Vitality Index

    Privacy Policy

    Effective Date: January 26, 2026

    Controller: Match Vertical Partners, LLC — 4900 O'Hear Ave, North Charleston, SC 29405 — contact@matchverticals.com

    Short summary: Vitality Index is a B2B SaaS account assessment, scoring, and strategic growth planning platform. This Policy explains what personal data we collect, how we use it, who we share it with, data subject rights, and how we protect data.

    1. Key Commitments

    We treat Customer Data as owned by the Customer. Processing of Customer Data is governed by the DPA at /legal/dpa.

    For personal data we collect directly for our own business purposes (sales, marketing, recruiting, support), we act as an independent controller. For Customer Data uploaded into Vitality Index, Customer is the controller and Match Vertical Partners acts as the processor under the DPA.

    We do not sell personal data. If that changes, we will state it clearly and provide opt-out instructions.

    2. Who This Policy Applies To

    This Policy applies to: (a) individuals who use Vitality Index as part of a business (Customers and Users), (b) individuals who visit our website and use trial offerings, and (c) individuals who interact with our sales and marketing teams. It does not override contractual protections in the DPA between a Customer and Match Vertical Partners.

    3. Data We Collect (Categories)

    A. Business Contact & Identity Data (Controller Activity)

    Name, business email, job title, company, phone, business address, professional profile information.

    B. Customer Data (Controller = Customer; Processor = Company)

    All data uploaded by Customers into Vitality Index: account plans, assessment inputs and outputs, notes, attachments, scoring metadata, and any personal data contained therein (contacts, records of interactions). This is controlled by the Customer and processed under the DPA.

    C. Authentication & Account Data

    Account credentials (hashed passwords), SSO identifiers, administrator assignments, audit logs (who performed what and when).

    D. Usage & Telemetry

    Service usage logs, feature usage, time stamps, IP address, device and browser information, API logs and event telemetry (for security, product improvement and support).

    D1. First-Party Visitor Analytics

    When visitors accept analytics cookies via our cookie consent banner, we collect anonymised page view data using a first-party session identifier (vi_session_id). Data collected includes: page path, referrer URL, UTM parameters, and browser user-agent string. This data is stored in our own database and is never shared with third-party analytics providers. We do not use Google Analytics, Segment, or any similar third-party tracking service.

    E. Device & Cookies

    Cookies, local storage, mobile identifiers, and similar technologies. See Cookie Policy.

    F. Support & Communications Data

    Messages sent to support or sales channels, recordings of calls if any (with notice), and support ticket data.

    G. Billing & Payment Metadata

    Billing contact, invoicing details, and transaction metadata (but not full payment card numbers — those are collected by our payment provider).

    H. Recruitment Data (Company as Controller)

    CVs, interview notes and references for job applicants (if you apply to work with us).

    We avoid collecting special categories of personal data (e.g., health, race) unless Customer instructs otherwise in a narrow, contractually controlled way.

    4. How We Use Personal Data (Purposes)

    • To provide, operate, maintain and secure the Service (Customer Data processing).
    • To authenticate and authorize Users and administer Accounts.
    • To perform billing, invoicing and collections.
    • To provide support, respond to requests and resolve incidents.
    • For product improvement, telemetry and analytics (legitimate interest).
    • For marketing, with consent where required (email newsletters, events).
    • To comply with legal obligations, detect and prevent fraud, and protect rights.

    5. Lawful Bases (EU/UK)

    When we act as a controller (for our own business activities):

    • Performance of contract — to provide the Service and fulfill our Order Form.
    • Legal obligation — to comply with laws and court orders.
    • Legitimate interests — for product improvement, fraud prevention, security, and internal business operations (we perform balancing tests).
    • Consent — for direct marketing and marketing cookies where required. You may withdraw consent for marketing at any time.

    For Customer Data, the Customer is the controller and determines the lawful basis. Our DPA requires us to follow Customer's documented instructions.

