1. Introduction & scope

Matchai LLC ("Matchai," "we," "us," or "our"), a limited liability company organized under the laws of Saint Vincent and the Grenadines, operates the Matchai platform — a software service that provides technology tools for real estate professionals.

This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information when you access or use the Matchai platform (the "Service"), including the web application at matchai.co, associated subdomains, mobile applications, and APIs.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

This policy applies to all users of the Service, regardless of location. Additional rights and disclosures specific to your jurisdiction are provided in the regional addenda at the end of this policy.

2. Data controller

Matchai LLC is the data controller responsible for your personal information. Our contact details are:

• Entity: Matchai LLC
• Jurisdiction: Saint Vincent and the Grenadines
• Email: privacy@matchai.co

Where required by local law, we have appointed local representatives. See the relevant regional addendum for details.

3. Information we collect

We collect information in three categories:

4. How we use your information

We use your information for the following purposes:

• Providing and operating the Service: creating and managing your account, displaying your profile and listings, enabling messaging and collaboration features, and powering search functionality
• AI-powered features: processing your content and usage data to provide automated lead scoring, property recommendations, message drafting assistance, and other AI-assisted tools. AI features process your data to generate outputs — they do not share your data with other users unless you publish the output.
• Communication: sending you service-related notifications, security alerts, account verification messages, and (with your consent where required) product updates and announcements
• Analytics and improvement: understanding how the Service is used, identifying bugs and performance issues, and improving features and user experience
• Safety and security: detecting and preventing fraud, abuse, security incidents, and violations of our Terms of Service
• Legal compliance: fulfilling legal obligations, responding to lawful requests from authorities, and enforcing our agreements
• Search indexing: indexing your public profile, team, project, and listing information in our search engine to make it discoverable by other users of the platform

5. Legal bases for processing

Depending on your jurisdiction, we process your personal information on one or more of the following legal bases:

• Contract performance: processing necessary to provide the Service you requested when you created your account
• Legitimate interests: processing for our legitimate business interests, such as improving the Service, ensuring security, and preventing fraud, where those interests are not overridden by your rights
• Consent: processing based on your explicit consent, such as optional analytics, marketing communications, or use of specific AI features. You may withdraw consent at any time.
• Legal obligation: processing required to comply with applicable laws and regulations

6. Information sharing & disclosure

We do not sell your personal information. We do not rent or trade your personal information for monetary or other valuable consideration.

We may share your information in the following circumstances:

• With your direction: information you choose to make public (such as your profile, listings, and Professional Site) is visible to other users and visitors
• Service providers: we share information with trusted third-party service providers who assist in operating the Service, including cloud hosting (Vercel, Supabase), search infrastructure (Typesense), caching services (Upstash Redis), analytics (PostHog), and email delivery services. These providers are contractually obligated to use your data only as directed by us.
• Legal requirements: we may disclose information if required by law, regulation, legal process, or governmental request, or to protect our rights, property, or safety, or the rights, property, or safety of others
• Business transfers: if Matchai is involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
• With your consent: we may share information for other purposes with your explicit consent

7. International data transfers

Matchai LLC is based in Saint Vincent and the Grenadines, and our Service is hosted on infrastructure located in various countries. Your information may be transferred to and processed in countries other than your country of residence.

When we transfer personal information internationally, we implement appropriate safeguards to ensure your data receives an adequate level of protection, including:

• Standard Contractual Clauses (SCCs) approved by relevant authorities
• Transfers to countries recognized as providing adequate data protection
• Contractual obligations with our service providers that require equivalent data protection standards

For specific transfer mechanisms applicable to your jurisdiction, see the relevant regional addendum below.

