1. Introduction
Matcha ("we," "our," or "us") is an AI-native talent matching platform. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service. We are committed to transparency and compliance with applicable privacy laws, including the GDPR (for users in the EU/EEA) and the CCPA/CPRA (for California residents).
2. Data We Collect
We collect data in the following categories:
Account and identity data: Name, email address, profile information, and OAuth credentials (e.g., from Google sign-in). We do not store passwords when you sign in with a third-party provider.
Profile and career data: Resumes, work history, skills, preferences, job search signals (Yes/No/Maybe), and other information you provide to build your profile or improve matches.
Usage and behavioral data: Search queries, filter selections, pages visited, feature usage, session duration, and interaction patterns. We use this to improve the Service and personalize your experience.
Technical data: IP address, browser type, device information, and cookies or similar identifiers. We use this for security, analytics, and basic functionality.
Communication data: Messages you send through the Service, including intro requests and responses.
3. How We Use Your Data
We use your data to: (a) operate and improve the matching platform; (b) personalize search results and recommendations; (c) facilitate introductions between talent, matchmakers, and employers; (d) send transactional and optional marketing communications; (e) detect and prevent fraud or abuse; (f) comply with legal obligations; and (g) improve our AI and matching models. We do not sell your personal information.
4. AI and Machine Learning
Matcha uses AI and machine learning for matching, search, and insights. Your profile data, search behavior, and preferences may be processed by AI systems to generate match scores, summaries, and recommendations. We may use third-party AI providers (e.g., for language models) under data processing agreements. AI outputs are for informational purposes and may not always be accurate. We do not use your data to train general-purpose AI models for sale to third parties.
5. Third-Party Services
We use third-party services that may receive some of your data:
Authentication: Google OAuth for sign-in. We receive your email and basic profile from Google.
Analytics: Google Analytics to understand usage patterns. Analytics data may be collected before consent in some regions; we configure analytics to respect privacy preferences where required.
Email: Email delivery services (e.g., Postmark) to send transactional and optional notifications.
Cloud infrastructure: Our application and data are hosted on cloud providers (e.g., Vercel, Supabase, or similar) that process data on our behalf under data processing agreements.
Each provider has its own privacy policy. We select providers that meet our security and privacy standards.
6. Data Retention
We retain your data for as long as your account is active and as needed to provide the Service. If you close your account, we will delete or anonymize your personal data within a reasonable period, except where we must retain it for legal, regulatory, or legitimate business purposes (e.g., resolving disputes, enforcing agreements). Backups may retain data for a limited period before being overwritten.
7. Data Security
We implement technical and organizational measures to protect your data, including encryption in transit (TLS) and at rest, access controls, and secure development practices. No system is completely secure; we will notify you and relevant authorities of data breaches as required by law.
8. Your Rights
Depending on where you live, you may have the following rights:
Access: Request a copy of the personal data we hold about you.
Rectification: Correct inaccurate or incomplete data.
Erasure: Request deletion of your data ("right to be forgotten").
Portability: Receive your data in a structured, machine-readable format.
Objection: Object to processing based on legitimate interests.
Restriction: Limit how we process your data in certain circumstances.
Withdraw consent: Where we rely on consent, you may withdraw it at any time.
To exercise these rights, contact us via the contact form on our website. We will respond within the timeframes required by applicable law. You may also have the right to lodge a complaint with a supervisory authority.
9. California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights: the right to know what personal information we collect and why; the right to delete; the right to correct; the right to opt out of the "sale" or "sharing" of personal information (we do not sell personal information); and the right to non-discrimination for exercising your rights. We will not discriminate against you for exercising your privacy rights.
10. International Transfers
Your data may be processed in the United States or other countries where our service providers operate. When we transfer data from the EU/EEA to countries without adequacy decisions, we use appropriate safeguards such as Standard Contractual Clauses.
11. Cookies and Tracking
We use cookies and similar technologies for authentication, security, and analytics. You can control cookies through your browser settings. Some features may not work correctly if you disable cookies.
12. Children
The Service is not intended for users under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. The "Last updated" date at the top indicates when the policy was last revised. Continued use of the Service after changes constitutes acceptance.
14. Contact
For privacy-related questions or to exercise your rights, contact us via the contact form on our website. We will respond as promptly as required by applicable law.