Privacy Policy
These updated terms will replace the current version on April 20, 2026.
Effective Date: April 20, 2026
This Privacy Policy applies to our websites, applications, services, and other offerings that link to this policy (collectively, the “Services”). It explains how Encore AI Labs, Inc. (“Candle,” “we,” “our,” or “us”) collects, uses, stores, and protects your personal data. Please review it carefully to understand your rights and our commitments regarding your information.
What this Privacy Policy Covers
To offer the Services, Candle may collect Personal Data, including from its prospects and website visitors. By using or accessing our Services, you acknowledge the practices described in this Privacy Policy regarding how we collect, use, and share your information.
This Privacy Policy covers how we treat Personal Data that we gather when you access or use our Services. “Personal Data” means any information that identifies or relates to a particular individual and includes information referred to as “personally identifiable information” or “personal information” under applicable data privacy laws, rules or regulations. This Privacy Policy does not cover the practices of companies we don’t own or control or people we don’t manage.
Personal Data
Categories of Personal Data We Collect
This chart details the categories of Personal Data that we collect and have collected over the past 12 months:
| Category of Personal Data | Examples of Personal Data We Collect |
|---|---|
| Identity and Profile Information | Nickname or display name (real name not required) Email address (optional) Phone number (optional) Profile photo Partner connection information |
| Identity Verification Data | Account information and verification codes used to confirm your identity for support and account recovery purposes We do not collect or store government-issued ID documents |
| Purchase and Transaction Data | Order history Items purchased Payment method (last 4 digits only) Billing address Transaction amounts and dates |
| Marketing Data | Lead Information Information Related to Personal Campaigns Engagement Metrics For clarity, a user’s private messages and photos shared within the Services are not deemed Marketing Data. |
| Social Media Data (if you connect third-party accounts) | If you sign in using Google or Apple, we receive only the authentication credentials needed to verify your identity (e.g., account identifier and email address) We do not auto-populate your name, profile photo, or other profile information from these services Authentication tokens and account identifiers |
| Web Analytics | Usage Statistics Performance Metrics User Behavior |
| Device IP/Data | Device ID Domain server Type of device/operating system/browser used to access the Services Geolocation Data (collected only with your device permission for location-based features) |
| User Uploaded Images | Photos and images you upload may contain biometric information such as facial features. We do not extract or store biometric templates or use facial recognition technology for identification purposes. |
| Cookies | Cookie ID Cookie Types (e.g., Session, Persistent) |
| Customer Support Data | Support inquiries Customer service communications Feedback and reviews |
| Partner and Relationship Data | Partner pairing information Shared photos and content between you and your Partner Responses to questions and prompts Relationship activity and streak data Private conversations and messages |
| Other Identifying Information that You Voluntarily Choose to Provide | Identifying information submitted by you in emails, messages, posts, survey responses or other content you share, post or upload to the Services |
Sensitive Personal Data
Given the personal nature of the Services, we may collect the following types of information:
- Personal photos and images
- Private conversations and messages between Partners
- Personal beliefs, values, and relationship details
- Responses to personal questions and prompts
We recognize the deeply personal nature of this content and treat it with the heightened care described in this Policy.
Categories of Sources of Personal Data
We collect Personal Data about you from the following categories of sources:
You
- When you sign up for our Services or request more information.
- When you provide such information directly to us.
- When you create an account or use our Services.
- When you make a purchase or complete a transaction.
- When you participate in promotions, surveys, or contests.
- When you voluntarily provide information in free-form text boxes through the Services.
- When you send us an email or otherwise contact us.
- When you use the Services and such information is collected automatically.
- Through Cookies (defined in the “Cookies and Tracking Technologies” section below).
Third Parties
- Vendors: We may use analytics providers to analyze how you interact and engage with the Services, or third parties may help us provide you with customer support.
How We Use Your Data
Providing, Customizing and Improving the Services
- Creating and managing your account.
- Processing orders; billing.
- Providing you with the products, services or information you request.
- Assessing your service and product needs and preferences.
- Meeting or fulfilling the reason you provided the information to us.
