MatchyMatch
Draft — pending legal review. This privacy notice is a starting draft for a UK GDPR / Data Protection Act 2018 compliant policy. It must be reviewed and approved by qualified UK legal counsel before being relied on by users.

Privacy Policy

Last updated: 2026-04-29

Who we are

Thrive Haven Ltd, trading as MatchyMatch ("we", "us", "MatchyMatch"), is the data controller of the personal data described in this notice. We are a company registered in England and Wales (company number 16319387). Our registered office is 22 Waltham Road, Newton Abbot, Devon, TQ12 1LH, United Kingdom.

We operate the UK therapy matching service at https://matchymatch.co.uk/.

For any privacy-related question, contact us at privacy@matchymatch.co.uk.

What this policy covers

This notice explains how MatchyMatch collects, uses, shares and protects your personal data when you use our website and services, in accordance with the UK GDPR and the Data Protection Act 2018. It also explains your rights as a data subject and how to exercise them.

What we collect and why

  • Account data — name, email, phone number, password, role (client / therapist / admin). Used to create and manage your account. Lawful basis: contract performance.
  • Matching questionnaire — your therapy preferences, presenting concerns, scheduling availability, etc. Used to recommend therapists. Lawful basis: contract performance and, for special-category data about your mental health, your explicit consent (Article 9(2)(a)).
  • Therapist profiles — for therapists, your professional registration details (HCPC, BACP, BPS or UKCP number), bio, photo, specialisations, fees, availability. Used to display your profile to prospective clients. Lawful basis: contract performance.
  • Communications — messages you send through our platform (chat, email, WhatsApp). Used to facilitate the client-therapist relationship and provide support. Lawful basis: contract performance.
  • Booking and payment data — sessions booked, dates, fees, payment status. Card details are handled directly by Stripe and we never store full card numbers. Lawful basis: contract performance and legal obligation (tax / accounting).
  • Test results — if you complete a self-test (e.g. PHQ-9, GAD-7), the results are stored only if you sign in and choose to save them. Lawful basis: explicit consent.
  • Usage data and cookies — pages visited, device, IP address (truncated), referrer. Used for analytics and to improve the service. Lawful basis: consent (for non-essential cookies) or legitimate interest (for strictly necessary cookies).

Special category data

Information you share about your mental health is "special category data" under Article 9 UK GDPR. We process this data only with your explicit consent, which you can withdraw at any time without affecting the lawfulness of processing carried out before withdrawal.

How we share data

  • With therapists you choose to engage with (as needed to schedule and conduct therapy).
  • With trusted service providers who process data on our behalf under contract: hosting (Vercel, Firebase), payments (Stripe), email (SendGrid), messaging (Twilio), analytics (Google). Each is bound by a UK GDPR-compliant data processing agreement.
  • With regulators or law enforcement where we are legally required to do so.

International transfers

Some of our service providers are based outside the UK (for example, in the United States). When data is transferred outside the UK, we rely on UK-approved transfer mechanisms such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, plus appropriate supplementary measures.

How long we keep your data

We retain personal data only as long as necessary for the purposes set out in this policy. Account data is retained while your account is active and for a reasonable period after closure for legal and audit purposes. Booking and payment records are retained for at least 6 years to meet UK tax and accounting requirements.

Your rights

Under the UK GDPR you have the right to:

  • Access the personal data we hold about you;
  • Have inaccurate data corrected;
  • Have your data erased (in certain circumstances);
  • Restrict or object to processing;
  • Data portability — receive your data in a structured, machine-readable format;
  • Withdraw consent at any time, where consent is the lawful basis;
  • Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email privacy@matchymatch.co.uk. We'll respond within one month.

Cookies

We use a small number of strictly necessary cookies to keep you signed in and remember your preferences. Other cookies (analytics, marketing) are loaded only after you give consent through our cookie banner. You can change your choices at any time.

Security

We use industry-standard technical and organisational measures to protect your data, including encryption in transit and at rest, access controls, and ongoing monitoring. No system is perfectly secure, so we encourage you to use a strong, unique password.

Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email or in-app notice. The "Last updated" date at the top reflects the most recent revision.

Contact

Questions or complaints about how we handle your data: privacy@matchymatch.co.uk.