Privacy Policy
Last updated: 3 March 2026
BridgeMatch ("we", "us", "our") is operated by Monlam Ltd. We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
Monlam Ltd is the data controller for information processed through bridgematch.co.uk and auctions.bridgematch.co.uk. For data protection queries, contact us at hello@bridgematch.co.uk.
2. What Data We Collect
We collect the following personal data:
- Email address — when you sign up or sign in via magic link authentication
- IP address — recorded with activity events for security and rate limiting
- Activity data — actions you take within the tools (searches, filter usage, AI chat queries, lender contact clicks). This does not include the content of AI conversations after your session ends.
- Payment data — if you subscribe, Stripe processes your payment details. We store only your Stripe customer ID and subscription status, never your card details.
3. Why We Collect It (Legal Basis)
- Contract performance — to provide the service you signed up for (account management, matching, AI features)
- Legitimate interests — to improve the service, monitor usage patterns, prevent abuse, and maintain security
- Consent — for any marketing communications (you can opt out at any time)
4. Third-Party Processors
We use the following third-party services to operate BridgeMatch:
- Supabase (authentication, database) — processes your email and session tokens. Data stored in EU/UK region. See the Supabase Privacy Policy.
- Stripe (payments) — processes subscription payments. See the Stripe Privacy Policy.
- Resend (email delivery) — sends magic link and notification emails. See the Resend Privacy Policy.
- Anthropic (AI) — powers the AI chat feature. Chat messages are sent to Anthropic's API for processing. Anthropic does not use API inputs to train models. See the Anthropic Privacy Policy.
- Railway (hosting) — hosts our application infrastructure. See the Railway Privacy Policy.
5. How Long We Keep Your Data
- Account data — retained while your account is active, deleted within 30 days of account closure
- Activity logs — retained for 12 months for analytics and security, then automatically purged
- AI chat history — session-based, retained for 30 days then deleted
- Payment records — retained for 6 years as required by HMRC
6. Cookies and Local Storage
We do not use tracking cookies. We use browser localStorage to maintain your authentication session (via Supabase). This is essential for the service to function and cannot be disabled while using the tool. No third-party advertising or analytics cookies are used.
7. Your Rights
Under UK GDPR, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — limit how we process your data
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interests
To exercise any of these rights, email hello@bridgematch.co.uk. We will respond within 30 days.
8. Data Security
We protect your data with: HTTPS encryption in transit, secure authentication via Supabase (no passwords stored), timing-safe token verification, rate limiting, CORS and CSRF protections, and security headers on all responses.
9. International Transfers
Some of our processors (Anthropic, Railway) are based in the United States. Transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by UK GDPR.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email to registered users. The "last updated" date at the top reflects the most recent revision.
11. Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
12. Contact
Monlam Ltd
Email: hello@bridgematch.co.uk