8. Data retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:

• Account data: retained while your account is active and for a reasonable period afterward to allow for reactivation
• Listing and content data: retained while published; deleted content is removed from active systems within 30 days
• Messages: retained while both parties' accounts are active
• Analytics data: aggregated and anonymized analytics are retained indefinitely; identifiable analytics data is retained for up to 24 months
• Backup copies: purged within 90 days of deletion from active systems
• Legal holds: we may retain data longer if required by law, regulation, or legal proceedings

Upon account deletion, we will delete or anonymize your personal information within 30 days from active systems, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing agreements).

9. Data security

We implement technical and organizational measures designed to protect your personal information, including:

• Encryption in transit using TLS (Transport Layer Security) for all data transmitted between your device and our servers
• Row-Level Security (RLS) policies on our database to ensure users can only access data they are authorized to see
• Secure authentication via OAuth 2.0 with industry-standard providers
• Access controls that limit employee and contractor access to personal information on a need-to-know basis
• Regular security assessments and monitoring of our infrastructure
• Secure deletion procedures for data removed from the platform

No method of electronic transmission or storage is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

10. Cookies & tracking technologies

We use cookies and similar technologies for the following purposes:

• Essential cookies: required for authentication, session management, and core platform functionality. These cannot be disabled.
• Analytics: we use PostHog for product analytics, routed through our own domain infrastructure (not a third-party domain). This provides usage insights while minimizing exposure to third-party tracking.
• Feature flags: we use PostHog feature flags to manage gradual feature rollouts and A/B testing.

We do not use third-party advertising cookies or tracking pixels. We do not participate in cross-site advertising networks.

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of the Service.

11. Children's privacy

The Service is designed for real estate professionals and is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@matchai.co, and we will take steps to delete such information.

12. Changes to this policy & contact

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on the platform and updating the "Last updated" date. For significant changes, we will provide at least thirty (30) days' notice before the changes take effect.

Your continued use of the Service after the effective date of the revised policy constitutes acceptance of the changes.

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at privacy@matchai.co.

13. European Economic Area (GDPR)

If you are located in the European Economic Area (EEA), the following additional provisions apply under the General Data Protection Regulation (EU) 2016/679 ("GDPR"):

• Right of access: you may request a copy of the personal data we hold about you
• Right to rectification: you may request correction of inaccurate or incomplete personal data
• Right to erasure: you may request deletion of your personal data where there is no compelling reason for its continued processing
• Right to restrict processing: you may request that we limit how we use your data in certain circumstances
• Right to data portability: you may request your personal data in a structured, commonly used, machine-readable format
• Right to object: you may object to processing based on legitimate interests, including profiling
• Rights related to automated decision-making: you have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you

To exercise these rights, contact us at privacy@matchai.co. We will respond within 30 days.

You have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

International transfers from the EEA are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission.

14. United Kingdom (UK GDPR)

If you are located in the United Kingdom, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply. You have the same rights as described in the EEA section above.

International transfers from the UK are governed by the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.

You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

15. California, USA (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights:

• Right to know: you may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it
• Right to delete: you may request the deletion of your personal information, subject to certain exceptions
• Right to correct: you may request the correction of inaccurate personal information
• Right to opt out of sale or sharing: we do not sell your personal information or share it for cross-context behavioral advertising. No opt-out is necessary.
• Right to limit use of sensitive personal information: we only use sensitive personal information as necessary to provide the Service
• Right to non-discrimination: we will not discriminate against you for exercising your CCPA rights

To exercise these rights, contact us at privacy@matchai.co. We will verify your identity before fulfilling your request.

In the preceding 12 months, we have collected the categories of personal information described in Section 3 of this policy. We do not sell personal information as defined by the CCPA.

16. Other US states

If you reside in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, or other states with comprehensive privacy legislation, you may have similar rights including:

• Right to access, correct, and delete your personal data
• Right to data portability
• Right to opt out of targeted advertising (we do not engage in targeted advertising)
• Right to opt out of the sale of personal data (we do not sell personal data)
• Right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (we do not engage in such profiling)
• Right to appeal: if we decline your request, you may appeal our decision by contacting us at privacy@matchai.co

We honor universal opt-out preference signals (such as Global Privacy Control) where required by applicable state law.

