Your privacy matters. Here's how we collect, use and protect your personal data.
Last updated: April 2026
MatchToy (“we”, “us”, “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store and share your personal data when you visit our website, create an account, place an order or interact with us in any way.
We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our registered address is Office 18439, 182-184 High Street North, East Ham, London, E6 2JA.
By using our website you acknowledge that you have read and understood this policy. If you have any questions about your data, please contact us at privacy@matchtoy.com.
We may collect and process the following personal data:
• Identity data: Your email address and an optional display name. We do not store your date of birth — only a timestamp confirming you completed our age verification.
• Contact data: If you place an order (Phase 1.5 and later), your delivery address and telephone number for courier notifications.
• Payment data: Payment card details are processed by Stripe (PCI DSS Level 1 certified) and never stored on our servers. We hold only a payment reference.
• Order data: Details of the products you have purchased, order history and delivery information (Phase 1.5 and later).
• ⚠️ Quiz and preference data (special category): Your answers to our product recommendation quiz constitute “data concerning a natural person's sex life” under UK GDPR Article 9. This is special category data and we process it only with your explicit consent under Article 9(2)(a). You give this consent on a dedicated screen before the quiz starts and can withdraw it any time in your account settings, which permanently deletes all stored answers.
• Cart and wishlist data: Product handles and quantities you have added. No personal information is stored in these rows directly — just references to products in our catalogue.
• Technical data: IP address and user agent, held briefly for abuse prevention (rate limiting, spam filtering, fraud detection) under our legitimate interest.
• Consent audit log: We keep a timestamped record of every consent action you take (terms accepted, privacy policy accepted, marketing opt-in, cookie choices, age verification, quiz consent, etc.). This is required by UK GDPR Article 7 (demonstrable consent) and is retained as long as your account exists.
• Marketing data: Your preferences for receiving marketing communications and any unsubscribe actions.
We use your personal data for the following purposes and on the following legal bases:
• To process and fulfil your orders (legal basis: performance of a contract, Art 6(1)(b)). Taking payment, forwarding the order to our drop-ship partner Xtrader, sending confirmation and tracking updates.
• To provide personalised product recommendations from the quiz (legal basis: explicit consent, Art 9(2)(a)). Quiz answers are special category data under Art 9 and are only processed with your separate, explicit consent, which you can withdraw at any time.
• To manage your account and cart (legal basis: performance of a contract, Art 6(1)(b)). Maintaining your profile, wishlist, cart and settings.
• To send marketing communications (legal basis: consent, Art 6(1)(a)). We only send promotional emails if you have actively opted in. You can withdraw consent any time via the unsubscribe link in any email or via your account settings.
• To prevent abuse (rate limiting, spam, fraud) (legal basis: legitimate interest, Art 6(1)(f)). We hold IP addresses and user-agent strings briefly to throttle and identify abusive traffic.
• To verify your age (legal basis: legal obligation, Art 6(1)(c)). UK consumer protection law and the Online Safety Act 2023 require us to prevent sales of adult products to minors.
• To demonstrate consent for audit (legal basis: legal obligation, Art 6(1)(c)). UK GDPR Art 7(1) requires us to be able to demonstrate that you gave consent; we log each consent action in an append-only audit table.
• To comply with other legal obligations (legal basis: legal obligation, Art 6(1)(c)). Maintaining records for tax, accounting and regulatory purposes.
Our website uses cookies to distinguish you from other users and provide a better browsing experience. A complete list of the cookies we set, their purpose and retention is available on our Cookie Policy page. Summary:
• Essential (strictly necessary): matchtoy_anonymous_id, matchtoy_age_verified, matchtoy_cookie_consent, and Supabase session cookies (when signed in). These keep the site working and are exempt from consent under PECR.
• Analytics and marketing cookies: Not currently active. When we add analytics or marketing tracking, we will update the Cookie Policy and re-prompt you for consent via our cookie banner before any non-essential cookies are set.
You can change your cookie preferences at any time by clearing your browser cookies and revisiting the site. See the full details in our Cookie Policy.
We share your personal data only with trusted third parties (subprocessors) who assist us in operating our business. We never sell, rent or trade your personal data. Under UK GDPR Art 28(2) we list each subprocessor below. Some are US-incorporated companies with EU data residency; international transfers are covered by Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable.
• Supabase (database, authentication, storage) — US company, EU data residency in Frankfurt (eu-central-1). Processes profiles, wishlists, carts, quiz submissions, contact messages, consent audit log.
• Railway (application hosting) — US company, runs the Next.js app that you interact with. Processes all requests.
• Resend (transactional email) — US company, sends magic link sign-in emails and (Phase 2+) order confirmations.
• Cloudflare (CDN, bot protection, DNS) — US company, global edge network, serves cdn.matchtoy.com product images and protects the site against abuse.
• Hetzner (image storage) — German company, EU data residency, origin server for product images at cdn.matchtoy.com. No personal data processed.
• Xtrader (drop-ship fulfilment, Phase 1.5 onward) — UK company. When we add order fulfilment, we will share name, delivery address and product references with Xtrader to ship your order.
