OnlyReal Privacy Policy Statement and Personal Information Collection Statement

Effective date: 2026-05-21

Last updated: 2026-05-21

Data user: Onlyreal Limited

1. Our Commitment

Onlyreal Limited ("OnlyReal", "we", "us" or "our") respects your personal data privacy. We collect, hold, process, use, disclose and protect your personal data in accordance with the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO") and applicable laws.

This document is both:

• a Privacy Policy Statement (PPS), describing our policies and practices for handling personal data; and
• a Personal Information Collection Statement (PICS), explaining the purposes of collection, whether provision is mandatory, classes of transferees and your data access and correction rights when we collect personal data from you.

This policy may be provided in English, Traditional Chinese and Simplified Chinese. If there is any inconsistency between language versions, the Traditional Chinese version prevails to the fullest extent permitted by applicable law.

2. Summary

OnlyReal is a social, dating, restaurant activity and recommendation platform for people aged 18 or above. We need to process profile information, photos, chats, rooms, queues, location, preferences, verification, reports, subscriptions and device information to provide matching, activities, chat, safety, real-person verification, Vibe Read, recommendations, notifications and Premium features.

Some information may be shown to other users depending on your settings, such as your profile, photos, room information, certain safety signals and messages you actively send. Some information is used only for operations, safety, support, analytics, payment or legal compliance.

We may use cloud infrastructure, object storage, CDN, push notification, sign-in, payment, analytics, support, review and AI/recommendation-related service providers. These service providers may process relevant information only according to our instructions and contractual requirements, and must take reasonable confidentiality and data protection measures.

You may update certain information in the app, delete photos, manage privacy settings, withdraw certain permissions and request account deletion. You may also request access to and correction of your personal data.

3. Who Controls Your Personal Data

Data user: Onlyreal Limited

Email: onlyreal.app@gmail.com

4. Whether You Must Provide Personal Data

Unless we state otherwise at collection:

• information needed to create and use a core account, confirm age, sign in, maintain safety, create a profile, upload photos, use rooms, queues, chats and subscriptions is mandatory. If you do not provide it, we may be unable to create your account, show your profile or provide matching, chat, subscription or related features;
• profile bios, interests, prompt answers, social accounts, WhatsApp, height, drinking/smoking habits, Vibe Read answers, location, contact syncing, push notifications, real-person verification and marketing consent are usually optional or feature-dependent. If you do not provide them, related features may be unavailable or less effective;
• we do not require your Hong Kong Identity Card number unless a future feature has a clear legal or safety need and we notify you before collection.

5. Personal Data We Collect

5.1 Account and Sign-In Data

• OnlyReal user ID, account status, creation, update and deletion times;
• Apple, Google or other sign-in provider identifiers and emails;
• internal access tokens, refresh token hashes, sessions, device and login records;
• system language, content language, last login time, login region or login location data.

5.2 Profile Data

• display name, birthday/age, gender and whether gender is shown;
• occupation, company, school, bio, region, height;
• drinking habits, smoking habits, lifestyle, dating intention, interaction pace, personality type;
• Instagram ID, WhatsApp phone number, phone region;
• interests, custom interests, profile prompts and answers;
• avatar, personal photos, photo order and photo metadata.

5.3 Content and Interaction Data

• rooms, restaurants, times, activities, queue applications and greeting messages;
• threads, messages, image messages, message payload and read status;
• likes, mutes, reports, contact swaps and contact swap reports;
• reports, messages, accounts and safety leads involving suspected scams, money requests, investment promotions, off-platform payments, suspicious links, gift cards, cryptocurrency, lending, identity misuse or other high-risk interactions;
• reports, messages, accounts, safety leads and information you provide involving real-world dates, offline meetings, post-meeting communication, repeat meetings, harassment, stalking, assault, violence, injury, accidents, property loss or other safety incidents;
• post-meal feedback, no-shows or activity confirmations, survey answers;
• communications with support, admins or safety review processes.

5.4 Location and Restaurant-Related Data

• latitude/longitude, region, nearby searches or geo buckets when you authorise or use location-related features;
• restaurant browsing, saved restaurants, recommendations, preferences, cuisine, region and activity information;
• temporary location data needed for map or nearby features.

We request or use location only when directly related to a feature and only with operating system permission. OnlyReal is not an emergency location or rescue service.