- Providing support and assistance for the Services.
- Improving our Services, including through research, analytics, and product development.
- Personalizing the Services, website content and communications based on your preferences.
- Doing fraud protection, security and debugging.
- Carrying out other business purposes stated when collecting your Personal Data or as otherwise set forth in applicable data privacy laws.
Advertising and Marketing the Services
- Advertising, marketing and selling the Services.
Corresponding with You
- Responding to correspondence that we receive from you, contacting you when necessary or requested, and sending you information about Candle or the Services.
- Sending emails and other communications according to your preferences.
Meeting Legal Requirements and Enforcing Legal Terms
- Fulfilling our legal obligations under applicable law, regulation, court order or other legal process, such as preventing, detecting and investigating security incidents and potentially illegal or prohibited activities.
- Protecting the rights, property or safety of you, Candle or another party.
- Enforcing any agreements with you.
- Responding to claims that any posting or other content violates third-party rights.
- Resolving disputes.
If we collect additional categories of Personal Data or use your Personal Data for materially different purposes, we will update this Privacy Policy accordingly.
Partner Pairing and Shared Content
Candle is designed for paired users (“Partners”). When you pair with another user:
- Mutual Data Sharing: You and your Partner will have mutual access to shared content, including photos, responses to prompts, activity data, and conversations. Content you share with your Partner is visible to them and can be viewed, downloaded, or screenshot by them.
- Unpairing and Data Deletion: If either you or your Partner unpairs your accounts, all Shared Content associated with that pairing will be archived and will no longer be accessible through the Services. Archived data may become permanently deleted in accordance with the Terms. This design protects both partners’ privacy and prevents continued access after a relationship ends.
- Partner Communication: You are solely responsible for communications with your Partner through our Services. We do not monitor communications between paired users except when content is reported for Terms of Service violations.
Legal Basis for Processing
If you are located in the European Economic Area (“EEA”), the United Kingdom, or Switzerland, we process your Personal Data based on the following legal grounds under applicable data protection law:
| Purpose of Processing | Legal Basis | Categories of Data |
|---|---|---|
| Providing and maintaining the Services, including creating your account and enabling core features | Performance of our contract with you | Identity, Profile, Content, Purchase, Usage, Technical |
| Processing payments and transactions | Performance of our contract with you | Identity, Purchase, Payment |
| Responding to your inquiries and providing customer support | Performance of our contract with you; Legitimate interests (providing quality service) | Identity, Customer Support, Usage |
| Personalizing your experience and providing recommendations | Legitimate interests (improving user experience); Consent (where required for sensitive data) | Profile, Usage, Technical, Content |
| Ensuring safety, security, and fraud prevention | Legitimate interests (protecting our users and Services); Compliance with legal obligations | Identity, Usage, Technical |
| Marketing and advertising our Services | Consent (for electronic marketing); Legitimate interests (promoting our Services) | Identity, Marketing, Usage, Technical |
| Complying with legal obligations | Compliance with legal obligations | All categories as required |
| Establishing, exercising, or defending legal claims | Legitimate interests (protecting our legal rights) | All categories as relevant to the claim |
Where we rely on legitimate interests as a legal basis, we have balanced our interests against your fundamental rights and freedoms.
Where we rely on consent, you have the right to withdraw your consent at any time by contacting us or adjusting your settings. Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal.
How We Share Your Personal Data
The categories of Personal Data described above may be shared with the following recipients for the purposes described in this Policy. We disclose your Personal Data to the categories of service providers and other parties listed in this section. Depending on state laws that may be applicable to you, some of these disclosures may constitute a “sale” of your Personal Data. For more information, please refer to the state-specific sections below.
- Service Providers. These parties help us provide the Services or perform business functions on our behalf. They include:
- Hosting, technology and communication providers.
- Security and fraud prevention consultants
- Payment processors
- Support and customer service vendors
- Marketing and Advertising Partners. We work with advertising partners to promote Candle on third-party platforms. However, these partners receive only technical identifiers (such as device IDs or hashed email addresses) to measure campaign effectiveness and conduct other similar marketing activities. However, we do not share your private messages, partner conversations, shared photos, or responses to personal prompts with any marketing or advertising partner.
