Privacy is the product. Here's how we keep it that way: what we encrypt, who can touch it, and what happens if something goes wrong.
Data is encrypted in transit and at rest using industry-standard protocols. The same approach applies to our managed database and object storage layers.
Role-based access with least-privilege defaults, single sign-on, multi-factor authentication, and audit logging on production systems.
We collect the minimum needed to make the product work and keep it for no longer than we need to. Match data is short-lived by design and never sold to third parties.
We follow a documented incident response playbook covering detection, triage, containment, and notification. Affected users and customers are informed within the timelines required by applicable law.
We follow industry best practices for data protection and privacy, and operate under UK GDPR and the Data Protection Act 2018.
We work with a small number of trusted infrastructure providers and review them regularly. A current sub-processor list is available on request.
We welcome reports from security researchers and the broader community. If you believe you've found a vulnerability in FirstMove, please submit details through our help centre and give us a reasonable window to fix things before public disclosure.
We won't take legal action against good-faith researchers who follow this policy, avoid privacy violations, and don't degrade our service.
Report a vulnerability
support.firstmove.liveWe're happy to walk security and compliance teams through our setup, share our latest DPA, and answer specific questions.
Talk to our team