Privacy Policy
Effective Date: June 1, 2026 | Last Updated: June 1, 2026
Plain-language summary: Cost Per Smash ("CPS") collects personal, relationship, and financial data you provide so we can calculate your CPS score, power the leaderboard, enable matchmaking, and deliver AI coaching. We store data on Google Firebase, process payments through Stripe, and host the platform on Netlify. We never sell your personal data. You can delete your account and all associated data at any time.
This Privacy Policy describes how CPS ("we," "us," or "our"), operated from Ontario, Canada, collects, uses, discloses, and protects the personal information of users ("you" or "your") of the website at costpersmash.com and all related services (collectively, the "Service"). By using the Service, you consent to the practices described in this policy.
1. Information We Collect
1.1 Account Information
- Full name or alias
- Screen name / username
- Email address
- Phone number
- Password (stored as a cryptographic hash by Firebase Authentication; we never see or store your plaintext password)
1.2 Profile and Demographic Information
- Gender
- Relationship status (e.g., single, dating, married, open, polyamorous)
- City or general location
- Social media handles (Instagram, Twitter/X, TikTok) -- provided voluntarily
1.3 Relationship and Intimacy Data
- Sexual activity frequency ("smash count," "bonus rounds")
- Intimacy quality score (self-reported, 1--10 scale)
1.4 Financial and Spending Data
- Spending amounts across eight categories: dinners and dates, gifts, transportation, grooming and appearance, dating apps and subscriptions, home dates, travel, and other
- Contribution data across eight corresponding categories (what your partner contributes)
- Receipt images (captured via your device camera or uploaded from your photo library)
1.5 CPS Score and Ranking Data
- Your calculated CPS score and tier ranking
- TrackHer profiles -- multiple partner profiles, each with its own spending data, scores, and notes
1.6 AI Chat and Coaching Data
- Conversation history with the CPS AI Coach feature
- Prompts, questions, and responses generated during coaching sessions
1.7 Payment Information
- Stripe collects and processes your payment card details, billing address, and transaction records. We do not store your full card number on our servers. We receive from Stripe: subscription status, customer ID, last four digits of your card, and transaction confirmations.
1.8 Automatically Collected Information
- Browser type, device type, and operating system
- IP address (collected by our hosting provider, Netlify)
- Pages visited, time spent, and general usage patterns (via server logs)
2. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Data Used |
| CPS Score Calculation -- Computing your personalized Cost Per Smash score and tier ranking | Spending data, intimacy data, contribution data |
| Leaderboard -- Displaying anonymized or screen-name-based rankings to other users | Screen name, CPS score, tier, city |
| Matchmaking -- Connecting users with compatible spending and relationship profiles | Profile information, relationship status, CPS score, city, preferences |
| AI Coaching -- Providing personalized AI-generated insights and conversation | Chat history, profile data, spending data, relationship data |
| TrackHer Feature -- Enabling you to track spending and scores across multiple partners | Per-partner spending data, notes, scores |
| Account Management -- Creating, maintaining, and securing your account | Account information, email, phone |
| Payment Processing -- Managing subscriptions, billing, and refunds | Payment information (via Stripe) |
| Communications -- Sending service updates, security alerts, and (with your consent) promotional messages | Email address, phone number |
| Service Improvement -- Analyzing usage patterns to improve features and fix bugs | Automatically collected information, aggregated usage data |
| Safety and Fraud Prevention -- Detecting and preventing abuse, fake profiles, and fraudulent transactions | Account information, usage patterns, IP address |
3. Legal Basis for Processing
We process your personal information on the following legal grounds:
- Consent: You actively provide sensitive personal data (relationship status, intimacy data, spending data) by entering it into the Service. You may withdraw consent at any time by deleting your data or account.
- Contract Performance: We process account and payment data as necessary to provide the Service you have subscribed to.
- Legitimate Interest: We process usage data and aggregated analytics to improve the Service, prevent fraud, and ensure platform security, where those interests are not overridden by your rights.
- Legal Obligation: We may process data to comply with applicable laws, regulations, or valid legal requests.
