Privacy Policy
This document has two parts: Part 1 applies to every user everywhere. Part 2 adds country-specific data protection terms where MatchyTouch actively operates.
Part 1 — Global Base Policy
1. Overview
This Policy explains what personal data we collect, why, how long we keep it, and what choices you have. It applies to Hosts, Sellers, and Buyers alike.
A core design principle of this Platform is that Buyers are anonymous by default. You do not need to create an account or provide a name or email to scan a product, browse Discover, or complete a purchase through the standard flow. Any exception is always optional and initiated by your own choice.
2. Data We Collect, by Role
Hosts and Sellers: name, business name, email, and information required to connect a Stripe account (handled directly by Stripe), plus content you provide such as location details, product listings, images, and descriptions.
Buyers — standard flow: no name or account required. We generate a temporary, anonymous session identifier (cookie) used only to connect a discovery event (QR scan or web click) to a possible purchase within a limited time window.
Buyers — optional discount code: if a Seller enables this feature, you may choose to provide an email in exchange for a discount code. It is stored, linked to your session and the specific product, for up to 10 days or until the code is used. It is used to issue that code, and is not sold or shared with any third party. If you later complete a purchase through Hosted Checkout — whether or not you used a discount code — the Seller may see your email as part of standard order details, the same way any online seller sees a customer's email after a sale. Providing this is entirely optional, and standard Discover browsing and purchasing never requires an email at all.
Payment information: we do not collect or store card details. All payment processing is handled directly by Stripe.
Location data: Hosts provide their venue's address and coordinates, shown publicly so Buyers can find them. We do not collect a Buyer's precise device location unless you separately grant permission to a feature that explicitly requests it.
Automatically collected technical data: our infrastructure providers automatically log information such as IP address and request timestamps, primarily for security and fraud prevention.
3. How We Use Data
We use this data to operate the Platform (attribution, payouts, listings), prevent fraud and enforce our Terms of Service, communicate with Hosts and Sellers about their account and sales, and improve reliability. We do not use Buyer data for advertising or marketing beyond the specific transaction it was collected for, unless you separately opt in.
4. Cookies
We use a minimal set of cookies necessary for the Platform to function, primarily the anonymous session cookie described above. We do not use third-party advertising trackers.
5. Third-Party Processors
We share data with service providers solely to operate the Platform: Stripe (payments and payouts), Supabase (database and backend), Vercel (application hosting), and Resend (transactional email). Each processes data under their own privacy policies. We do not sell personal data.
6. Data Retention
Anonymous Buyer session data is retained only as long as necessary for attribution (typically hours to a few days). Discount-code emails are retained for up to 10 days or until redeemed, whichever is sooner. Host and Seller account data is retained while the account is active, and afterward as required for financial and legal recordkeeping.
7. Data Security
We use reasonable technical and organizational measures to protect personal data, including database access controls and encrypted connections. No system is completely secure.
8. Your Rights
Depending on your location, you may have rights to access, correct, or delete personal data we hold about you, or to object to certain processing. Where a Country-Specific Addendum grants additional rights, those apply on top of this section. Contact us using the details in Section 11 to exercise these rights.
9. Children's Privacy
The Platform is not directed at children, and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, contact us and we will delete it.
10. Changes to This Policy
We may update this Policy from time to time. For material changes, we will make reasonable efforts to provide notice before the change takes effect.
11. Contact
Questions about this Policy, or requests to exercise your data rights, can be directed to matchytouch.team@gmail.com.
Part 2 — Country-Specific Addenda
United Arab Emirates
MatchyTouch's current launch market is the United Arab Emirates. We are finalizing UAE-specific data protection details for this section — including applicable law, cross-border transfer disclosures, and local regulatory contacts — and will publish them here once complete. Until then, Part 1 above applies in full to UAE users.
Last updated: this document is under active development as MatchyTouch launches in new markets. See also our Terms of Service.