Effective Date: December 7, 2025 | Last Updated: December 7, 2025
Welcome to the Tism Privacy Policy. Tism App LLC, a limited liability company organized and existing under the laws of the State of Florida, United States of America, Planet Earth (“we”, “us”, “our”, or “Tism”) is a specialized dating and social-connection platform designed exclusively for autistic and neurodivergent adults aged 18 and over. We recognize the unique sensitivities and vulnerabilities within our community, including the potential for heightened risks related to data privacy, such as doxxing, harassment, or misuse of sensitive health-related information. This policy is crafted with transparency, clarity, and respect in mind, avoiding dense legalese to ensure it's accessible to all users, including those who may prefer straightforward language.
This Privacy Policy details how we collect, use, store, protect, disclose, and manage your personal data. It ensures full compliance with key global privacy laws, including but not limited to:
We are committed to the principles of data minimization, purpose limitation, accuracy, storage limitation, integrity and confidentiality, and accountability. If you are a resident of California, please refer to our supplemental California Privacy Notice at the end of this policy. For residents of other U.S. states with comprehensive privacy laws (e.g., Virginia, Colorado, Connecticut, Utah), your rights are outlined in Section 8.
Tism operates as a sole proprietorship. Depending on your location, the data controller responsible for your personal data is:
Contact us for any privacy-related inquiries:
If you believe your data rights have been violated, you may lodge a complaint with your local supervisory authority (e.g., CNIL in France, ICO in the UK, or the California Attorney General for CCPA issues).
We collect only the data necessary to provide, improve, and secure our services. Data collection is minimized to respect your privacy, especially given the sensitive nature of neurodivergence-related information. Below is a comprehensive breakdown of data categories, examples, sources, purposes, and whether the data is mandatory or optional.
| Category | Examples (Non-Exhaustive) | Source | Purpose(s) | Mandatory/Optional | Sensitive/Special Category? |
|---|---|---|---|---|---|
| Identifiers | Email address, IP address, device ID, username, hashed passwords | Directly from you (e.g., sign-up form); automatically (e.g., server logs) | Account creation, authentication, waitlist management, communications, fraud prevention, personalized service delivery | Mandatory for core services | No, unless linked to sensitive data |
| Internet/Network Activity | User-Agent string, browser type, timestamps, session duration, pages viewed, referral URLs | Automatically via cookies, pixels, or logs | Security monitoring, abuse prevention, analytics for service improvement, debugging | Automatic (opt-out via cookie settings) | No |
| Geolocation (Approximate) | IP-derived country, region, or city; no precise GPS unless consented | Automatically from IP; device if location services enabled | Fraud detection, regional compliance (e.g., age verification laws), future matching features based on broad location | Optional (can be disabled) | No |
| Future Profile Data (Post-2026 Launch) | Photos, bio, preferences (e.g., interests, relationship goals), neurodivergence details (e.g., autism spectrum level if shared), gender identity, sexual orientation | Voluntarily provided by you during profile setup or updates | Core app functionality like matching, profile display, community building; ensuring neurodivergent-only environment | Optional (basic profile mandatory for use) | Yes (special category under GDPR: health, sexual orientation; sensitive under CCPA) |
| Payment/Financial Data | Transaction IDs, payment method type (no full card details stored), billing address | Directly from you or payment processors | Processing subscriptions or premium features (if implemented), refunds, fraud prevention | Mandatory for paid services | No |
| Customer Support Data | Inquiries, complaints, feedback, attached files | Directly from you via support channels | Resolving issues, improving service, compliance with reports | Optional | Possibly (if includes sensitive details) |
| Inferences | Derived preferences from interactions (e.g., inferred interests from profile views) | Generated from other data | Personalization, matching algorithms | Automatic | Possibly sensitive |
We do not collect or process precise geolocation, audio/video recordings, genetic data, or any data unrelated to our core mission. At the waitlist stage, we limit collection to essentials (email, IP, User-Agent). For future app features, any sensitive data (e.g., neurodivergence specifics) is processed only with explicit consent and for the purpose of community verification and matching. We do not use facial recognition or biometrics at this time but may introduce optional verification in 2026 with separate consent.
