and installation identifiers, app version, operating system, platform, language, and device type.
- Location: approximate location used to determine your metro for city-locked discovery and for reverse geocoding the area label. You can control device location permissions, but core discovery needs at least an approximate metro.
- Usage and diagnostics: IP address, request timestamps, routes, status, latency, rate-limit and abuse-prevention signals, security logs, feature-usage events, crash reports, and error diagnostics.
- Purchase metadata: plan/access status and receipts from the app stores (we do not receive your full card number).
3.3 Information from third parties
We may receive information from the app stores (purchase and receipt status), our verification and infrastructure providers, and anyone who reports you or interacts with you on the Services.
4. Sensitive Information
Some information on Greenflag may be considered sensitive, including your photos and face/biometric verification data, approximate location, and information that may reveal characteristics like sexual orientation (inherent in a dating context). We collect and use this only to operate the Services — to verify you, build and show profiles, lock discovery to your metro, and keep the community safe — and we apply the protections described in this Policy. We do not use this information for advertising, and we do not sell it.
A note on verification: Didit performs a liveness check and a 1:1 face match to confirm you match your chosen photo. The face geometry involved may be considered biometric information under laws such as the Illinois Biometric Information Privacy Act (BIPA) and similar Texas, Washington, and other state laws. This data is used only to confirm the verification result. We do not use it to build a facial-recognition database, to identify you across other services, or for advertising, and we do not sell it or disclose it except to Didit (which processes it on our behalf to perform the check) or as required by law.
Where biometric-privacy laws apply, we collect and process this data with your consent, which you give when you choose to complete verification. We retain the biometric data used for the face match only as long as needed to perform and maintain your verification, and in any event we delete it (or require our vendor to delete it) within a reasonable period — generally within 30 days — after the verification is complete, unless a longer period is required to comply with law or to address a safety or security matter. You can decline verification, but your profile will not go live without it.
5. How We Use Information
We use information to:
- create and verify your account and confirm you are 18+;
- build, display, translate, and distribute friend-built profiles, vouches, and Public Decks;
- run city-locked discovery, the "Curious" mechanic, matching, and messaging;
- send the SMS verification code and service, security, account, and (where permitted) product messages;
- process purchases and access through the app stores;
- detect, prevent, and respond to fraud, abuse, harassment, safety incidents, and violations of our Terms and Community Guidelines, including reviewing reports and applying enforcement;
- analyze usage in privacy-preserving ways to improve the product;
- comply with legal obligations and protect the rights, safety, and security of users, the public, and Smarttie.
Content review and automated processing. To keep the community safe and to enforce our Terms and Community Guidelines, profiles, photos, vouches, and messages may be reviewed — using a combination of automated tools and human review — for fraud, abuse, harassment, illegal content, and safety risks. This means messages are not fully private: they may be scanned or reviewed for safety. We also use automated processing to rank and surface profiles in discovery and to support matching. These automated processes do not produce legal or similarly significant effects about you without the ability for human review where required by law; you can contact us to ask about a decision.
6. Legal Bases (where required, e.g. Mexico, EEA/UK)
Where data-protection laws require a legal basis, we rely on one or more of:
- Performance of a contract — to provide the Services you request;
- Consent — for example, to send the SMS verification code, to complete photo/biometric verification, to access device location, or for optional marketing (you can withdraw consent);
- Legitimate interests — to secure, maintain, and improve the Services, prevent abuse, and keep the community safe;
- Legal obligation — to comply with tax, consumer-protection, law-enforcement, and other legal requirements.
For users in Mexico, we process personal data in accordance with the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP); this Policy serves as our privacy notice ("aviso de privacidad"), and you may exercise your ARCO rights (Access, Rectification, Cancellation, Opposition) and withdraw consent as described in Section 11.
7. How Profiles and Public Decks Affect Privacy
Because friends build your profile, content about you may be created and shared by other people. You control whether your profile is published, can hide or unpublish it, and can revoke a Public Deck. However:
- Your live profile is visible to other users in your metro as part of discovery.
- A Public Deck is a web page at an unguessable address designed not to be indexed by search engines, but anyone with the link can view it, and content that is public or shared can be screenshotted, copied, cached, or re-shared by others outside our control. Revoking a link does not retrieve copies others already saved.
- We show your neighborhood/metro-level area, not your exact location, and we encourage limiting identifying details. Photos are inherently identifying — share only what you are comfortable making visible.
If your friends include other people's information in your pitch, or you do so in someone else's, you are responsible for having any consent required.
8. SMS Verification
We send a one-time verification code by SMS (through Twilio) when you or your invited friends sign in or verify a number. By entering a number and continuing, you consent to receive that code; message and data rates may apply. We use the number to verify and secure accounts, not for marketing. Additional details about our SMS practices are described in our internal SMS consent documentation and may be surfaced in-app at the point of verification.