- Analytics Partners. These parties provide analytics on web traffic or usage of the Services. They include:
- Companies that track how users found or were referred to the Services.
- Companies that track how users interact with the Services.
- Parties You Authorize, Access or Authenticate
Third-Party Service Providers
We use third-party services to operate Candle, including, without limitation:
- Cloud Hosting Providers: PlanetScale provides database hosting (MySQL/Vitess) with SSL/TLS encryption in transit and encryption at rest.
- Authentication: Clerk (SOC 2 compliant) manages user login and account security. Learn more: Clerk Privacy Policy
- AI Services: OpenAI powers our AI features, including question generation, debate topics, date recommendations, and question rewording. When you use AI features, your prompts may be sent to OpenAI for processing. We do not share your photos or private conversations with OpenAI. Learn more: OpenAI Privacy Policy
- Analytics:
- Amplitude provides product analytics to understand how users interact with our Services. Learn more: Amplitude Privacy Policy
- AppsFlyer provides mobile attribution to measure advertising effectiveness. Learn more: AppsFlyer Privacy Policy
- Advertising Tracking:
- Meta Pixel (Facebook/Instagram) tracks website visits and ad interactions. Learn more: Meta Data Policy
- The TikTok SDK collects app activity and ad interaction data from TikTok campaigns. Learn more: TikTok Privacy Policy
These providers may have their own privacy policies governing their use of your Personal Data.
Legal Obligations
We may share any Personal Data that we collect with third parties in conjunction with any of the activities set forth under “Meeting Legal Requirements and Enforcing Legal Terms” in the “How We Use Your Data” section above.
Government and Law Enforcement Requests
We may disclose Personal Data to government authorities or law enforcement officials when required by law, regulation, or valid legal process (such as a subpoena, court order, or search warrant), or when necessary to protect the safety of any person.
Business Transfers
All of your Personal Data that we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy or other transaction in which that third party assumes control of our business (in whole or in part).
No Data Selling
We do not sell your Personal Data. If our privacy practices change materially, we will notify you in accordance with applicable law.
Aggregated and Anonymous Data
We may create aggregated, de-identified or anonymized data from the Personal Data we collect, including by removing information that makes the data personally identifiable to a particular user. We may use such aggregated, de-identified or anonymized data and share it with third parties for our lawful business purposes, including to analyze and improve the Services and promote our business.
Cookies and Tracking Technologies
We use cookies and similar technologies (such as pixels and SDKs) to operate and improve our Services, analyze usage, and measure advertising effectiveness. For details on the types of cookies we use, your choices for managing them, and your opt-out rights, please see our Cookie Policy.
Opt-Out Preferences
You have choices about how we collect and use your data:
Marketing Communications
You can opt out of receiving marketing emails from us by clicking the “unsubscribe” link in any marketing email or by contacting us at support@trycandle.app. Even if you opt out of marketing emails, we may still send you transactional messages about your account or purchases.
Targeted Advertising
You can opt out of targeted advertising by:
- Adjusting your preferences in your account settings
- Using browser-based opt-out tools such as the Digital Advertising Alliance’s opt-out page at https://optout.aboutads.info/
- Enabling the Global Privacy Control (GPC) signal in your browser, which we honor as a valid opt-out request
Cookie Preferences
You can manage your cookie preferences through your browser settings.
AI-Assisted Features
Candle uses AI to power certain content and personalization features within the Services, such as generating conversation prompts and rephrasing custom questions you write to your Partner for clarity or tone. We do not use your photos, intimate content, or private conversations to train AI models, and we do not share this content with third-party AI providers.
Location Services
With your permission, we collect and use your location information to provide personalized recommendations.
Location Data Collection
With your permission, we may collect location information from your device to power location-based features. This allows us to recommend nearby events, activities, and date venues, provide location-specific content and suggestions, and improve our recommendations based on your area.
