Privacy Policy

Last updated: April 9, 2026 · v1.0

Version 1.0 — effective April 9, 2026. Loviam processes your data in accordance with the General Data Protection Regulation (GDPR, EU 2016/679) and the French Data Protection Act. This policy is written in plain language, as recommended by the CNIL.

1. Data controller

The data controller is Eric Mollenthiel, publisher of the Loviam website, reachable at contact@loviam.com.

In accordance with Article 6-III-2 of the French LCEN law, the publisher's full postal and phone details are held by our hosting provider OVH SAS and can be obtained on legitimate request. For any GDPR inquiry, write to us at this address or via our contact form; we reply within one month at most.

2. Data we collect

We only collect data strictly necessary to operate the service:

  • Account: email address, hashed password, creation date, last login date
  • Profile: first name (or nickname), date of birth, gender, photos, biography, city of residence
  • Search preferences: gender(s) sought, age range, maximum distance
  • Location: latitude and longitude linked to your city (never exposed precisely to other users, only a rounded distance is displayed)
  • Interactions: likes, dislikes, super-likes, matches, messages exchanged, reports
  • Ad reward wallet: number of tokens earned and spent (from rewarded video ads)
  • Technical data: IP address, user-agent, push notification tokens (if accepted), connection logs

3. Sensitive data (GDPR Article 9)

Some data we process qualifies as "sensitive" under Article 9 GDPR. Its processing relies on your explicit consent, which you can withdraw at any time by deleting your account.

  • Sexual orientation (inferred): your search preferences (gender sought vs. your own) may reveal your orientation. This data is never sold or shared with third parties for advertising.
  • Precise geolocation: required to compute distances between profiles. Stored server-side only and never exposed in cleartext in the app.

4. Purposes and legal bases

Each processing has a defined purpose and a clearly identified legal basis:

  • Account creation and management — performance of contract (Art. 6.1.b)
  • Matchmaking — performance of contract (Art. 6.1.b) and explicit consent for sensitive data (Art. 9.2.a)
  • Messaging between users — performance of contract (Art. 6.1.b)
  • Moderation and abuse prevention — legitimate interest (Art. 6.1.f) and legal obligation (Art. 6.1.c)
  • Push notifications — consent (Art. 6.1.a), revocable at any time via your browser
  • Ad reward wallet — performance of contract (Art. 6.1.b)
  • Technical log retention — LCEN legal obligation (Art. 6.1.c)

5. Who sees your data?

  • Other users: see your first name, age, photos, bio and a rounded distance in kilometers. They never see your email, precise location, exact date of birth or IP address.
  • The publisher (Eric Mollenthiel): accesses only data strictly necessary for moderation, support and security.
  • Competent authorities: only in response to a valid judicial request.

Loviam never sells, rents or shares your personal data with third parties for advertising or commercial purposes.

6. Our sub-processors

To operate, Loviam relies on the following providers, selected for their data protection guarantees:

  • OVH SAS (France, EU) — hosting the application server, the PostgreSQL database and profile photos. All data stored in France.
  • OVH Mail Plan (France, EU) — email service used to send transactional emails (sign-up confirmation, password reset, notifications).
  • Cloudflare, Inc. (United States) — content delivery network and web application firewall (protection against bots and attacks). Cloudflare processes your IP address and HTTP request metadata in transit. Transfer outside the EU: Cloudflare is certified under the EU-U.S. Data Privacy Framework and enforces the European Commission's Standard Contractual Clauses, guaranteeing an adequate level of protection.
  • Google Search Console (Google Ireland Ltd., EU) — used only to monitor the SEO of public pages. No logged-in user data is transmitted.

No other third-party service (analytics, behavioral advertising, CRM, managed push) is used. The Mercure hub (realtime notifications) and the Web Push server (VAPID) are self-hosted on our own OVH server; no third party has access to messages.

7. Data retention

  • Active account: as long as you use the service
  • Account inactive for over 2 years: warning email, then automatic deletion 30 days later
  • Deleted account: 30-day recovery period, then permanent erasure
  • Messages: kept as long as both users in a conversation have an active account
  • Connection logs and IP addresses: 12 months maximum (LCEN obligation)
  • Reports and moderation decisions: 1 year after processing

8. Your rights (GDPR)

In accordance with Articles 15 to 22 GDPR, you have the following rights at any time:

  • Right of access — get a copy of all your data
  • Right to rectification — correct inaccurate data
  • Right to erasure — delete your account and data
  • Right to restriction — temporarily freeze certain processing
  • Right to portability — download your data in a structured format (JSON)
  • Right to object — object to processing based on legitimate interest
  • Right to withdraw consent — at any time, without affecting the lawfulness of prior processing
  • Post-mortem directives — define what happens to your data after death

To exercise these rights, email contact@loviam.com or use the contact form. Many of these rights are also directly accessible from your account settings (JSON export, one-click deletion).

You may also lodge a complaint with the CNIL (French Data Protection Authority) — www.cnil.fr.

9. Cookies and trackers

Loviam only uses strictly necessary cookies, exempt from consent under CNIL deliberation no. 2020-091:

  • PHPSESSID — PHP session cookie (duration: browser session)
  • CSRF token — anti-request-forgery protection (duration: session)
  • Cloudflare technical cookies (cf_clearance, __cf_bm) — used only for bot detection and security, exempt from consent

No advertising cookies, no third-party analytics, no behavioral trackers are placed on your device.

10. Minors

The Loviam service is strictly reserved for adults (18+). We do not knowingly collect data from minors. If we learn that a minor has registered, their account is deleted and their data erased immediately.

If you are a parent or guardian and believe a minor is using our service, contact us at contact@loviam.com.

11. Data security

We implement the following technical and organizational measures, proportionate to the risks:

  • Password hashing with a modern algorithm (Argon2id or equivalent, picked automatically by Symfony)
  • HTTPS/TLS encryption site-wide
  • CSRF protection on all sensitive forms
  • Cloudflare Web Application Firewall against attacks and bots
  • Geolocation never exposed to the client: only a rounded distance is returned
  • Regular database backups
  • Admin access limited to the data controller

12. Changes to this policy

This policy may change to reflect technical, legal or functional updates. Should a substantial change affect your rights, we will notify you by email or in-app at least 15 days before the changes take effect.

The date of the last update and the version number are shown at the top of this page. Continued use of the service after modification constitutes acceptance of the new policy.