5.5 Contacts and Visibility Data

If you use Contacts Hide or manually add contacts:

• the app may read phone numbers from your device contacts;
• we do not need contact names, addresses, emails, notes or other fields;
• phone numbers are used to compare which users should not see you in certain feed or liked-room scenarios;
• the backend converts standardised phone data into hashes or stores necessary hints, and does not make your full contacts list public to other users.

You may deny contacts permission, use manual entry, delete synced contact data or withdraw permission in device settings.

5.6 Real-Person Verification and Safety Data

• verification sessions, challenge types, submission times and expiry times;
• selfie photos, selfie videos or other verification media;
• media type, storage key, format, size, dimensions and duration;
• possible challenge confidence, liveness score, face match score, spoof flags and manual review decisions;
• verification status, verification level, review queue, review reason, reviewer and trust profile;
• report scores, identity risk signals and safety handling records.

Verification data is used only for authenticity, safety, abuse prevention, review, appeals and legal compliance. Unless separately stated and with required consent, we do not provide your private verification selfies or videos to third parties for training their general AI models.

5.7 Subscription and Payment Data

If you use iOS subscriptions or paid features, we may process:

• Apple product ID, original transaction ID and latest transaction ID;
• appAccountToken, subscription status, start time, expiry time, grace period and renewal status;
• Premium feature unlocks, feature change requests and App Store server notification logs.

Apple App Store handles your Apple ID payment, payment method and refund process. We normally do not collect full credit card numbers.

5.8 Device, Technical and Analytics Data

• device token, push notification token, platform, environment and last seen time;
• IP address, browser/device information, operating system, app version, language, crash and diagnostics data;
• app sessions, open frequency, feature use, exposure, clicks, recommendation and behaviour events;
• server logs, security logs and cache/version logs.

5.9 AI, Vibe Read and Recommendation Data

• AI profile question responses and daily question responses;
• preference vectors, style vectors, AI profile snapshots, AI profile renders and AI profile access;
• Vibe Read articles, recommendation shelves, recommendation items, user insights and activity snapshots;
• recommendation or product experience data inferred from your behaviour, answers, preferences and interactions.

6. How We Collect Data

We may collect data through:

• information you directly enter, upload, send or select;
• information automatically generated when you use the app, website, chat, rooms, queues, subscriptions, verification, contacts, location or support features;
• Apple, Google, Apple App Store, push notification services or other third-party sign-in/payment/platform services you choose;
• interactions from other users, such as messages, reports, contact swap reports or activity feedback;
• our backend, admin portal, safety tools, analytics tools, server logs and cloud services.

7. Purposes of Use

We use personal data to:

1. create, sign in to, maintain, protect and delete accounts;
2. verify age, eligibility, identity and account safety;
3. create, display, rank and manage profiles, photos and avatars;
4. provide feeds, recommendations, rooms, queues, threads, messages, contact swaps, restaurant activities and notifications;
5. provide Public Discovery Hide, Contacts Hide, Matched Users Hide and other privacy controls according to your settings;
6. handle real-person verification, reports, mute/block, moderation, violations, appeals, abuse prevention and safety signals;
7. detect, prevent, investigate and handle scams, fraud, phishing, investment promotions, money transactions, off-platform payments, money laundering, identity misuse, underage risks, real-world date or offline meeting safety incidents, post-meeting harassment, stalking, threats, blackmail, assault, violence, injury, accidents and other safety or platform integrity risks;
8. provide Vibe Read, AI/algorithmic recommendations, preference analysis, restaurant recommendations and product personalisation;
9. process subscriptions, Premium features, Apple App Store server notifications, entitlement syncing, purchase restoration and support requests;
10. send service, safety, transaction, push and marketing messages you consent to receive;
11. improve, test, debug, analyse, monitor, develop and protect the Service;
12. comply with laws, regulations, court orders, law enforcement requests, tax, accounting, audit and dispute needs;
13. enforce the Agreement and protect the rights, property and safety of OnlyReal, users and the public.

We do not use your personal data for a new purpose unrelated to the original collection purpose unless we obtain your express and voluntary consent.

