Privacy Policy

Last Updated: February 24, 2026 — Version 2.0

1. Controller Identity

The data controller for this platform is:

  • Entity: Crush.lu (in the process of being incorporated)
  • Address: 10 rue des Bons Malades, L-6462 Echternach, Luxembourg
  • Data Protection Contact: privacy@crush.lu
  • Supervisory Authority: Commission nationale pour la protection des données (CNPD), 15 Boulevard du Jazz, L-4370 Belvaux, Luxembourg

This Privacy Policy applies to Version 2.0 of our terms. Your consent records reference this version number for traceability.

2. Scope

This policy covers all personal data processed through the Crush.lu website, Progressive Web App (PWA), and associated services.

Crush.lu uses a two-tier architecture:

  • PowerUp Account: Your identity layer — email, name, and authentication credentials. This account may be shared with other platforms operated by us.
  • Crush.lu Profile: Your dating profile — photos, bio, interests, event history, and connections. This data is specific to Crush.lu and subject to separate consent.

Each tier requires separate, explicit consent. You may delete your Crush.lu Profile while keeping your PowerUp Account, or delete everything.

3. Data We Collect

3.1 Identity Data

When you create an account, we collect:

  • Email address and username
  • First and last name
  • Date of birth (to verify you are 18+ and for age display)
  • Password (stored as a salted hash — we never store your password in plain text)

3.2 Social Login Data

If you register or log in via Google, Facebook, Microsoft, or LinkedIn, we receive:

  • Your public profile information (name, email, profile picture)
  • Provider-specific user ID
  • Any additional information you authorise the provider to share

During the OAuth flow, we temporarily store an OAuthState record containing your IP address and user agent for security verification. This record auto-expires after 10 minutes.

3.3 Profile Data

When you create your Crush.lu Profile, we collect:

  • Gender — male, female, non-binary, other, or prefer not to say
  • Phone number — verified via Firebase SMS one-time password (OTP)
  • Location — your city or region in Luxembourg
  • Bio — a short description of yourself (up to 500 characters)
  • Interests — your hobbies and interests
  • Looking for — friends, dating, both, or networking
  • Language preferences — preferred interface language and languages spoken at events
  • Photos — up to 3 profile photos, stored in a private Azure Blob Storage container with time-limited access tokens (see Section 13)
  • Privacy flags — your choices for: display full name or first name only, show exact age or age range, blur photos until mutual interest
  • Draft data — if you save a partially completed profile, we temporarily store your progress

3.4 Coach Review Data

All profiles are reviewed by authorised Crush Coaches before approval. During review, the following data is created:

  • Profile submission status (pending, approved, rejected, revision requested, recontact coach)
  • Coach notes (internal, not visible to you)
  • Feedback provided to you
  • Screening call records: whether a call occurred, date, notes, and a structured checklist
  • Call attempt logs: date, result (success, no answer, voicemail, wrong number, user busy, scheduled callback), and notes
  • Coach session records: session type (onboarding, feedback, guidance, follow-up), notes, and scheduling information

3.5 Event Data

When you register for or attend events, we collect:

  • Registration details: event, status (pending, confirmed, waitlist, cancelled, attended, no-show)
  • Accessibility needs and dietary restrictions (if applicable)
  • Guest information: whether you are bringing a guest, guest name
  • Special requests
  • Payment status and date (for paid events)
  • Check-in data: signed QR token and check-in timestamp
  • Event invitations: guest email, name, invitation status, coach approval notes
  • Activity voting and presentation ratings (ratings are anonymous to other users)
  • Speed dating pair assignments and round data

3.6 Connections & Messaging Data

After attending an event, you may request connections with other attendees:

  • Connection requests: who you requested, your note (up to 300 characters), status
  • Bilateral consent flags: both parties must consent before contact information is shared
  • Coach mediation: assigned coach, coach notes, personalised introduction messages
  • Messages: text (up to 500 characters), sender, timestamps, read receipts
  • Coach moderation flags on messages

3.7 Crush Spark Data

Crush Spark is our anonymous admirer feature. If you send or receive a Spark, we process:

  • Anonymous description of the person you liked (text only, reviewed by a coach)
  • Media files: photos (up to 5 slideshow images), video message, audio file
  • Personal message revealed only when the recipient completes Chapter 6 of the journey
  • Identity reveal status and timestamp
  • Coach assignment and notes

The sender's identity remains anonymous until the recipient completes the full journey. Once delivered, a Spark cannot be withdrawn.

