Privacy Policy — Paper Boat

Introduction

Your privacy matters to us. This policy explains what information Paper Boat collects, why we collect it, and how we use it. It is written in plain English, because you deserve to understand what you are agreeing to.

This policy applies to our website at https://paperboat.world and the Paper Boat app on iOS and Android. By using either, you agree to what is described here. If anything is unclear, please contact us at [email protected].

Paper Boat is operated by Paper Boating Ltd, a company registered in England and Wales (company number 17215019). Our registered address is Unit 2, Wayners, Ashton, Leominster, HR6 0DN.

Definitions

The following terms are used throughout this policy:

Term	Meaning
Company / we / us	Paper Boating Ltd, registered in England and Wales (company number 17215019) at Unit 2, Wayners, Ashton, Leominster, HR6 0DN. We make Paper Boat.
Country	The United Kingdom, where Paper Boat is based.
Device	Any internet-connected device — phone, tablet, or computer — used to access Paper Boat.
IP address	A number assigned to your device when it connects to the internet. It can indicate your approximate location.
Personal Data	Any information that can identify you, directly or in combination with other information.
Service	The Paper Boat app (iOS and Android) and website at https://paperboat.world.
Snap grid	A private shared space between two Paper Boat users where images and text messages can be exchanged. Snap grid content is not visible to any other users.
SSO	Single Sign-On. A method of registering or logging in using an existing account with a third-party provider — in Paper Boat's case, Google or Apple.
You	The person using Paper Boat.

What We Collect

Account Data

You may register for Paper Boat in one of three ways: directly with your email address and a password, via Google Sign-In, or via Apple Sign In. In all cases, the following is collected:

Your email address — or, if you choose Apple Sign In and select Hide My Email, an Apple-generated relay address that forwards to your real inbox. In this case Paper Boat never sees your real email address.
Your age — collected at registration to confirm you are 18 or over. Paper Boat is an adult platform. Age is not displayed to other users.
Your password — if you register directly with your email address, you set a Paper Boat password at registration. Passwords are stored using bcrypt one-way hashing and cannot be read by us. If you register via Google Sign-In or Apple Sign In, no Paper Boat password is created — authentication is handled entirely by your chosen provider.
Your IP address — recorded at registration and each time you sign in. Your registration IP address is retained against your account. A rolling 90-day history of login IP addresses is also retained. We use IP addresses for security monitoring and to support content moderation and safety investigations. IP address records are accessible to our administrator and may be included in safety reports where legally required. Login IP history older than 90 days is automatically and permanently deleted.

Where you register via Google Sign-In or Apple Sign In, we also receive and store a unique provider ID from Google or Apple. This is used to verify your identity when you sign in using those services. No other data is requested from those providers beyond what is listed above.

Search Visibility Preferences

Paper Boat does not collect or store your gender as a profile attribute. Instead, you control your own discoverability through search visibility preferences — choosing which groups of users can find you. These preferences are stored server-side against your account and are necessary to provide the search and discovery features of the service.

Because visibility preferences may, in combination, allow inferences about a user's characteristics — including characteristics protected under data protection law, such as sexual orientation — we process these preferences on the basis of your explicit consent under Article 9(2)(a) UK GDPR. Before you set your visibility preferences for the first time, we ask for your explicit consent with a clear explanation of what that processing involves. You may withdraw or change your preferences at any time within the app, and withdrawal does not affect the lawfulness of any processing that took place before withdrawal.

Snap Grid Content

When you use a snap grid with another user, the images and text messages you share are stored on our servers. This content is private between the two users sharing that space — it is not accessible to any other users of Paper Boat.

Profile images are the only images shared more broadly — these are visible to other users as part of your public profile.

When you upload any image to Paper Boat, we automatically capture and store the following forensic metadata alongside the image: a SHA-256 cryptographic hash of the image file; any EXIF metadata embedded in the image (such as camera model or capture timestamp, where present); the IP address from which the upload was made; and the timestamp of the upload. This metadata is used for content safety verification and, where required, for the preparation of reports to law enforcement or safety authorities. It is not visible to other users.

