Privacy Policy
Last updated: April 2026
Protecting your personal data matters to us. This privacy policy transparently explains which data we process, for which purposes, on what legal basis and with whom we share it. It applies to the use of the malla app (iOS, Android) and this website. The legal basis is the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
1. Controller
Odin Adventure Labs LLC
30 N Gould St, Ste R
Sheridan, WY 82801 · USA
Email: support@themalla.app
Content responsibility: Lukas Langhammer.
We are not legally required to appoint a Data Protection Officer. Privacy requests: email the address above with subject "Privacy".
2. Data we process
- Account basics: first name / nickname, date of birth (to verify 18+), email, phone number (for OTP login), language, time zone.
- Profile content: photos, bio, interests, preferences, mode (Love / Group / Friends). This content may allow inferences about special categories under Art. 9 GDPR (e.g. sexual orientation) — you provide it voluntarily, and the legal basis is your explicit consent under Art. 9(2)(a) GDPR.
- Location data: coarse (city-level) location to show relevant profiles and events; precise location only when you enable "Nearby". You may revoke the permission any time in system settings.
- Communications: chats and group messages, reports to support or the safety team.
- Usage data: likes, matches, RSVPs, filters applied, app events (pseudonymised), session duration, crash reports.
- Device and technical data: device model, OS, app version, language, IP address (truncated where possible), push tokens.
- Payment and subscription status: purchase receipts, subscription status and cancellation signals from Apple App Store or Google Play. We do not process card or bank details.
- Deep-link and attribution data: inbound install links, campaign parameters, referrer (via Branch.io — see below).
3. Purposes and legal bases
- Providing core features (profile, matching, chats, events): Art. 6(1)(b) GDPR (contract).
- Age verification and protection from fake profiles / abuse: Art. 6(1)(c) and (f) GDPR (legal obligation & legitimate interest).
- Push notifications for matches / events: Art. 6(1)(a) GDPR (consent).
- Product analytics and crash analysis (pseudonymised): Art. 6(1)(a) GDPR (consent).
- Marketing attribution (install source): Art. 6(1)(a) GDPR (consent).
- Enforcing our Terms and safety rules: Art. 6(1)(f) GDPR.
- Statutory retention (e.g. tax / commercial law for payment records): Art. 6(1)(c) GDPR.
4. Recipients / processors (subprocessors)
We do not sell your data. The following providers process data on our behalf (Art. 28 GDPR) or as independent controllers on third-party platforms:
- Supabase (Supabase Inc., USA / EU region Frankfurt): backend hosting, database, auth, storage, realtime messaging. Primary data residency: EU.
- Twilio Inc. (USA / Ireland): delivery of SMS one-time codes (OTP) for phone verification and login.
- Mixpanel Inc. (USA) — EU data residency: pseudonymised product analytics (consent-gated); data is processed in the EU (EU endpoint, EU project). IPs truncated; tracking is opt-in.
- Google Firebase / Google Ireland Ltd.: Firebase Cloud Messaging (push) and Crashlytics (crash analysis).
- Branch.io (Branch Metrics Inc., USA): deep linking and install referrer; processed only with consent.
- RevenueCat Inc. (USA): management and validation of in-app subscriptions; receives a pseudonymous user ID and purchase events. No payment or card data.
- Apple Inc. (App Store): app distribution and in-app-purchase processing; independent controller for this purpose.
- Google LLC / Google Ireland Ltd. (Google Play): app distribution and in-app-purchase processing; independent controller for this purpose.
- Event and venue partners (only when you redeem a discount / RSVP): first name, booking code, age status at most.
- Authorities / law enforcement: only where legally required (e.g. §§ 100a, 100g German StPO, DSA / DDG).
A current full list of processors is available on request at support@themalla.app.
5. International transfers
Some of the services above (incl. Twilio, Mixpanel, Branch.io, RevenueCat, Apple, Google) also process data in the United States or other third countries. We rely on:
- EU standard contractual clauses (Art. 46(2)(c) GDPR);
- where applicable, certification under the EU-U.S. Data Privacy Framework (Art. 45 GDPR);
- and additional technical / organisational measures (encryption, pseudonymisation, data minimisation).
6. Push notifications & app permissions
We send push notifications only after your explicit consent in the system prompt. You can turn them off any time in your device settings. The same applies to camera access (profile photos), photo library and location.
