1. Controller and Contact Information
MysMatch is operated by Sepehr Asgari ("MysMatch", "we", "us", "our"), based in Germany.
For any privacy-related inquiries or to exercise your rights under applicable data protection law, please contact us at:
Email: contact@mys-match.com
Website: https://mys-match.com
2. Information We Collect
We collect the following categories of personal data:
a) Information you provide directly:
- Account data: email address, password (hashed), first name, last name, gender, date of birth
- Profile data: university, major, semester, study level, study description, city, profile photo
- Phone number: for identity verification via SMS
- Communications: messages you send to other users through the app
- Event data: events you create or register for
- Reports: information you provide when reporting other users
b) Information collected automatically:
- Device information: device type, operating system, app version, unique device identifiers
- Usage data: app interactions, screens viewed, features used, search and match history, session duration
- Location data: city-level location (only when you grant permission)
- Crash data: technical error logs, stack traces, device state at time of crash
- Analytics data: anonymized interaction patterns, feature usage statistics
c) Information from third parties:
- Google Places API: city and address suggestions based on your search input
- Authentication providers: email verification status from Supabase Auth
3. Legal Basis for Processing (GDPR Art. 6)
We process your personal data on the following legal bases:
- Contract performance (Art. 6(1)(b) GDPR): processing necessary to provide the MysMatch service, including account creation, profile management, matching, messaging, and event features
- Consent (Art. 6(1)(a) GDPR): analytics tracking (Mixpanel), push notifications (OneSignal), location access, and app tracking transparency (iOS). You may withdraw consent at any time
- Legitimate interest (Art. 6(1)(f) GDPR): crash monitoring (Sentry), fraud prevention, security measures, and service improvement
- Legal obligation (Art. 6(1)(c) GDPR): compliance with applicable laws, responding to lawful requests from authorities
4. How We Use Your Information
We use your personal data for the following purposes:
- Providing the service: creating and managing your account, displaying your profile to potential matches, facilitating matching and messaging, enabling event discovery and registration
- Communication: sending push notifications about new matches, messages, and match requests; sending transactional emails (password reset, email verification)
- Safety and security: verifying identities via phone number, processing user reports and blocks, detecting and preventing abuse, enforcing our Terms of Service
- Improvement: analyzing aggregated usage patterns, monitoring app stability and performance, identifying and fixing bugs
- Legal compliance: responding to lawful data requests, maintaining records as required by law
5. Data Sharing and Third-Party Services
We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
a) With other users:
- Your profile information (name, photo, university, major, age, city) is visible to users who may be potential matches
- Your messages are visible to the recipient
- Event creators can see the list of registered attendees
b) With service providers (data processors):
- Supabase (Supabase Inc., USA): database hosting, user authentication, file storage
- OneSignal (OneSignal Inc., USA): push notification delivery. Receives your device token and user ID
- Mixpanel (Mixpanel Inc., USA): analytics and event tracking. Receives anonymized usage data
- Sentry (Functional Software Inc., USA): crash reporting and error monitoring. Receives device and error data
- Twilio (Twilio Inc., USA): SMS verification. Receives your phone number
- Google Places API (Google LLC, USA): address and city autocomplete. Receives search queries
- Firebase Cloud Messaging (Google LLC, USA): push notification infrastructure for Android
c) With authorities:
- When required by law, court order, or governmental regulation
- To protect the safety of our users or the public
- To protect our legal rights
All service providers are contractually bound to process your data only on our behalf and in accordance with this Privacy Policy and applicable data protection law.
6. International Data Transfers
Some of our service providers are based in the United States. When your data is transferred outside the European Economic Area (EEA), we ensure adequate protection through:
- EU Standard Contractual Clauses (SCCs) agreed with each provider
- The provider's certification under applicable data protection frameworks
By using MysMatch, you acknowledge that some data processing occurs outside the EEA under these safeguards.
7. Data Retention
We retain your personal data as follows:
- Active accounts: your data is retained for as long as your account is active
- Deleted accounts: after you delete your account, we retain your data for 30 days to allow account restoration, after which all personal data is permanently and irreversibly deleted from our systems
- Messages: deleted when the associated match or user account is removed
- Crash reports: retained for 90 days, then automatically deleted
- Analytics data: retained in identifiable form for 12 months, then aggregated and anonymized
- Legal holds: data may be retained longer if required by law or ongoing legal proceedings
8. Your Rights Under GDPR
As a user based in the EEA, you have the following rights under the General Data Protection Regulation:
- Right of access (Art. 15): request a copy of all personal data we hold about you
- Right to rectification (Art. 16): correct inaccurate or incomplete data via your profile settings or by contacting us
- Right to erasure (Art. 17): delete your account and all associated data directly from the app (Profile → Delete Account)
- Right to restrict processing (Art. 18): request that we limit how we use your data
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)): withdraw consent for analytics, notifications, or location at any time via your device settings or by contacting us. Withdrawal does not affect the lawfulness of prior processing
To exercise any of these rights, contact us at contact@mys-match.com. We will respond within 30 days.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority. In Germany, this is the relevant state data protection authority (Landesdatenschutzbeauftragter) for your federal state.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- All data transmitted between your device and our servers is encrypted using TLS/HTTPS
- Passwords are hashed and never stored in plain text
- Row-level security (RLS) policies on our database ensure users can only access their own data
- Secure token-based authentication with automatic session expiry
- Optional biometric authentication (Face ID, fingerprint) or PIN lock within the app
- Regular security audits of our database policies, functions, and access controls
- Service provider access is limited to the minimum necessary for their function
No system is 100% secure. If you become aware of a security vulnerability, please report it to contact@mys-match.com immediately.
10. Cookies and Tracking Technologies
The MysMatch mobile app does not use browser cookies. However, we use the following technologies:
- Mixpanel SDK: uses local storage to track anonymized usage events and session data. You can opt out via iOS App Tracking Transparency or by contacting us
- OneSignal SDK: stores a device token for push notification delivery. You can disable notifications in your device settings
- Sentry SDK: collects crash data automatically. This is based on our legitimate interest in maintaining app stability
On our website (mys-match.com), we do not use cookies or third-party tracking scripts.
11. Age Requirement
MysMatch is designed for university students. You must be at least 16 years old to create an account and use the service, in accordance with Art. 8 GDPR as implemented by German law (§ 8 TTDSG).
We do not knowingly collect personal data from anyone under 16. If we learn that we have collected data from a user under 16, we will promptly delete the account and associated data. If you believe a person under 16 is using MysMatch, please contact us at contact@mys-match.com.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
For significant changes, we will notify you through:
- An in-app notification
- An email to the address associated with your account
The "Last updated" date at the top indicates when the policy was last revised. Continued use of MysMatch after the effective date of changes constitutes your acceptance of the revised policy. If you do not agree with the changes, you may delete your account.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: contact@mys-match.com
Website: https://mys-match.com
We aim to respond to all inquiries within 30 days.