Privacy Notice

This Privacy Notice explains how MatchAudit processes personal data when operating its website, account environment, commercial relationships, and SaaS platform. It also explains the distinction between data MatchAudit processes as controller and data processed on behalf of business customers.

Effective date: March 10, 2026

1. Who We Are

MatchAudit UG (haftungsbeschränkt) ("MatchAudit", "we", "us", or "our") provides sanctions screening and related compliance software for business customers.

MatchAudit is a German company. If you interact with MatchAudit through our website, contact forms, commercial processes, account administration, or support channels, MatchAudit is generally the controller of the personal data processed for those purposes.

MatchAudit UG (haftungsbeschränkt) is located at Turmstrasse 7, 65611 Brechen, Germany and is represented by Managing Director Emmi Jose. The company is registered in the commercial register under Amtsgericht Limburg a.d. Lahn, HRB 7665.

2. Important Distinction: Controller vs Processor

MatchAudit provides a SaaS platform that business customers use to upload or submit data for screening. In that context, two different data-protection roles may apply.

Customer-uploaded screening data. Where a customer uploads names, company data, dates of birth, nationality, addresses, KYC records, or similar screening data for use in the Service, the customer generally acts as controller and MatchAudit generally acts as processor on the customer's behalf.
MatchAudit business and platform data. For account setup, authentication, support, billing, security logging, abuse prevention, product operations, and legal compliance, MatchAudit generally acts as controller.

If a customer requires a data processing agreement under Article 28 GDPR, MatchAudit can provide a DPA for the processor activities described above.

3. Categories of Data We Process as Controller

Account and contact data: name, work email, organization name, account role, login metadata, and related contact details.
Commercial and billing data: subscription details, invoices, payment status, tax data, business contact history, and procurement-related communications.
Website and usage data: IP address, browser and device information, pages visited, referring URLs, session events, and similar analytics or security information.
Support and communications data: emails, meeting notes, contact form submissions, issue reports, and related records.
Security and audit data: login events, audit logs, administrative changes, API and webhook usage logs, fraud-prevention signals, and similar operational records.

4. Categories of Data We Process on Behalf of Customers

Customers may use the Service to upload or submit screening-related data. Depending on how the customer uses the platform, this may include:

names of natural persons and legal entities;
aliases and transliterated names;
dates of birth, nationality, and addresses;
customer, counterparty, or vendor records;
KYC or onboarding-related identifiers and notes;
case-management records, analyst comments, and evidence files.

For that category of data, the customer is generally responsible for determining the legal basis, purpose, and scope of processing. MatchAudit processes such data only to provide the Service and in accordance with customer instructions, applicable law, and any agreed DPA.

5. Purposes and Legal Bases

Where MatchAudit acts as controller, we process personal data only where we have an applicable legal basis under the GDPR or other applicable law. Depending on the situation, those legal bases may include:

Performance of a contract, including account creation, customer support, subscription management, and delivery of agreed services.
Compliance with legal obligations, including tax, accounting, anti-abuse, security, and regulatory obligations.
Legitimate interests, such as securing the platform, preventing abuse, operating the service, maintaining logs, improving product performance, responding to business inquiries, and defending legal claims.
Consent, where consent is required by applicable law for a specific activity.

6. Customer Responsibilities for Uploaded Screening Data

Customers using MatchAudit to screen personal data remain responsible for:

ensuring a lawful basis exists for uploading or submitting the data;
providing legally required notices to data subjects;
assessing whether sensitive or restricted categories of data may be processed;
responding to data subject rights requests where the customer acts as controller;
ensuring that its instructions to MatchAudit comply with applicable law.

MatchAudit does not independently determine the lawfulness of each customer screening workflow and does not assume the customer's compliance decision-making responsibilities.

7. Recipients and Service Providers

MatchAudit may disclose or make personal data available to service providers and subprocessors where necessary to operate the Service or fulfill legal obligations. These may include:

cloud infrastructure and hosting providers;
authentication and security providers;
billing and payment service providers;
support, email, analytics, and monitoring providers;
professional advisers such as lawyers, auditors, and accountants;
competent authorities, regulators, courts, or law enforcement where legally required.

8. International Transfers

MatchAudit may process or store data in the European Union and, in some cases, outside the European Economic Area through carefully selected service providers or subprocessors.

Where required by applicable law, MatchAudit implements appropriate safeguards for international transfers, such as adequacy decisions, standard contractual clauses, or other legally recognized transfer mechanisms.

9. Retention

MatchAudit retains personal data only for as long as necessary for the relevant purpose, contractual relationship, legal obligation, dispute handling, or security need.

account, billing, and commercial data may be retained for the duration of the customer relationship and for subsequent statutory retention periods;
security and audit logs may be retained where necessary for service integrity, fraud prevention, recordkeeping, or dispute defense;
customer-uploaded screening data is retained according to the applicable subscription, customer configuration, customer instructions, and legal obligations.

10. Security

MatchAudit implements technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

These measures may include access controls, role-based permissions, encryption in transit, logging, monitoring, backup procedures, and security review processes. No system can guarantee absolute security, but MatchAudit applies security measures appropriate to the nature of the Service and the risks involved.

11. Data Subject Rights

Where MatchAudit acts as controller, individuals may have rights under applicable data protection law, including the right to request access, rectification, erasure, restriction, objection, or portability, subject to applicable legal limits and exemptions.

Individuals may also have the right to lodge a complaint with a competent supervisory authority, in particular in the Member State of their habitual residence, place of work, or the place of the alleged infringement.

Where MatchAudit acts only as processor for customer-uploaded screening data, requests should generally be directed to the relevant customer acting as controller. MatchAudit will support customer requests to the extent required by applicable law and the relevant DPA.

12. Cookies and Analytics

MatchAudit uses cookies or similar technologies that are necessary for core website and platform operation, security, authentication, and preference management.

MatchAudit uses minimal first-party analytics on public pages to understand aggregate traffic, content performance, campaign effectiveness, and inbound lead sources without interrupting the visitor experience with a consent popup.

This measurement does not use analytics cookies, localStorage, or sessionStorage on public pages. It is limited to page paths, referrer origins, campaign parameters, coarse geolocation from standard edge headers, and short-lived pseudonymous session estimates derived on the server from truncated network information.

When a visitor submits a contact, pilot, quote, or interest form, MatchAudit may also associate the submitting page and campaign parameters with that first-party request so sales can understand which content and acquisition channels generate qualified demand.

Visitors can disable this anonymous public-page measurement below. Where a browser sends a recognized privacy signal such as GPC or DNT, MatchAudit also treats that signal as an objection for this measurement flow.

Website analytics

Anonymous public-page analytics is currently enabled.

This setting only controls anonymous public-site measurement. Core site functions remain available either way.

13. Changes to This Notice

MatchAudit may update this Privacy Notice where required by changes in law, regulation, service design, infrastructure, or internal processes. Material updates will be published on the relevant legal page with an updated effective date.

14. Contact

MatchAudit UG (haftungsbeschränkt)
Turmstrasse 7
65611 Brechen
Germany
Managing Director: Emmi Jose
Commercial register: Amtsgericht Limburg a.d. Lahn, HRB 7665

Privacy-related inquiries may be sent to info@matchaudit.io.