Resonate27
Resonate27

Privacy Policy

Last updated: 10 July 2026. The controller for Resonate27 is Changhai Yu, Bilker Allee 210, 40215 Düsseldorf, Germany. Privacy contact: [email protected].

Account and sign-in: we process email address, password hash, email verification status, language, region, the px27_session cookie, and security data so you can create an account, sign in, and use the service. The legal basis is Art. 6(1)(b) GDPR; for security checks we also rely on Art. 6(1)(f) GDPR.

Consents and logs: we store which required notices you accepted, including version, timestamp, optional IP address, and user agent. This supports proof, security, and reliable service operation. The legal bases are Art. 6(1)(b), (c), and (f) GDPR.

PX27 / Resonate27 personality profile: when you submit an AI-generated score, personality line, PX27/Resonate27 vector, or 54-question result, we store the compact 27-dimensional vector, version, upload time, and pool status. We do not store ChatGPT chat logs or full AI export files. The legal basis is Art. 6(1)(b) GDPR; optional public sharing additionally relies on Art. 6(1)(a) GDPR.

Guest mode and local storage: before login, your analyzed PX27/Resonate27 draft can be stored in localStorage under resonate27.guestPx27.v1. It stays in your browser until you import it, clear it, or remove browser data.

Matching and contact: for matching we process region, pool status, PX27/Resonate27 vector, match requests, match history, similarity values, profile summary, greeting, avatar, and compact text chat. Each conversation keeps only the latest three messages per person; older messages are deleted. The legal basis is Art. 6(1)(b) GDPR.

Email visibility and notifications: after a successful match, both people can see the other person's avatar, greeting, profile summary, and chat access. Your email address is shown to the other person only if matchEmailVisible is enabled. Emails already sent cannot be recalled; changes stop only future display or notifications.

Email delivery and SMTP outbox: Resonate27 may send verification, match, unsubscribe, and account deletion emails through an SMTP outbox. Before sending, the system rechecks whether the recipient still exists and allows email notifications. You can disable notifications in your account or through an unsubscribe link.

Public profile sharing: if you enable a public Resonate27 card, your display name, type, description, image, and share link can be publicly accessible. When shareEnabled is disabled or the profile is deleted, the public page no longer returns the profile view.

Payments: the codebase contains a Stripe Checkout integration for Credit top-ups. Current production guidance keeps payments disabled while PAYMENTS_ENABLED=false. If Stripe is enabled later, Stripe processes payment data as the payment provider; Resonate27 stores transaction status, Credits, amount, currency, provider, external payment ID, and minimal metadata. PayPal is not currently enabled as a usable payment method.

Hosting, Cloudflare, logs, and deployment: Resonate27 uses Hetzner Cloud as hosting provider, currently a CX23 server in Nuremberg, Germany, network zone eu-central. PostgreSQL is currently assumed to run on the same server or the same Hetzner environment. The website uses Cloudflare Free with orange-cloud proxy; Web Analytics, client-side security and Bot Fight Mode are enabled, leaked credentials mitigation is not enabled, and Data Localization is not configured / not found on the current Free plan. GitHub Actions is used for code packaging and deployment and should not process production user data. Server logs, IP addresses, request times, technical errors, deployment metadata, Cloudflare Web Analytics and security events may be processed for short periods. The legal basis is Art. 6(1)(f) GDPR.

Retention: account data, PX27/Resonate27 profile, match data, and settings are stored while your account exists or until you delete specific data. Account deletion removes or anonymizes personal account, profile, match, chat, token, and pending outbox data. Required payment or security records may be retained for legal proof and abuse prevention according to applicable periods.

Your rights: subject to the GDPR, you have rights of access, rectification, erasure, restriction of processing, data portability, objection to legitimate-interest processing, withdrawal of consent, and the right to lodge a complaint with a supervisory authority. Contact [email protected].

Supervisory authority in North Rhine-Westphalia: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestraße 2–4, 40213 Düsseldorf, email: [email protected]. You may also complain to the authority of your habitual residence, workplace, or the place of the alleged infringement.