3.8 Journey & Advent Calendar Data

Interactive journeys (Wonderland, Advent Calendars, custom experiences) involve:

  • Progress tracking: current chapter, points earned, time spent
  • Challenge responses: your answers to riddles, quizzes, and open-text prompts
  • Media submissions: photos, video, and audio uploaded as part of challenges
  • Personalisation data: first meeting date, first meeting location (provided by the journey creator)
  • Completion status and final response
  • Advent Calendar progress: doors opened, QR code scans, visit timestamps

3.9 Wallet & Loyalty Data

If you add your Crush.lu pass to Apple Wallet or Google Wallet:

  • Apple Wallet: pass serial number, authentication token, device library identifier, APNS push token
  • Google Wallet: wallet object ID, event ticket object IDs
  • Your choice of whether to display your photo on the wallet pass

If you participate in our referral programme:

  • Referral codes generated for your profile
  • Referral attributions: IP address, user agent, landing page path, session identifier, conversion status
  • Referral points and membership tier (basic, bronze, silver, gold)

3.10 Notification Data

To deliver notifications, we collect:

  • Push notifications: subscription endpoint URL, encryption keys (p256dh, auth), device fingerprint, user agent, device name
  • Email preferences: per-category opt-in/opt-out flags (profile updates, event reminders, connections, messages, newsletter, marketing), unsubscribe token
  • Notification preferences: which types of push notifications you wish to receive (messages, events, connections, profile updates)

3.11 Device & Activity Data

  • Activity tracking: last seen timestamp, last PWA visit, total visit count, first seen timestamp
  • PWA installation: device fingerprint, operating system, form factor (phone, tablet, desktop), browser name, full user agent string, installation and last-used timestamps
  • Re-engagement: last reminder email sent, total reminders sent count

3.12 Consent Records

We maintain detailed records of your consent as required by GDPR:

  • Two-tier consent: separate records for PowerUp Account and Crush.lu Profile, each with IP address, timestamp, and terms version accepted
  • Marketing consent: separate opt-in with timestamp
  • Ban records: if applicable, ban date and reason (user deletion, admin action, terms violation)

4. How We Use Your Data

The following table describes how we use your data and our legal basis under Article 6 GDPR:

Purpose | Legal Basis (Art. 6) | Data Categories
Account creation & management | Contract performance (Art. 6(1)(b)) | Identity, authentication
Profile review by coaches | Legitimate interest (Art. 6(1)(f)) — user safety | Profile, photos, coach notes
Event organisation & registration | Contract performance (Art. 6(1)(b)) | Event registration, dietary, accessibility
Coach-facilitated connections | Contract (Art. 6(1)(b)) + Consent (Art. 6(1)(a)) | Connection requests, messages, consent flags
Crush Spark & Journeys | Consent (Art. 6(1)(a)) | Spark descriptions, media, journey responses
Speed dating pairing algorithm | Contract performance (Art. 6(1)(b)) | Registration, gender, ratings
Push notifications | Consent (Art. 6(1)(a)) | Push subscription, device data
Wallet passes | Consent (Art. 6(1)(a)) | Wallet IDs, device tokens
Transactional emails | Legitimate interest (Art. 6(1)(f)) | Email, notification preferences
Marketing communications | Consent (Art. 6(1)(a)) | Email, marketing consent
Analytics & improvement | Legitimate interest (Art. 6(1)(f)) | Activity data, device data (server-side only)
Fraud prevention & safety | Legitimate interest (Art. 6(1)(f)) | IP addresses, consent records, ban records
Legal compliance | Legal obligation (Art. 6(1)(c)) | Consent records, identity data
Referral programme | Legitimate interest (Art. 6(1)(f)) | Referral codes, attribution data

5. Automated Decision-Making (Art. 22)

Our speed dating pairing algorithm uses registration data (gender, age) to create round pairings and identify top matches based on mutual ratings. This processing does not produce legal effects or similarly significant effects — it only determines conversation pairings within an event you have already chosen to attend.

All profile approvals are made by human coaches, not automated systems. We do not use profiling for marketing or advertising purposes.

6. Data Sharing

6.1 With Crush Coaches

Our authorised Crush Coaches can access:

  • Your profile information, photos, bio, and interests (for review and approval)
  • Your event registrations and attendance history
  • Connection requests involving you (for mediation)
  • Messages exchanged through connections (for moderation)

Coaches cannot see: your password, your raw IP addresses, your device fingerprints, your email preferences, or your push subscription technical data.

6.2 With Other Users

What other users can see is controlled by your privacy settings:

  • Display name: your full name or first name only (controlled by your 'Show Full Name' setting)
  • Age: your exact age or an age range (controlled by your 'Show Exact Age' setting)
  • Photos: clear or blurred (controlled by your 'Blur Photos' setting, cleared on mutual interest)
  • Contact information is only shared after bilateral consent and coach approval through our connection system

Crush Spark descriptions are anonymous. The sender's identity is only revealed when the recipient completes the full journey.

6.3 Sub-Processors

We share data with the following third-party service providers:

Provider | Purpose | Location
Microsoft Azure (West Europe) | Hosting, database, file storage | EU (Netherlands)
Microsoft Graph API | Email delivery | EU
Azure Application Insights | Server-side error monitoring (5% sampling, no PII) | EU (West Europe)
Firebase (Google) | SMS phone verification (OTP) | EU + US
Google OAuth | Social login | US (DPF)
Facebook/Meta OAuth | Social login | US (DPF)
Microsoft OAuth | Social login | US (DPF)
LinkedIn OAuth | Social login | US (DPF)
Apple PassKit (APNS) | Apple Wallet pass delivery and updates | US (DPF)
Google Wallet API | Google Wallet pass delivery | US (DPF)

6.4 Legal Requirements

We may disclose your personal data if required by law, court order, or regulatory request, or to protect the rights, property, or safety of Crush.lu, our users, or others.

