Privacy Policy

Intentional App LLC · Effective July 2026 · Version 1.2

Threshold is operated by Intentional App LLC (“we,” “us,” “our”), a Florida limited liability company. This policy explains what we collect, what we do with it, and what we do not do with it. Threshold is available to users in the United States, including Puerto Rico and the U.S. Virgin Islands. By using Threshold, you agree to the practices described here.

The short version. We do not sell your data. We do not show ads. We do not track you across other apps. We do not read your location from your phone. We do not use machine learning or behavioral profiling to decide who you see. And when you delete your account, it is deleted immediately and permanently.

1. What we collect

Account and profile

Your name, phone number, email address, date of birth, the city you type in, photos, bio, and the profile attributes you choose to share — which may include occupation, company, and optional self-identified attributes such as ethnicity and religion.

You can create an account with your phone number, with Sign in with Apple, or with Google. From Apple we receive an identifier, your name on first sign-in, and an email address (which may be an Apple private-relay address if you choose to hide yours). From Google we receive an identifier, your name, email, and profile picture. Phone sign-in is verified by SMS code through Twilio.

We never receive or store your payment card details.

Identity and age verification — our biometric data notice

This section is our biometric data notice and retention schedule. It tells you what biometric information is collected, the specific purpose, exactly how long it is kept, and when it is destroyed. You will be asked to consent to this separately, before anything is collected — accepting this policy alone is not consent.

Before you can use Threshold, we verify that you are a real adult. Our verification provider, Didit, collects and processes:

The specific purpose. The facial geometry scan is used for exactly three things and nothing else: to confirm that your ID is authentic and belongs to you; to confirm that you are a real, live person rather than a photo, video, or mask; and to confirm that you are 18 or older. We do not use it to identify you anywhere else, we do not use it for matching, we do not use it for advertising, and we never sell, lease, trade, or otherwise profit from it.

How long it is kept, and when it is destroyed. This is our retention and destruction schedule:

DataHeld byRetentionDestroyed
Facial geometry scan, live selfie, ID imageDidit, our processorNo longer than one month from verificationAt the earliest of: one month from verification; the date you delete your Threshold account; or the date the verification purpose is satisfied
Verification status (pass / fail)ThresholdWhile your account is activeImmediately on account deletion
Over-18 indicator (true / false)ThresholdWhile your account is activeImmediately on account deletion
Record of your consent — a timestamp and the version of the notice you agreed to. Contains no image, selfie, or facial scan.Threshold5 years from consent, including after you delete your account5 years from consent

Why we keep the consent record after you leave. If you ever claimed we scanned your face without asking, this record is the only thing that proves we did ask, and shows exactly what you were told. Deleting it would not protect your privacy — it holds no image and no biometric data — it would only destroy our ability to demonstrate we acted properly. The law permits keeping records needed to defend against legal claims, and five years is the period during which such a claim can be brought. We keep it for exactly that long, and no longer.

Threshold itself never stores your biometric information. We do not store your ID image, your selfie, or your facial geometry scan. Didit performs the processing and returns a result. From that result we keep only two things: a verification status, and a true/false indicator that you are over 18. Your date of birth from the ID is used to compute that indicator and is then discarded. We do not receive or retain document numbers, addresses, or any facial-recognition score.

Your consent. We ask for your consent to this biometric processing before it happens, as a separate and specific step — not bundled into your acceptance of these policies. You may decline. Verification is how Threshold keeps the community real, so you will not be able to use the service without completing it — but the choice is yours to make before anything is collected.

Disclosure. We do not disclose, redisclose, or otherwise disseminate your biometric information to anyone except Didit, which processes it on our behalf, and except where disclosure is required by law, warrant, or subpoena. Didit processes this data outside the United States.

What we do not do. We do not perform one-to-many facial searching. We do not maintain a facial-recognition database of our users. We do not use facial recognition to find you in other photos, to track you, or for any purpose beyond the one-time verification described above.

Location

Threshold does not ask for location permission and does not read GPS or any other location signal from your device. The app has no location permission on iOS or Android. We collect only the city or area that you type into your profile.

