Privacy Policy

1. Information We Collect

Account Information

When you create a MatchaClub account, we collect:

• Email address
• Display name and username
• Profile photo (if provided)
• Password (stored as a secure hash — we never store plaintext passwords)

If you sign in with Google, we receive your name, email address, and profile photo from Google in accordance with the permissions you grant.

Content You Create

We collect content you voluntarily submit to the service, including:

• Daily matcha check-ins and streak data
• Cafe reviews, ratings, and posts
• Photos you upload
• Votes and saves on community content
• Comments and interactions with other members

Location Information

When you search for or add a cafe, you may choose to share your location to help find nearby venues. We use this only to fulfill your search request and do not store your precise location continuously or in the background.

Device and Usage Information

We automatically collect certain technical information when you use our app, including:

• Device type, operating system, and app version
• IP address (used for security and fraud prevention)
• App usage patterns and feature interactions (anonymized)
• Crash reports and error logs (used to improve reliability)

2. How We Use Your Information

We use the information we collect to:

• Create and manage your account
• Provide, maintain, and improve the MatchaClub service
• Display your content to other users on the community feed and rankings
• Calculate streaks, check-in counts, and other in-app statistics
• Send transactional notifications (e.g., account verification, password reset) with your consent
• Detect and prevent fraud, abuse, or security incidents
• Comply with legal obligations
• Respond to your support requests

We do not use your data to serve targeted advertising. We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

3. Third-Party Services

MatchaClub integrates with the following third-party services. Each is governed by its own privacy policy:

Supabase

We use Supabase for database storage and user authentication. Your account data, content, and app activity are stored on Supabase-managed infrastructure. Supabase is SOC 2 Type II certified. See supabase.com/privacy.

Google Sign-In

If you choose to sign in with Google, Google's OAuth service handles authentication. We receive only the basic profile information you authorize. See policies.google.com/privacy.

Google Maps Platform

We use the Google Maps API to support cafe search and location features. When you perform a cafe search, your query and approximate location may be sent to Google. See policies.google.com/privacy.

Apple App Store / Google Play Store

If you downloaded MatchaClub through the Apple App Store or Google Play Store, those platforms may collect certain device and download information in accordance with their own privacy policies.

4. Data Sharing and Disclosure

We do not sell your personal data. We may share your information only in the following limited circumstances:

• Service providers: With trusted vendors who help us operate the service (e.g., Supabase for database and auth), under strict confidentiality agreements.
• Public content: Content you post publicly (cafe reviews, photos, check-ins) is visible to other MatchaClub members.
• Legal requirements: If required by law, court order, or governmental authority, or to protect the rights, property, or safety of MatchaClub, our users, or the public.
• Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data is subject to a different privacy policy.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with services. If you delete your account, we will delete your personal data within 30 days, except where we are required by law to retain it longer or where data has been anonymized and aggregated for analytics purposes.

Community content you have posted (reviews, photos) may remain visible to other users after account deletion unless you explicitly delete that content before closing your account.

6. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Update or correct inaccurate information in your profile at any time through the app settings.
• Deletion: Request deletion of your account and personal data. You can delete your account directly from the Profile section of the app.
• Portability: Request an export of your data in a machine-readable format.
• Opt-out of communications: Unsubscribe from non-transactional emails at any time using the unsubscribe link in those emails.
• Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

For California residents (CCPA): you have the right to know what personal information we collect, disclose, and sell. We do not sell personal information. To exercise your rights, contact us at the address below.

For EEA/UK residents (GDPR): the legal bases for our processing are performance of a contract (providing you the service), our legitimate interests (security, service improvement), and your consent (where applicable). You have the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at privacy@matchaclub.co.

7. Children's Privacy

MatchaClub is not directed to children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children under these ages. If we become aware that a child under the applicable age has provided us with personal information without parental consent, we will take steps to delete that information. If you believe a child has provided us with their information, please contact us at privacy@matchaclub.co.

8. Security

We take reasonable technical and organizational measures to protect your personal information against unauthorized access, loss, alteration, or disclosure. These include encrypted data transmission (HTTPS/TLS), secure password hashing, and access controls on our database. However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

9. International Data Transfers

MatchaClub is operated from and our data infrastructure is primarily located in the United States. If you access our service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. We ensure that such transfers are made in compliance with applicable data protection laws.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will notify you through the app or by email before the change takes effect. Your continued use of MatchaClub after any changes constitutes your acceptance of the updated policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: privacy@matchaclub.co
• General inquiries: hello@matchaclub.co

We aim to respond to all privacy-related requests within 30 days.