7. International Transfers

Your data is primarily processed and stored within the European Union, on Microsoft Azure servers in the West Europe region (Netherlands).

Some data is transferred to the United States through the following mechanisms:

  • OAuth providers (Google, Facebook, Microsoft, LinkedIn): EU-US Data Privacy Framework (DPF) adequacy decision
  • Apple PassKit & Google Wallet: EU-US Data Privacy Framework (DPF) adequacy decision
  • Firebase: DPF adequacy decision + Standard Contractual Clauses (SCCs)

No data is transferred to countries without an adequate level of data protection unless appropriate safeguards are in place.

8. Data Retention

We retain your data for the following periods:

Data Type | Retention Period
Active account data | Duration of account
Deleted profile data | Immediate deletion (photos within 7 days, backups within 90 days)
Coach review notes | 1 year after review completion
Event records | 2 years after the event
Messages | Deleted with account
OAuth state records | 10 minutes (auto-expiry)
Push subscriptions | Until unsubscribed or 90 days of inactivity
Consent records | 5 years after withdrawal
Application Insights telemetry | 90 days
Referral attributions | 2 years after creation
Profile draft data | Until draft expiration date (set at creation)
Anonymised analytics | Retained indefinitely

9. Your Rights (Articles 15–22 GDPR)

Under GDPR and Luxembourg data protection law, you have the following rights:

  • Right of Access (Art. 15): Request a copy of your personal data. You can export your data directly from your account settings.
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete information by editing your profile.
  • Right to Erasure (Art. 17): Request deletion of your data. You can delete your Crush.lu Profile only (keeping your PowerUp Account) or delete everything. Use the Data Management page in your account settings.
  • Right to Restriction (Art. 18): Request that we limit how we process your data.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable JSON format via the data export feature in your account settings.
  • Right to Object (Art. 21): Object to processing based on legitimate interest.
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent for any consent-based processing at any time, without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at privacy@crush.lu or use the in-app data management tools in your account settings.

If you believe your rights have been violated, you have the right to lodge a complaint with the CNPD:

  • Commission nationale pour la protection des données
  • 15 Boulevard du Jazz, L-4370 Belvaux, Luxembourg
  • Website: https://cnpd.public.lu

10. Cookies & Local Storage

We use the following cookies and browser storage:

Name | Type | Purpose | Category
sessionid | Cookie | Authentication session | Essential
csrftoken | Cookie | Cross-site request forgery protection | Essential
django_language | Cookie | Language preference | Preference
theme | localStorage | Dark/light mode preference | Preference

We do not use any third-party tracking cookies. We do not use Google Analytics. Our server-side monitoring (Application Insights) operates at a 5% sampling rate and does not collect personally identifiable information from your browser.

You can control cookies through your browser settings. Disabling essential cookies will prevent you from logging in.

11. Children's Privacy

Crush.lu is strictly intended for users aged 18 and over. We verify your age through your date of birth at registration. We do not knowingly collect personal data from anyone under 18.

If we discover that a user is under 18, we will immediately delete their account and all associated data. If you become aware that a minor has created an account, please contact us immediately at privacy@crush.lu.

12. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the CNPD within 72 hours of becoming aware of the breach (Article 33 GDPR)
  • Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms (Article 34 GDPR)
  • Document the breach, its effects, and remedial actions taken

13. Photo Security

Your profile photos receive enhanced protection:

  • Photos are stored in a private Azure Blob Storage container — they are not publicly accessible
  • Access is granted via time-limited Shared Access Signature (SAS) tokens that expire after 30 minutes
  • Each photo is stored under a user-specific path with a randomised filename
  • The blur feature allows you to obscure your photos until mutual interest is established
  • Journey and Crush Spark media files receive the same private storage treatment

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will:

  • Provide at least 30 days' notice before the changes take effect
  • Require you to re-confirm your consent via our consent middleware before continuing to use the platform
  • Update the version number and 'Last Updated' date at the top of this page

Your continued use of Crush.lu after re-consenting constitutes acceptance of the updated policy.

15. Contact

If you have questions about this Privacy Policy or wish to exercise your data protection rights:

  • Data Protection Contact: privacy@crush.lu
  • General Support: support@crush.lu
  • Address: Crush.lu, 10 rue des Bons Malades, L-6462 Echternach, Luxembourg

Supervisory authority:

  • Commission nationale pour la protection des données (CNPD)
  • 15 Boulevard du Jazz, L-4370 Belvaux, Luxembourg
  • Website: https://cnpd.public.lu

By using Crush.lu, you agree to this Privacy Policy and our Terms of Service.
