MatchMind

Privacy Policy

How MatchMind collects, uses, and protects your data. Last updated: May 2026

1. Data We Collect

  • Account data: email address, full name, hashed password, phone number (optional), and subscription tier.
  • Usage data: page views, API requests, and session metadata used for analytics, security monitoring, and abuse prevention.
  • Billing data: subscription status, renewal dates, and payment method brand (e.g. Visa). Card numbers, CVV, and bank details are processed exclusively by Stripe and never transmitted to or stored on our servers.

2. How We Use Your Data

  • To authenticate your account and enforce role-based access controls.
  • To deliver predictions, analytics, and subscription entitlements.
  • To send subscription confirmation emails and billing notifications via Resend.
  • To detect and prevent abuse, fraud, and unauthorized access.
  • To improve model quality using aggregated, anonymized performance data.

3. Data Retention

  • Account data is retained for the duration of your account plus 30 days after deletion to allow recovery from accidental deletion.
  • Billing event logs are retained for 7 years to comply with Dutch tax and accounting obligations.
  • Security logs (access attempts, rate-limit events) are retained for 90 days.
  • Prediction data (model outputs, evaluation results) is retained indefinitely as part of the analytical dataset and does not contain personal identifiers beyond a user ID reference.

4. Data Security

  • Passwords are stored as bcrypt hashes. We never store or log plaintext credentials.
  • All traffic is transmitted over TLS. HTTP requests are redirected to HTTPS.
  • Refresh tokens are stored in HttpOnly, Secure cookies, not in JavaScript-accessible storage.
  • Operational logs redact sensitive values (tokens, passwords, connection strings) by policy.
  • Database access is restricted to a least-privilege application user. Privileged credentials are blocked at the application layer in production environments.

5. Third-Party Services

  • Stripe: payment processing. Stripe processes card data directly under their PCI DSS compliance program. MatchMind is PCI SAQ A scoped (no card data touches our servers).
  • Resend: transactional email delivery. Your email address is transmitted to Resend solely to deliver subscription confirmation emails.
  • Sportmonks: football data provider. No personal data is shared with Sportmonks.
  • Neon / AWS: database and cloud infrastructure. Data is stored in EU-based data centers (eu-central-1).

6. Your GDPR Rights

MatchMind is operated from the Netherlands and processes personal data in accordance with the General Data Protection Regulation (GDPR, Regulation EU 2016/679).

  • Right of access: You may request a copy of the personal data we hold about you at any time.
  • Right to erasure: You may request deletion of your account and all associated personal data ("right to be forgotten").
  • Right to portability: You may request your personal data in a structured, machine-readable format (JSON).
  • Right to rectification: You may correct inaccurate personal data via your account profile page.
  • Right to object: You may object to processing of your data for direct marketing purposes at any time.
  • Contact: For any privacy enquiry or to exercise a GDPR right, email the MatchMind data protection contact at privacy@matchmind.io. We respond within 30 days.
  • We do not sell your personal data to any third party.