Privacy Policy

Last updated: April 3, 2026

Set Adrift ("we," "us," or "our") is operated by The Big Fat Dad, LLC. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the Set Adrift application and related services (the "Service").

Set Adrift is a dating app for the "talking stage" — it helps two people explore compatibility through private questions, AI-powered insights, private journaling, compatibility mapping, and disappearing photos. Each connection is called a "Drift," and every Drift is a private, isolated shared space between exactly two people.

By using Set Adrift, you agree to the collection and use of your information as described in this policy. If you do not agree, please do not use the Service.

1. Information We Collect

Account Information

When you create an account, we collect:

• Email address
• Display name
• Avatar photo (if you upload one)

Onboarding Information

During onboarding, we collect your responses to our personality quiz, including:

• Spice level preference (comfort level for question content)
• Vibe keywords and personality indicators
• Cuisine preferences
• General location (city-level, latitude and longitude)
• Streaming service preferences
• Music mood preferences

Drift Activity

Within each Drift, we collect:

• Question answers — Your responses to daily questions. These are stored privately until both partners have submitted, at which point answers are revealed to each other.
• Compatibility scores and AI-generated insights — Computed from your combined answers and activity within a Drift.
• Moment Button taps — Timestamps of when you signal you are thinking of your partner.
• Flag submissions — When you mark a partner's answer as a green flag, red flag, or interesting.
• Photos (Sparks) — Disappearing photos you send within a Drift, which are stored temporarily and deleted after viewing or expiration.

Journal Entries

Your journal entries are stored at the user level — they are completely private and are never shared with any partner, any other user, or any third party. Journal data is used only for server-side AI analysis that returns abstract insights to you alone. Your actual journal text is never included in any response, notification, or insight delivered to anyone else.

Third-Party Service Connections

• Spotify — If you choose to connect Spotify, we store your OAuth access and refresh tokens encrypted on our server. Tokens are never stored in your browser, device storage, or any client-side location. The refresh token is never returned to the client.

Device and Technical Information

• Push notification tokens — Firebase Cloud Messaging (FCM) tokens to deliver notifications to your device.
• Usage analytics — General usage patterns to improve the Service, including feature usage frequency and session data.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Service — Creating and managing your account, facilitating Drifts between you and your partners, delivering daily questions, computing compatibility scores, and enabling all core features.
• AI-Powered Insights — Generating personalized question sequences, compatibility analysis, journal-based insights, and Your Pattern (cross-drift private analysis). All AI processing happens on our servers — only abstract, synthesized insights are returned to you.
• Notifications — Sending push notifications for Drift activity, such as when your partner answers a question, when a Moment syncs, or when a new insight is available.
• Improving the Service — Analyzing usage patterns in aggregate to improve features, fix issues, and develop new functionality.
• Safety and Security — Detecting and preventing abuse, enforcing our terms, and protecting users.
• Payment Processing — Managing your subscription and processing payments through our payment provider.

We do not sell your personal information. We do not use your data for advertising. We do not share your data with data brokers.

3. AI Processing and Privacy

Set Adrift uses AI (Google Gemini) to power several features. Here is how we protect your privacy in that process:

• Server-side only — All AI analysis runs on our servers through Cloud Functions. Your data is processed in a controlled environment, not on your device or in a public API call from the client.
• Journal analysis is blind — When AI analyzes journal entries, it extracts only abstract themes on the server. A second pass detects shared patterns from those themes alone. Only a brief insight message is returned — never your journal text, never paraphrased content, never quotes.
• Your Pattern is anonymized — Cross-drift insights never identify any partner by name, Drift color, or any distinguishing detail. Insights use language like "Observed across N connections" and focus entirely on your own patterns.
• No AI training — We do not use your personal data to train AI models. Your content is processed for feature delivery only.

4. Data Sharing and Third-Party Services

We share your information only in the following limited circumstances:

Service Providers

• Firebase (Google Cloud Platform) — We use Firebase for authentication, database (Firestore), file storage, push notifications (FCM), and hosting. Google's privacy policy applies to their infrastructure services. See Firebase Privacy and Security.
• Stripe — We use Stripe to process subscription payments. Stripe receives your payment information directly — we never store your card details on our servers. See Stripe's Privacy Policy.
• Spotify — If you connect Spotify, we interact with Spotify's API to create and manage shared playlists within your Drifts. See Spotify's Privacy Policy.
• Google Gemini AI — We use Google's Gemini models for AI analysis (question generation, compatibility scoring, journal analysis, and pattern insights). Content is sent to Gemini's API for processing and is not retained by Google for model training under our API terms.

