Last updated: 16 June 2026
1. Introduction
At Zlobby (a social network and dating app for the geek community), we take the protection of your personal data very seriously. This policy explains how we collect, use, store, and protect your information, in accordance with the General Data Protection Regulation (GDPR, EU 2016/679) and, where applicable, your local laws. The service is international and available in six languages (French by default, English, Spanish, German, Italian, Portuguese).
The mandatory law of your country of residence remains applicable and is not affected by this policy.
2. Data controller
The data controller is Emeric Mathis EI (sole trader, micro-enterprise), SIREN 932 467 939, RCS Avignon, registered office at 14 rue Cassini, 84300 Cavaillon, France. Website: https://www.zlobby.com.
For any question, request to exercise your rights, to contact the data protection officer (DPO), or to report an incident:contact@zlobby.com. Automated emails are sent from noreply@zlobby.com.
3. Data collected
We collect the following categories of data:
Registration data:
- Email address
- Password (hashed, never stored in clear text)
- Username
- Date of birth (minimum-age verification)
Profile data:
- Username, biography, profile picture (avatar) required and gallery up to 5 photos
- Gender, dating preferences (only if you enable Dating mode)
- Interests, favourite games (IGDB), favourite manga/anime (Kitsu)
- City, approximate geographic coordinates (for the distance filter), optional
- Profession, education, spoken languages, MBTI, etc., all optional
Sensitive data within the meaning of GDPR article 9
You may choose to disclose information falling under special categories (sexual orientation, political opinions, religious beliefs, neurodivergences and atypicalities treated as health data). These fields are all optional and their processing is based exclusively on your explicit consent (checkbox at the moment of filling). You can withdraw this consent and these data at any time from your profile, without affecting the lawfulness of processing carried out before withdrawal.
Activity data:
- Likes sent/received, matches, messages, conversations
- Published posts, comments, reactions, lobby messages
- Profile visits, blocks, reports
- Purchase history (virtual credits, Pro/Legend subscriptions)
Moderation logs:
For each analysed content item, we retain the moderation decision (safe / flagged / rejected), the associated score, and the timestamp (see section 8).
Technical data:
- IP address (anonymised by hash in rate-limiting logs)
- Browser, device, OS, preferred language
- Session cookies and preferences (see cookie policy)
- Anonymised error logs (via Sentry, automatic PII masking)
Payment data:
Card data (number, CVV, expiry) is processed exclusively by Stripe Payments Europe Ltd (Ireland) under PCI-DSS standards. Zlobby never stores nor has access to your card data. We only retain the Stripe transaction ID, the amount, and subscription metadata for billing.
4. Purposes and legal bases
Each processing activity relies on a specific legal basis (GDPR art. 6):
- Create and manage your account, provide the social network and messaging: performance of contract (art. 6.1.b)
- Dating mode, compatibility computation, distance filter: performance of contract; Dating mode is an explicit opt-in (dating_enabled), the social side works without it
- Processing of sensitive data (art. 9): explicit consent (art. 9.2.a)
- Content moderation, security, fraud and abuse prevention: legitimate interest (art. 6.1.f) and legal obligation (DSA, fight against illegal content)
- Payments, billing, accounting: performance of contract and legal obligation (art. 6.1.b and 6.1.c)
- Transactional emails and notifications: performance of contract; non-essential notifications based on consent
- Non-essential cookies and preferences: consent (see cookie policy)
- Compliance with legal obligations and responses to authorities: legal obligation (art. 6.1.c)
5. Retention period
Retention periods vary by data category:
- Active account: retained for the duration of your registration;
- Deleted account: immediate anonymisation of PII and permanent deletion within 30 days (grace period for restoration on request);
- Stripe transactions: 10 years (French Commercial Code art. L.123-22);
- Moderation logs: 5 years after last action (DSA audit trail);
- Technical / Sentry logs: 30 days;
- Messages: kept as long as the conversation exists; sender identifier anonymisedupon account deletion (to preserve the other party's history);
- Pre-launch waitlist: email deleted within 90 days after public launch if not converted to an account.