7. Analytics & ad tracking
We use no cross-device ad tracking and no advertising identifier (IDFA/AAID). Product analytics (Mixpanel) and crash analysis (Crashlytics) run pseudonymised and only with your consent; if you decline, no analytics take place.
8. Cookies and local storage
In-app we only use strictly necessary local storage (session token, language). Website cookie details: Cookie notice.
9. Retention
- Account data: until you delete your profile.
- Inactive accounts (no login for >24 months): anonymised.
- Chat content: removed when the conversation / account is deleted.
- Crash and analytics logs: max. 14 months, then aggregated.
- Moderation records on rule violations: up to 36 months (legitimate interest).
- Payment / invoice records: 10 years (§ 147 AO / commercial law).
10. Your rights
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure / right to be forgotten (Art. 17 GDPR)
- Restriction (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection (Art. 21 GDPR)
- Withdrawal of consent with effect for the future (Art. 7(3) GDPR).
- Lodge a complaint with a supervisory authority, e.g. the Bavarian State Office (BayLDA) or the Spanish AEPD.
You can delete your account directly in the app: Settings → Account → "Delete account". Alternatively email support@themalla.app. Final technical deletion is completed within 30 days.
To exercise access (Art. 15) and portability (Art. 20), email support@themalla.app with the subject "Data request" — we respond within 30 days.
11. Automated decisions / profiling
Our recommendations for profiles and events are based on your inputs (mode, interests, distance, age range). There is no automated decision-making with legal effect within the meaning of Art. 22 GDPR.
12. Data security
Our measures include transport encryption (TLS 1.2+), salted and hashed passwords, least-privilege access to production data, regular security reviews and dependency updates. Sensitive records are additionally encrypted in the database.
13. Protection of minors
malla is strictly for people aged 18 and over. We do not knowingly collect data from minors. Reports: support@themalla.app.
14. Safety features & moderation
To protect the community we process certain data to detect and prevent abuse: automated filters against spam / harassment, review of reported content by our safety team, rate limits, device- and IP-based fraud signals, and bans for violating the Terms or Community Guidelines. Legal basis: Art. 6(1)(b) and (f) GDPR.
15. Data breach notification
If a personal-data breach occurs that is likely to result in a risk to your rights, we will notify the competent supervisory authority within 72 hours of becoming aware (Art. 33 GDPR) and inform you without undue delay where the risk is high (Art. 34 GDPR).
16. Changes to this policy
We update this policy when our processing or the legal framework changes. The current version is always available in the app and on this page; material changes are announced separately by email or in-app banner at least 30 days before they take effect.
17. Regional supplements
17.1 EEA / Switzerland
We have appointed an EU representative under Art. 27 GDPR. You may contact them via support@themalla.app (subject: "EU representative / Art. 27 GDPR"). You may complain to your local data protection authority — list at edpb.europa.eu. In Switzerland, the revised Federal Act on Data Protection (revDSG) also applies; regulator: FDPIC.
17.2 United Kingdom
For UK users the UK GDPR and the Data Protection Act 2018 apply in addition. We have appointed a UK representative under Art. 27 UK GDPR, reachable via support@themalla.app (subject: "UK representative"). Complaints: ICO, ico.org.uk.
17.3 California, USA (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the right to know, delete, correct, opt out of "sale" / "share", limit the use of sensitive personal information, be free from discrimination and use an authorized agent. We do not sell personal information and do not share it for cross-context behavioural advertising. We honour Global Privacy Control (GPC) signals on the website. Requests: support@themalla.app (subject: "CCPA / CPRA"). We verify requests to prevent unauthorized disclosure.
Categories of personal information we collect (CCPA): identifiers (name, email, phone), internet / network activity, approximate geolocation, sensitive PI (inferable from profile content such as sexual orientation — only voluntarily), commercial information (purchases / subscriptions via Apple / Google), inferences (interests).
17.4 Brazil (LGPD)
For users in Brazil the Lei Geral de Proteção de Dados (LGPD) applies and grants the data-subject rights listed in Art. 18 LGPD. Supervisor: ANPD, gov.br/anpd.
17.5 Australia
For Australian users the Australian Privacy Principles (APP) apply. Supervisor: OAIC, oaic.gov.au.
18. Contact & complaints
All privacy matters: email support@themalla.app with subject "Privacy". We respond within 30 days (GDPR) / 45 days (CCPA, extendable by 45 more days where allowed).