Privacy Policy

• MessyMatch by APFerrer
• Santa Cruz de Tenerife, Spain
• hello@messymatch.com

Full identifying details (tax ID, postal address) are available on legitimate request to the contact email above.

For normal Compare, Split and Merge operations, MessyMatch processes your files inside your browser using a Web Worker. The file contents do not transit our servers during normal browser-first processing.

We do operate server-side endpoints for authentication, payments, rate limits, abuse prevention and account features. Those endpoints process the data described in this policy, but not your file contents during normal operations.

Depending on how you use the service, we may process:

• Your email address, if you create an account or contact us.
• Authentication identifiers, if you sign in by email or Google.
• Payment metadata, if you pay through Stripe — Stripe checkout session ID, operation ID, amount, currency, status, timestamp, refund status when applicable.
• An anonymous usage identifier (mm_usage_id) stored as a signed cookie for rate-limit and abuse-prevention purposes.
• A SHA-256 hash of your IP address and a SHA-256 hash of a coarse browser fingerprint (user agent, language, platform). Hashes use a server-side salt and the database never sees the plaintext values.
• Technical metadata about each operation: kind (compare, split, merge), status, file size in bytes, row count, format name (csv, xlsx, etc.), elapsed processing time, number of partials produced.
• Support messages you send to us by email, and account preferences if applicable.
• Right-of-withdrawal waiver timestamp for paid operations, as required by article 103.m TRLGDCU.

We do not intentionally collect, transmit or store the contents of files processed in normal Compare, Split or Merge operations. That data stays inside your browser. Please do not send file contents through support channels unless we explicitly request a specific sample for debugging.

• Provide access to MessyMatch and run its features.
• Apply free and paid usage limits.
• Process payments and reconcile them with the corresponding operation.
• Prevent abuse and automated misuse of the free quota.
• Provide account features (history, unlimited flag, sign-in).
• Respond to support requests.
• Maintain technical reliability and security.
• Comply with applicable legal obligations (accounting, tax, regulatory).

• Performance of a contract or pre-contractual measures, when providing the service or paid operations.
• Legitimate interest, for security, abuse prevention, technical reliability and reasonable improvements to the service.
• Legal obligation, where we must retain billing or accounting records.
• Consent, where legally required for non-essential cookies or similar technologies.

Indicative retention periods:

• Account data: while the account is active.
• Payment and billing metadata: for the accounting and tax period required by Spanish law (typically 6 years).
• Anonymous rate-limit identifiers: 90 days from last activity.
• Operation metadata (no file contents): up to 12 months, then aggregated.
• Support messages: as long as needed to handle the request and maintain a reasonable support history.
• Terms-acceptance and right-of-withdrawal-waiver timestamps: while the account exists or, for paid operations, while the payment record is retained for legal reasons.

We use the following third-party providers, each processing only the data needed for its specific function:

• Stripe Payments Europe, Ltd. — embedded Checkout for paid operations. Receives operation ID, price, row counts and a hashed reference; never file contents.
• Google OAuth — only if you sign in with Google.
• IONOS (SMTP) — delivery of magic-link sign-in emails and transactional email.
• Vercel Inc. — hosting, edge network and Functions runtime for messymatch.com.
• Neon Inc. — managed Postgres database for users, anonymous identities, operations, payments and audit events.
• Upstash Inc. — managed Redis for rate-limit counters and short-lived operation locks.
• Vercel Analytics — aggregate, cookie-less page-view counts. IP-anonymised, no personal data leaves your browser beyond the page path and a coarse geography signal.

Some providers may process data outside the European Economic Area (notably the United States). Where applicable, transfers rely on the legal safeguards offered by each provider (adequacy decisions, Standard Contractual Clauses or equivalent mechanisms).

Under the GDPR you may exercise the following rights:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate data.
• Erasure — ask us to delete your account and associated data.
• Restriction — ask us to stop certain processing.
• Objection — object to processing based on legitimate interest.
• Portability — receive your data in a structured, machine-readable format.
• Withdrawal of consent, where processing is based on consent.

To exercise these rights, write to hello@messymatch.com. We may ask you to identify yourself sufficiently so we can handle the request securely.

You have the right to lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos, www.aepd.es) if you believe your data has not been handled correctly.

Details about every cookie and similar identifier we use are in our dedicated Cookie Policy.

MessyMatch is not directed at children. You must be of legal age in your jurisdiction to enter into the Terms and use the paid features.

We may update this policy when necessary. The latest version is always available on this page, with the date at the top.

Questions about this policy or about how we handle your data: hello@messymatch.com.