LEGAL
Privacy Policy
Last updated: 14 June 2026
1. WHO WE ARE
Matchroom is operated by Matchroom, England.
Data controller contact: support@getmatchroom.app
2. WHAT DATA WE COLLECT AND WHY
| DATA | WHY | LEGAL BASIS |
|---|---|---|
| Email address or phone number | To authenticate your account via magic link or OTP | Contract performance |
| Display name | To show you in pool leaderboards and member lists | Contract performance |
| Prediction picks and results | To run the pool and generate results | Contract performance |
| Payment information | Processed by Stripe; we receive only confirmation and a transaction ID, never your card details | Contract performance |
| Device type and browser | Included automatically in error reports you choose to send | Legitimate interests |
| Usage analytics | Aggregated, anonymous analytics via Plausible (no cookies, no personal data) | Legitimate interests |
| Email preferences | To respect your communication opt-outs | Legal obligation / consent |
We do not collect your IP address for tracking purposes. We do not sell your data to any third party. We do not use your data for advertising.
3. WHO WE SHARE DATA WITH
We share your data only with the following processors, solely to operate the service:
- Supabase (Supabase Inc., USA) — database and authentication. Data stored in EU-West region. Supabase DPA: supabase.com/privacy
- Stripe (Stripe Inc., USA) — payment processing. Stripe processes payment data under their own privacy policy: stripe.com/privacy
- Resend (Resend Inc., USA) — transactional email delivery. resend.com/privacy
- Vercel (Vercel Inc., USA) — hosting and content delivery. vercel.com/legal/privacy-policy
- API-Football (RapidAPI) — sports data. We send no personal data to this service; it provides only match fixtures and results.
All processors are contractually bound to process your data only as instructed by us and in compliance with UK GDPR.
4. HOW LONG WE KEEP YOUR DATA
| DATA TYPE | RETENTION PERIOD |
|---|---|
| Account data (email, display name) | Until you request deletion |
| Pool and pick history | Until you request deletion |
| Payment records | 7 years (legal requirement) |
| Error reports | 90 days |
| Anonymous analytics | 12 months rolling |
5. YOUR RIGHTS UNDER UK GDPR
You have the right to:
- Access — request a copy of all data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your account and associated data
- Portability — receive your data in a machine-readable format
- Object — opt out of any processing based on legitimate interests
- Withdraw consent — unsubscribe from marketing emails at any time
To exercise any of these rights, email support@getmatchroom.app with the subject line "Data Request." We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ico.org.uk).
6. COOKIES
Matchroom uses Plausible Analytics, which is cookieless and collects no personal data. We do not set advertising, tracking, or analytics cookies. We set one functional cookie to maintain your authenticated session; this is strictly necessary for the service to work and does not require your consent.
7. SECURITY
We use industry-standard security measures including encryption in transit (TLS), encryption at rest (Supabase), and Row Level Security policies ensuring users can only access their own data. We enforce authentication on all data access. In the event of a data breach affecting your personal data, we will notify you and the ICO within 72 hours as required by law.
8. CHANGES TO THIS POLICY
We will notify you of material changes by email at least 7 days before they take effect.