Privacy Policy

Last updated: April 20, 2026

1. Introduction

Matcha Alert Club ("we", "us", "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and service (the "Service").

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this Policy, please do not use the Service.

2. Information We Collect

2.1 Information You Provide to Us

We collect information you voluntarily provide when using the Service:

  • Account Registration: Email address, password (stored encrypted), and optional name for personalization
  • Alert Preferences: Products you track, watchlist items, notification preferences
  • Communications: Content of messages when you contact customer support or send inquiries
  • Payment Information (if applicable): When you make a purchase, our payment processor (Stripe or Whop) collects payment card details. We do not store full credit card numbers on our servers.

2.2 Information Automatically Collected

When you access the Service, we automatically collect certain information:

  • Device & Browser Information: IP address, browser type and version, operating system, device type, screen resolution, language preferences
  • Usage Data: Pages visited, features used, time spent on pages, clickstream data, referral sources, session duration
  • Cookies and Tracking Technologies: See our Cookie Policy for details on cookies, web beacons, and similar technologies
  • Server Logs: HTTP requests, timestamps, response codes, errors

2.3 Information from Third-Party Sources

  • Social Login (if implemented): If you register via Google or other social providers, we receive your name, email, and profile picture from those services
  • Analytics Providers: Google Analytics provides aggregated demographic and interest data

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 To Provide and Maintain the Service

  • Create and manage your account
  • Monitor product availability and send restock alerts via email and push notifications
  • Display your watchlist and alert history
  • Authenticate your identity and maintain account security

3.2 To Process Payments (If Applicable)

  • Process transactions and send transaction confirmations
  • Prevent fraudulent transactions and unauthorized access
  • Maintain billing records for tax and accounting purposes

3.3 To Improve and Analyze the Service

  • Analyze usage patterns and trends to improve features and user experience
  • Conduct research and development for new features
  • Debug technical issues and optimize performance
  • Test new features and interfaces

3.4 To Communicate with You

  • Send service-related notifications (e.g., security alerts, account changes)
  • Respond to customer support requests and inquiries
  • Send marketing emails about new features or promotions (you can opt out anytime)
  • Request feedback or conduct surveys

3.5 For Legal and Security Purposes

  • Comply with applicable laws, regulations, legal processes, or government requests
  • Enforce our Terms of Service and other policies
  • Detect, prevent, and address fraud, security issues, or technical problems
  • Protect the rights, property, and safety of Matcha Alert Club, our users, and the public

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), UK, or Switzerland, we process your personal data based on the following legal grounds:

  • Contract Performance (GDPR Art. 6(1)(b)): Processing is necessary to provide the Service you requested (e.g., sending restock alerts, managing your account)
  • Consent (GDPR Art. 6(1)(a)): You have given explicit consent for specific purposes (e.g., marketing emails, non-essential cookies). You can withdraw consent at any time.
  • Legitimate Interests (GDPR Art. 6(1)(f)): Processing is necessary for our legitimate business interests (e.g., fraud prevention, service improvement, analytics) that do not override your fundamental rights
  • Legal Obligation (GDPR Art. 6(1)(c)): Processing is required to comply with applicable laws (e.g., tax records, law enforcement requests)

5. How We Share Your Information

We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:

5.1 Service Providers and Subprocessors

We share data with third-party service providers who assist in operating the Service:

| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase (database) | Database hosting & authentication | All account data | AWS (Singapore) |
| Vercel | Frontend hosting & CDN | IP address, browser info | Global (USA primary) |
| Google Analytics | Usage analytics | IP (anonymized), pages viewed, device type | USA |
| Google Ads | Advertising & conversion tracking | IP address, ad interaction data | USA |
| Stripe (if payments enabled) | Payment processing | Email, billing details, payment card info | USA |

Data Processing Agreements: We require all service providers to sign Data Processing Agreements (DPAs) or Business Associate Agreements (BAAs) to ensure they handle your data securely and in compliance with applicable privacy laws.

5.2 Legal Requirements

We may disclose your information if required by law or in response to:

  • Valid legal processes (subpoenas, court orders, search warrants)
  • Government or regulatory requests
  • Law enforcement investigations
  • Legal claims or disputes

5.3 Business Transfers

If Matcha Alert Club is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred to the successor entity. We will notify you of any such change via email and/or a prominent notice on the Service.