8. Information Visible to Other Users

Depending on your settings and feature use, the following may be shown to other users:

• profile, photos, avatar, display name, age or age range, gender display, region, bio, interests and prompt answers;
• room, restaurant, time, queue status or activity information;
• messages, images, contact swaps or other chat content you actively send;
• real-person verification badges, certain safety signals or recommendation tags;
• other information you actively make public or share.

You should not share information in public profiles or chats that you do not want others to see, screenshot or forward.

9. Disclosure and Transfer

We may disclose or transfer personal data to:

1. other users, to provide profile browsing, rooms, queues, chat, contact swaps, recommendations, safety signals and social features;
2. cloud and technical service providers, for databases, servers, object storage, CDN, backups, Redis, logs, monitoring, crash reporting and cybersecurity;
3. object storage and media service providers, to store profile photos, avatars, chat images, verification photos/videos and restaurant images;
4. sign-in and platform services, including Apple, Google and Apple Push Notification service;
5. payment and subscription platforms, including Apple App Store, App Store Server API, transaction validation and refund/cancellation flows;
6. support, review, safety and admin portal providers, to handle support, reports, verification, violations, appeals, scam leads and safety incidents;
7. AI, recommendation, analytics or product improvement providers, only as needed for the feature and under contractual restrictions;
8. professional advisers, including lawyers, auditors, insurers, accountants, risk and compliance advisers;
9. law enforcement, courts, regulators, government departments, anti-scam organisations or channels, payment services, cybersecurity or victim support channels, or others legally permitted or required to receive the data;
10. transaction-related parties in a merger, financing, acquisition, restructuring or asset transfer, subject to appropriate confidentiality and data protection arrangements.

We do not sell personal data to third parties. Unless we have notified you and obtained your consent/non-objection as required for direct marketing under the PDPO, we do not use your personal data for direct marketing or provide it to third parties for direct marketing.

10. Cloud Services, Object Storage and Data Processors

We use cloud infrastructure, databases, object storage, CDN, backups, logs, push notifications, analytics, support, review, safety and AI/recommendation service providers to provide and protect the Service. These providers may include Amazon Web Services, Google Cloud, Cloudflare or other providers with comparable security capabilities. Actual providers and configurations may change for operational, security, cost, performance or compliance needs.

Media such as personal photos, avatars, chat images, verification photos/videos and restaurant images may be stored and transmitted through Amazon S3, Cloudflare R2, other S3-compatible object storage, CDN or similar services. Databases, backups, logs and media may be stored, processed or accessed in Hong Kong or outside Hong Kong.

When selecting cloud or data processing providers, we take reasonable contractual, technical and organisational measures, including confidentiality, access controls, retention/deletion requirements, security measures, incident notification and assistance with data subject requests.

11. Cross-Border Transfers

Your personal data may be stored, processed or accessed outside Hong Kong, including where cloud services, backups, support, review, analytics, push, payment or AI/recommendation services are located.

When transferring personal data outside Hong Kong, we take reasonable and practicable steps to ensure protection consistent with the PDPO and this policy. These may include:

• contractual data protection terms with processors;
• limits on processing purposes, onward transfers, retention and deletion;
• access controls, encryption, logs, audit and incident notification;
• reference to PCPD recommended model contractual clauses and cross-border transfer guidance.

12. Security Measures

We take reasonable and practicable technical and organisational measures to protect personal data, including:

• HTTPS/TLS transmission;
• restricted and time-limited presigned upload URLs;
• server-side authentication, JWT, refresh token hashes and session revocation;
• object storage access controls and deletion of storage keys where needed;
• hashed or minimised storage of contacts phone numbers;
• admin portal access controls and review processes;
• security logs, monitoring, anomaly detection and abuse limits;
• allowing access only to personnel, contractors or providers with a need to know;
• contractual or other measures for data processors to prevent unauthorised access, processing, retention, deletion, loss or use.

No network or storage system is completely secure. You should also protect your device, sign-in method and shared content.

13. Retention and Deletion

We retain personal data only for as long as necessary to fulfil the collection purposes, provide the Service, protect safety, comply with law, resolve disputes, enforce agreements or operate the business.