We use that city to show other users an approximate distance band — for example, “less than 3 miles” or “more than 60 miles.” We never show or share an exact distance or an exact position. Where we derive any coarse approximation from the city you typed, it is snapped to a wide grid and randomly offset so that a precise location cannot be reconstructed from it.

Images, and how they are moderated

Every image you upload — both your profile photos and any image you send inside a conversation — is automatically scanned before it is shown to anyone. Two independent checks run on every image.

1. Known child sexual abuse material (PhotoDNA). We use Microsoft PhotoDNA to check every image against the National Center for Missing & Exploited Children’s database of known child sexual abuse material. Your image itself is never sent to Microsoft. We compute a mathematical signature (a hash) of the image on our own infrastructure and send only that signature to be compared. The image cannot be reconstructed from it, and no human at Microsoft or at Threshold views your image as part of this check.

2. Content classification (Sightengine). The image is sent to Sightengine, an image-classification service, which checks for nudity and sexual content, weapons, drugs, offensive content, AI-generated or manipulated images (including deepfakes), and the presence of faces — including an automated estimate of whether a face in the image appears to belong to a minor. That last check exists for one reason: to keep child sexual abuse material off Threshold, including material that is new and not yet in any database.

What we keep from these checks. We store only the results — scores and flags such as a nudity score, whether a face was detected, how many faces, a minor-likelihood score, and the reasons an image was flagged. We do not store a facial geometry template or any other biometric identifier from this scanning, and neither Sightengine nor Microsoft retains your images to build one. Neither is a generative-AI service, and your images are not used to train any AI model.

These checks are a gate, not a suggestion. An image becomes visible only if it passes. If a check fails, errors, or cannot be completed, the image is held or rejected rather than published.

If child sexual abuse material is detected. The image is blocked and never delivered, the account is suspended, and a preserved copy of the evidence is stored in encrypted, access-controlled storage at Cloudflare R2 so that it can be reported to the National Center for Missing & Exploited Children (NCMEC) as federal law requires. We are legally obligated to report this material, and we do.

Messages and activity

The content of your messages, and basic activity such as matches and conversation status, so that the service works.

Technical and diagnostics

Device type and model, operating-system version, app version, and crash and error diagnostics through Sentry. We do not attach your name, email address, phone number, IP address, or user ID to error reports, and message and profile content is removed before an error report is transmitted. Identifiers that do appear in error data are scrubbed.

Push notifications

A device push token, used only to deliver notifications through Apple and Google (Firebase Cloud Messaging). Notification content is generic — for example, “You have a new message” — and never contains message text or sender names.

Purchases

Purchase and subscription history through Apple and Google, managed by RevenueCat. Again: we never receive your card details.

2. How we use it

What we do not do. We do not use machine learning or behavioral profiling to decide who you see. We do not score or rank users against one another. We do not build a hidden profile of you from how you behave in the app. Introductions are based on what you and other people have each stated — nothing more.

3. Who we share it with

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We show no third-party ads, and we do not track you across other companies’ apps or websites. We share data only with the providers needed to run Threshold:

ProviderPurpose
SupabaseDatabase, authentication, and photo storage
DiditGovernment ID and biometric liveness verification (processed outside the US)
Microsoft (PhotoDNA)Matching image signatures against the NCMEC known child-sexual-abuse-material database (signatures only — images are never sent)
SightengineAutomated moderation of profile photos and images sent in messages, including face detection and minor-likelihood estimation
Cloudflare (R2)Encrypted, access-controlled preservation of evidence in child-safety cases, as required by federal law
NCMECRecipient of legally mandated reports of child sexual abuse material
TwilioSMS verification of your phone number
RevenueCatIn-app purchase and subscription management
Firebase Cloud Messaging (Google)Push-notification delivery
SentryCrash and error diagnostics

We may also disclose information where the law requires it, to protect the safety of users or the public, or in connection with a business transfer — in which case we will notify you of the change in ownership.

No AI provider receives your content. Threshold does not send your messages, your profile, or your photos to any generative-AI or large-language-model provider. If that ever changes, we will update this policy before it does.

