Legal

Privacy Notice

Last updated: January 2026

1. Introduction

Waffle ("we", "our", or "us") is committed to protecting your privacy. This Privacy Notice explains how we collect, use, disclose, transfer, and safeguard your personal data when you use our mobile application and related services (together, the "Services"). It is intended to meet the transparency requirements of the Swiss Federal Act on Data Protection (revFADP) and, where applicable, the EU General Data Protection Regulation (GDPR).

Controller: Waffle, operated from Switzerland
Privacy contact: privacy@waffles-app.com

2. Information We Collect

2.1 Information You Provide

  • Account information (name, email address, phone number, password, profile photo)
  • Profile information (biography, profession, zodiac sign, city)
  • Content you create (posts, comments, messages, stories)
  • Contact list data (only if you choose to import contacts for Founding Friends)
  • Communications with us (support requests, feedback, survey responses)

2.2 Information Collected Automatically

  • Device information (device type, operating system, app version, language, time zone, unique identifiers)
  • Usage data (features used, interactions, timestamps, approximate session duration, log data)
  • Diagnostic data (crash reports, performance metrics, error logs)
  • Location data (only when you enable location features and grant device permissions; may be approximate or precise depending on your settings)

2.3 Information from QR Code Scans

When you scan another user's QR code or they scan yours, we record the connection along with the time and (if location is enabled) the approximate location of the scan. We use this to verify the in-person meeting and to help detect and prevent fraud and abuse (e.g., automated or remote connections). We do not share raw QR-scan location data with other users.

3. How We Use Your Information

We use personal data for the following purposes:

  • Providing services: Account creation, authentication, profile management, and app functionality
  • Connection verification: Verifying in-person connections via QR code scans and preventing abuse
  • Communication: Enabling messaging between connected users and delivering notifications
  • Personalization: Customizing your experience, including feed ordering and recommendations
  • Safety and security: Detecting and preventing fraud, abuse, and security issues; enforcing our terms
  • Improvement: Analytics, troubleshooting, performance monitoring, and developing new features
  • Legal compliance: Complying with legal obligations and responding to lawful requests

Legal Bases (GDPR, where applicable)

Depending on the context, we process your personal data based on one or more of the following legal bases:

  • Contract (Art. 6(1)(b)): Processing necessary to provide you with our Services
  • Legitimate interests (Art. 6(1)(f)): Processing for fraud prevention, security, service improvement, and analytics, where our interests do not override your rights
  • Consent (Art. 6(1)(a)): Where you have given consent for specific processing activities (e.g., optional location features, marketing communications)
  • Legal obligation (Art. 6(1)(c)): Where processing is required by law

Under the Swiss revFADP, we process personal data in accordance with the principles of lawfulness, proportionality, purpose limitation, transparency, and data security.

4. Information Sharing

We do not sell your personal information. We may share personal data as follows:

  • Other Users: Your profile information and content are visible to your friends according to your privacy settings. Messages are visible to the communicating parties.
  • Service Providers: Third parties who help us operate our services (hosting, infrastructure, analytics, crash reporting, notifications, customer support). They process personal data only on our instructions and must implement appropriate security measures.
  • Legal Requirements: When required by law, in response to lawful requests, or when necessary to protect rights, safety, and property, investigate fraud or abuse, or establish, exercise, or defend legal claims.
  • Business Transfers: If Waffle is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal data may be transferred as part of that transaction subject to appropriate safeguards.

5. Your Rights and Privacy Controls

Waffle gives you control over your information through in-app settings:

  • Choose who can see your posts (all friends, specific friends, or only you)
  • Hide your online status from other users
  • Control location sharing and visibility
  • Opt out of the Lonely Together feature
  • Block users to prevent all interaction
  • Download or delete your data and account through the app

Your Legal Rights

Depending on your location and applicable law, you may have the following rights regarding your personal data:

  • Access: Request information about what personal data we hold about you
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data in certain circumstances
  • Restriction: Request that we limit processing of your data in certain circumstances
  • Data portability: Request a copy of your data in a structured, commonly used, machine-readable format
  • Object: Object to processing based on legitimate interests or for direct marketing purposes
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing

How to exercise your rights: Contact us at privacy@waffles-app.com. We may request identity verification. We will respond within applicable legal timeframes (generally 30 days).

Right to Lodge a Complaint

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC). In the EU/EEA, you may contact your local data protection authority.

6. Data Security

We implement appropriate technical and organizational security measures to protect your information, including:

  • Encryption in transit (TLS) and at rest
  • Secure authentication with password hashing
  • Access controls and authentication for internal systems
  • Regular security reviews and monitoring

However, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your information only as long as necessary for the purposes described in this Notice, unless a longer retention period is required by law or needed for security, fraud prevention, dispute resolution, or enforcement of our terms.

  • Account and profile data: Retained while your account is active; deleted or anonymized within 30 days of account deletion, subject to legal and security requirements
  • User content: Posts, comments, and messages are retained until you delete them or delete your account, unless retention is required for safety, legal compliance, or disputes
  • QR scan verification records: Retained for up to 90 days to verify connections and prevent abuse, then deleted or anonymized
  • Logs and security records: Retained for up to 12 months for security monitoring and system integrity
  • Backups: Data may remain in encrypted backups for up to 30 days after deletion until backup rotation completes

8. Automated Decision-Making

We may use automated systems to help detect fraud, abuse, and policy violations (e.g., analyzing QR scan patterns to detect automated connections). These systems assist human review but do not make final decisions that significantly affect you without human involvement. You may contact us to request information about or contest any automated processing.

9. Children's Privacy

Waffle is not intended for users under 13 years of age. We do not knowingly collect personal data from children under 13.

If you are in the EU/EEA/UK, parental consent may be required for users under 16 (or a lower age set by national law, but not below 13) for certain consent-based processing. If we become aware we have collected a child's personal data without appropriate consent, we will take steps to delete the data or obtain valid consent.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your own, including countries outside of Switzerland and the EU/EEA, where our infrastructure or service providers are located.

We implement appropriate safeguards for such transfers:

  • GDPR: Standard Contractual Clauses (SCCs) approved by the European Commission, and supplementary technical and organizational measures where necessary
  • Switzerland: Safeguards recognized under revFADP, including SCCs adapted for Swiss law, adequacy decisions, and contractual protections

You may request information about transfer safeguards by contacting us at privacy@waffles-app.com.

11. Changes to This Notice

We may update this Privacy Notice from time to time. We will notify you of significant changes through the app and/or by email. Your continued use of Waffle after changes become effective constitutes acceptance of the updated Notice.

12. Contact Us

If you have questions about this Privacy Notice, our privacy practices, or wish to exercise your rights, please contact us:

Email: privacy@waffles-app.com