Privacy Policy

Last updated: April 11, 2026

1. Introduction

At GirlsApp, we take the protection of your personal data seriously. This Privacy Policy describes what data we collect, how we use it, with whom we share it, and what rights you have over your data.

This Policy complies with the EU General Data Protection Regulation (GDPR) and the Russian Federal Law No. 152-FZ "On Personal Data".

2. Data controller

The data controller is GirlsApp Team, an independent digital project operating from Ukraine and not registered as a legal entity.

In accordance with our Privacy-First / No-KYC model, GirlsApp Team does not maintain a public postal address. All requests related to the processing of personal data are handled exclusively via email:

The GirlsApp team processes such requests within 30 days and applies GDPR standards to the processing of personal data, even where it does not fall under its territorial scope automatically.

3. What data we collect

3.1. Data you provide directly:

  • Registration data: email, username, password (stored as an Argon2id hash).
  • Profile data: display name, interface language.
  • Payment data: information about the selected plan and cryptocurrency transaction (wallet address, transaction hash, amount). We do not store private keys or seed phrases.
  • WhatsApp credentials: if you connect your account, we store session data encrypted with AES-256-GCM using a server-side key.

3.2. Data collected automatically:

  • Technical data: IP address, browser type, operating system, date and time of visit.
  • Usage data: number of messages sent, active sessions, interactions with Service features.
  • Cookies: we use strictly necessary cookies for authentication and security. See our cookie policy.

4. Purposes and legal bases

Purpose | Legal basis
Account creation and management | Performance of contract
Providing the Service | Performance of contract
Billing and invoicing | Performance of contract + legal obligation
Security and fraud prevention | Legitimate interest
Transactional messages (email) | Performance of contract
Service improvement (analytics) | Legitimate interest
Legal compliance | Legal obligation

5. Data retention

  • Account: for the entire duration of the account + 3 years after deletion (for legal obligations).
  • Payment data: 10 years (accounting obligations).
  • Security logs: 12 months.
  • Technical cookies: session-based, deleted on logout; JWT refresh token — 30 days.

6. Who we share your data with

We do not sell identifiable personal data (names, emails, customer phone numbers, message content, etc.) and do not share such data with third parties for commercial purposes. However, we rely on trusted sub-processors:

  • hCaptcha (Intuition Machines, Inc.): bot protection during registration and login. hCaptcha Policy
  • CoinRemitter: cryptocurrency payment processing. CoinRemitter Policy
  • SMTP provider: transactional email delivery.
  • Hosting provider: server hosting in the EU.

All sub-processors are bound by contractual obligations ensuring a level of protection equivalent to this Policy.

Aggregated and anonymized data: in accordance with our Terms of Service (section 11), we may process de-identified usage metrics (averages, country trends, model statistics) for analytics, benchmarks and published industry reports. This data is irreversibly stripped of any re-identification capability under GDPR (Recital 26) and is no longer considered personal data.

7. International data transfers

Your data is primarily stored on servers located in the European Union. Any transfer of data outside the EU is carried out in compliance with the Standard Contractual Clauses of the European Commission or other appropriate safeguards provided for by GDPR.

8. Your rights

Under GDPR and 152-FZ, you have the following rights:

  • Right of access — obtain a copy of your personal data.
  • Right to rectification — request correction of inaccurate data.
  • Right to erasure (right to be forgotten) — request deletion of your data.
  • Right to restriction of processing — suspend processing in certain cases.
  • Right to data portability — receive your data in a structured format.
  • Right to object — object to processing based on legitimate interest.
  • Right to lodge a complaint with a data protection supervisory authority.

To exercise your rights, send a request to privacy@girlsapp.pink. We will respond within 30 days.

You can also delete your account at any time via the "Settings" section of your dashboard.

9. Data security

We implement the following technical and organizational measures:

  • Encryption in transit: TLS 1.3 for all connections.
  • Encryption at rest: sensitive data (WhatsApp credentials) encrypted with AES-256-GCM.
  • Password hashing: Argon2id with salt.
  • Access protection: JWT with httpOnly cookies, CSRF tokens, hCaptcha on registration and login.
  • Isolation: Docker containerization, firewalls.
  • Backups: daily, encrypted.
  • Monitoring: security event logging and intrusion detection.

See our security page for more details.

10. Minors

The Service is not intended for persons under 18 years of age. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with their data, please contact us and we will delete it immediately.

11. Changes to this Policy

We may update this Policy from time to time. You will be notified of any material changes by email or via a notification in your dashboard.

12. Contact

For questions related to the processing of personal data, please contact: privacy@girlsapp.pink.