Phone Number (Optional)

Paper Boat includes an optional phone number verification step. If you choose to verify your phone number, we collect your phone number and send a one-time verification code (OTP) via SMS. Your phone number and verification status are stored against your account. Phone number verification is optional and does not affect your access to Paper Boat's core features. Your phone number is not displayed to other users and is not used for any purpose other than verification and, where legally required, safety reporting.

Push Notification Tokens

If you grant permission for push notifications, we store your Firebase Cloud Messaging (FCM) token against your account. This token is used solely to send you service notifications — such as new snap grid activity and subscription renewal reminders (sent approximately 5 days before your next renewal date, so you have a fair opportunity to manage or cancel before being charged). We do not use it for advertising or share it with third parties. You may withdraw this permission at any time through your device settings.

Your Connections and Snap Grid Lifecycle

Paper Boat gives you meaningful control over your connections and the content you share. The following explains how different connection states affect your data.

Forget

You may choose to forget a connection. When you do, the snap grid and all shared content is hidden from both users but preserved on our servers. The connection may be restored at any time by either user, at which point the snap grid content reappears exactly as it was. Forgotten content is retained until either user permanently deletes their account, at which point it is deleted immediately.

Remove

You may choose to remove a connection. This is permanent. The connection and all shared snap grid content — images and messages — is immediately and permanently deleted for both users. This action cannot be undone.

Report

When you report another user, the following occurs immediately and automatically:

The connection between you and the reported user is broken.
The shared snap grid content is no longer accessible to either user.
The reported content is submitted for automated scanning (see Content Moderation below).
If the automated scan detects high-risk signals — adult or violent imagery rated LIKELY or VERY_LIKELY, or severely negative text sentiment — the reported user's account is automatically suspended pending human review.
If no high-risk signals are detected, the account remains active but is flagged for administrator review.

Reported snap grid content is retained by us for moderation and legal purposes for up to one year after the reported user's account deletion, then permanently deleted. It is not accessible to either user during this period.

Regardless of the outcome of any review, the reported user will not reappear in your connections or search results. The separation is permanent from your perspective.

Account Deletion

When you delete your account, all of your connections are dissolved immediately. All shared snap grid content — including content in Forgotten connections — is deleted immediately from our servers. Your account and profile data is permanently deleted within 60 days.

Content Moderation

Keeping our users safe is central to what Paper Boat is about. We operate a systematic, evidence-based moderation process.

How Moderation Works

Paper Boat operates two layers of automated content moderation: proactive checking at the point of upload, and scan-gated review triggered by user reports.

Proactive Upload Screening

Every image uploaded to Paper Boat is checked against two independent hash databases of known child sexual abuse material (CSAM) before it is stored on our servers.

IWF Hash List. A SHA-1 cryptographic hash of the image is computed and compared against the Internet Watch Foundation's database of confirmed CSAM hashes. No image data is transmitted to IWF — only the hash. The IWF is a UK-based charity; no international transfer is involved.

NCMEC Hash List. An MD5 cryptographic hash of the image is computed and compared against the National Center for Missing & Exploited Children's hash database. NCMEC is a US-based non-profit organisation; hash transmission is subject to the data transfer safeguards described under International Transfers below. No image data is transmitted — only the hash.

If a match is found in either database, the upload is blocked immediately and the image is never stored. These checks are the first things that happen on every image upload.

Vision SafeSearch screening. After the hash checks pass and the image is stored, every uploaded image is also submitted to Google Cloud Vision AI for automated SafeSearch analysis. This detects novel content — imagery not yet present in any hash database — flagged as likely adult or violent. Where Vision AI returns LIKELY or VERY_LIKELY for adult or violent content, the uploading user's account is automatically suspended pending human administrator review. This constitutes automated decision-making — see the Automated Decision-Making Disclosure below.

Report-Triggered Scanning

When a report is submitted, the following occurs automatically and in sequence:

The reported user's wardrobe profile images are submitted to Google Cloud Vision AI for SafeSearch analysis. The worst result across all wardrobe images is used. Shelf images are not re-scanned at report time — they were individually scanned by Vision AI at the moment of upload.
Vision AI returns a likelihood score for adult and violent content categories.
The reported user's combined written content — specifically their toggle items, snap items, and snap grid items — is submitted to Google Cloud Natural Language API using two methods: sentiment analysis (returning a sentiment score and magnitude) and content moderation category analysis (returning confidence scores for harmful content types, including toxic, violent, sexual, harassing, and derogatory content).
All scan scores are stored against the report record in our database.
Where Vision AI returns LIKELY or VERY_LIKELY for adult or violent content, where Natural Language sentiment falls below a defined negative threshold, or where Natural Language content moderation returns a high confidence score for a harmful category, the reported user's account is automatically suspended pending human review.
Where no high-risk signals are detected, the account remains active but is flagged for administrator review.

An administrator reviews every report together with the scan scores and makes one of three decisions: uphold the suspension, reinstate the account, or escalate for further investigation.

Both Google Cloud services process content transiently — images and text are processed in memory and are not stored on Google's servers. Google temporarily logs request metadata (timestamp and request size) for service improvement purposes.

Automatic Law Enforcement Reporting

In certain circumstances Paper Boat automatically files reports with law enforcement and child safety authorities without requiring any human administrator to view the content in question. This occurs in two situations:

Confirmed hash match. If an image matches a hash in either the IWF or NCMEC database of known child sexual abuse material, an automatic report is filed with the National Crime Agency's Child Sexual Exploitation and Abuse Image Reporting Portal (NCA CSEA-IRP) under the Online Safety (CSEA Image Reporting) Regulations 2026 (SI 2026/268). A separate electronic report is also submitted to the NCMEC CyberTipline. A hash match represents a confirmed known image — no probabilistic assessment is involved.

Vision AI HIGH_RISK adult content detection. If Vision AI returns LIKELY or VERY_LIKELY for adult content — whether at upload time or following a user report — an automatic report is filed with the NCA CSEA-IRP. Ages cannot be determined from imagery without viewing the content. The possibility of child sexual abuse material cannot therefore be excluded, and OSA 2023 s.66 "reasonable grounds to suspect" is satisfied by the detection alone. We do not require an administrator to view the content before filing — this is deliberate. Law enforcement agencies have trained professionals and legal authority to assess such content.

These automatic filings include forensic evidence data: the image hash, upload IP address, upload timestamp, EXIF metadata, and account identifiers. They do not include any content from other users or any data beyond that which relates to the detected image and the account that uploaded it.

We are registered with the NCA CSEA-IRP (registered May 2026) and operate this reporting pipeline in compliance with SI 2026/268.

We do not notify individuals who are the subject of a report. Where we have filed or are about to file a report with the NCA, NCMEC, or any other law enforcement or child safety authority, we do not inform the individual concerned. Providing such notification would be likely to prejudice the prevention or detection of crime and the apprehension or prosecution of offenders. We rely on the exemption at Schedule 2, paragraph 2 of the Data Protection Act 2018 to withhold transparency obligations in these circumstances. This is not a blanket exemption — it is applied only where providing notice would, in the specific circumstances, present a real risk of prejudicing an active or prospective law enforcement investigation.

Automated Decision-Making Disclosure

The automatic suspension of a user's account — whether triggered by upload-time Vision SafeSearch scanning or by report-triggered scan signals — constitutes automated decision-making under Articles 22A–22D of UK GDPR (as amended by the Data (Use and Access) Act 2025), as it has a significant effect on that user. We are transparent about this: every suspension triggers an immediate human administrator review by email alert. The automated suspension is a precautionary safety measure; the substantive decision about the account is made by a human administrator with the benefit of the scan evidence. Where scan scores do not reach the high-risk threshold, no automated account action is taken and the matter proceeds directly to human review.

The blocking of an upload via the IWF or NCMEC hash checks also constitutes automated decision-making, as it prevents you from publishing content. Both IWF and NCMEC hashes represent confirmed known CSAM — a hash match is not probabilistic. No human review of a blocked upload is required or offered; the block is final.

Paper Boat's search and discovery features match users based on shared visibility preferences. We do not use automated scoring, ranking, or profiling of users for discovery purposes. No inference about individual users is made or stored beyond the explicit preferences each user sets.

