Legal

Privacy Policy

Last updated: 4 May 2026

This Privacy Policy explains how NestMatch Ltd(“NestMatch”, “we”, “us”) collects, uses, and shares personal data when you use our website and services. It is written for users in the United Kingdom, the European Economic Area, and other regions including the United States, and is designed to comply with the UK GDPR, the EU GDPR, the UK Data Protection Act 2018, the California Consumer Privacy Act / CPRA, and equivalent laws.

1. Who is the controller?

NestMatch Ltd is the controller of your personal data. You can contact us about this policy or your rights at hello@nestmatch.co.uk.

2. What we collect

  • Account data — if you sign in, your name, email address, profile image, and a stable user ID from your authentication provider (e.g. Google).
  • Onboarding answers — your responses to the NestMatch quiz, including life stage, lifestyle preferences, settlement type, budget, commute destinations, and dealbreakers.
  • Search inputs & results — the matches we generate for you and any feedback you give on them.
  • Anonymous device identifier — if you use the Service without signing in, we generate a random ID stored on your device so we can deliver results and remember your consent choices.
  • Consent records — the version of the Terms and Privacy Policy you accepted, the date/time, your IP address, and your user agent.
  • Technical data — IP address, browser type, device type, operating system, referring URL, and access logs, collected automatically when you use the Service.
  • Communications — messages you send us, including any support emails.

We do not knowingly collect special-category personal data (for example health, religion, or political views), and we ask that you do not submit such data through the Service.

3. How we use your data and our lawful bases

  • To deliver the Service (run the matching engine, show results, save your preferences) — lawful basis: performance of a contract; or, where you are not signed in, our legitimate interest in providing the Service you have requested.
  • To generate AI-powered area matches using Google Gemini and similar models — lawful basis: your consent, given at the point you ask us to generate matches.
  • To keep the Service secure and reliable (abuse prevention, debugging, capacity planning) — lawful basis: legitimate interests.
  • To improve the Service (aggregate analytics, model quality reviews) — lawful basis: legitimate interests; we use aggregated or de-identified data wherever possible.
  • To meet legal and regulatory obligations — lawful basis: legal obligation.

4. Who we share data with

We share personal data only with trusted processors who help us run the Service:

  • Google LLC — authentication (Google Sign-In) and AI matching (Gemini).
  • Supabase Inc. — managed PostgreSQL database hosting.
  • Vercel Inc. — web hosting and edge delivery.
  • Mapbox Inc. — mapping and geocoding services shown on results pages.
  • Image and content providers (e.g. Unsplash, YouTube) — only when needed to display media.

We may also share data with professional advisers, regulators, or law enforcement where legally required, and with a successor entity in the event of a corporate restructuring, sale, or merger.

5. International transfers

Some of our processors are located outside the UK and the EEA, including in the United States. Where this is the case, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses, together with supplementary measures where required.

6. How long we keep your data

  • Account & onboarding data: while your account is active, plus up to 24 months of inactivity, after which it is deleted or anonymised.
  • Anonymous-user onboarding & search data: up to 12 months from last activity.
  • Consent records: retained for at least the duration of our regulatory record-keeping obligations (typically 6 years).
  • Server logs: typically 90 days.

7. Your rights

Depending on where you live, you have rights including: access to your data; correction; erasure (“right to be forgotten”); restriction of processing; data portability; objection to processing based on legitimate interests; withdrawal of consent at any time; and the right to lodge a complaint with a supervisory authority.

California residents have additional rights under the CCPA / CPRA, including the right to know, the right to delete, the right to correct, and the right to opt out of “sale” or “sharing” of personal information. NestMatch does not sell personal information and does not share it for cross-context behavioural advertising.

To exercise any right, email hello@nestmatch.co.uk from the address associated with your account, or include your anonymous device ID if you used the Service without signing in. We will respond within the timeframe required by the applicable law (typically one month under UK / EU GDPR).

8. Withdrawing consent

Where we rely on your consent (for example, to run AI matching), you can withdraw it at any time by contacting us. Withdrawal does not affect processing carried out before the withdrawal.

9. Cookies

We use only strictly-necessary cookies and similar technologies to keep you signed in and the Service working. See our Cookie Policy for details. We will not place non-essential cookies on your device without your consent.

10. Security

We use industry-standard technical and organisational measures to protect your personal data, including encryption in transit, access controls, and least-privilege practices. No system is 100% secure; if we become aware of a personal data breach affecting you, we will notify you and the relevant authorities as required by law.

11. Children

The Service is not directed to children under 16 (or the age of digital consent in your country, if higher). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. If a change is material we will give reasonable notice (for example, in-app or by email) and, where required, ask you to re-confirm your consent.

13. Complaints

If you have a complaint about how we handle your personal data, please contact us first at hello@nestmatch.co.uk. UK users may also complain to the Information Commissioner’s Office (ico.org.uk). EEA users may complain to their local data protection authority.

14. Contact

NestMatch Ltd · hello@nestmatch.co.uk