4. Data Storage and Security
4.1 Where Your Data Is Stored
| Storage Location | What Is Stored | Provider |
| Firebase Authentication (Google Cloud) | Account credentials (email, password hash), authentication tokens | Google LLC |
| Firebase Firestore (Google Cloud) | User profiles, CPS scores, spending data, leaderboard entries, matchmaking profiles, receipt metadata, waitlist entries, AI chat history | Google LLC |
| Your Device (localStorage) | Local cache of profile data, scores, spending entries, and receipt images for offline access and faster performance | Your browser |
| Stripe | Payment card details, billing address, subscription status, transaction history | Stripe, Inc. |
| Netlify | Server logs (IP addresses, request data), serverless function execution logs | Netlify, Inc. |
4.2 Security Measures
- All data transmitted between your device and our servers is encrypted using TLS (HTTPS).
- Passwords are hashed using industry-standard algorithms by Firebase Authentication; we never store or have access to plaintext passwords.
- Payment data is handled entirely by Stripe, which is PCI DSS Level 1 certified.
- Access to Firebase databases is restricted by security rules and requires authenticated access.
- We conduct periodic reviews of our security practices.
No method of electronic storage or transmission is 100% secure. While we use commercially reasonable measures to protect your data, we cannot guarantee absolute security.
5. Third-Party Data Processors
We share personal information with the following third-party service providers, solely for the purposes described:
| Provider | Purpose | Data Shared | Privacy Policy |
| Google / Firebase | Authentication, database, hosting infrastructure | Account credentials, all user-submitted profile and scoring data, chat history | Firebase Privacy |
| Stripe | Payment processing and subscription management | Payment card details, billing address, email, transaction amounts | Stripe Privacy |
| Netlify | Web hosting and serverless function execution | IP addresses, request metadata, server logs | Netlify Privacy |
We do not sell, rent, or trade your personal information to any third party for their own marketing purposes.
6. Data Retention
- Active account data: We retain your personal data for as long as your account is active and you continue to use the Service.
- After account deletion: When you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required by law to retain certain records (e.g., transaction records for tax or accounting purposes, which may be retained for up to 7 years).
- Leaderboard and matchmaking data: Your screen name and score are removed from public views within 30 days of account deletion.
- AI chat history: Deleted with your account. We do not retain conversation logs after account deletion.
- localStorage data: Data stored in your browser's localStorage persists until you clear it manually or delete your account through the Service (which triggers a local data wipe).
- Server logs: Netlify server logs containing IP addresses and request data are retained according to Netlify's standard retention schedule (typically 30 days).
- Payment records: Stripe retains transaction records according to their own retention policy and applicable financial regulations.
7. Publicly Visible Data
Certain information you provide may be visible to other users of the Service:
- Leaderboard: Your screen name, CPS score, tier ranking, and city may appear on the public leaderboard.
- Matchmaking profiles: If you opt into matchmaking, other matched users may see your screen name, city, relationship status, CPS tier, and any profile information you choose to share.
- CPS Verified badge: If you subscribe to CPS Verified, a verification badge will be displayed alongside your screen name on leaderboard and matchmaking profiles.
Your real name, email address, phone number, detailed spending data, intimacy data, receipt images, and TrackHer partner profiles are never visible to other users.
8. Cookies and Local Storage
CPS uses browser localStorage (not traditional cookies) to store data on your device. This includes:
- Session data: Authentication state so you remain logged in between visits.
- Cached profile and score data: A local copy of your profile, spending entries, CPS score, and tier for faster loading and offline access.
- Receipt images: Uploaded receipt images are stored locally so you can review them without re-downloading.
- User preferences: Display settings and feature preferences.
Firebase and Netlify may set their own cookies for authentication and analytics purposes. Stripe sets cookies necessary for secure payment processing. You can manage cookies and localStorage through your browser settings. Clearing localStorage will remove your locally cached data but will not delete your server-side account.
9. International Data Transfers
CPS is operated from Ontario, Canada. However, our third-party service providers (Google/Firebase, Stripe, Netlify) may store and process data in the United States and other countries. By using the Service, you acknowledge that your data may be transferred to and processed in jurisdictions outside your country of residence, including the United States, where data protection laws may differ from those in your jurisdiction.