• Stripe (payment processing, Phase 1.5 onward) — US/Irish company, PCI DSS Level 1 certified. Processes card payments on our behalf.
All subprocessors are under Data Processing Agreements that oblige them to process your data only in accordance with our instructions and applicable data protection law.
We retain your personal data only for as long as necessary. Specific retention periods:
• Guest cart, wishlist, and in-progress quiz: 30 days of inactivity, then automatically deleted.
• Account data (profile, saved quiz, wishlist, cart): Until you delete your account via account settings.
• Order and transaction data: 6 years from the date of the transaction, as required by HMRC for tax and accounting purposes. This overrides account deletion for the specific rows required by law.
• Contact form submissions: 2 years from submission date, then automatically deleted. If you delete your account before then, the message is disassociated from your identity but retained for business continuity.
• Waitlist sign-ups: Until you unsubscribe, or 3 years of inactivity, whichever comes first.
• Consent audit log: Retained for the lifetime of your account to demonstrate compliance under UK GDPR Art 7(1). Cascade-deleted when you delete your account.
• Rate-limit counters and IP addresses: Purged nightly, never retained beyond 24 hours.
Automated cleanup runs nightly via scheduled jobs. When data is no longer required, it is permanently deleted from our database.
Under the UK General Data Protection Regulation, you have the following rights. Where possible, we have built self-service tools so you can exercise these rights immediately from your account, without contacting us. For signed-in users:
• Right of access (Art 15) and data portability (Art 20): Download a machine-readable JSON export of everything we hold on you at /account/data.
• Right to rectification (Art 16): Edit your profile at /account.
• Right to erasure (Art 17): Permanently delete your account and all associated data at /account/delete. This cascades through every table and is irreversible. (Note: we retain order records required by HMRC separately — see Retention.)
• Right to object (Art 21): Withdraw marketing consent via the toggle at /account or by clicking the unsubscribe link in any marketing email.
• Right to withdraw consent (Art 7(3)): Withdraw quiz data consent in /account — this deletes all stored quiz submissions immediately.
• Right to restrict processing (Art 18): Contact us below.
If you prefer not to use the self-service tools, you can email us at privacy@matchtoy.com. We will respond to all legitimate requests within one month. We may ask you to verify your identity before processing your request.
Automated decision-making: Our quiz recommends products based on your answers, but these are suggestions only and do not constitute automated decision-making with legal or similarly significant effects under Article 22. You remain free to buy any product you choose.
We understand that discretion is important to our customers. We take the following measures to protect your privacy beyond the digital realm:
• Plain packaging: All orders are shipped in plain, unmarked packaging with no logos, product names or any indication of the contents. The return address shows a neutral business name with no reference to MatchToy or the nature of the products.
• Discreet billing: Charges on your bank or credit card statement will appear under a neutral trading name. The name “MatchToy” and any description of adult products will never appear on your financial statements.
• Confidential communications: Any emails we send to you will use neutral subject lines and will not contain explicit imagery or product descriptions visible in email previews.
We take the security of your personal data seriously. We have implemented appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure or destruction. These measures include:
• TLS (HTTPS) encryption on every page and all API traffic.
• HTTP Strict Transport Security (HSTS), strict Content Security Policy with per-request nonces, X-Frame-Options and other security headers.
• Encrypted storage of personal data at rest (Supabase default).
• Row-Level Security (RLS) enforced at the database layer on every table, so even a bug in our application code cannot expose one user's data to another.
• Passwordless magic-link authentication — we never store passwords, removing an entire category of breach risk.
• HMAC-signed age verification cookie; httponly session cookies; CSRF protection on all form submissions.
• Per-IP and per-email rate limiting on authentication and contact endpoints.
• PCI DSS Level 1 certified payment processing (Stripe, Phase 1.5+) — we never touch or store your card details.
• Cloudflare Turnstile CAPTCHA on auth and contact forms to prevent automated abuse.
• Automated daily backups (Supabase infrastructure) with point-in-time recovery.
While we strive to protect your personal data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to taking all reasonable steps to safeguard your information.
If you have any questions, concerns or requests regarding this Privacy Policy or our handling of your personal data, please contact us:
MatchToy
Office 18439, 182-184 High Street North, East Ham, London, E6 2JA
Email: privacy@matchtoy.com
We aim to resolve any concerns directly. However, if you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113
We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements. When we make material changes, we will notify you by posting a prominent notice on our website and, where appropriate, by sending you an email notification.
We encourage you to review this page periodically to stay informed about how we are protecting your data. The “last updated” date at the top of this policy indicates when it was most recently revised.
Your continued use of our website after any changes to this policy constitutes your acceptance of the updated terms.
Policy version: v1.0-2026-04-08. This version identifier is stored alongside your consent records so we can demonstrate exactly which version of this policy you accepted.
ICO registration: Our ICO data controller registration is in progress. The registration number will be added here once confirmed. The UK data protection regulator is the Information Commissioner's Office (ico.org.uk).
This policy applies to all users of the MatchToy website. If you have any questions about your data, please contact us at privacy@matchtoy.com.