Privacy Policy
Last updated: 7 March 2026
Jabalna ("we", "us", "our") operates the Jabalna platform (the "Service"), an invitation-only dating service for the Druze community. We are committed to protecting your privacy and handling your personal data responsibly.
This Privacy Policy explains what information we collect, how we use and protect it, who we share it with, and your rights regarding your personal data. It applies to all users worldwide and is designed to comply with applicable privacy laws including the Australian Privacy Act 1988, the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA), and other relevant legislation.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Information We Collect
1.1 Information You Provide
- Account information: First name, last name, email address, and password.
- Profile information: Display name, date of birth, gender, partner preferences, location (city and country), education, occupation, height, languages spoken, "about me" text, tradition level preference, and whether you have or want children.
- Photos: Profile photos you upload (maximum six).
- Compatibility questionnaire answers: Your responses to questions about values, intentions, lifestyle, communication style, and diaspora experience. These may include free-text responses.
- Verification documents: If you choose to verify your identity, you may submit a photo or identification document.
- Messages: The content of messages you send to other users through the Service.
- Reports and feedback: Information you provide when reporting another user or contacting support.
1.2 Information Generated by the Service
- Compatibility vectors: Mathematical representations of your questionnaire answers, generated entirely on our servers using a deterministic algorithm. These vectors are used to calculate compatibility scores between users. No external artificial intelligence services are used for this purpose.
- Interaction records: Records of likes, passes, matches, and blocks between users.
- Activity timestamps: When you last signed in and when you last read a conversation.
1.3 Information Collected Automatically
- Session data: We use encrypted cookies to maintain your login session. Cookies contain a session identifier and are set with the Secure, HttpOnly, and SameSite attributes. No third-party tracking cookies are used.
- Server logs: Our servers record request metadata (page visited, timestamp, and a randomly generated request identifier) for operational and security purposes. Logs do not contain your personal information beyond your internal user identifier.
- Analytics: We may use Plausible Analytics, a privacy-focused analytics service that does not use cookies, does not collect personal data, and does not track users across sites. No data is shared with advertising networks.
1.4 Information We Do Not Collect
- We do not collect or store your IP address in our database.
- We do not collect precise geolocation data. Your location is based only on the city and country you provide.
- We do not collect financial or payment information.
- We do not access your device contacts, camera, microphone, or other device sensors.
2. How We Use Your Information
We use your information for the following purposes:
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the Service: creating your account, displaying your profile to potential matches, calculating compatibility scores, and enabling messaging. | Performance of contract |
| Communicating with you: sending email verification, password reset links, match notifications, and invitation links. | Performance of contract |
| Safety and moderation: reviewing reports, enforcing our community guidelines, detecting abuse, and preventing fraud. | Legitimate interest |
| Security: protecting your account through password hashing, session management, rate limiting, and CSRF protection. | Legitimate interest |
| Improving the Service: understanding usage patterns through aggregated, non-identifying analytics. | Legitimate interest |
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects. Compatibility scores are mathematical calculations based on your questionnaire answers and are provided as suggestions only.
3. How We Protect Your Information
3.1 Encryption
- Messages: All message content is encrypted at rest using AES-256-GCM, an industry-standard authenticated encryption algorithm. Messages are encrypted before being written to the database and decrypted only when retrieved by an authorised participant in the conversation.
- Data in transit: All connections to the Service are encrypted using TLS (HTTPS). HTTP requests are automatically redirected to HTTPS in production.
- Sessions: Session cookies are cryptographically signed and encrypted, transmitted only over HTTPS, and not accessible to client-side scripts.
3.2 Password Security
- Passwords are never stored in plaintext. We store only a one-way hash using the bcrypt algorithm with a high computational cost factor.
- Minimum password length is enforced.
- Accounts are temporarily locked after repeated failed login attempts.
3.3 Token Security
- All sensitive tokens (email verification, password reset, invitations) are cryptographically hashed before storage. The raw token is sent to you once and is never stored by us.
- Password reset tokens expire after 2 hours. Invitation tokens expire after 3 days.
3.4 Application Security
- Cross-site request forgery (CSRF) protection on all state-changing requests.
- Strict Content Security Policy (CSP) headers to prevent cross-site scripting.
- Rate limiting to prevent brute-force attacks and abuse.
