Privacy Policy
How MatchSense collects, uses, shares, and protects your personal data across Indonesia and the rest of the world — aligned with the EU GDPR and Indonesia’s UU PDP.
Last updated: [set on publish]
Template — review with qualified legal counsel before production use.
1. Introduction and who we are
This Privacy Policy explains how MatchSense collects, uses, discloses, and safeguards your personal data when you use our AI-powered sports-analytics platform for football and basketball (the "Service"). It applies to users in Indonesia and around the world.
For the purposes of the EU General Data Protection Regulation (GDPR) and Indonesia's Personal Data Protection Law (Undang-Undang No. 27 Tahun 2022 tentang Pelindungan Data Pribadi, the "UU PDP"), the data controller responsible for your personal data is [MatchSense legal entity name], of [registered address] ("MatchSense", "we", "us", or "our").
MatchSense is an informational service. It does not accept wagers or facilitate gambling. By using the Service you acknowledge this Policy; where we rely on your consent, we will ask for it separately.
2. Data protection contact / DPO
We have appointed a data protection contact to oversee compliance with this Policy and applicable data-protection law, including the GDPR and the UU PDP. You can reach our data protection contact for any privacy question or to exercise your rights at [dpo@matchsense.online], or by writing to [MatchSense legal entity name] at [registered address], attention: Data Protection Officer.
3. Personal data we collect
Depending on how you use the Service, we collect the following categories of personal data:
- Account data: your name, email address, password hash, and authentication identifiers, including the Google account identifier and profile basics you authorize when you sign in with Google OAuth.
- Subscription and commerce data: your plan, per-match unlocks, credit-pack balance, purchase and renewal history, and transaction references.
- Payment metadata: amount, currency, status, and the transaction identifier returned by our payment providers. We do not collect or store your full card number, CVV, or complete payment credentials — those are handled directly by Midtrans and Stripe.
- Usage data: pages and matches viewed, features used, unlocks, credits spent, and interaction events used to operate and improve the Service.
- AI chat data: the messages you send to the AI chat assistant and the generated responses, retained to provide your conversation history and to improve quality and safety.
- Device and technical data: IP address, browser and device type, device identifiers, language, time zone, and approximate location derived from your IP address.
- Cookies and local storage: session cookies and browser preference keys, as described in our Cookie Policy.
- Communications data: messages you send us through support or contact channels.
4. How and why we use your data (purposes)
We process your personal data to:
- Provide, operate, personalize, and secure the Service and your account.
- Process subscriptions, per-match unlocks, credit packs, renewals, and payments.
- Generate and improve AI analytics, predictions, and chat responses.
- Communicate service, billing, security, and support messages, and — with your consent where required — marketing.
- Detect, prevent, and investigate fraud, abuse, security incidents, and violations of our Terms.
- Maintain accounting records and comply with legal, tax, and regulatory obligations.
- Enforce our Terms and establish, exercise, or defend legal claims.
5. Legal bases for processing
Where the GDPR, the UU PDP, or other applicable law requires a lawful basis, we rely on one or more of the following:
- Performance of a contract — to provide the Service, your account, and the purchases you make.
- Consent — for non-essential cookies and analytics, optional marketing, and any processing of sensitive data; you may withdraw consent at any time without affecting prior processing.
- Legitimate interests — to secure, maintain, and improve the Service, prevent fraud and abuse, and understand aggregate usage, balanced against your rights and interests.
- Legal obligation — to keep financial records and respond to lawful requests.
- Under the UU PDP, we process personal data on comparable lawful bases, including your consent, contractual necessity, our legitimate interests, and compliance with statutory obligations.
6. Third parties and processors
We share personal data only as needed to operate the Service, with providers bound by appropriate confidentiality and data-protection obligations. We do not sell your personal data.
- Midtrans — payment processing for Indonesian Rupiah (IDR) transactions. Card and payment data you enter is handled by Midtrans under its own privacy terms.
- Stripe — payment processing for international transactions, likewise handling your card and payment data directly under its own privacy terms.
- Google — OAuth sign-in and account authentication when you choose to sign in with Google.
- Analytics providers — aggregated, measurement-focused usage analytics to help us improve the Service.
- Email and SMS providers — to send transactional, security, and (where you consent) marketing messages.
- Hosting and infrastructure providers — to store data and run the Service securely.
- Legal and corporate recipients — where required to comply with law, enforce our Terms, protect rights and safety, or in connection with a merger, acquisition, or asset transfer, subject to appropriate safeguards.
7. International data transfers
Because we serve users globally and use international processors such as Stripe and Google, your personal data may be transferred to and processed in countries other than your own, including countries whose data-protection laws may differ from those where you live.
Where we transfer personal data internationally, we apply appropriate safeguards required by applicable law — for example, EU Standard Contractual Clauses for GDPR-governed transfers, and, for transfers of Indonesian personal data under the UU PDP, ensuring the destination provides an adequate level of protection or implementing equivalent contractual safeguards and, where required, obtaining your consent.
8. Data retention
We retain personal data for as long as your account is active and as needed to provide the Service. After that, we retain data only as necessary to comply with legal, tax, and accounting obligations, resolve disputes, prevent fraud, and enforce our agreements — for example, transaction and invoicing records may be kept for the period required by applicable financial-record laws.
AI chat history is retained to provide your conversation history and improve quality, and can be deleted on request subject to legal and security limits. When personal data is no longer needed, we securely delete or irreversibly anonymize it.
9. Your rights
Subject to applicable law, and in particular under the GDPR and the UU PDP, you have rights over your personal data. These may include the right to:
- Access the personal data we hold about you and obtain information about how it is processed.
- Correct or update inaccurate or incomplete data.
- Delete your data (erasure) and close your account, subject to our legal retention obligations.
- Restrict or object to certain processing, including processing based on legitimate interests or for direct marketing.
- Data portability — receive certain data in a structured, commonly used, machine-readable format.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with a competent supervisory or data-protection authority — in the EU/EEA with your local supervisory authority, and in Indonesia with the relevant authority responsible for supervising the UU PDP.
10. How to exercise your rights
To exercise any of your rights, contact our data protection contact at [dpo@matchsense.online] or use our contact page. We may need to verify your identity before acting on a request, and we will respond within the timeframe required by applicable law. Exercising your rights is free unless a request is manifestly unfounded or excessive.
11. Cookies and local storage
We use cookies and browser local storage to keep you signed in, remember preferences such as your theme and language, and understand usage. For a full description — including our preference keys and the httpOnly session cookie — and how to control them, see our Cookie Policy.
12. Security
We apply technical and organizational measures designed to protect your personal data, including encryption in transit, hashed credentials, access controls, httpOnly session cookies, and delegation of sensitive card handling to PCI-compliant payment providers. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work to protect your data and will notify affected users and authorities of any qualifying data breach as required by the GDPR and the UU PDP.
13. Children and age restriction
The Service is intended only for users aged 21 and older, consistent with our responsible-gaming stance. It is not directed to, and must not be used by, anyone under 21 — and in no event by anyone under 18. We do not knowingly collect personal data from anyone under these ages. If we learn that we have collected data from someone under the applicable age, we will delete it. If you believe a minor has provided us data, please contact our data protection contact.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where required, notify you through the Service. Your continued use of the Service after the changes take effect constitutes acceptance of the updated Policy.
15. Contact
For any privacy question or request, contact our data protection contact at [dpo@matchsense.online], write to [MatchSense legal entity name] at [registered address], or reach us through our contact page. See also our Terms of Service and Cookie Policy.