Controlling Location Access
You can control location permissions through your device settings at any time. If you disable location services, location-based recommendations may not be available, some features may not function properly, and we will no longer collect location information from your device.
We do not share your precise location with third parties except as described in the “How We Share Your Personal Data” section (such as with mapping or venue database providers necessary to deliver the feature).
Data Retention
This section explains how long we retain your Personal Data and the factors that determine retention periods.
General Retention Principles
We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, provide our Services, comply with legal obligations, resolve disputes, and enforce our agreements.
Specific Retention Periods
| Data Category | Retention Period | Rationale |
|---|---|---|
| Active Account and Profile Data | Duration of account + 30 days after closure | To provide Services and allow reasonable account recovery period |
| User-Generated Content (photos, messages, posts) | Duration of account; deleted within 30 days of account closure | Core service functionality; privacy protection after departure |
| Purchase and Transaction History | 7 years after transaction | Order history, refund eligibility, and legal compliance |
| Payment Information | Duration of account or as required by payment processor; card details may be retained for 180 days to address chargebacks | To process transactions, refunds, and handle payment disputes |
| Account & Billing Records | 7 years after account closure | Tax, accounting, and legal compliance requirements |
| Customer Service Records | 3 years after resolution | Customer service quality, dispute resolution, and legal claims |
| Consent Records | 3 years after consent given or withdrawn | Demonstrating compliance with consent requirements under applicable law |
| Communication Logs and Metadata | 1 year | Legal data retention obligations; security and fraud investigation |
| Identity Verification Data | Retained as part of account data and support records; verification codes are temporary and expired after use | Account security and support purposes |
| Location Data | 1 year | To customize and improve the Services |
| User Uploaded Images | Retained as part of photos and images you upload; follows User-Generated Content retention | Photos are stored for service functionality; no biometric templates extracted or stored separately |
| Security Logs and Audit Trails | 1 year | Security monitoring, incident investigation, and fraud prevention |
| Marketing Preferences | Until you opt out or close your account; suppression lists retained to honor opt-outs | Honoring your communication preferences |
| Aggregated/De-identified Data | Indefinitely | No longer identifiable; used for analytics, research, and service improvement |
Your Deletion Rights
You can delete your account and request deletion of your Personal Data at any time through your account settings or by contacting support@trycandle.app. We will process deletion requests in accordance with applicable law, except where retention is required (such as for tax or accounting purposes).
Inactive Accounts
If your account is inactive for an extended period, we may automatically close it. After automatic closure, your data will be handled as described below.
After You Close Your Account
Candle uses a two-layer deletion process:
Layer 1 - Active Systems: When you delete content or your account, we immediately remove your access to the data from our active systems so it is no longer accessible.
Layer 2 - Backups: Deleted data may persist in backups, archives, and disaster recovery systems for a reasonable period as necessary for:
- Fraud prevention and abuse detection
- Legal compliance and responding to legal requests
- System integrity and disaster recovery
- Dispute resolution and Terms of Service enforcement
While backup data is not accessible in normal operations, it has not been permanently destroyed.
Complete Deletion Requests: If you require complete destruction of all data including backups (for example, to comply with a legal obligation in your jurisdiction), contact us at support@trycandle.app and we will work with you to accommodate your request to the extent technically feasible and legally permissible.
Safety Retention
To protect the safety and security of our users, we may retain limited data following account closure or termination to investigate unlawful or harmful conduct and to prevent individuals who violate our Terms of Service from creating new accounts.
Data Security
We implement industry standard security measures to protect your Personal Data from unauthorized access, use, disclosure, alteration, and destruction, including employee training, confidentiality obligations, and access controls limiting data access to personnel who need it to perform their job duties.
You can help protect your data by:
- Choosing strong, unique passwords and enabling MFA when available
- Keeping your account credentials confidential
- Logging out after using shared devices
- Promptly reporting any suspected unauthorized access to support@trycandle.app
International Data Transfers
We operate globally, which means your Personal Data may be transferred to, stored, and processed in countries other than your country of residence, including the United States and other countries where we, our affiliates, or our service providers operate.
