Love Letter

Privacy Policy

Last updated: May 25, 2026.

This Privacy Policy explains what information Love Letter ("we", "us") collects about you, how we use it, who we share it with, and what choices you have. By using Love Letter you agree to this policy.

Who we are

Love Letter is operated by LoveLetter LLC, a New Mexico limited liability company. Our mailing address is 1209 Mountain Road PL NE, Ste N, Albuquerque, NM 87110. Contact us at [email protected].

Information we collect

You give us, directly:

  • Account info: email address, password, phone number (if you use SMS sign-in), date of birth or age, gender, pronouns.
  • Profile content: nickname, city, photos, written prompts, the answers you provide during onboarding, anything you add to your profile later.
  • Messages: text and any attachments you send to other members through the in-app messaging.
  • Dates: who you've asked on a date, when, where you proposed to meet, and your post-date feedback.
  • Identity verification: if you complete ID verification, the result (passed / failed) is stored; the underlying document scan is held by our verification vendor, not by us.
  • Reports: content you report to us about other members.

We collect automatically:

  • Device and connection: IP address, browser type, device type, operating system, language.
  • Usage: pages you visit, features you use, time of sign-in, approximate geographic location derived from your IP.
  • Cookies and similar technologies: session cookies to keep you signed in, and a "trusted device" cookie so you don't have to re-verify every visit. We do not use third-party advertising cookies.

We do not buy lists of personal information. We do not collect information from children under 13. If you are a parent and believe we have collected data from a child under 13, contact us immediately at [email protected] and we will delete it.

How we use your information

  • To operate the service: show your profile to other members in accordance with your settings, deliver your messages, schedule dates, send sign-in codes.
  • To match you with potential partners: our matching system uses the answers you provide and your behavior on the platform to surface profiles you might like.
  • To keep the service safe: detect fraud, scams, and harassment; scan uploaded images for known child sexual abuse material (CSAM); investigate reports.
  • To communicate with you: sign-in codes, security alerts, in-app notifications, and occasional service announcements. We do not send marketing email without your explicit opt-in.
  • To meet legal obligations: respond to lawful requests, file required reports to the National Center for Missing & Exploited Children (NCMEC) if we detect CSAM, comply with court orders.

Who we share it with

We do not sell your personal information. We do not share your data with advertisers, marketers, or data brokers. We share narrowly with these categories of service providers, only to the extent necessary for them to do their job:

  • Hosting and infrastructure: Vercel (application hosting), Supabase (database and file storage), Cloudflare (content delivery network and CSAM scanning).
  • Email delivery: Resend (transactional emails, sign-in codes).
  • SMS delivery: Twilio (if you use SMS sign-in).
  • Identity verification: Didit (if you complete ID verification, they receive the document scan).
  • AI services: Anthropic and other AI providers may receive truncated or redacted text from your profile and messages for matching, content moderation, and safety. Under our agreements with these providers, inputs are not used to train their models.
  • Payment processing: if and when we add paid features, Stripe will receive billing details directly; we never see your full card number.

We also share information in these limited circumstances:

  • With other members, in the ways you've configured (your profile, messages you send, dates you schedule).
  • To respond to legal process: subpoenas, court orders, search warrants, or other lawful requests from law enforcement or government authorities.
  • To protect safety: if we reasonably believe disclosure is necessary to prevent imminent harm, fraud, or violations of our terms.
  • Mandatory CSAM reporting: as required by 18 U.S.C. § 2258A, any apparent child sexual abuse material we discover is reported to NCMEC's CyberTipline along with any associated user information.
  • Business transfers: if Love Letter is acquired, merges with another company, or sells substantially all of its assets, user information may transfer to the successor entity. We would notify you in that event.

How long we keep it

  • Account data: while your account is active, plus 30 days after you delete it.
  • Messages and date records: while your account is active, plus 30 days after deletion. Messages may be retained longer if subject to a legal hold.
  • Safety reports and abuse investigation records: up to 5 years after closure, for our internal record of action taken.
  • CSAM incident records: retained indefinitely as required by federal law.
  • Backups: encrypted backups may take an additional 90 days to purge after deletion of the live record.

Your rights

Depending on where you live, you may have the following rights with respect to your personal information. We honor these rights for all members, regardless of location:

  • Access: ask us what personal information we hold about you.
  • Correction: ask us to correct inaccurate information.
  • Deletion: delete your account from Settings. Some information may be retained as described under "How long we keep it" above.
  • Portability: request a machine-readable copy of the data you've provided.
  • Opt out of "sale": we do not sell personal information. If we ever change that, this policy will be updated and you will have the right to opt out.
  • Non-discrimination: we will not discriminate against you for exercising any of these rights.

To exercise any of these rights, email [email protected]. We may need to verify your identity before responding. We will respond within the timeframe required by applicable law (typically 30 to 45 days).

California residents

Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California residents have the rights described in the section above. We do not "sell" or "share" personal information for cross-context behavioral advertising as those terms are defined under California law. In the last 12 months we have collected the categories of personal information described in "Information we collect" above, used them for the purposes described in "How we use your information", and shared them only with the service providers listed under "Who we share it with".

EU and UK residents

If you are in the European Economic Area, United Kingdom, or Switzerland: Love Letter is operated from the United States and your information is processed and stored in the United States. By using Love Letter you consent to this transfer. The legal bases we rely on to process your information are: performance of our agreement with you (to operate the service you signed up for), our legitimate interests in keeping the service safe and improving it, your consent (where required), and compliance with legal obligations.

SMS verification

When you choose to sign in by phone, we send a one-time verification code to the number you provide. SMS messages are sent only at your request, only for verification, and are not used for marketing. Reply STOP to any verification message to opt out; reply HELP for assistance. Phone numbers used for SMS verification are not shared with third parties for marketing or for any purpose other than delivering the verification code via our SMS provider.

Security

We protect your information with industry-standard measures: encryption in transit (HTTPS for all traffic), encrypted database storage, hashed passwords, access controls limiting which personnel can see what. No system is perfectly secure. If we discover a security breach affecting your personal information, we will notify you in accordance with applicable state and federal breach notification laws.

Children's privacy

Love Letter is for adults 18 and older. We do not knowingly collect personal information from children under 13. If you are under 18, do not use this service. If we learn that we have collected personal information from a child under 13, we will delete it promptly.

Cookies

We use a small number of cookies, all functional, to operate the service:

  • Session cookies: keep you signed in across pages.
  • Trusted device cookie: lets you sign in without re-verifying on devices you have used before.
  • Theme preference: remembers your light or dark mode choice.

We do not use third-party advertising cookies, tracking pixels, or analytics cookies that share data with external companies.

Changes to this policy

We may update this policy from time to time. If we make material changes, we will update the "Last updated" date above and may provide additional notice (such as an email or in-app message). Your continued use of the service after the updated policy takes effect constitutes acceptance of the changes.

Contact

Privacy questions: [email protected]
Data request, deletion, access: [email protected]
DMCA: [email protected]
Mailing address: LoveLetter LLC, 1209 Mountain Road PL NE, Ste N, Albuquerque, NM 87110