last updated: april 2026
data protection impact assessment summary
this document summarizes our assessment of the privacy risks associated with larry match's ai-powered matching system, particularly the processing of special category data under gdpr article 9.
1. purpose of processing
larry match uses artificial intelligence to analyze users' x (twitter) activity and in-app conversations to create personality profiles and find compatible matches. this processing is the core function of the service.
the specific processing activities assessed are:
- personality analysis: ai analyzes x activity (tweets, likes, bio) to generate a personality profile.
- conversational profiling: ai powers larry, the matchmaker, which refines user preferences through natural conversation.
- compatibility matching: ai generates mathematical representations used to calculate compatibility between users.
- attraction inference: larry may optionally infer attraction preferences and sexuality from conversation and x activity. this constitutes special category data under gdpr article 9.
- selfie verification: ai compares a user's selfie against their profile photos to verify identity. facial geometry is processed in real time and discarded immediately. this may constitute biometric data under illinois bipa, texas cubi, and washington state biometric law.
2. data processed
- x profile data (bio, tweets, likes, followers)
- chat messages with larry ai
- ai-generated personality profiles
- mathematical representations of personality
- relationship intent
- special category: attraction preferences and sexuality (optional, requires explicit consent)
3. legal basis
- personality matching (non-special category): legitimate interest (gdpr article 6(1)(f)). users sign up specifically for ai-powered personality matching. the processing is necessary to deliver the core service and is proportionate to the purpose.
- attraction and sexuality data (special category): explicit consent (gdpr article 9(2)(a)). users are asked for clear, affirmative consent before any attraction data is processed. consent is optional, granular, and freely given. users can use the matching service without providing attraction data.
4. identified risks
risk 1: re-identification from behavioral patterns
personality profiles derived from x activity could theoretically be used to re-identify individuals, even without directly sharing x handles. the profile is a detailed behavioral fingerprint.
severity: high. likelihood: low.
risk 2: inference accuracy
ai-inferred personality traits and attraction preferences may be inaccurate. incorrect inferences about sexuality or attraction could cause distress or lead to inappropriate matches.
severity: medium. likelihood: medium.
risk 3: data breach exposing special category data
a breach exposing attraction preferences, sexuality data, or detailed personality profiles could cause significant harm to affected users.
severity: high. likelihood: low.
risk 4: purpose creep
personality data collected for matching could theoretically be repurposed for profiling, advertising, or other purposes beyond the original intent.
severity: high. likelihood: low (mitigated by policy and architecture).
risk 5: biometric data processing (selfie verification)
facial comparison during selfie verification processes biometric identifiers. illinois bipa provides a private right of action with statutory damages ($1,000-$5,000 per violation). texas and washington have ag-enforced biometric laws.
severity: high (bipa statutory damages). likelihood: low (selfie discarded immediately, no biometric template stored, explicit consent obtained before capture).
5. mitigations
consent and control
- attraction data consent is optional and granular. users are never required to provide it. the matching system works without it.
- users can withdraw consent for special category processing at any time without losing their account.
- profile updates only happen through explicit conversation with larry. no silent background inference.
data minimization and isolation
- the ai-generated personality bio is never shown to other users. it exists only as an internal matching input.
- x handles are hidden until mutual match. users cannot browse or search for specific x accounts.
- x data is refreshed weekly and previous snapshots are replaced, not accumulated. we don't build a historical archive of x activity.
- we only collect data necessary for matching. no scraping of followers' content, dm contents, or private x data.
security
- all ai processing happens server-side. personality data and mathematical representations are never sent to the client.
- data encrypted at rest (google cloud encryption) and in transit (tls).
- access controls via google cloud iam. no direct database access from client applications.
- secret management through google cloud secret manager (no hardcoded credentials).
biometric data (selfie verification)
- explicit written consent obtained before selfie capture via in-app notice explaining what data is collected, why, and how long it is retained.
- selfie images are processed in real time and immediately discarded. no biometric templates are stored.
- only cryptographic hashes of verified photos are retained (not biometric data) for change detection purposes.
- selfie verification is optional. users may skip without losing core functionality.
- re-verification after photo changes uses photo-to-photo comparison, not stored biometric templates.
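the retention boundary described in the bullets above, as an added illustration (not larry match's own code): only sha256 hashes of verified photos persist, the selfie and the face comparison are transient, and a changed photo is re-verified photo-to-photo against a photo that is still on the profile. the `matcher` callable and `demo_matcher` are constructed stand-ins for a real face comparison.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional, Sequence, Set

# hypothetical face comparison: (image_a, image_b) -> same person? never persisted
FaceMatcher = Callable[[bytes, bytes], bool]

@dataclass
class VerificationRecord:
    """what survives a verification: photo hashes only, no selfie, no face template."""
    verified_photo_hashes: Set[str] = field(default_factory=set)

def photo_hash(photo: bytes) -> str:
    # hash of the raw bytes: any re-encoding counts as a change (conservative)
    return hashlib.sha256(photo).hexdigest()

def verify_selfie(selfie: bytes, profile_photos: Sequence[bytes],
                  matcher: FaceMatcher, consent_given: bool) -> Optional[VerificationRecord]:
    """one-shot verification; the selfie is not referenced after this returns."""
    if not consent_given:
        return None  # nothing is processed before explicit consent
    matched = [p for p in profile_photos if matcher(selfie, p)]
    if not matched:
        return None
    return VerificationRecord({photo_hash(p) for p in matched})

def photos_needing_reverification(record: VerificationRecord,
                                  current_photos: Sequence[bytes]) -> list:
    """photos whose hash is not in the verified set: added or edited since verification."""
    return [p for p in current_photos if photo_hash(p) not in record.verified_photo_hashes]

def still_verified(record: VerificationRecord, current_photos: Sequence[bytes]) -> bool:
    return not photos_needing_reverification(record, current_photos)

def reverify_changed_photos(record: VerificationRecord, current_photos: Sequence[bytes],
                            matcher: FaceMatcher) -> VerificationRecord:
    """photo-to-photo re-verification: a changed photo is accepted if it matches a
    previously verified photo that is still on the profile. if none remain, the
    result is empty and a fresh selfie verification is required."""
    anchors = [p for p in current_photos if photo_hash(p) in record.verified_photo_hashes]
    kept = set(record.verified_photo_hashes)
    for p in photos_needing_reverification(record, current_photos):
        if any(matcher(p, a) for a in anchors):
            kept.add(photo_hash(p))
    # hashes of photos no longer on the profile are dropped (data minimization)
    return VerificationRecord(kept & {photo_hash(p) for p in current_photos})

def demo_matcher(a: bytes, b: bytes) -> bool:
    # constructed stand-in: "same person" means the same label before ':'
    return a.split(b":")[0] == b.split(b":")[0]
```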
deletion and portability
- 24-hour deletion of all x-sourced data when oauth access is revoked.
- full data deletion on account deletion (profile, chat history, ai data, photos, ai bio).
- users can request a full data export at any time.
6. data minimization practices
- we analyze public x activity only. no access to dms, private lists, or non-public data.
- personality profiles are stored as structured dimensions, not raw analysis transcripts. the ai analysis output is processed into structured fields and the raw output is not retained long-term.
- compatibility data is stored as mathematical representations, not human-readable profiles.
- location data, when shared, is stored at city level, not precise coordinates.
7. third-party processors
- ai analysis service provider: processes x data for personality analysis. data is sent for analysis and the result is stored in our database. the provider does not retain user data after processing.
- google cloud platform: hosts all data and ai processing. subject to google cloud's data processing agreement and gdpr compliance.
- clerk: handles authentication. stores minimal session data.
- stripe: processes payments. does not receive personality or matching data.
8. review schedule
this dpia is reviewed annually, or sooner when any of the following occur:
- changes to ai models or processing methods
- new categories of personal data collected
- changes to third-party processors
- security incidents affecting personal data
- significant changes to user base size or demographics
next scheduled review: april 2027
9. conclusion
the primary risks stem from the processing of behavioral data and optional special category data. these risks are mitigated through granular consent, data minimization, architectural isolation (ai-generated data is never exposed to other users), server-side processing, and strong deletion guarantees.
the residual risk level is assessed as acceptable given the mitigations in place and the optional nature of special category data processing.
contact
questions about this assessment? contact us at privacy@larrymatch.com.