Transfers from the EEA, UK, and Switzerland
When we transfer Personal Data from the European Economic Area (“EEA”), the United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection by the European Commission or other competent authority, we implement appropriate safeguards to protect your Personal Data, including:
- Standard Contractual Clauses: We use standard contractual clauses approved by the European Commission or the UK Information Commissioner’s Office, as applicable, which contractually require the recipient to protect your Personal Data to the same standards required in Europe.
- Adequacy Decisions: Where available, we transfer data to countries that have been recognized as providing adequate data protection.
- Other Safeguards: We may rely on other transfer mechanisms permitted under applicable law, such as binding corporate rules or derogations for specific situations.
Data Controller Information
The entity responsible for your Personal Data under this Privacy Policy is Encore AI Labs, Inc., located at 650 California St, San Francisco, CA 94108.
Children’s Privacy
Our Services are not intended for children under 18 years of age. We do not knowingly collect Personal Data from children under 18. If you are a parent or guardian and believe your child has provided us with Personal Data, please contact us at support@trycandle.app so we can delete that information. If we learn that we have collected Personal Data from a child under 18, we will take steps to delete that information promptly.
Your Privacy Rights
Depending on where you live, you may have certain rights regarding your Personal Data. The table below summarizes these rights and how to exercise them:
| Your Right | How to Exercise It |
|---|---|
| Access or Know Right to confirm whether we process your Personal Data and to receive a copy of it | You can access some data directly by logging into your account. For a complete copy, submit a request at support@trycandle.app. |
| Correction or Rectification Right to correct inaccurate or incomplete Personal Data | You can update most data directly in your account settings. For other corrections, contact us at support@trycandle.app. |
| Deletion or Erasure Right to request deletion of your Personal Data | You can delete some data in your account settings. To close your account and request full deletion, visit your account settings or contact support@trycandle.app. |
| Portability Right to receive your data in a structured, commonly used format | Submit a request at support@trycandle.app to receive a portable copy of your data. Your data export will include your profile information, photos, responses, and activity data. Note: Exports include only YOUR contributions to Shared Content; your Partner’s data is not included. After unpairing, Shared Content is deleted and cannot be exported. |
| Opt-Out Right to opt out of targeted advertising, “sales,” or “sharing” of your Personal Data | Visit “Your Privacy Choices” in your account settings or the footer of our website. You can also enable Global Privacy Control (GPC) in your browser. |
| Restrict or Object Right to object to or restrict certain processing | Contact us at support@trycandle.app to object to specific processing activities described in this Privacy Policy. |
| Withdraw Consent Right to withdraw consent previously given | Update your account settings, adjust device permissions, or contact us at support@trycandle.app. Withdrawal does not affect prior lawful processing. |
| Non-Discrimination Right not to be discriminated against for exercising your rights | We will not deny you services, charge different prices, or provide different quality for exercising your privacy rights. |
For information about rights specific to your state or country, see the sections below.
State Law Privacy Rights
California Resident Rights
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your Personal Data:
- Right to Know: You have the right to request information about the categories and specific pieces of Personal Data we have collected about you, the sources of that data, the purposes for collecting it, and the third parties with whom we share it.
- Right to Delete: You have the right to request that we delete your Personal Data, subject to certain exceptions (such as data needed to complete a transaction or comply with legal obligations).
- Right to Correct: You have the right to request that we correct inaccurate Personal Data we maintain about you.
- Right to Opt-Out of Sale/Sharing: You have the right to opt out of the “sale” or “sharing” of your Personal Data for cross-context behavioral advertising. We do not sell your Personal Data to third parties for monetary consideration. However, our use of certain analytics and advertising services (including Meta Pixel, TikTok SDK, AppsFlyer, and Amplitude) may constitute “sharing” under California law. You can opt out by adjusting your privacy settings in your account or by enabling Global Privacy Control (GPC) in your browser.
- Right to Limit Use of Sensitive Personal Information: If we collect sensitive personal information, you have the right to limit its use to what is necessary to provide the Services.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
To exercise these rights, please contact us at support@trycandle.app. We will respond to verifiable requests within the timeframes required by applicable law.