Where required by applicable law, we ensure that appropriate safeguards are in place for such transfers, including standard contractual clauses or reliance on the service provider's compliance certifications.
10. Your Privacy Rights
10.1 All Users
Regardless of where you are located, you may:
- Access your personal data by viewing your profile and data within the Service.
- Correct inaccurate data by editing your profile at any time.
- Delete your account and all associated data (see Section 14).
- Withdraw consent to data processing at any time by deleting your account.
10.2 European Economic Area, United Kingdom, and Switzerland (GDPR)
If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation ("GDPR"):
- Right of Access: Request a copy of all personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure ("Right to Be Forgotten"): Request deletion of your personal data, subject to legal retention requirements.
- Right to Data Portability: Request a machine-readable copy of your personal data.
- Right to Restriction of Processing: Request that we limit how we use your data.
- Right to Object: Object to processing based on legitimate interest.
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: File a complaint with your local data protection authority.
To exercise these rights, contact us at support@costpersmash.com. We will respond within 30 days.
10.3 California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes, and the categories of third parties with whom we share it.
- Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Opt-Out of Sale: We do not sell your personal information. If this ever changes, we will provide a "Do Not Sell My Personal Information" link.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Limit Use of Sensitive Personal Information: You may request that we limit the use of sensitive personal information (including relationship and intimacy data) to purposes necessary for providing the Service.
To exercise these rights, contact us at support@costpersmash.com or submit a request through your account settings. We will verify your identity before processing your request and respond within 45 days.
10.4 Canadian Residents (PIPEDA)
If you are a Canadian resident, you have the following rights under the Personal Information Protection and Electronic Documents Act ("PIPEDA"):
- Right of Access: Request access to the personal information we hold about you and how it has been used.
- Right to Correction: Request correction of any inaccurate or incomplete personal information.
- Right to Withdraw Consent: Withdraw your consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions.
- Right to Complain: File a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.
To exercise these rights, contact us at support@costpersmash.com. We will respond within 30 days.
11. Children's Privacy
CPS is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that we have collected personal information from a person under 18, we will take immediate steps to delete that information. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@costpersmash.com.
12. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Investigate the breach promptly and take steps to contain and mitigate any harm.
- Notify affected users by email within 72 hours of becoming aware of the breach, where feasible.
- Notify the relevant data protection authorities as required by applicable law (including the Office of the Privacy Commissioner of Canada, EU supervisory authorities, or the California Attorney General, as applicable).
- Provide a description of the nature of the breach, the data affected, the measures taken, and recommended steps you can take to protect yourself.
13. Sensitive Data Notice
CPS collects data that may be considered sensitive under various privacy laws, including information about sexual activity, intimacy, and relationship status. We want to be transparent about this:
- This data is collected only because you voluntarily enter it into the Service to use its core features (CPS score calculation, AI coaching, matchmaking).
- We process this data solely for the purposes described in this policy.
- This data is never shared with third parties for their own purposes.
- This data is never used for targeted advertising.
- You can delete this data at any time by editing your profile or deleting your account.
14. How to Delete Your Account
You may delete your account and all associated personal data at any time by:
- Going to your account settings within the Service and selecting "Delete Account"; or
- Sending a request to support@costpersmash.com from the email address associated with your account.
Upon receiving a deletion request, we will:
- Delete your account and personal data from Firebase within 30 days.
- Remove your screen name and score from the leaderboard and matchmaking within 30 days.
- Clear your locally cached data (localStorage) if you initiate deletion from the Service.
- Request deletion of your customer record from Stripe (subject to Stripe's legal retention requirements).
Certain data may be retained where required by law (e.g., financial transaction records for tax compliance).
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify you by email or by a prominent notice within the Service at least 14 days before the changes take effect.
- Where required by law, obtain your consent before applying material changes to how we process sensitive personal data.
Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:
Cost Per Smash
Email: support@costpersmash.com
Ontario, Canada
For PIPEDA complaints, you may also contact the Office of the Privacy Commissioner of Canada.