General retention principles:

• account, profile, photos, chats, rooms, queues, recommendations and subscription data: retained while the account is active and the Service needs it;
• unconfirmed temporary photo uploads: usually cleaned after expiry or when no longer needed;
• presigned upload URLs: usually valid only for a short time;
• reports, violations, safety, verification, contact swap reports, scam leads, money requests, off-platform payments, real-world date or offline meeting safety incidents, post-meeting harassment, abuse prevention and audit records: retained as needed for safety, appeals, legal, anti-scam or abuse prevention purposes;
• Apple subscription, transaction, tax, accounting and audit records: retained as needed for platform, legal, accounting and dispute handling;
• server logs, backups and security records: retained according to rotation, security and operational needs;
• anonymised or aggregated data: if it cannot reasonably identify an individual, retained for statistics, product improvement or research.

Account Deletion

You may request account deletion in the app:

1. the account immediately enters pending deletion and normal use is restricted;
2. you have a 7-day recovery period and may restore the account through the process we provide;
3. after the recovery period ends, we delete or anonymise personal data and media no longer needed;
4. we may retain sent messages, transaction records, safety/report records, legal records, backup data pending rotation, and post-deletion identity hashes or lineage records for preventing abuse or repeat violations, only for necessary periods and purposes.

Deleting your OnlyReal account does not automatically cancel Apple subscriptions. You must manage or cancel subscriptions in Apple ID settings.

14. Direct Marketing

If we intend to use your name, email, phone number, push token, product usage data or other personal data to send direct marketing messages, or provide your personal data to third parties for direct marketing, we will first comply with PDPO requirements by:

• informing you of the kinds of personal data to be used or provided;
• informing you of the classes of products/services to be marketed;
• informing you of the classes of third parties that may receive the data;
• providing a free and easy response channel;
• obtaining your consent or indication of no objection.

You may withdraw direct marketing consent at any time. Once we receive it, we will stop using your personal data for the relevant direct marketing.

Service notices, safety notices, transaction notices, subscription notices and important account notices are not ordinary direct marketing and may still be sent.

15. Push Notifications and Permissions

You may choose whether to allow push notifications, location, camera, photo library or contacts permissions. You may withdraw permissions in the app or device settings. Withdrawing permissions may make some features unavailable, such as photo upload, verification selfies, nearby restaurants, Contacts Hide or notification reminders.

16. Children and Minors

OnlyReal is for people aged 18 or above. We do not knowingly collect personal data from anyone under 18. If we reasonably believe an account is used by someone under 18, we may restrict or delete the account and related data.

If we need to verify age or handle a minor safety incident, we process relevant information only to the extent reasonably necessary, such as account data, report content, chat records, photos, login records, device or safety records. Unless legally required or necessary for safety, law enforcement, disputes, abuse prevention or audit, we delete or anonymise minor data no longer needed.

If you are a parent or guardian and believe a minor provided us with personal data, contact us. We may ask for reasonable information to verify your identity, your relationship with the minor and the account that needs handling.

Users must not upload, share or induce minors to provide personal data, photos, intimate content, contact details or location data.

17. Your Rights

Under the PDPO, you have the right to:

• ask whether we hold your personal data;
• request access to personal data we hold about you;
• request correction if the data is inaccurate;
• ask us to explain a refusal to provide access or correction;
• withdraw direct marketing consent;
• update your profile in the app, manage certain settings, delete photos, delete synced contact data or request account deletion.

Data access requests are generally handled within 40 days after receipt. We may charge a fee not exceeding processing cost as permitted by the PDPO and may ask for reasonable information to verify identity and locate the relevant data.

To the extent permitted by the PDPO or other applicable law, we may refuse, limit or redact access or correction requests where disclosure would affect safety investigation, law enforcement, dispute handling, anti-scam, abuse prevention, our or others' rights and freedoms, or involves other users, employees, contractors, trade secrets, legal privilege or internal risk assessment materials. We will explain the reason as required by law.

Please send data access or correction requests to:

Email: onlyreal.app@gmail.com

18. Third-Party Services and Links

The Service may contain third-party services, sign-in, payment, maps, restaurant information, websites or links. Those third parties have their own terms and privacy policies. We do not control how third parties process information you provide directly to them.

19. Policy Updates

We may update this policy from time to time. Material changes will be notified by in-app notice, email, updated date or other reasonable means. Unless law requires otherwise, your continued use after the update takes effect means you accept the updated policy.

20. Contact Us

If you have questions about this policy, personal data, direct marketing, access/correction, deletion or safety incidents, contact:

Company: Onlyreal Limited

Email: onlyreal.app@gmail.com