Privacy Policy

Last updated: April 10, 2026

This Privacy Policy describes how Matchcast (matchcast.app) collects, uses, and protects your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation — GDPR) and applicable national data protection laws.

1. Data Controller

The data controller is the operator of Matchcast (matchcast.app). For data protection inquiries, please contact us at: privacy@matchcast.app.

2. Data We Collect

We collect the following categories of personal data:

  • Registration data — name or pseudonym (display name), email address, password (stored exclusively in encrypted form).
  • Profile data — language preference, account plan (Free/Premium), registration date.
  • Activity data — match predictions, Group memberships, ranking positions, Event history.
  • Technical data — IP address, browser type, operating system — collected exclusively in anonymized form through Plausible Analytics (cookieless, no individual tracking).
  • Payment data — for Premium Plan users — transaction data processed by payment provider Stripe. The Operator does not store payment card numbers.

3. Purposes of Data Processing

We process personal data for the following purposes:

  • Service provision — Account management, prediction processing, and rankings (Art. 6(1)(b) GDPR — contract performance).
  • Transactional messages — registration confirmation, email verification, password reset, Terms change notifications (Art. 6(1)(b) GDPR).
  • Optional notifications — emails about Group and Event activities (Art. 6(1)(a) GDPR — consent, withdrawable at any time).
  • Security — detecting abuse, protecting against attacks (Art. 6(1)(f) GDPR — legitimate interest).
  • Analytics — anonymized statistical analysis of Platform traffic (Art. 6(1)(f) GDPR).
  • Payments — processing transactions for the Premium Plan (Art. 6(1)(b) GDPR).

4. Legal Basis for Processing

Personal data processing is based on the following legal grounds:

  • Art. 6(1)(a) GDPR — User consent (email notifications, Terms acceptance).
  • Art. 6(1)(b) GDPR — necessity for the performance of a contract for electronic service provision.
  • Art. 6(1)(c) GDPR — compliance with legal obligations (e.g., tax obligations for payments).
  • Art. 6(1)(f) GDPR — legitimate interest of the Controller (security, analytics, legal claims).

Where processing is based on consent, the User may withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

5. Data Recipients

Personal data may be disclosed to the following categories of recipients:

  • Technical service providers — hosting, error monitoring, transactional email — only to the extent necessary for service provision.
  • Payment processor (Stripe) — Premium Plan transaction processing.
  • Other Platform Users — public data: display name, predictions, ranking positions.
  • Public authorities — only pursuant to applicable law, upon request from authorized bodies.

The Operator does not sell personal data and does not share it with third parties for marketing purposes.

6. Data Retention Periods

We retain personal data for the following periods:

  • Account data — for the duration of Account activity and up to 30 days after deletion.
  • Transaction data — for the period required by tax legislation (5 years from the end of the tax year).
  • Statistical data — anonymized predictions and rankings (without identifying data) — indefinitely.
  • Technical logs — maximum 90 days.
  • Backups — maximum 30 days after data removal from the production system.

7. Your Rights

Under GDPR, you have the following rights:

  • Right of access (Art. 15) — obtain information about your processed personal data.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten").
  • Right to restriction (Art. 18) — restrict processing in certain situations.
  • Right to data portability (Art. 20) — receive your data in a structured format (JSON).
  • Right to object (Art. 21) — object to processing based on legitimate interest.
  • Withdraw consent (Art. 7(3)) — at any time, without affecting prior processing.
  • Complaint to supervisory authority — President of UODO, ul. Stawki 2, 00-193 Warsaw, Poland.

To exercise these rights, contact us at: privacy@matchcast.app. We will respond to your request within 30 days.

8. Automated Decision-Making

The Platform does not make decisions based solely on automated data processing, including profiling, that produce legal effects or similarly significantly affect Users. Ranking and scoring calculations are performed automatically but are purely informational and recreational in nature.

9. Cookies and Tracking Technologies

The Platform uses only essential technical cookies necessary for proper operation: a session cookie (User authentication, expires on browser close or session timeout) and a language preference cookie (storing the selected interface language). We do not use advertising, marketing, or tracking cookies. Our analytics tool (Plausible Analytics) operates without cookies and does not collect personal data — it gathers only anonymized traffic statistics.

10. Third-Party Service Providers

We use the following external services:

  • Plausible Analytics (Plausible Insights OU, Estonia, EU) — anonymized traffic analytics, cookieless, GDPR-compliant.
  • Sentry (Functional Software Inc., USA) — application error monitoring — technical error data may contain anonymized diagnostic information.
  • Resend (Resend Inc., USA) — transactional email delivery (verification, password reset, notifications) — processes recipient email addresses.
  • Stripe (Stripe Inc., USA) — Premium Plan payment processing — handles transaction data in compliance with PCI DSS.

11. International Data Transfers

Some external service providers (Sentry, Resend, Stripe) are based in the United States. Data transfers to the US are carried out on the basis of Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR or an adequacy decision (EU-US Data Privacy Framework), where the entity is certified. The Controller endeavors to ensure an appropriate level of personal data protection consistent with GDPR requirements.

12. Children's Data

The Platform is intended for individuals aged 16 and older. We do not knowingly collect personal data from children under 16 years of age. If we become aware that personal data has been collected from a person under 16 without parental or guardian consent, we will promptly delete such data.

13. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy. Users will be notified of significant changes at least 14 days in advance via email or in-Platform notification. The current version is always available at matchcast.app/privacy.

14. Contact

For data protection inquiries, to exercise your rights, or for any questions regarding this Privacy Policy, please contact us at: privacy@matchcast.app. We respond to inquiries within 30 days of receipt.

This document requires review by a qualified legal professional before production deployment.