GDPR & EU Privacy Rights

As the Data Controller, we determine the purposes and means of processing your personal data. We are registered with the Irish Data Protection Commission (DPC) as our lead supervisory authority under the EU's one-stop-shop mechanism.

Under the GDPR, we must have a valid legal basis for every processing activity. Here is how we justify each category of processing:

Performance of a contract (Art. 6(1)(b))

• Creating and managing your account
• Running our AI compatibility engine and generating matches
• Enabling in-app messaging
• Processing subscription payments
• Providing customer support

Legitimate interests (Art. 6(1)(f))

• Detecting and preventing fraud, abuse, and spam
• Improving and developing new product features using aggregated analytics
• Maintaining the security and integrity of our systems
• Defending against legal claims

Consent (Art. 6(1)(a))

• Marketing communications via email (you can withdraw at any time)
• Non-essential cookies and tracking technologies
• Processing of special-category data you voluntarily add to your profile (sexual orientation, religion, ethnicity, health-related preferences)
• Sharing anonymised data with research partners

Legal obligation (Art. 6(1)(c))

• Responding to court orders and lawful law enforcement requests
• Retaining financial records for statutory periods
• Child safety reporting obligations

Special-category data (Art. 9(2)(a))

Where your profile contains special-category data (e.g. sexual orientation), we process it based on your explicit consent. You can remove such data from your profile at any time, and doing so does not affect your ability to use the Service.

As a data subject in the EEA, UK, or Switzerland, you have the following rights:

Right of access (Art. 15)

You can request a copy of all personal data we hold about you, along with information about how it is processed. Access requests are fulfilled within 30 days and are free of charge for the first request.

Right to rectification (Art. 16)

You can correct inaccurate or incomplete personal data directly in the app via Settings → Edit Profile, or by contacting our Privacy Team.

Right to erasure / "right to be forgotten" (Art. 17)

You can request deletion of your personal data. We will comply unless we are required to retain it for legal reasons (e.g. fraud prevention, safety, legal proceedings). Data is purged from live systems within 30 days and from backups within 90 days.

Right to restriction (Art. 18)

In certain circumstances, you can request that we restrict processing of your data (e.g. while you contest its accuracy or object to its processing).

Right to portability (Art. 20)

You can request your personal data in a structured, commonly used, machine-readable format (JSON). Go to Settings → Privacy → Download My Data, or contact our Privacy Team.

Right to object (Art. 21)

You can object at any time to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds. You have an absolute right to object to processing for direct marketing purposes.

Rights related to automated decision-making (Art. 22)

Our AI matching engine uses automated processing to suggest compatible users. This does not produce legal or similarly significant effects — you can always choose not to match with a suggested user. You have the right to request human review of any decision that you believe has significantly affected you.

Right to withdraw consent

Where we process your data based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing. Withdraw consent via Settings → Privacy, or by contacting privacy@dhabli.com.

You can exercise most rights directly within the app:

• Download your data: Settings → Privacy → Download My Data
• Delete your account: Settings → Account → Delete Account
• Update profile information: Settings → Edit Profile
• Manage communication preferences: Settings → Notifications
• Withdraw marketing consent: Settings → Privacy → Marketing
• Manage cookie preferences: our Cookie Settings page

For rights that cannot be exercised in-app, contact our Privacy Team at privacy@dhabli.com. We will verify your identity (to protect against fraudulent requests) and respond within 30 days. For complex requests, we may extend this to 90 days with notice.

Zod operates globally, and your data may be transferred to and processed in countries outside the EEA, including the United States. These countries may not offer the same level of data protection as the EEA.

Safeguards we use for international transfers:

• Standard Contractual Clauses (SCCs) adopted by the European Commission — used for transfers to our US parent entity and most third-party vendors
• UK International Data Transfer Agreements (IDTA) — used for transfers from the UK
• Adequacy decisions — where available (e.g. transfers to Canada, Japan)
• Transfer Impact Assessments (TIAs) — conducted before each new transfer to a non-adequate country

You can obtain a copy of our SCCs by emailing privacy@dhabli.com.

We have appointed a Data Protection Officer (DPO) as required by the GDPR. The DPO is responsible for overseeing our data protection strategy and ensuring compliance with GDPR requirements.

You may contact our DPO directly at any time:

If you believe we have violated your rights under the GDPR, you have the right to lodge a complaint with the supervisory authority in your EU member state of residence, place of work, or where the alleged violation occurred.

Our lead supervisory authority is the Irish Data Protection Commission (DPC):

UK users may also contact the Information Commissioner's Office (ICO) at ico.org.uk.

We ask that you contact us first — most issues can be resolved quickly. You are not, however, required to do so before contacting your supervisory authority.

For all GDPR-related requests or questions: