This app is in Beta. Please feed back to us.
← Back

Privacy Policy

Last updated: 2 May 2026

Who we are

Retruvai is a service that introduces students to one another for in-person meetings. It is operated by Retruvai, based in England ("we", "us", "our").

Retruvai is the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR).

What data we collect

When you use Retruvai, we collect:

  • Your first name and last name
  • Your university email address (used to verify you are a current student)
  • Your password (stored as a one-way hash; we cannot read it)
  • Your date of birth (used to verify you are 18 or over)
  • Your profile photo
  • Your three open-text answers: what you are working on, what you can help with, what you want to learn
  • Optional details: programme of study, mobile number, who invited you
  • Match data: who we paired you with and the icebreaker note we wrote about you both
  • Chat messages between you and your matched partner
  • Meeting feedback you submit after the event (Great, Not so great, or Report)
  • An internal reliability score (see below)
  • Standard server logs (your IP address and browser type, captured by our hosting and authentication providers for security)

How we use your data

Your data is used exclusively for:

  • Creating and managing your account
  • Pairing you with another participant we think you might enjoy meeting
  • Showing you your match and enabling you to chat with them
  • Briefly sharing your photo with your match so you can find each other in person
  • Sending you transactional emails (signup confirmation, match reveal, reminder, post-event feedback request)
  • Investigating reports and protecting users from harm
  • Improving the service using aggregated, non-identifying data

We do not use your data for advertising, marketing to third parties, or commercial profiling.

How matches are made

At present, matches are made by hand by our team rather than by an algorithm. As Retruvai grows, we may introduce automated compatibility scoring to help with this. We will update this policy and notify you in advance of any change that involves automated decision-making with legal or significant effects on you.

AI and machine learning

To improve Retruvai, we may use the data you provide on the service, including your profile content, the three open-text answers, match outcomes, post-meeting feedback, and chat patterns (volume and timing, not message content unless reported), to train and refine algorithms and machine-learning models that help us pair people more effectively, detect abuse, and improve the service in other ways consistent with this policy.

Where possible, we use pseudonymised or aggregated data for this purpose. We do not sell your data to anyone for the purpose of training their models, and we do not pass your identifiable personal data to third-party AI services without first removing information that could identify you.

You can object to your data being used to train models at any time by emailing hello@retruvai.com. Doing so will not affect your use of the core service.

What your match can see about you

Before you both accept the match: your matched partner sees your first name and a one-line icebreaker (a short note we write about why we paired you). In this phase, the icebreaker is the most prominent piece of personal information we share with your match.

Once you both accept: your match also sees your programme (if you provided one) and the answers you wrote in the three open-text fields.

Once you both tap "we've agreed time and place": your photo is shown to your match for 10 seconds, once. After that, it is hidden again and cannot be viewed a second time.

Your match never sees your email address, date of birth, password, mobile number, or any other personal data.

Your profile photo

Your photo is stored privately. It is shown to your matched partner once, briefly, when you both tap "we've agreed time and place" in the in-app chat. After ten seconds it is hidden again and cannot be viewed again. It is never made public, never shared with any other user, and never used for any purpose other than helping you and your match find each other.

Chat messages

The messages you send to your matched partner via the in-app chat are visible only to the two of you. We may review chat content if a user reports a concern. We do not share message content with any third party. Messages are retained alongside your match record and are deleted when you delete your account.

Reliability score

We track an internal reliability score for each user, based on whether you accept matches, attend, and provide post-meeting feedback. This score informs future matching decisions. It is not visible to you, your match, or any other user.

Age and special category data

Retruvai is for users aged 18 or over. We do not knowingly collect personal data from anyone under 18. If you believe a user under 18 has signed up, please contact us at hello@retruvai.com.

We do not collect special category data (such as race, religion, health, sexual orientation, or political views). If you choose to disclose any such information in your open-text answers, you do so voluntarily and consent to it being shared with your match in the manner described above.

Marketing communications

We send transactional emails (signup confirmation, match notifications, reminders, post-event feedback). We do not send marketing emails. We will not use your data for marketing without your separate consent. If we introduce marketing in future, we will update this policy and obtain your consent first.

Blocking and reporting

You may report any user at any time via the post-meeting feedback option. Your report is kept confidential and reviewed by our team. We may suspend or remove users whose behaviour violates our Terms.

Legal basis for processing

We process personal data under the following lawful bases in accordance with UK GDPR:

Contract performance (Article 6(1)(b)): to create and manage your account, pair you with another participant, and provide the functionality you request.

Legitimate interests (Article 6(1)(f)): to investigate reports, protect users from harm, and improve Retruvai using pseudonymised, minimised, or aggregated data.

Consent (Article 6(1)(a)): for optional activities. You may withdraw consent at any time without affecting your use of the core service.

Where your data is stored and how we keep it secure

Your data is stored using Supabase infrastructure hosted in the European Union (Frankfurt). Data is encrypted in transit (TLS) and at rest. Access is restricted to the Retruvai team.

If we discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the Information Commissioner's Office within 72 hours of becoming aware of it.

Data retention

We retain your personal data until you request deletion, or until your account is no longer needed for the purposes described above. We do not auto-delete inactive accounts.

Encrypted backups of our database are retained for up to 30 days. Personal data deleted from the live system may persist in those backups for that window before being permanently overwritten.

We may retain anonymised, aggregated research data that cannot reasonably identify you.

Third parties

We use the following service providers:

  • Supabase: database, authentication, file storage, and real-time chat (EU-hosted, Frankfurt). Processes your account data, profile, photo, chat messages, and authentication tokens under a Data Processing Agreement.
  • Resend: transactional email delivery. Your email address is shared with Resend solely to deliver emails sent from Retruvai. Resend retains a log of email sends, including recipient address, for up to 30 days. GDPR compliant, processes under a Data Processing Agreement.
  • GitHub Pages: static website hosting.
  • Sentry: error monitoring, configured to exclude personally identifiable information (EU-hosted).
  • Google Fonts: font delivery via cdn.googleapis.com. Your IP address may be logged when fonts load. See Google's privacy policy at policies.google.com.
  • jsDelivr: CDN for delivering the Supabase JavaScript library and related front-end dependencies. Your IP address may be logged when these libraries load.

We do not use analytics trackers, advertising networks, or data resale services. We do not share your identifiable personal data with third parties beyond the service providers listed above, except where required by law.

Cookies

We do not use tracking cookies. Supabase authentication uses browser local storage solely to maintain your login session. No third-party cookies are set.

Your rights

Under UK GDPR, you have the right to:

  • Access: request a copy of your personal data we hold
  • Rectification: ask us to correct inaccurate data
  • Erasure: request that we delete your account and all associated personal data (see "Account deletion" below)
  • Portability: request your data in a machine-readable format
  • Restriction: ask us to limit how we process your data while a complaint or correction is being resolved
  • Object: object to processing based on our legitimate interests, including for research purposes
  • Withdraw consent: at any time, where consent is the legal basis for processing
  • Lodge a complaint: with the Information Commissioner's Office (ICO) at www.ico.org.uk

Account deletion

To delete your account, email hello@retruvai.com with the subject "Delete my account." We will process the request within 30 days and confirm deletion by email. As noted in "Data retention", some data may persist in encrypted backups for up to a further 30 days, after which it is permanently overwritten.

Changes to this policy

We may update this policy from time to time. Material changes will be notified to you by email. The current version is always available at retruvai.com/privacy.html.

Contact

To exercise your rights, request account deletion, or ask any question about this policy, please contact us at: hello@retruvai.com