4. Sensitive information

Some things you may choose to share — such as self-identified ethnicity or religion — are treated as “sensitive personal information” under California law.

We do not use ethnicity, religion, or any other protected characteristic to decide who you see or who sees you. These attributes are permanently excluded from how introductions are surfaced. They appear on your profile only if you choose to share them, and they are used for nothing else.

5. Deleting your account, and how long we keep things

You can delete your account at any time in the app: Profile → Settings → Delete Account → Delete permanently. You can also email support@intentionalapp.co from the phone number or email tied to your account.

Deletion is immediate and permanent. There is no grace period and it cannot be undone. When you confirm, your profile, photos, bio, matches, and messages are erased from our live systems right away.

DataWhat happens when you delete your account
Profile, photos, bio, attributesPermanently deleted, immediately
MatchesPermanently deleted, immediately
Message content and previewsPermanently deleted, immediately
Phone number, email, account identifiersPermanently deleted, immediately
Verification status and over-18 indicatorPermanently deleted, immediately
Record that you consented to identity verification (timestamp + notice version; no image or facial scan)Retained for 5 years — see the biometric notice above for why
Image-moderation results (scores and flags)Permanently deleted, immediately
Abuse reports involving youDeleted — unless subject to a legal preservation hold (see below)
Evidence preserved in a child-safety caseRetained. Federal law requires us to preserve this and we cannot delete it on request
Purchase records held by Apple, Google, or RevenueCatHeld by those providers under their own policies; we do not control them
ID image, selfie, and facial geometry held by DiditHeld by Didit under its own retention period and policy
Residual copies in our encrypted backupsAge out within 30 days

Preservation holds. In narrow cases — where the law requires us to preserve records, or where content must be reported to authorities, such as child sexual abuse material — we may be legally required to retain specific records rather than delete them. Where a preservation hold applies, deletion of that record is blocked until the hold is lifted.

While your account is active:

When you delete an individual message, its content is removed from our systems, including any stored preview of it.

6. Your rights

You may access the personal data we hold about you, correct it if it is wrong, and delete your account and data. Most of this you can do directly in the app under Settings. For anything else, email privacy@intentionalapp.co. We respond to requests within 45 days.

California residents have additional rights under the CCPA/CPRA, including the rights to know, delete, correct, and limit the use of sensitive personal information, and the right not to be treated differently for exercising them. We do not sell personal information and we do not share it for cross-context behavioral advertising. We extend these same rights to every Threshold user, regardless of where you live.

7. Security

We protect your information with encryption in transit (TLS), encryption at rest, and strict access controls. Private messages are encrypted in transit and stored on access-controlled infrastructure. Threshold is not end-to-end encrypted.

Things we deliberately do not hold. The most reliable way to protect data is not to have it. We do not collect Social Security numbers. We do not collect home addresses. We do not receive or store payment card details. We do not store your biometric information. We do not read location from your device. Data we never collect cannot be stolen from us.

How we limit access. Every table in our database enforces row-level security, so users can only reach their own records — this is enforced by the database itself, not just by application code. Administrative access requires multi-factor authentication and is logged.

No system is perfectly secure, and any company that tells you otherwise is selling something. But we design on the assumption that a breach is possible, and we minimize what a breach could expose.

If there is a breach. If we learn of a breach affecting your personal information, we will notify you and the appropriate authorities as required by law.

8. Messages and moderation

Your messages are private between you and the person you are talking to. To keep people safe, we may review message content when we need to investigate a report of abuse or harassment, to comply with the law, or to detect and report illegal content such as child sexual abuse material.

9. Children

Threshold is strictly for adults 18 and over. We do not knowingly collect information from anyone under 18, and we use identity and age verification to enforce that. If we learn that we have collected information from a minor, we will delete it promptly and report it as the law requires. If you believe a minor is using Threshold, contact us immediately.

10. Changes, and how to reach us

We may update this policy. If we make a material change, we will tell you in the app or by email before it takes effect.

Privacy questions: privacy@intentionalapp.co