Privacy Policy
Last updated: 15 July 2026
Who we are
Doorstep ("we", "us", "our") is a social and dating application connecting homeowners. We are based in Adelaide, South Australia. By using Doorstep you agree to the collection and use of your information as described in this policy.
We handle your personal information in accordance with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and where applicable, the EU General Data Protection Regulation (GDPR).
What we collect
We collect the following categories of personal information:
- Identity data — display name, date of birth (used to calculate age only), gender, nationality
- Profile data — bio, profile answers (home type, lifestyle questions), door style preferences
- Photos — images you upload, stored securely in our cloud storage
- Location — the suburb you choose, never your actual location. You pick a home suburb (by searching for it, or by dropping a map pin that we snap to the nearest suburb name). We store only that suburb's name and a single approximate map point based on the suburb's centre, deliberately fuzzed by roughly 1.5 km, so you appear within your chosen suburb on the map. We never read, request, or store your device's GPS position or your home address, and you stay in your chosen suburb until you change it. You can pause your visibility on the People Map at any time via Settings → Privacy → "Show me on the People Map" — visibility is mutual, so while paused you won't appear on the map and won't see it either
- Messages — the content of messages you exchange with your matches, plus match metadata (the fact that a match exists, so messages can be delivered). Messages are stored on our servers and may be accessed for safety and moderation purposes (see below)
- Match and interaction data — swipes, matches, and interaction history
- Suburb board — posts, comments, reactions, poll votes and RSVPs you make on your suburb's community board, which are visible to other members of that suburb
- Safety data — blocks and reports you make, and reports made about you. When you report someone you may attach screenshots as evidence, which are stored in private storage accessible only to our safety team. Blocking a user also automatically creates a report so our safety team is notified and can review the blocked account
- Device and notification data — a push notification token used to deliver alerts, plus basic device and app information used for diagnostics
- Account credentials — email address and encrypted password (we never see your plaintext password)
- Usage data — app session information, error logs, and feature interactions used to improve the service
- Payment data — if you subscribe, payment is processed by a third-party provider (RevenueCat / Apple / Google). We do not store card numbers or payment details
Why we collect it
We use your information to:
- Provide and personalise the Doorstep service
- Match you with other users based on your preferences
- Deliver messages between matched users, and keep conversations safe — we may review reported or flagged message content to investigate abuse, enforce our terms, and meet our legal and safety obligations
- Process subscription payments and manage your plan
- Send important service notifications (we do not send marketing emails without your consent)
- Detect and prevent fraud, abuse, and safety violations
- Comply with legal obligations
- Improve and develop the app using aggregated, anonymised analytics
Legal basis for processing
We process your personal data on the following legal bases:
- Consent — you provide explicit consent when creating an account and agreeing to these terms
- Contract — processing necessary to deliver the service you signed up for
- Legitimate interests — fraud prevention, security, and service improvement
- Legal obligation — where required by Australian law or court order
How we store and protect your data
Your data is stored on Supabase infrastructure (PostgreSQL database and object storage), hosted on secure cloud servers. Supabase is SOC 2 Type II certified and applies encryption at rest and in transit (TLS 1.2+).
Because our infrastructure and service providers operate internationally, your personal data may be stored or processed on servers located outside Australia, including in the United States. Where data is disclosed overseas we take reasonable steps to ensure it is handled in line with the Australian Privacy Principles. By creating an account and using Doorstep, you consent to your data being processed on servers outside Australia.
Access to your data within our systems is controlled by Row Level Security (RLS) policies — meaning database queries are restricted so users can only access data they are authorised to see.
Photos you upload are stored in our cloud object storage and served over encrypted connections (TLS) via unique, hard-to-guess web addresses. These photo links are not individually password-protected: anyone who has a link — or who you share it with — can open the image, and a link may stay reachable until the photo itself is deleted (for example when you remove it, or when your account is permanently purged after deletion). We do not publicly list or index your photos, and we never share them with third parties for advertising or marketing.
Messages between matched users are encrypted in transit (TLS 1.2+) and at rest on our infrastructure, and access is restricted by Row Level Security so users can only see their own conversations. Messages are not end-to-end encrypted: to keep the community safe and to comply with Australian law, authorised personnel may access message content where necessary to investigate reports, detect abuse or illegal content, and respond to lawful requests. Please do not share highly sensitive information (such as financial details or government identifiers) in chat.
Data retention and deletion
We keep your personal information only as long as your account is active or as needed to provide the service, meet legal obligations, or resolve disputes. Profile data, photos, messages, match history, and location are retained while your account is active.
When you delete your account via Settings → Delete Account, your profile is hidden from all other users immediately and you are signed out of all sessions. Your account then enters a recovery window and remains recoverable for 90 days (or 365 days where required for safety or legal reasons, such as a reported or banned account). If you sign back in within that window your account is restored, but your previous matches, conversations, and most profile details are cleared so you start fresh. Once the window passes, an automated process permanently removes your profile, photos, messages, and match history from our active databases.
