Privacy Policy
Last Updated: April 4, 2026
1. Introduction
WinkSocial ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application, website at joinwink.app, and related services (collectively, the "Service").
By using our Service, you consent to the practices described in this policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Information You Provide
- Account data: Display name, email address, phone number, age, gender, gender preference, bio, interests, and profile photos
- Location data: City, neighborhood, or venue information with geocoordinates (latitude and longitude) when you use location-based features
- Identity verification (KYC): First name, last name, and date of birth submitted through our verification partner Veriff for creator and monetization features
- Payment information: M-Pesa phone number for mobile payments, cryptocurrency wallet addresses (BTC/ETH), and subscription plan selections. We do not store credit card numbers directly — all card payments are processed by PCI-compliant third-party providers
- User-generated content: Photos, videos, text posts, comments, captions, and tags you create on experience feeds and your profile
- Experience and booking data: Events you create or book, attendee information, ticket purchases, and host registrations
- Promoter applications: Social media links, referral codes, and application details if you join our promoter program
- Communications: Messages you send to other users, support tickets, and chat interactions
- Newsletter and marketing preferences: Email address and phone number when you subscribe to updates
2.2 Information Collected Automatically
- Authentication data: Keycloak user ID, JWT tokens, session identifiers, and login timestamps
- Usage data: Pages visited, features used, time spent on the Service, interaction patterns (likes, matches, comments, tags)
- Device information: Browser type, operating system, device model, IP address, and unique device identifiers
- Analytics data: Session recordings, heatmaps, and behavioral analytics via Microsoft Clarity; error reports via our self-hosted Bugsink instance
- Cookie data: Essential session cookies (httpOnly, JWT-based), and optional analytics/marketing cookies based on your consent preferences
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and operate the Service: User authentication, profile management, matching, experience booking, content feeds, and messaging
- Process transactions: M-Pesa payments, cryptocurrency transactions, wallet funding, subscription billing, and creator payouts
- Verify identity: KYC verification through Veriff for creators and monetization features
- Personalize your experience: Matching recommendations, content curation, and location-based experience discovery
- Communicate with you: Booking confirmations with QR code tickets, event notifications, stream alerts, support responses, and marketing communications (with your consent)
- Improve the Service: Analytics, A/B testing, bug detection, performance monitoring, and feature development
- Ensure safety and security: Fraud detection, abuse prevention, content moderation, and enforcement of our Terms of Service
- Comply with legal obligations: Tax reporting, law enforcement requests, and regulatory compliance
4. How We Share Your Information
We do not sell your personal data. We may share your information in the following circumstances:
- With other users: Your profile information, content, and online status are visible to other users based on your privacy settings (Public, Friends Only, or Private)
- Service providers: We engage trusted third-party companies to perform services on our behalf:
  - Keycloak — Authentication and identity management
  - Veriff — Identity verification (KYC)
  - M-Pesa (Safaricom) — Mobile payment processing in Kenya
  - AWS SES / SendGrid — Email delivery
  - MinIO — Media and file storage
  - Microsoft Clarity — Behavioral analytics (session recordings, heatmaps)
  - Bugsink — Self-hosted error tracking
- Legal requirements: When required by law, regulation, legal process, or governmental request
- Protection of rights: To protect the rights, property, or safety of WinkSocial, our users, or the public
- Business transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction
5. Data Storage and Security
We implement industry-standard security measures to protect your personal information, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- JWT-based authentication with httpOnly, secure cookies
- Authorization Code + PKCE flow for secure OAuth2 authentication
- Masked error reports in Bugsink where content is minimized
- Role-based access controls on all backend systems
- Regular security audits and vulnerability assessments
Your data is stored in Couchbase and SurrealDB databases, with media files stored on MinIO object storage. Our primary email infrastructure operates on AWS (us-east-1). While we strive to protect your information, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
6. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including:
- Active accounts: Data is retained while your account is active
- Deleted accounts: Personal data is deleted within 30 days of account deletion, except where retention is required by law
- Transaction records: Payment and subscription records are retained for a minimum of 7 years for tax and audit purposes
- Analytics data: Aggregated and anonymized analytics data may be retained indefinitely
- KYC data: Verification records are retained as required by applicable anti-money laundering (AML) regulations
7. Cookies and Tracking Technologies
We use cookies and similar technologies on our Service:
- Essential cookies: Session cookies (httpOnly, JWT-based) required for authentication and core functionality. These cannot be disabled
- Analytics cookies: Microsoft Clarity session recordings and heatmaps. Enabled only with your consent
- Error tracking: Bugsink collects error reports with minimized content. Enabled only with your consent
You can manage your cookie preferences through our cookie consent banner or by clicking the "Cookie preferences" link in the footer. You may also disable cookies in your browser settings, though this may affect Service functionality.
8. Children's Privacy
WinkSocial is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected personal information from someone under 18, we will delete that information promptly. If you believe a child under 18 has provided us with personal information, please contact us at privacy@joinwink.app.
9. International Data Transfers
Your data may be processed in countries outside your country of residence, including the United States and Kenya. When we transfer your data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
10. Your Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete information
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Restriction: Limit how we process your data
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to certain processing, including direct marketing
- Withdraw consent: Withdraw consent at any time where processing is based on consent
- Non-discrimination: Exercise your rights without receiving discriminatory treatment
To exercise any of these rights, visit your account settings or contact us at privacy@joinwink.app. We will respond within 30 days.
11. Automated Decision-Making
We use automated systems for matching recommendations and content curation. These systems do not produce legal or similarly significant effects. You can adjust your preferences and opt out of personalized recommendations through your account settings.
12. Data Breach Notification
In the event of a data breach that affects your personal information, we will notify you and the relevant supervisory authority as required by applicable law, without undue delay after becoming aware of the breach.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on this page with a new "Last Updated" date. We encourage you to review this policy periodically.
14. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
- Privacy: privacy@joinwink.app
- Data Protection Officer: dpo@joinwink.app
- General inquiries: hello@joinwink.app