9. Analytics, Crash Reporting, and Cookies
- Analytics (Mixpanel): we use product analytics designed around bounded, behavioral events (feature usage, onboarding steps, platform). Analytics are not intended to include message contents, vouch text, or secrets.
- Crash and error reporting (Sentry): crash reports include technical diagnostics and are intended to be scrubbed of message contents and secrets.
- Cookies / local storage: our apps use device storage, secure storage, and similar technologies to operate. If our website later adds cookies or web analytics, we will update this Policy and provide any required controls.
10. How We Share Information — Service Providers
We share information with service providers who process it on our behalf to run the Services. We do not sell personal information. Our current providers include:
| Provider | Purpose | Data involved |
|---|---|---|
| Didit | Photo/identity verification (liveness + 1:1 face match) | Selfie/liveness capture, chosen photo, match result |
| Twilio | SMS one-time-code verification | Phone number, verification events |
| OpenRouter + Google (Gemini) | AI features such as vouch translation and pitch assistance | The specific text submitted for the action (e.g. a vouch to translate) |
| Google Cloud Platform | Hosting, database, storage | All Service data, as infrastructure |
| Google Maps Platform | Reverse geocoding / metro placement | Approximate location at signup |
| OpenIM (self-hosted on GCP) | In-app chat (text, images, ≤1-min video) | Messages and chat media between matched users |
| Apple App Store / Google Play | In-app purchases and receipt verification | Purchase and receipt metadata |
| Postmark | Transactional email | Email address and message content for service emails |
| Mixpanel | Product analytics | Bounded behavioral events |
| Sentry | Crash and error reporting | Technical diagnostics |
We may also share information with professional advisors; with authorities, regulators, or courts where required by law or to protect rights and safety; with other users or the public when you publish or share content; and with an acquirer or successor in a merger, financing, or sale of assets. We do not share personal information for cross-context behavioral advertising / targeted advertising as those terms are defined under U.S. state privacy laws.
11. Your Privacy Rights and Controls
Depending on where you live, you may have rights to access, correct, delete, port, or restrict your personal information; to object to certain processing; to withdraw consent; to opt out of marketing; to opt out of "sale"/"sharing" or targeted advertising (note: we do not sell or share for targeted advertising); and to limit the use and disclosure of sensitive personal information to what is necessary to provide the Services (which is already how we use it). Users in Mexico may exercise ARCO rights under the LFPDPPP.
Authorized agents. Where the law allows, you may use an authorized agent to submit a request on your behalf; we may ask the agent for proof of authorization and may still ask you to verify your identity directly.
Opt-out preference signals. Although we do not sell personal information or share it for targeted advertising, where required by law we will treat a recognized browser- or device-level opt-out preference signal (such as Global Privacy Control) as a valid opt-out request for the browser or device that sends it.
To exercise rights, use the in-app controls or contact privacy@trygreenflag.com. You can also:
- Delete your account in the app, which removes your profile from discovery and deletes your account data subject to the retention exceptions in Section 12.
- Hide or unpublish your profile and revoke a Public Deck at any time.
We may need to verify your identity (for example, via the phone number on your account) before acting. Some requests may be limited where content is also someone else's (for example, a vouch your friend wrote), where we must keep records for legal, security, or safety reasons, or where information is controlled by another person. We will not discriminate against you for exercising these rights.
Appeals. If we deny your request, you may appeal by replying to our response (please reference "Privacy Request Appeal"); we will respond within the time the law requires. Depending on your state or country, you may also complain to your local data-protection or consumer authority — for example, your U.S. state attorney general, the California Privacy Protection Agency, Mexico's INAI, or your regional regulator.
12. Data Retention
We keep personal information only as long as needed for the purposes in this Policy. These are general guidelines, not fixed guarantees, and actual periods may vary with our legal obligations and safety needs:
- Profile, vouch, and message data is kept while your account is active and deleted or de-identified within a reasonable period (generally within about 30 days) after you delete your account, except as noted below.
- Inactive accounts. We may close and delete accounts that have been inactive for an extended period (for example, around two years), after any notice the law requires.
- Verification (biometric) data is retained only as long as needed to confirm and maintain your verification status and, as described in Section 4, is generally deleted within 30 days of completing verification.
- Safety, abuse, and ban records may be retained longer — for example, for a period after an account is banned — to enforce bans, prevent banned users from returning, investigate abuse, and protect the community.
- Payment, tax, and legal records are retained for the periods required by law (often several years, such as up to about seven years for tax and accounting records), and records of consent are kept as needed to demonstrate compliance.
- Backups, logs, and content already shared (such as a Public Deck someone saved) may persist after deletion as described in Sections 7 and 11.