If your account is suspended, you have the right to request human review of that decision by contacting [email protected]. We will respond within one month.

What We Store

When a report is made, the following is stored in our database:

The report record — who made the report, who was reported, and which content was reported.
The scan scores returned by Google Vision AI and Google Natural Language API (sentiment score, magnitude, and content moderation category scores).
The moderation decision — upheld, reinstated, or escalated.
A timestamp.

For every image uploaded to Paper Boat, the following forensic metadata is stored permanently against your account:

A SHA-256 cryptographic hash of the image.
The IP address from which the image was uploaded.
EXIF metadata embedded in the image, where present (such as camera model or capture timestamp).
The timestamp of the upload.

This metadata is used for safety verification and law enforcement reporting. It is stored alongside your account data and is permanently deleted when your account is purged under our standard retention schedule.

The reported content itself is referenced from the original snap grid record — it is not duplicated into the moderation record. Moderation records are retained for up to one year after the reported user's account deletion, then permanently deleted.

Lawful Basis for Content Moderation

We process data for content moderation primarily on the basis of legitimate interests — specifically, protecting our users from harmful content and maintaining the safety and integrity of the platform. We also process data for moderation purposes to meet our obligations under the Online Safety Act 2023.

Where we process data on the basis of legitimate interests for safety and moderation purposes, your right to object to that processing may be limited where continued processing is necessary to protect other users or to comply with our legal obligations.

How We Use Your Data

We use the information we collect to:

Run and improve the Paper Boat service.
Verify your identity when you sign in via Google Sign-In or Apple Sign In.
Enable search and discovery features based on your visibility preferences.
Keep the platform safe through content moderation.
Send you service notifications via push notification, with your permission.
Respond to support requests.

We do not sell your personal data. We do not share your data with advertisers. We do not use your data for any purpose beyond what is described in this policy.

We share your data only with the service providers that are strictly necessary to run Paper Boat. We do not share your data with advertisers, data brokers, or any third party for commercial purposes. Our service providers act as data processors — they process data only on our instructions and are bound by data processing agreements.

Digital Ocean LLC (USA)

Our hosting provider. Your account data, snap grid content, and all primary database records are stored on a Digital Ocean server located in the United Kingdom. No international transfer applies to this data.

Google LLC (USA)

Google provides four services to Paper Boat: Google Sign-In (identity verification at login); Cloud Vision AI SafeSearch (proactive image scanning at upload and scanning of reported images); Natural Language API (sentiment analysis and content moderation category analysis of reported text content); and Firebase Cloud Messaging (push notifications). All Google services are governed by the Google Cloud Data Processing Addendum (accepted 2026-05-04). Content moderation data is processed transiently in memory and is not stored by Google. The transfer of data to Google's US infrastructure — including FCM notification token processing — is governed by the UK Addendum to the EU Standard Contractual Clauses, incorporated under the Google Cloud Data Processing Addendum.

Internet Watch Foundation (UK)

The IWF operates the UK's national database of hashes of known child sexual abuse material. When you upload an image, a SHA-1 cryptographic hash of that image is checked against the IWF Hash List API. No image data is transmitted to the IWF — only the hash. The IWF is a UK-based charity; no international transfer is involved.

National Center for Missing & Exploited Children / NCMEC (USA)

NCMEC operates a US national database of hashes of known child sexual abuse material. When you upload an image, an MD5 cryptographic hash of that image is checked against the NCMEC hash matching API. No image data is transmitted to NCMEC — only the hash. NCMEC is a US-based non-profit organisation. The transmission of the hash to NCMEC's US infrastructure is governed by the UK Addendum to the EU Standard Contractual Clauses under a data processing agreement.

Apple Inc. (USA)

Apple provides Apple Sign In for identity verification at login. Apple processes authentication events as an independent data controller — Paper Boat does not direct, instruct, or have access to Apple's processing of that authentication event. Paper Boat receives from Apple only the provider ID and email address or relay address. This is not a transfer of personal data by Paper Boat to Apple; Apple collects authentication data directly in its role as an independent controller. For Apple's privacy practices, see https://www.apple.com/uk/legal/privacy/.

