Back to Legal
Your data

Privacy Notice.

DEX is operated from the United Kingdom. This notice explains, in plain English, what personal data we process, why, on what legal basis, and what rights you have under UK GDPR and the Data Protection Act 2018.

Who is the controller?

The controller of your personal data is the operator of DEX (meetdex.net).

Our Data Protection Officer can be reached at dpo@meetdex.net.

What we collect

  • Account basics: email, password hash, date of birth, name/handle, IP at signup.
  • Profile content: photos, bio, tribe, position, looking-for, height, weight, age.
  • Approximate location: lat/lng used to power the nearby grid.
  • Special category data (UK GDPR Art. 9): data revealing sexual orientation, and any intimate images you choose to upload. Processed only with your explicit consent (Art. 9(2)(a)).
  • Direct messages: stored to deliver them and for moderation.
  • Reports, blocks, favourites: needed to run safety features.
  • Payment metadata: Stripe customer ID, amount, currency, date. We never see your card details.
  • Device fingerprint: hashed, used to detect ban-evasion only.
  • Logs: IP, user-agent, timestamps for security and abuse prevention.

Why we process it (lawful bases)

  • Contract (Art. 6(1)(b)): account, messaging, location grid — needed to deliver the service you signed up for.
  • Legitimate interests (Art. 6(1)(f)): abuse prevention, fraud detection, security logs. We've documented the balancing test.
  • Explicit consent (Art. 9(2)(a)): special category data — sexual orientation and intimate content.
  • Legal obligation (Art. 6(1)(c)): complying with UK law including the Online Safety Act 2023 and lawful law-enforcement requests.

Who we share with

  • Stripe (payments, customer support). EU/UK transfers under SCCs.
  • Supabase / Lovable Cloud (database, storage, hosting).
  • Yoti (planned) — age and identity verification.
  • Push notification providers (Apple, Google) — only the notification payload.
  • UK law enforcement — only when legally compelled. See Law Enforcement Guidelines.

International transfers

Some processors are based outside the UK. Where data leaves the UK we rely on UK adequacy regulations or the ICO's International Data Transfer Agreement (IDTA), and we apply additional safeguards.

How long we keep it

  • Live account data: while your account exists.
  • Deleted accounts: hard-purged 30 days after deletion request (grace period for accidental deletes).
  • Moderation logs: 2 years (Online Safety Act audit requirement).
  • Payment records: 6 years (HMRC requirement).
  • Sign-in IP / device fingerprints: 90 days.

Your rights

Under UK GDPR you have the right to:

  • Access — Settings → "Export my data" or email dpo@meetdex.net.
  • Rectification — edit it in the app.
  • Erasure — Settings → "Delete account" (30-day grace, then permanent).
  • Restriction and objection — email dpo@meetdex.net.
  • Withdraw consent — for special category data, deletion of your account is the cleanest withdrawal.
  • Complain to the ICOico.org.uk.

We respond within one calendar month.

Security

TLS in transit. Encryption at rest. Role-based access controls. Row-Level Security on every user table. We will notify the ICO within 72 hours of any qualifying breach and you directly if it affects you.

Children

DEX is strictly 18+. We do not knowingly collect data from anyone under 18. If you believe a minor is using the app, report immediately — the account will be removed and reported to UK authorities.

Last updated · May 2026