6. Processors and data sharing
We rely on carefully selected processors. Transfers outside the European Union are governed by the European Commission's standard contractual clauses (SCCs):
- Other users: the public profile information you choose to make visible;
- Database, authentication, file and photo storage: Supabase Inc. (Singapore, SCCs);
- Application hosting: Vercel Inc. (USA, SCCs);
- Payments: Stripe Payments Europe Ltd (Ireland, EU), subscriptions and credit packs, PCI-DSS compliant;
- Automated AI moderation: Anthropic PBC (USA, SCCs), text and image analysis via Claude (default model Claude Haiku 4.5). Text and images you publish or upload (posts, comments, bios, avatars and profile pictures, gallery photos, messages) are transmitted to Anthropic for compliance analysis (see section 8);
- Transactional emails and notifications: Resend Inc. (USA, SCCs), email address and message content only;
- Error monitoring: Sentry (USA, SCCs), stack traces and technical context, PII masked, logs kept 30 days;
- City search and reverse-geocoding: Nominatim / OpenStreetMap Foundation (United Kingdom), only approximate coordinates and the search query, no account data;
- Game and media catalogues: IGDB (Twitch Interactive, USA) and Kitsu, we consume their public catalogue, no sharing of your data;
- Federated authentication: Google, Apple, Discord, GitHub (when you choose to sign in via these providers);
- Competent authorities: in case of legal obligation or illegal content (CSAM, terrorism).
We never sell your personal data to third parties.
7. International transfers
Some of your data may be transferred to countries outside the European Union (notably the United States and Singapore). These transfers are governed by appropriate safeguards, in particular the standard contractual clauses (SCCs) adopted by the European Commission, supplemented where necessary by additional technical measures (encryption, minimisation).
8. AI moderation and automated decision-making
To protect the community and comply with our legal obligations (in particular the Digital Services Act, DSA), all content (posts, comments, bios, avatars and profile pictures, gallery photos, private messages and lobby messages) is subject to automated moderationoperated by Anthropic PBC via the Claude model (text and images). The required profile picture is systematically moderated by AI before approval; in Dating mode, a « real person » check is applied.
Each analysis produces a decision (safe, flagged or rejected) and a score. In case of doubt, a human review is carried out. This moderation may constitute automated decision-making within the meaning of GDPR article 22. In accordance with the GDPR and article 14 of the DSA, you have the right to obtain a statement of reasons, to contest the decision, and to obtain human intervention. Any appeal may be submitted within 30 days to contact@zlobby.com.
9. Your rights
Under the GDPR, you have the following rights:
- Right of access: obtain a copy of your data
- Right of rectification: correct inaccurate data
- Right to erasure: delete your data
- Right to data portability: receive your data in a structured format
- Right to object: object to the processing of your data
- Right to restriction: restrict the processing of your data
- Withdrawal of consent: withdraw your consent at any time (notably for article 9 sensitive data), without affecting the lawfulness of prior processing
To exercise these rights, contact us at contact@zlobby.com.
10. Data security
We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, or alteration:
- Data encryption in transit (HTTPS/TLS)
- Password hashing
- Restricted access to personal data
- Regular security monitoring and audits
11. Minors
The Service is strictly reserved for persons aged 18 or over. We do not knowingly collect data from minors. Any account identified as belonging to a minor is deleted.
12. Cookies
For details of the cookies and trackers used and the management of your consent, see our cookie policy.
13. Complaints
If you believe that the processing of your data does not comply with regulations, you may lodge a complaint with the CNIL (the French data protection authority,www.cnil.fr) or with the competent supervisory authority of your country of residence.
Creator and external account integrations
When you choose to link a creator account, Zlobby processes only the data needed to verify the account and display the features you enable.
- Stable provider account identifier, display name, handle, avatar and public channel URL.
- Public channel metadata, recent or pinned content and scheduled broadcasts.
- OAuth access and refresh tokens are encrypted server-side with AES-256-GCM and are never exposed to the browser or logs.
- Live status, title, category, language, audience, maturity flag, thumbnail and freshness timestamps for supported streaming providers.
- Optional providers: Twitch, YouTube, TikTok, Kick, Discord, Steam and Instagram.
Account linking is performed at your request to provide the selected service. Each profile, Live Now and lobby display remains a separate opt-in.
Connections and visibility choices are kept until you disconnect or delete your account. Technical webhook records are deleted after 30 days; provider caches follow the provider limits.
You can link accounts for free. Public Creator Hub and Live Now display require active Pro or Legend access; lobby live status remains available without Premium after opt-in.
Disconnecting immediately hides the integration, removes cached content and webhooks, deletes encrypted credentials and requests provider revocation when supported.
For any questions about this policy, see our cookie policy or contact us.