- Input sanitisation to prevent injection attacks.
- Security headers including X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.
4. Who We Share Your Information With
4.1 Other Users
Your profile information (display name, age, location, photos, about me, and compatibility answers) is visible to other authenticated users of the Service for the purpose of matching. Your email address, last name, and account details are never shared with other users.
4.2 Service Providers
We use the following third-party service providers who process data on our behalf:
| Provider | Purpose | Data shared |
|---|---|---|
| Postmark (ActiveCampaign) | Transactional email delivery | Email address, first name, and email content (verification links, notifications) |
| Render | Application and database hosting | All data stored by the Service (encrypted at rest where noted) |
| Plausible Analytics | Privacy-focused website analytics | Aggregated page view data only. No personal data, no cookies, no cross-site tracking |
4.3 Who We Do Not Share With
- We do not sell, rent, or trade your personal data to any third party.
- We do not share data with advertising networks or data brokers.
- We do not send your data to any external artificial intelligence or machine learning service.
4.4 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or enforceable governmental request. We will notify you of such disclosure where legally permitted.
5. Data Retention
| Data type | Retention period |
|---|---|
| Account and profile data | Retained while your account is active. Deleted when you delete your account. |
| Messages | Retained (encrypted) while the conversation exists. Deleted when either participant deletes their account or blocks the other user. |
| Compatibility vectors | Deleted with your profile when you delete your account. |
| Photos and verification documents | Deleted when you delete your account. |
| Interaction records (likes, matches, blocks) | Deleted when you delete your account. |
| Reports you have filed | May be retained after account deletion for safety and legal purposes. |
| Server logs | Retained according to our hosting provider's default retention period. |
| Session cookies | Expire after 24 hours, or 30 days if you select "Keep me signed in". |
When you delete your account, your profile, photos, answers, compatibility vectors, messages, conversations, and interaction records are permanently destroyed. We do not retain copies of this data after deletion, except where we are legally required to do so.
6. Your Rights
Depending on your location, you may have some or all of the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Correct inaccurate or incomplete personal data. You can update most information directly through your profile settings. |
| Erasure | Request deletion of your personal data. You can delete your account at any time through the Service. |
| Restriction | Request that we limit processing of your data in certain circumstances. |
| Portability | Receive your personal data in a structured, commonly used, and machine-readable format. |
| Objection | Object to processing based on legitimate interests. |
| Withdrawal of consent | Where processing is based on consent, withdraw that consent at any time. |
6.1 For EU/UK Residents
Under the GDPR and UK Data Protection Act, you have all of the rights listed above. If you believe your rights have been infringed, you have the right to lodge a complaint with your local data protection authority.
6.2 For California Residents
Under the CCPA, you have the right to know what personal information we collect, the right to delete your personal information, and the right to opt out of the sale of personal information. We do not sell your personal information. You will not receive discriminatory treatment for exercising your rights.
6.3 For Australian Residents
Under the Australian Privacy Act, you have the right to access and correct your personal information. If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
To exercise any of these rights, please contact us using the details in Section 11 below. We will respond to your request within 30 days.
7. Cookies
We use only essential cookies that are strictly necessary for the Service to function:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Maintains your authenticated session and CSRF protection | 24 hours (or 30 days with "Keep me signed in") |
We do not use advertising cookies, tracking cookies, or any third-party cookies. No consent banner is required because we use only essential cookies as defined under applicable cookie legislation.
8. International Data Transfers
The Service is hosted on Render servers located in Frankfurt, Germany, within the European Union. Your data is stored and processed within the EU.
Certain third-party service providers (such as our email delivery provider) may process limited data outside the EU. Where this occurs, we ensure appropriate safeguards are in place, including:
- Encryption of data in transit and at rest.
- Contractual protections with our service providers.
- Standard Contractual Clauses where required under Chapter V of the GDPR.
- Minimisation of data shared with third parties.
9. Children's Privacy
The Service is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a person under 18, we will delete that data promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by displaying a prominent notice within the Service before the changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.
We encourage you to review this page periodically for the latest information on our privacy practices.
11. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a privacy concern, please contact us:
- Email: privacy@jabalna.app
- Support: jabalna.app/support
We aim to respond to all privacy enquiries within 30 days.