Twilio Inc. (USA)

Twilio provides SMS messaging services used to send one-time verification codes where you choose to verify your phone number. Your phone number is transmitted to Twilio solely for the purpose of sending the verification SMS. Twilio does not receive any other personal data. The transmission of your phone number to Twilio's US infrastructure is governed by the UK Addendum to the EU Standard Contractual Clauses under Twilio's Data Protection Addendum.

Yoti Ltd (UK)

Yoti provides age verification services. When you complete age verification, you will be asked to take a brief selfie. Yoti's AI analyses the selfie to estimate whether you are 18 or older. Paper Boat receives only a confirmation of whether the age requirement was met — we do not receive your image or any biometric data. Yoti processes the selfie on their own infrastructure and deletes it promptly after the check is complete. Yoti is a UK company regulated under UK GDPR; no international transfer of your data to Yoti is involved. Yoti acts as a data processor in respect of the age check and is bound by a data processing agreement with Paper Boat. Full details of Yoti's data practices are available at yoti.com/privacy.

National Crime Agency — CSEA-IRP (UK)

Where a confirmed CSAM hash match or a Vision AI HIGH_RISK adult content detection occurs, we automatically file a report with the NCA Child Sexual Exploitation and Abuse Image Reporting Portal under SI 2026/268. These reports include forensic evidence data — image hash, upload IP, timestamp, EXIF metadata, and account identifiers. The NCA is a UK law enforcement authority; no international transfer is involved.

NCMEC CyberTipline (USA)

Where a confirmed CSAM hash match occurs, we also submit an electronic report to the NCMEC CyberTipline. NCMEC is a US-based non-profit organisation designated by US federal law as the repository for reports of online child sexual exploitation. These reports include the same forensic evidence data as NCA filings. Transmission to the US is governed by the UK Addendum to the EU Standard Contractual Clauses.

We may also disclose personal data to law enforcement or legal authorities where we are required by law, or where we genuinely believe it is necessary to protect the safety of our users or others.

Payments

Paper Boat does not handle your payment details. All purchases made through the app are processed by Google Play (Google LLC) or the Apple App Store (Apple Inc.). We never see, store, or have access to your card or financial information at any point.

How Long We Keep Your Data

We retain your data only for as long as necessary. The following retention periods apply:

Data category	Retention period	Basis
Active account data	Retained for as long as your account is open.	Contract
Snap grid content (active / Forgotten connections)	Deleted immediately on account deletion by either user.	Contract / erasure obligation
Snap grid content (Removed connections)	Deleted immediately on removal.	Contract / erasure obligation
Snap grid content (Reported connections)	Inaccessible to both users from the point of report. Retained for moderation review and legal purposes; permanently deleted one year after account deletion of the reported user.	Legitimate interests / OSA 2023
Account and profile data (including SSO provider IDs)	Permanently deleted within 60 days of account deletion.	UK GDPR Article 17
Reported user data and moderation records	Retained for up to one year after account deletion where a report has been made. Deleted permanently after one year.	Legitimate interests / OSA 2023
Login IP history	Rolling 90-day retention. Records older than 90 days are automatically and permanently deleted. All records deleted on account purge.	Legitimate interests / Legal obligation (SI 2026/268)
Image upload metadata (SHA-256 hash, upload IP, EXIF, timestamp)	Retained for the duration of the account. Deleted on account purge within 60 days. Where a report has been made, retained for up to one year after account deletion.	Legitimate interests / Legal obligation (OSA 2023 / SI 2026/268)
Phone number and verification status (where provided)	Retained for the duration of the account. Deleted on account purge within 60 days.	Consent
Push notification tokens	Deleted on account deletion or on withdrawal of notification permissions, whichever is earlier.	Contract
Payment data	Not held by Paper Boat. All payment processing is handled by Google Play and the Apple App Store.	N/A

Where a report has been made against an account, we retain the relevant account data, moderation records, and report records for up to one year after account deletion. This allows us to investigate complaints, respond to legal requests, and protect other users. After one year, this data is permanently deleted.