Within a Drift

Certain data is shared with your Drift partner by design:

• Your display name and avatar
• Your question answers (only after both partners have submitted)
• Compatibility scores and map data for the shared Drift
• AI-generated insights about the Drift (never journal-derived content)
• Photos you send (Sparks)
• Moment Button sync events
• Flag submissions (during Flag Reveal)

Never Shared

• Journal entries — never shared with any partner, any other user, or any third party
• Your Pattern insights — visible only to you
• Activity or data from one Drift with any other Drift partner
• Spotify tokens or credentials

Legal Requirements

We may disclose your information if required to do so by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5. Data Retention

• Active account data — Retained for as long as your account is active.
• Disappearing photos (Sparks) — Deleted from our servers after they are viewed by the recipient or after their expiration time, whichever comes first.
• Ended or archived Drifts — Shared Drift data is retained for 90 days after a Drift ends so that both partners can access the shared history. After 90 days, it is permanently deleted.
• Invite tokens — Expire after 7 days and are cleaned up automatically.
• Account deletion — When you delete your account, we immediately and permanently delete your journal entries, pattern insights, uploaded photos, Spotify tokens, FCM tokens, and user profile. Active Drifts are archived (not deleted) so your partner retains access to shared history for 90 days, after which that data is purged. Your Stripe subscription is cancelled.

6. Children's Privacy

Set Adrift is intended for users who are at least 18 years old. We do not knowingly collect personal information from anyone under the age of 18. If you are under 18, please do not use the Service and do not provide any personal information.

If we learn that we have collected personal information from a user under 18, we will delete that information and terminate the associated account as quickly as possible. If you believe a user under 18 has provided us with personal information, please contact us at drift@setadrift.com.

7. Cookies and Local Storage

Set Adrift uses minimal browser storage:

• Authentication state — Firebase Authentication uses local storage and cookies to maintain your signed-in session.
• Pending invite tokens — If you open an invite link before signing in, the token is temporarily stored in localStorage so it can be recovered after authentication.
• App preferences — Basic UI preferences may be stored locally on your device.

We do not use tracking cookies. We do not use cookies for advertising. We do not use third-party analytics cookies.

8. Security

We take the security of your data seriously and implement multiple layers of protection:

• Encryption in transit — All data transmitted between your device and our servers is encrypted using TLS/HTTPS.
• Encryption at rest — Data stored in Firebase/Google Cloud is encrypted at rest using Google's infrastructure encryption.
• Server-side validation — All sensitive operations (answer submission, Drift creation, invite validation, AI processing) are handled through authenticated Cloud Functions with server-side validation. Direct client writes to sensitive collections are blocked by Firestore security rules.
• Spotify tokens — OAuth tokens are stored encrypted on the server and never exposed to the client.
• Screenshot protection — On Android, OS-level screenshot prevention is enabled during photo viewing. On iOS, screenshot detection notifies the sender immediately and marks the photo accordingly.
• App Check — Firebase App Check is enforced on invite and onboarding callable functions to verify that requests originate from the genuine Set Adrift app.
• Consent-based intimacy — The effective spice level in any Drift is always the lower of the two partners' chosen levels, ensuring that content boundaries are set by the more conservative preference.

While we implement industry-standard security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data to the best of our ability.

9. Your Rights

Depending on your location, you may have some or all of the following rights regarding your personal information:

For All Users

• Access — You can view your profile information, journal entries, and Drift data at any time within the app.
• Correction — You can update your display name, avatar, and onboarding preferences through the app.
• Deletion — You can delete your account at any time from your profile settings. Deletion is immediate for personal data (journal, pattern insights, photos, tokens). Shared Drift data is retained for your partner for 90 days.
• Portability — You can request a copy of your personal data by contacting us.

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:

• Right to Know — You can request details about the categories and specific pieces of personal information we have collected about you, the sources of that information, our purposes for collecting it, and the categories of third parties with whom we share it.
• Right to Delete — You can request deletion of your personal information, subject to certain exceptions.
• Right to Opt-Out of Sale — We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Right to Non-Discrimination — We will not discriminate against you for exercising any of your privacy rights.

To exercise your CCPA/CPRA rights, contact us at drift@setadrift.com. We will verify your identity before processing your request.

European Economic Area, United Kingdom, and Switzerland (GDPR/UK GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation:

• Right of Access — You can request a copy of the personal data we hold about you.
• Right to Rectification — You can request that we correct inaccurate or incomplete personal data.
• Right to Erasure — You can request that we delete your personal data, subject to legal obligations.
• Right to Restrict Processing — You can request that we limit how we use your data in certain circumstances.
• Right to Data Portability — You can request your data in a structured, commonly used, and machine-readable format.
• Right to Object — You can object to our processing of your personal data in certain circumstances.
• Right to Withdraw Consent — Where processing is based on consent, you can withdraw it at any time.

Our legal basis for processing personal data includes: performance of a contract (providing the Service), legitimate interests (improving the Service and ensuring security), and consent (where applicable). To exercise your GDPR rights, contact us at drift@setadrift.com.

Do Not Track

Set Adrift does not track users across third-party websites or services and does not respond to Do Not Track signals, as there is no industry-standard interpretation of such signals. We do not engage in cross-site tracking.

10. International Data Transfers

Set Adrift is operated from the United States. If you are accessing the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to this transfer. We rely on Google Cloud's infrastructure and compliance certifications (including Standard Contractual Clauses where applicable) to facilitate lawful international data transfers.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the app or by email before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

Your continued use of Set Adrift after changes are posted constitutes your acceptance of the revised policy.

12. Contact Us

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about how your data is handled, please contact us:

The Big Fat Dad, LLC
2976 E. State St #120-2914
Eagle, ID 83616
Email: drift@setadrift.com