We process data only where we have a valid legal basis. For special category data (e.g., health/neurodivergence info), we require explicit consent. Below is a detailed mapping:
| Processing Activity | Legal Basis | Explanation & Examples |
|---|---|---|
| Account creation and waitlist management | Performance of a contract (Art. 6(1)(b)) | To fulfill our agreement to add you to the waitlist and notify you upon launch. Example: Using your email to send confirmation and updates. |
| Fraud prevention and security | Legitimate interests (Art. 6(1)(f)) | Our interest in maintaining a safe, neurodivergent-only space outweighs risks. We conduct balancing tests and DPIAs for high-risk activities. |
| Processing sensitive data (e.g., neurodivergence details) | Explicit consent (Art. 9(2)(a)) | You must affirmatively opt in; consent is granular, informed, and revocable without detriment. |
| Marketing communications | Consent (Art. 6(1)(a)) | Optional; you can unsubscribe anytime via email links or settings. |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) | E.g., responding to law enforcement requests or tax audits. |
For CCPA/CPRA, we do not "sell" or "share" data for targeted advertising. Any sharing is for operational purposes only (see Section 5).
We use data to deliver, personalize, and secure our services. Examples:
We employ advanced measures to protect our community:
With consent, we may send promotional emails or conduct anonymized research on community trends. No targeted ads without opt-in.
We retain data only as long as necessary, with strict limits:
| Data Type | Retention Period | Reason | Deletion Process |
|---|---|---|---|
| Waitlist Emails & Identifiers | Until December 31, 2026 or consent withdrawal | Service fulfillment | Secure erasure; backups purged within 90 days |
| Security Logs (IP, User-Agent) | 180 days max | Fraud investigation | Automatic anonymization or deletion |
| Sensitive Profile Data | Until account deletion + 30 days | User control | Irreversible hashing or full wipe |
| Support Tickets | 6 years | Legal defense | Pseudonymized after resolution |
Upon deletion request, we confirm within 10 days and complete within 30 (GDPR) or 45 (CCPA) days.
We share data only with trusted parties under strict contracts (GDPR Art. 28 DPAs). No sales or unrelated sharing.
| Recipient Type | Examples | Purpose | Safeguards | Location |
|---|---|---|---|---|
| Hosting Providers | Contabo GmbH (Germany), AWS (US) | Data storage and processing | EU SCCs (2021/914), encryption, access controls | EU/US |
| Security/CDN | Cloudflare, Inc. | DDoS protection, traffic management | SCCs, BCRs, regular audits | Global |
| Email Services | SendGrid or equivalent | Transactional emails (e.g., waitlist confirmations) | DPA, SCCs, TLS encryption | US |
| Payment Processors | Stripe, PayPal | Future premium features | PCI DSS compliance, pseudonymization | US/EU |
| Legal/Regulatory | Law enforcement, courts | Compliance with subpoenas | Only upon valid legal request; user notification where possible | Varies |
We audit sub-processors annually and ensure they meet GDPR adequacy standards. For CCPA, these are "service providers" not involving sale/sharing.
Data may be transferred outside your jurisdiction. Primary storage: US (with EU mirrors for EEA users).
We conduct TIAs for all non-adequate transfers and make summaries available upon request.
You have extensive rights over your data. Requests are free (unless excessive) and verified via email/IP checks.
How to Exercise: Email chad@cummings.law with your request, including verification details. Response times: 30 days (GDPR), 45 days (CCPA, extendable). Appeals: If denied, appeal within 30 days; we respond within 60 days.
We implement robust technical and organizational measures (TOMs) per GDPR Art. 32 and CCPA requirements:
In case of a breach, we notify affected users and authorities as required.
We do not engage in automated decision-making with legal or significant effects (GDPR Art. 22). Future matching algorithms may involve profiling for recommendations, but:
Tism is exclusively for adults 18+. We do not knowingly collect data from minors. If discovered:
We use age gates and verification to enforce this.
We use cookies for essential functions, analytics, and (with consent) marketing. See our separate Cookie Policy for details:
We may update this policy to reflect changes in practices or laws. We will notify you of material changes (e.g., new data uses) via email at least 30 days in advance. Continued use constitutes acceptance. Non-material changes are effective immediately. Archived versions are available upon request.
This supplements the main policy for California residents:
Data transfers are protected as described in Section 7. Supervisory authorities: EDPS (EU), ICO (UK), FDPIC (Switzerland).
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA): Similar rights to CCPA; no material differences in our practices.
We comply with PIPEDA (Canada), LGPD (Brazil), etc., via equivalent protections.