If we discover that a user is under 18, we immediately delete their account and all associated data, including any snap grid content shared with other users.

How We Protect Your Data

All data in transit between your device and our servers is encrypted using SSL/TLS, terminated at DigitalOcean App Platform. Our PostgreSQL database is encrypted at rest by DigitalOcean using AES-256. Our servers are hosted by Digital Ocean in the United Kingdom. Access to personal data is restricted to authorised personnel only. Our content moderation pipeline uses Google Cloud services certified to ISO 27001, SOC 2, and GDPR standards.

No system is entirely secure. We cannot guarantee absolute security, but we take our responsibilities seriously and will act quickly if something goes wrong.

Data Breaches

In the event of a personal data breach that poses a risk to your rights and freedoms, we are required by law to notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay.

Information Stored on Your Device

Under UK law (the Privacy and Electronic Communications Regulations 2003), we are required to tell you about any information we store on or access from your device.

Paper Boat stores only what is strictly necessary to provide the service: your login session token, and your FCM push notification token if you have granted notification permissions. We do not use advertising trackers, behavioural analytics, or third-party tracking technologies on your device.

International Transfers

Paper Boat is based in the United Kingdom. Our primary server infrastructure is hosted by Digital Ocean in the United Kingdom — your account data and snap grid content does not leave the UK.

The only international transfers of personal data are to Google LLC, based in the USA:

Google Cloud — image data processed transiently by Vision AI SafeSearch (at upload and on report); text content processed transiently by Natural Language API (sentiment and moderation categories) on report; push notification tokens transmitted to Firebase FCM. FCM is a global Google service; notification tokens may be processed in the US. All Google services governed by the Google Cloud Data Processing Addendum incorporating the UK Addendum to EU Standard Contractual Clauses.
Google Sign-In — authentication request processed by Google at login. Governed by the Google Cloud Data Processing Addendum incorporating the UK Addendum to EU Standard Contractual Clauses.
NCMEC — an MD5 hash of each uploaded image is transmitted to NCMEC's US infrastructure for hash-list checking. No image data is transmitted. Where a confirmed CSAM hash match occurs, a full CSEA report is also submitted to the NCMEC CyberTipline. Both are governed by the UK Addendum to the EU Standard Contractual Clauses.
Twilio Inc. — where you choose to verify your phone number, your phone number is transmitted to Twilio's US infrastructure to send a one-time verification SMS. Governed by the UK Addendum to the EU Standard Contractual Clauses under Twilio's Data Protection Addendum.

Apple Sign In involves no international transfer by Paper Boat. Apple processes authentication data as an independent data controller, collecting it directly from you under Apple's own terms and privacy policy.

Yoti Ltd is a UK company. Age verification data is processed by Yoti within the UK; no international transfer is involved.

We do not transfer your personal data to any other country or organisation.

Your Rights

You have the following rights over your personal data. To exercise any of them, contact us at [email protected]. We will respond within one month.

Right	What it means
Access	You may ask for a copy of the personal data we hold about you.
Correction	You may ask us to correct inaccurate or incomplete data.
Deletion	You may ask us to delete your data, or do this directly by deleting your account in the app.
Restriction	You may ask us to limit how we use your data in certain circumstances.
Portability	You may ask us to provide your data in a machine-readable format.
Objection	You may object to certain types of processing. Where we process data on the basis of legitimate interests for safety and moderation purposes, your right to object may be limited where continued processing is necessary to protect other users or comply with our legal obligations.
Withdraw consent	Where we rely on your consent — for push notifications and visibility preferences — you may withdraw that consent at any time through the app or by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.
Human review of automated decisions	If your account is suspended automatically as a result of a report, you have the right to request human review of that decision by contacting [email protected].

If you believe we have mishandled your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

Paper Boat operates under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025.

We process your personal data on the following lawful bases. A full lawful basis table, mapping each processing activity to its legal basis and retention period, is provided in Annex A of this document.

