Privacy Policy
Version 2.0 · effective from 2026-05-11
1. Data controller and contact
The data controller is the administration of saitas.net (the "Platform"). For questions, consultations and to exercise your rights, use these addresses:
- General enquiries: [email protected]
- Data protection matters (DPO): [email protected]
- Abuse reports: [email protected]
2. What data we collect
2.1 Registration data (mandatory)
- Email address (authentication)
- Display name (shown to other users)
- Password (stored only as a bcrypt / Argon2 hash)
- Gender and date of birth (required for the matching feature)
2.2 Profile data (optional)
- Country, region, city
- About-me free text
- Hobbies
- Photos (hosted on BunnyCDN, Germany)
- Custom question answers
2.3 Usage data
- Messages to other users
- Likes, matches, blocked users
- Photo votes
- Hand-game (rock / paper / scissors) history
- Karma points and level progress
- Visits to other users' profiles
- Last login / activity timestamps
2.4 Technical data
- IP address (retained only in nginx access logs, ~30 days)
- Browser / device type
- Session cookie (see Cookie Policy)
2.5 Special-category data (GDPR Art. 9)
Gender, age, and indirectly sexual orientation (revealed by who you like) and religious / philosophical beliefs (from question answers) are special-category data. We process them solely on the basis of your explicit consent given at registration (GDPR Art. 9(2)(a)).
2.6 What we do NOT collect
- National ID number, passport, ID card
- Real name (unless you put it in your bio yourself)
- Phone number
- Payment card data (no payments processed on the Platform)
- Precise GPS location (only country / region / city you provide manually)
3. Legal basis
| Purpose | Basis |
|---|---|
| Account creation, login, profile display | GDPR Art. 6(1)(b) — contract performance |
| Messages, hand-game, likes | GDPR Art. 6(1)(b) |
| Gender, age, orientation (special category) | GDPR Art. 9(2)(a) — explicit consent |
| Marketing email (digest, reactivation) | GDPR Art. 6(1)(a) — consent (revocable) |
| Bounce / spam protection, security | GDPR Art. 6(1)(f) — legitimate interests |
| Moderation (bans, photo removal) | GDPR Art. 6(1)(f) — legitimate interests |
4. Retention periods
- Account: until you delete it (inactive 2+ years → admin review prompt)
- Messages: as long as both parties have accounts
- Email log: 90 days
- Bounce / complaint events: indefinitely (sender-reputation protection)
- Session cookie: until logout (or 10 years with "Remember me")
- Nginx access logs: 30 days
- Photo files on CDN: until account purge (deleted together)
- Admin action log: indefinitely (audit)
5. Who we share data with
All our sub-processors are within the European Economic Area (EEA). No user-data flow leaves the EEA.
| Provider | Role | Region |
|---|---|---|
| UAB „Interneto vizija" | Hosting (servers, DB) | LT |
| Cloudflare, Inc. | DNS, TLS, WAF | EU PoP |
| Bunny.net | Photo storage / CDN | DE |
| Resend, Inc. | Email delivery | IE (eu-west-1) |
6. International data transfers
All user-related data stays within the European Economic Area. As of 2026-05-11 the Platform uses no provider outside the EEA; Google Fonts has been removed and web fonts are now self-hosted.
7. Your rights
Under GDPR you have the following rights:
- Right of access (Art. 15) — confirmation and a free copy of your data.
- Right to rectification (Art. 16) — correct inaccurate data via profile settings.
- Right to erasure ("right to be forgotten", Art. 17) — delete your account and related data.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — receive your data in a structured, commonly used format.
- Right to object (Art. 21) — opt out of direct marketing at any time (unsubscribe link in every email + profile settings).
- Right to withdraw consent (Art. 7(3)) — withdrawal does not affect prior processing.
- Right not to be subject to automated decisions (Art. 22) — note that our recommendations are suggestions, not automated decisions.
Exercise any of these rights by writing to [email protected]. We must respond within 30 days (GDPR Art. 12).
If you believe we infringe your rights, you may lodge a complaint with the Lithuanian State Data Protection Inspectorate ([email protected], L. Sapiegos g. 17, 10312 Vilnius).
8. Security measures
- TLS 1.3 for all HTTP traffic; HSTS enabled
- Passwords stored only as hashes (bcrypt / Argon2id)
- CSRF tokens on all forms
- Session cookie with secure + samesite=lax attributes
- Webhook signature verification (Svix HMAC) before any is_subscribed change
- Admin action audit log
- Photo files reachable only via content-hash URLs, never sequential IDs
9. Children
Saitas.net is intended solely for users aged 18 and older. By registering you confirm you are of age. If we learn an account was created by a minor we will delete it without delay.
If you notice a minor using the Platform, report it to [email protected].
10. Changes to this policy
Material changes will be announced by email or a prominent notice on the Platform. The version and effective date are shown at the top. Previous versions are archived in our internal DPIA documentation; copies available on request to the DPO.