Privacy Policy
Last updated: 1 April 2026
Who we are
Doorstep ("we", "us", "our") is a social and dating application connecting homeowners. We are based in Adelaide, South Australia. By using Doorstep you agree to the collection and use of your information as described in this policy.
We handle your personal information in accordance with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and where applicable, the EU General Data Protection Regulation (GDPR).
What we collect
We collect the following categories of personal information:
- Identity data — display name, date of birth (used to calculate age only), gender, nationality
- Profile data — bio, profile answers (home type, lifestyle questions), door style preferences
- Photos — images you upload, stored securely in our cloud storage
- Location — your city or suburb only. We never store your precise GPS coordinates. Any coordinates used to show distance are fuzzed to approximately a 1 km radius before being stored
- Match and conversation metadata — the fact that a match exists between two users (so messages can be delivered), but not the content of your messages. Messages are end-to-end encrypted on your device and we cannot read them
- Match and interaction data — swipes, matches, and interaction history
- Account credentials — email address and encrypted password (we never see your plaintext password)
- Usage data — app session information, error logs, and feature interactions used to improve the service
- Payment data — if you subscribe, payment is processed by a third-party provider (RevenueCat / Apple / Google). We do not store card numbers or payment details
Why we collect it
We use your information to:
- Provide and personalise the Doorstep service
- Match you with other users based on your preferences
- Deliver end-to-end encrypted messages between matched users (we act only as a relay — message contents are encrypted on your device and we cannot decrypt them)
- Process subscription payments and manage your plan
- Send important service notifications (we do not send marketing emails without your consent)
- Detect and prevent fraud, abuse, and safety violations
- Comply with legal obligations
- Improve and develop the app using aggregated, anonymised analytics
Legal basis for processing
We process your personal data on the following legal bases:
- Consent — you provide explicit consent when creating an account and agreeing to these terms
- Contract — processing necessary to deliver the service you signed up for
- Legitimate interests — fraud prevention, security, and service improvement
- Legal obligation — where required by Australian law or court order
How we store and protect your data
Your data is stored on Supabase infrastructure (PostgreSQL database and object storage), hosted on secure cloud servers. Supabase is SOC 2 Type II certified and applies encryption at rest and in transit (TLS 1.2+).
Access to your data within our systems is controlled by Row Level Security (RLS) policies — meaning database queries are restricted so users can only access data they are authorised to see.
Photos are stored in a managed object storage bucket. Profile photos are accessible via authenticated URLs. We do not publicly index or share your photos with third parties.
Messages between matched users are end-to-end encrypted using NaCl public-key cryptography (X25519 key exchange with XSalsa20-Poly1305 authenticated encryption). Each user's private key is generated on-device and stored only in your device's secure storage. We never have access to your private key and cannot read your messages — only the recipient's device can decrypt them. The ciphertext that passes through our servers is opaque to us.
Third parties
We share data with the following trusted third parties only as necessary to operate the service:
- Supabase Inc. (USA) — database, authentication, and file storage. Data may be stored in US-based data centres subject to standard contractual clauses
- Apple Inc. / Google LLC — in-app purchase processing on iOS/Android respectively
- RevenueCat Inc. — subscription management and entitlement tracking (no payment card data is shared)
- Expo / EAS — app build and update delivery infrastructure
We do not sell, rent, or trade your personal information to any third party for marketing purposes.
Your rights
Under the Australian Privacy Act and GDPR (where applicable), you have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — ask us to correct inaccurate or incomplete data
- Deletion — request deletion of your account and personal data (see "Delete account" in Settings)
- Portability — request your data in a portable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — you may withdraw consent at any time by deleting your account
To exercise any of these rights, contact us at privacy@doorstepcompany.com. We will respond within 30 days.
Children
Doorstep is not intended for users under 18 years of age. We do not knowingly collect data from anyone under 18. Date of birth is collected at registration and verified to confirm minimum age. If you believe a minor has created an account, contact us immediately at privacy@doorstepcompany.com.
Cookies and tracking
Doorstep is a native mobile application and does not use browser cookies. We may use device identifiers and anonymised session analytics to understand how the app is used. These are not used for advertising profiling.
Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top and notify you via the app if the changes are material. Continued use of the app after changes constitutes acceptance of the updated policy.
Contact us
For any privacy-related questions or requests:
Email: privacy@doorstepcompany.com
Address: Adelaide, South Australia, Australia
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au, or your local data protection authority if you are based in the EU.