Summary of Lawful Bases

Contract: To provide the Paper Boat service, including account management, snap grid functionality, search and discovery features, and identity verification via SSO.
Legitimate interests: To improve the service, prevent fraud, and protect users through content moderation — where our interests are not overridden by your rights. We have documented a legitimate interests assessment for each such processing activity, a copy of which is available on request.
Legal obligation: To comply with applicable law, including the Online Safety Act 2023 and UK GDPR requirements around data subject rights and breach notification.
Consent: For push notifications via Firebase Cloud Messaging, and for the processing of search visibility preferences, where you have explicitly granted permission. Consent may be withdrawn at any time.

Note: The Data (Use and Access) Act 2025 introduced a seventh lawful basis — Recognised Legitimate Interest (RLI) — for five specific public interest scenarios. This does not currently apply to Paper Boat's processing activities.

Paper Boat is currently available in the United Kingdom only. EU GDPR does not apply at this time. This section will be updated before Paper Boat becomes available in the European Economic Area.

Cookies and Device Storage

Paper Boat does not use advertising cookies or third-party tracking technologies. The app stores only information that is strictly necessary to provide the service: your login session token and, if you have granted permission, your push notification token.

Adults Only

Paper Boat is an adult platform intended for users aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. Age is self-declared at registration and verified by SMS phone verification. Yoti Age Verification (selfie-based age estimation) is being introduced and will provide highly effective age assurance in line with Ofcom's requirements under the Online Safety Act 2023.

If you believe someone under 18 has registered, please contact us at [email protected] and we will remove the account and delete all associated data promptly.

Changes to This Policy

We may update this policy from time to time. If we make significant changes, we will notify you through the app before they take effect. Continued use of Paper Boat after changes are posted constitutes acceptance of the updated policy. If you do not agree, you may delete your account.

Get In Touch

Questions about this policy or how we handle your data? We are easy to reach.

Email: [email protected]
Website: https://paperboat.world
Post: Paper Boating Ltd, Unit 2, Wayners, Ashton, Leominster, HR6 0DN

Annex A — Lawful Basis Table

This table maps each processing activity to its lawful basis and retention period under UK GDPR.