5.4 With Your Consent

We may share information for other purposes with your explicit consent.

6. International Data Transfers

Your information may be transferred to and stored on servers located in various countries, including the United States and Singapore.

When we transfer personal data from the EEA to countries that do not provide an adequate level of data protection (as determined by the European Commission), we rely on the following safeguards:

  • Standard Contractual Clauses (SCCs): EU-approved contract terms that require service providers to protect your data
  • Adequacy Decisions: The European Commission has determined certain countries provide adequate data protection
  • Privacy Shield (if applicable): Some U.S. service providers are certified under the EU-U.S. Data Privacy Framework

By using the Service, you consent to the transfer of your information to these locations.

7. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Policy:

  • Account Data: Retained while your account is active and for 30 days after account deletion (to allow recovery if deleted by mistake)
  • Transaction Records: Retained for 7 years to comply with tax law requirements
  • Server Logs: Retained for 90 days for security and troubleshooting purposes
  • Marketing Emails: Retained until you unsubscribe or request deletion
  • Analytics Data: Anonymized usage data may be retained indefinitely for statistical purposes

After the retention period expires, we securely delete or anonymize your information so that it can no longer identify you.

8. Your Privacy Rights

You have the following rights regarding your personal information:

8.1 Rights for All Users

  • Access: Request a copy of the personal information we hold about you
  • Rectification: Correct inaccurate or incomplete information
  • Deletion: Request that we delete your account and associated data ("right to be forgotten")
  • Portability: Receive your data in a machine-readable format (JSON) to transfer to another service
  • Opt-Out of Marketing: Unsubscribe from promotional emails at any time

8.2 Additional Rights for EU/EEA Users (GDPR)

  • Object to Processing: Object to processing based on legitimate interests
  • Restrict Processing: Request that we temporarily halt processing your data
  • Withdraw Consent: Withdraw consent for data processing at any time (does not affect processing that occurred before withdrawal)
  • Lodge a Complaint: File a complaint with your local data protection authority

8.3 Additional Rights for California Residents (CCPA)

  • Know: Request disclosure of categories and specific pieces of personal information collected
  • Delete: Request deletion of personal information we collected from you
  • Opt-Out of Sale: We do not sell your personal information
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

8.4 How to Exercise Your Rights

To exercise any of these rights, you can:

  • Email us: legal@matchaalertclub.com
  • Use Dashboard Settings: Visit your Dashboard to update preferences or delete your account (⚠️ feature to be implemented)
  • Unsubscribe Link: Click "Unsubscribe" at the bottom of any marketing email

We will respond to your request within 30 days. For security purposes, we may ask you to verify your identity before processing your request.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

  • Encryption: All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS). Passwords are hashed and salted using industry-standard algorithms.
  • Access Controls: Access to personal data is restricted to authorized personnel who need it to perform their job functions
  • Regular Security Audits: We regularly review our security practices and update them as needed
  • Secure Infrastructure: Our hosting providers (Supabase, Vercel) maintain SOC 2 Type II compliance and other security certifications

Data Breach Notification: In the event of a data breach that affects your personal information, we will notify you and relevant supervisory authorities within 72 hours, as required by GDPR.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

10. Children's Privacy

The Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at legal@matchaalertclub.com. We will take steps to delete such information from our systems within 30 days.

11. Cookies and Tracking Technologies

We use cookies, web beacons, and similar technologies to enhance your experience and collect usage data. For detailed information about the cookies we use and your choices, please see our Cookie Policy.

12. Do Not Track (DNT) Signals

Our Service does not currently respond to Do Not Track (DNT) browser signals. You can disable cookies in your browser settings or use our cookie consent banner to opt out of non-essential cookies.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by:

  • Posting the updated Policy on this page with a new "Last Updated" date
  • Sending an email notification to the address associated with your account
  • Displaying a prominent notice on the Service

Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance of the changes. We encourage you to review this Policy periodically.

14. Contact Information & Data Protection Officer

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Protection Officer (DPO): If your business processes personal data for more than 10,000 EU residents or handles sensitive data categories, you may be required to appoint a DPO under GDPR. If applicable, add DPO contact information here.

15. Supervisory Authorities

If you are located in the EU/EEA and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority. Contact information for EU/EEA data protection authorities is available at EDPB.