Some records are retained after deletion where the law or safety requires it: subscription and payment transaction records are kept for 7 years to meet Australian taxation requirements; server and access logs are kept for up to 90 days for security and fraud prevention; and aggregated, anonymised analytics that cannot be linked back to you may be retained. A fuller breakdown is available in the Data Retention Policy within the app (Settings → Data retention).
Third parties
We share data with the following trusted third parties only as necessary to operate the service:
- Supabase Inc. (USA) — database, authentication, and file storage. Data may be stored in US-based data centres subject to standard contractual clauses
- Apple Inc. / Google LLC — in-app purchase processing on iOS/Android respectively
- RevenueCat Inc. — subscription management and entitlement tracking (no payment card data is shared). RevenueCat also collects a device identifier (Apple's Identifier for Vendor) and technical device information such as device model and operating system version, to manage your subscription
- Expo (USA) — app build and update delivery, and push notification delivery. Push tokens are transmitted through Expo's push service (and Apple's / Google's push gateways) to deliver alerts; they are never shared for marketing
- Resend (USA) — transactional email delivery (account confirmation, password reset, and security notices). Resend processes your email address only to send these messages
- Cloudflare Turnstile — bot and abuse protection on our website sign-up form. It processes limited technical signals (such as IP address and browser characteristics) to tell humans from bots. This applies to the website only, not the app
We do not sell, rent, or trade your personal information to any third party for marketing purposes.
Your rights
Under the Australian Privacy Act and GDPR (where applicable), you have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — ask us to correct inaccurate or incomplete data
- Deletion — request deletion of your account and personal data (see "Delete account" in Settings). See "Data retention and deletion" above for how the recovery window works
- Portability — request your data in a portable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — you may withdraw consent at any time by deleting your account
To exercise any of these rights, contact us at privacy@doorstepcompany.com. We will respond within 30 days.
Sensitive information
To match you with compatible people, Doorstep collects information that may be considered "sensitive information" under the Australian Privacy Act (and "special category data" under the GDPR), including your gender, the genders you are interested in, and your relationship intentions — which may reveal information about your sexual orientation.
We collect and use this information only to operate the matching service. We rely on your consent, which you give by completing your profile and using the app, and you can withdraw it at any time by editing your profile or deleting your account.
Automated matching and machine learning
Doorstep uses an automated system to suggest potential matches. It draws on your profile details, stated preferences, suburb, and the knocks, rings and waves you and others send, to decide which profiles to show you.
We may also use machine-learning techniques to improve match suggestions and to detect spam, fraud, or behaviour that breaches our terms. These suggestions are recommendations only — they do not make decisions that produce legal or similarly significant effects about you without human involvement.
Communications and notifications
We send two kinds of messages: service messages needed to operate your account (such as new matches, new chat messages, and security or account notices), and optional updates about new features and tips.
You can turn off push notifications at any time in your device settings, and opt out of optional updates without affecting essential service messages. We do not send third-party marketing.
Advertising and sale of data
We do not sell your personal information, and we do not share it with third parties for their own advertising or marketing. Doorstep does not display third-party advertising and does not use advertising trackers or cookies.
Identity and photo verification
We do not currently collect biometric information. If we introduce identity or photo verification in the future (for example, checking that a selfie matches your profile photos), any biometric information will be collected only with your express consent, used solely to verify your identity, and deleted once verification is complete or you delete your account. We will update this policy before launching any such feature.
Users outside Australia
Doorstep is currently offered to users in Australia. If you access Doorstep from outside Australia, additional rights may apply to you.
If you are in the European Economic Area or the United Kingdom, you have the rights of access, rectification, erasure, restriction, portability, objection, and to withdraw consent, and you may lodge a complaint with your local data protection authority. Our legal bases for processing are set out in "Legal basis for processing" above.
If you are a California resident, you may have rights under the CCPA/CPRA, including to know, delete, and correct your personal information and to limit the use of sensitive personal information. We do not "sell" or "share" your personal information as those terms are defined under California law.
To exercise any of these rights, contact us at privacy@doorstepcompany.com.
Children
Doorstep is not intended for users under 18 years of age. We do not knowingly collect data from anyone under 18. Date of birth is collected at registration and verified to confirm minimum age. If you believe a minor has created an account, contact us immediately at privacy@doorstepcompany.com.
Cookies and tracking
Doorstep is a native mobile application and does not use browser cookies. We may use device identifiers and anonymised session analytics to understand how the app is used. These are not used for advertising profiling.
Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top and notify you via the app if the changes are material. Continued use of the app after changes constitutes acceptance of the updated policy.
Contact us
For any privacy-related questions or requests:
Email: privacy@doorstepcompany.com
Address: Adelaide, South Australia, Australia
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au, or your local data protection authority if you are based in the EU.