Processing activity	Data processed	Lawful basis	Retention period	Notes
Account creation and management	Email address or relay address, age, password hash, SSO provider ID	Contract (Art. 6(1)(b))	Active: indefinite. Post-deletion: SSO IDs nulled immediately; full purge within 60 days.	No name or username collected at registration.
Identity verification via SSO (Google / Apple)	SSO provider ID, email or relay address	Contract (Art. 6(1)(b))	60 days post account deletion	SSO provider IDs nulled immediately on account deletion; full purge within 60 days.
Registration IP address capture	IP address at registration	Legitimate interests (Art. 6(1)(f)) / Legal obligation (SI 2026/268)	Retained for the duration of the account; deleted on account purge within 60 days.	Used for security monitoring and law enforcement reporting where required.
Login IP address history	IP address at each login	Legitimate interests (Art. 6(1)(f)) / Legal obligation (SI 2026/268)	Rolling 90-day retention. Automatically purged beyond 90 days. All records deleted on account purge.	Used for security monitoring and to support moderation and safety investigations. 90-day window required by SI 2026/268 Schedule 1.
Search and discovery — visibility preferences	Visibility toggle preferences	Art. 9(2)(a) explicit consent (and Art. 6(1)(a) consent)	Active: until changed or account deleted. Post-deletion: 60 days.	Consent requested at the point visibility preferences are first set. May be withdrawn at any time in the app.
Snap grid — content storage (active / Forgotten connections)	Images and text messages	Contract (Art. 6(1)(b))	Deleted immediately on account deletion by either user.
Snap grid — content storage (Removed connections)	Images and text messages	Contract / erasure obligation	Deleted immediately on removal.
Snap grid — content storage (Reported connections)	Images and text messages	Legitimate interests (Art. 6(1)(f)) / Legal obligation (OSA 2023)	Inaccessible to both users from point of report. Retained for moderation review; permanently deleted one year after account deletion of the reported user.	Content is referenced from the original snap grid record for moderation and legal purposes.
Phone number verification (optional)	Phone number, verification status	Consent (Art. 6(1)(a))	Retained for the duration of the account; deleted on account purge within 60 days.	Optional. Phone number transmitted to Twilio (US) for OTP SMS delivery only. Not displayed to other users.
Age verification	Age verification result (pass/fail); no image or biometric data retained by Paper Boat	Legal obligation — Online Safety Act 2023 / Ofcom age assurance requirement (Art. 6(1)(c))	Verification result retained for the duration of the account.	Selfie captured and processed solely by Yoti Ltd (UK). Paper Boat receives only the pass/fail outcome. Yoti deletes the selfie promptly after the check. No biometric data is held by Paper Boat.
Push notifications	FCM token	Consent (Art. 6(1)(a))	Until account deletion or permission withdrawal.
Image upload metadata capture	SHA-256 hash, upload IP address, EXIF metadata, upload timestamp	Legitimate interests (Art. 6(1)(f)) / Legal obligation (OSA 2023 / SI 2026/268)	Retained for the duration of the account; deleted on account purge within 60 days. Where a report has been made, retained for up to one year after account deletion.	Captured on every image upload for safety verification and law enforcement reporting. Not visible to other users.
IWF hash check — proactive upload screening	SHA-1 hash derived from uploaded image (hash only — no image data transmitted)	Legitimate interests (Art. 6(1)(f)) / Legal obligation (OSA 2023)	Hash transmitted transiently for comparison only — not stored by IWF or Paper Boat against this activity.	Occurs on every image upload before storage. UK-based — no international transfer.
NCMEC hash check — proactive upload screening	MD5 hash derived from uploaded image (hash only — no image data transmitted)	Legitimate interests (Art. 6(1)(f)) / Legal obligation (OSA 2023)	Hash transmitted transiently for comparison only — not stored by NCMEC or Paper Boat against this activity.	Occurs on every image upload before storage. US-based — transfer governed by UK Addendum to EU SCCs.
Vision SafeSearch — proactive upload screening	Uploaded image (transient — processed in memory by Google, not stored)	Legitimate interests (Art. 6(1)(f)) / Legal obligation (OSA 2023)	Transient — not stored by Google. Suspension outcome stored as account status.	Fires asynchronously on every image upload. Suspension triggered where LIKELY or VERY_LIKELY adult or violent content detected. Constitutes ADM under Arts. 22A–22D. Human review follows every suspension.
Content moderation — report-triggered automated scanning	Reported images (transient) and reported user's text content (transient)	Legitimate interests (Art. 6(1)(f)) / Legal obligation (OSA 2023)	Transient — not stored by Google. Scan scores stored in PostgreSQL for 1 year post account deletion.	Google Cloud Vision AI and Natural Language API (sentiment + moderateText categories). Suspension triggered only where high-risk signals detected; otherwise flagged for human review.
Content moderation — report records	Report record, scan scores, moderation decision, timestamp	Legitimate interests (Art. 6(1)(f)) / Legal obligation (OSA 2023)	1 year post account deletion of reported user.
Automated account suspension	Account status	Legitimate interests (Art. 6(1)(f))	Until human admin review completes.	Constitutes ADM under Arts. 22A–22D (Data (Use and Access) Act 2025). Human review follows every suspension.
Account deletion — data purge	All account and profile data	Legal obligation (UK GDPR Art. 17)	Within 60 days of deletion trigger.	SSO provider IDs nulled immediately on account deletion. Full purge within 60 days.
NCA CSEA-IRP automatic reporting	Image hash, upload IP, timestamp, EXIF metadata, account identifiers	Legal obligation (Art. 6(1)(c)) / OSA 2023 s.66 / SI 2026/268	As required by law.	Fires automatically on confirmed CSAM hash match or Vision AI HIGH_RISK adult detection. No administrator content review required before filing.
NCMEC CyberTipline automatic reporting	Image hash, upload IP, timestamp, EXIF metadata, account identifiers	Legal obligation (Art. 6(1)(c)) / OSA 2023	As required by law.	Fires automatically on confirmed CSAM hash match. US-based — transfer governed by UK Addendum to EU SCCs.
Law enforcement disclosure (ad hoc)	Variable — depends on request	Legal obligation (Art. 6(1)(c))	As required by law.