13. Security
We use technical, organizational, and administrative safeguards designed to protect personal information, including encryption in transit, platform secure storage for secrets, access controls, rate limiting, and redaction rules for analytics and crash reporting. No method is perfectly secure; we cannot guarantee that unauthorized access, loss, or misuse will never occur. Protect your device, phone number, and account. If we learn of a breach affecting your information, we will notify you and authorities where required by law.
14. International Transfers
We are based in Canada and use providers that may process information in Canada, the United States, and other countries — which may have different privacy laws than where you live. Greenflag serves users in the United States and Mexico, and your information may be processed in those countries and in Canada. Where required, we use appropriate safeguards (such as standard contractual clauses or other lawful transfer mechanisms) for international transfers.
15. California and U.S. State Privacy Disclosures
We do not sell personal information or share it for cross-context behavioral advertising as defined under U.S. state privacy laws (including the CCPA/CPRA). Depending on your use, we may collect these categories of personal information:
- Identifiers — phone number, name, device identifiers, customer IDs, IP address;
- Customer records / commercial information — purchase, access, and transaction records;
- Internet/network activity — app and server request metadata and feature-usage events;
- Geolocation — approximate location for metro placement;
- Biometric information — liveness/face-match verification data;
- Audio/visual information — your photos and any chat media you send;
- Characteristics that may be sensitive — information inherent to a dating context;
- Inferences — limited product-usage inferences for service improvement.
We collect, use, disclose, and retain these for the purposes and for the periods described in this Policy (see Section 12), and we disclose them only to the service providers and other recipients listed in Section 10. We do not sell personal information, do not share it for cross-context behavioral advertising, and do not use or disclose sensitive personal information beyond the purposes permitted under the CCPA/CPRA (such as providing the Services, verification, and safety). We do not offer financial incentives in exchange for your personal information.
California residents (and residents of other U.S. states with similar laws, such as Virginia, Colorado, Connecticut, Texas, Oregon, and Montana) may exercise rights to know, access, correct, delete, and port their information; to opt out of sale/sharing/targeted advertising; to limit the use of sensitive personal information; and to appeal a denied request (see Section 11). You may not be discriminated against for exercising these rights, and you may use an authorized agent. To exercise these rights, contact privacy@trygreenflag.com. Because Greenflag verifies accounts by phone, we generally verify requests using the phone number on your account.
Washington and Nevada — consumer health data. Some information inherent to a dating service (for example, data that may reveal sexual orientation) could be treated as "consumer health data" under Washington's My Health My Data Act and Nevada law. We collect and use such information only to provide and secure the Services as described in this Policy and with your consent where required; we do not sell it, and we apply the protections described here. Washington and Nevada residents may contact privacy@trygreenflag.com to exercise applicable rights.
16. Mexico — LFPDPPP / Aviso de Privacidad
For users in Mexico, Smarttie Software Inc. acts as the data controller ("responsable") and this Policy serves as our privacy notice. We process the personal data described above to provide the Services, and sensitive data (such as photos, verification data, and data inherent to a dating context) with your consent. You may exercise your ARCO rights (Acceso, Rectificación, Cancelación, Oposición), limit the use or disclosure of your data, and withdraw consent by contacting privacy@trygreenflag.com. You may also file a complaint with the INAI.
17. Children
Greenflag is strictly for adults. The Services are not directed to anyone under 18, and we do not knowingly collect personal information from anyone under 18. If you believe someone under 18 is using Greenflag or has provided information to us, contact safety@trygreenflag.com and we will act, including terminating the account.
If we become aware of apparent child sexual abuse material (CSAM) or the sexual exploitation of a minor, we will remove it, preserve relevant evidence, and report it as required by law to the National Center for Missing & Exploited Children (NCMEC) and/or to law enforcement. We may retain and disclose related information for those reporting, investigative, and child-safety purposes even where we would otherwise delete it.
18. Marketing Communications
If you opt in or provide contact information, we may send product updates and (where permitted) marketing messages. You can opt out using the unsubscribe link or by contacting support@trygreenflag.com. We may still send non-marketing service, security, account, payment, and legal messages.
19. Third-Party Links
The Services may link to or integrate with third-party sites and services governed by their own privacy practices. We are not responsible for their privacy, security, or content.
20. Changes to This Policy
We may update this Policy from time to time. When changes are material, we will provide notice by posting the updated Policy, updating the "Last Updated" date, and/or sending in-app or email notice. Your continued use of the Services after the update takes effect means you acknowledge the updated Policy.
21. Contact
Smarttie Software Inc.
329 Howe St, Unit #970
Vancouver, BC V6C 3N2, Canada
Privacy and data requests: privacy@trygreenflag.com
Legal: legal@trygreenflag.com
Support: support@trygreenflag.com
Safety and reports: safety@trygreenflag.com