Nevada Resident Rights
If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Data to third parties who intend to license or sell that Personal Data. You can exercise this right by contacting us at support@trycandle.app with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account.
Consumer Health Data
If you are a resident of Washington or Nevada, please review our Consumer Health Data Privacy Policy, which supplements this Privacy Policy and provides information about how we handle data that may be considered “consumer health data” under the Washington My Health My Data Act or Nevada SB 370.
Other U.S. State Privacy Rights
If you are a resident of Colorado, Connecticut, Montana, Oregon, Texas, Utah, or Virginia, you may have additional rights under your state’s privacy laws, including:
- Right to Access: You have the right to confirm whether we are processing your Personal Data and to access that data.
- Right to Correction: You have the right to correct inaccuracies in your Personal Data.
- Right to Deletion: You have the right to delete Personal Data you have provided to us or that we have collected about you.
- Right to Data Portability: You have the right to obtain a copy of your Personal Data in a portable, readily usable format.
- Right to Opt-Out: You have the right to opt out of:
- Targeted advertising
- The sale of your Personal Data (if applicable)
- Profiling in furtherance of decisions that produce legal or similarly significant effects
To exercise these rights, please contact us at support@trycandle.app. If we deny your request, you may have the right to appeal our decision by contacting us.
Right to Appeal (Certain States)
If you are a resident of Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, or Virginia, and we deny your privacy request, you have the right to appeal our decision. To appeal, contact us at support@trycandle.app with “Privacy Request Appeal” in the subject line, and include:
- Your original request and our response
- The reason you believe we should reconsider
We will respond to your appeal within the timeframe required by applicable law. If you are not satisfied with our response to your appeal, you may contact your state’s attorney general to file a complaint.
EEA, UK, and Switzerland Resident Rights
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) or equivalent laws, including the rights described above as well as the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection laws.
You can find your local data protection authority:
- EEA residents: https://edpb.europa.eu/about-edpb/about-edpb/members_en
- UK residents: Information Commissioner’s Office (ICO) at https://ico.org.uk/
- Switzerland residents: Federal Data Protection and Information Commissioner (FDPIC) at https://www.edoeb.admin.ch/
The data protection authority you may contact is typically that of your habitual residence, your place of work, or the location where the alleged infringement occurred.
Brazil Resident Rights (LGPD)
If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including the rights to access, correct, delete, and port your Personal Data, as well as the right to information about sharing of your data and the right to revoke consent.
To exercise your rights under the LGPD or for any privacy-related inquiries specific to Brazil, please contact us at: support@trycandle.app
You also have the right to file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) if you believe we have not complied with the LGPD.
How to Exercise Your Rights
To exercise any of your privacy rights, you may:
- Email us at support@trycandle.app with “Privacy Request” in the subject line
- Submit a request through our online form at support@trycandle.app
Verification
To protect your privacy, we will verify your identity before fulfilling your request. We may ask you to provide information that matches what we have on file, such as your email address or account information.
Authorized Agents
You may designate an authorized agent to submit requests on your behalf. We may require the agent to provide proof of authorization and may still verify your identity directly.
Response Time
We will respond to your request within the timeframes required by applicable law.
Changes to this Privacy Policy
We’re constantly trying to improve our Services, so we may need to change this Privacy Policy from time to time, but we will alert you to any such changes by placing a notice on the www.trycandle.app website, by sending you an email and/or by other means. Please note that if you’ve opted not to receive legal notice emails from us (or you haven’t provided us with your email address), those legal notices will still govern your use of the Services, and you are still responsible for reading and understanding them. If you use the Services after any changes to the Privacy Policy have been posted, that means you agree to all the changes. Use of information we collect is subject to the Privacy Policy in effect at the time such information is collected.
Related Policies
Contact Information
If you have any questions or comments about this Privacy Policy, the ways in which we collect and use your Personal Data or your choices and rights regarding such collection and use, please do not hesitate to contact us.