17. Canada (PIPEDA & Quebec Law 25)

If you are located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, provincial privacy legislation apply.

• Consent: we collect, use, and disclose your personal information with your knowledge and consent, except where permitted or required by law
• Access and correction: you may request access to your personal information and request corrections to inaccurate data
• Withdrawal of consent: you may withdraw consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions. We will inform you of the implications of withdrawal.
• Complaints: you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca

18. Brazil (LGPD)

If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018) provides you with the following rights:

• Confirmation of the existence of processing
• Access to your personal data
• Correction of incomplete, inaccurate, or outdated data
• Anonymization, blocking, or deletion of unnecessary or excessive data
• Data portability to another service provider
• Information about public and private entities with which your data has been shared
• Information about the possibility of denying consent and the consequences thereof
• Revocation of consent
• Right to petition the Autoridade Nacional de Proteção de Dados (ANPD) regarding your data

Legal bases for processing under LGPD include consent, contract performance, legitimate interest, and compliance with legal obligations.

To exercise your rights, contact us at privacy@matchai.co.

19. Australia (Privacy Act 1988)

If you are located in Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply to our handling of your personal information.

• You may request access to the personal information we hold about you and request corrections if it is inaccurate, out of date, incomplete, or misleading
• We will take reasonable steps to notify you if we disclose your personal information to overseas recipients
• You may make a complaint about our handling of your personal information to us at privacy@matchai.co
• If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au

20. UAE & GCC

If you are located in the United Arab Emirates or other Gulf Cooperation Council member states, the following provisions apply:

21. Singapore (PDPA)

If you are located in Singapore, the Personal Data Protection Act 2012 (PDPA) applies.

• We collect, use, and disclose your personal data with your consent or as permitted under the PDPA
• You may request access to and correction of your personal data held by us
• You may withdraw consent for the collection, use, or disclosure of your personal data, subject to legal or contractual restrictions
• We will inform you of the likely consequences of withdrawing consent
• Complaints may be filed with the Personal Data Protection Commission (PDPC) at pdpc.gov.sg

22. Japan (APPI)

If you are located in Japan, the Act on the Protection of Personal Information (APPI) applies.

• We handle your personal information in accordance with APPI requirements
• You may request disclosure, correction, addition, deletion, cessation of use, or cessation of provision to third parties of your personal information
• Cross-border transfers are conducted in compliance with APPI requirements, including ensuring the recipient country provides equivalent data protection or obtaining your consent
• Complaints and inquiries may be directed to the Personal Information Protection Commission (PPC) at ppc.go.jp

To exercise your rights, contact us at privacy@matchai.co.

23. Mexico (LFPDPPP)

If you are located in Mexico, the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) applies.

• You have ARCO rights: Access, Rectification, Cancellation, and Opposition regarding your personal data
• You may limit the use or disclosure of your personal data
• To exercise your ARCO rights, submit a request to privacy@matchai.co with your name, a description of the personal data concerned, and the specific right you wish to exercise
• We will respond within 20 business days of receiving your request
• If you are not satisfied with our response, you may file a complaint with the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) at home.inai.org.mx

24. South Korea (PIPA)

If you are located in South Korea, the Personal Information Protection Act (PIPA) applies.

• We process your personal information with your consent or as permitted under PIPA
• You have the right to access, correct, delete, and suspend processing of your personal information
• We will notify you of the purpose of collection, items collected, retention period, and your rights at the time of collection
• Cross-border transfers are conducted with your consent or under contractual protections that ensure an equivalent level of protection
• We will destroy personal information without delay when the purpose of processing has been achieved or the retention period has expired
• Complaints may be filed with the Personal Information Protection Commission (PIPC) at pipc.go.kr

To exercise your rights, contact us at privacy@matchai.co.