    6. Sharing and Recipients

    We share personal data as follows:

    • Service providers / processors: hosting, analytics, identity providers, email/SMS providers, backup providers (see Subprocessors page). We only share what each subprocessor needs.
    • Affiliates: only where necessary and subject to same safeguards.
    • Legal requests & protection of rights: when required by law or to prevent harm.
    • Business transfers: in the event of a sale or reorganization, we will ensure confidentiality and use of data consistent with this Policy.

    We require subprocessors to follow our instructions, implement appropriate security, and not use data for their own commercial purposes.

    6a. Intuit QuickBooks Integration

    We integrate with Intuit QuickBooks Online to process payments and billing information at your direction. When you connect your QuickBooks account, we access and process limited financial and account data solely to provide billing, payment, and subscription services you request.

    Data accessed: Company name, customer information for invoicing purposes, and invoice status.

    Purpose limitation: We do not use Intuit data for analytics, marketing, profiling, or any secondary purpose beyond providing the billing services you authorize.

    Retention: Intuit-derived data is retained only as long as necessary to provide the service or meet legal obligations. OAuth tokens are encrypted at rest and deleted upon disconnection or account termination.

    Disconnection: You may disconnect your QuickBooks account at any time through your billing settings. Upon disconnection, we revoke access tokens with Intuit and delete stored connection data.

    Use of Intuit data is governed by Intuit's terms and our contractual obligations to Intuit.

    6b. OpenAI Integration (AI Assistant)

    Vitality Index includes an AI-powered assistant feature that uses OpenAI's API to answer user questions about the product, Growth Drivers, pricing, and platform features.

    Data sent to OpenAI: When you use the AI assistant, your typed questions and the conversation history within that session are sent to OpenAI's API for processing. The assistant also receives static product documentation (FAQ content, Growth Driver descriptions, pricing details, and coaching methodology) to provide accurate answers.

    Data NOT sent to OpenAI: We do not send your account data, assessment scores, account plans, customer records, personal information, or any other Customer Data to OpenAI. The AI assistant has no access to your workspace data.

    OpenAI data usage: We use OpenAI's API, which, per OpenAI's API data usage policy, does not use API inputs or outputs to train their models. OpenAI may retain API data for up to 30 days for abuse and misuse monitoring, after which it is deleted unless required by law.

    Purpose limitation: We use OpenAI solely to power the in-app AI assistant. We do not use OpenAI for profiling, automated decision-making, or any purpose beyond answering user questions about the product and methodology.

    Opt-out: Use of the AI assistant is entirely optional. You are not required to use it, and no platform functionality depends on it.

    7. International Transfers

    We transfer personal data internationally. Where transfers occur from the EEA/UK to countries without an adequacy decision (e.g., the U.S.), we rely on lawful mechanisms: EU Standard Contractual Clauses (SCCs) (or UK Addendum), adequacy, or other approved safeguards. Customers may request executed SCCs, and our DPA includes a clause that we will enter SCCs where required.

    8. Retention

    We retain Customer Data for the duration of the Customer's subscription plus a limited export window (30 days) and then according to the DPA retention schedule and backup policy (backups retained ~90 days). Billing records are retained for 7 years. Audit logs are retained for 12 months (or per Customer request). We will delete or anonymize personal data when no longer needed unless law requires retention.

    9. Security

    We maintain technical and organizational measures appropriate to the risk, including encryption in transit and at rest, RBAC, logging, incident response, secrets management, and regular security testing. We publish security attestation summaries on our Security page and provide SOC2 or similar reports under NDA.

    10. Data Subject Rights (EU/UK + CCPA/CPRA)

    EU/UK (GDPR/UK GDPR) rights: access, rectification, erasure, restriction, portability, objection, withdraw consent, and rights relating to automated decision-making/profiling. To exercise these rights, contact contact@matchverticals.com or use the DSR process described in our DPA. We will respond within statutory timelines.

    California (CCPA/CPRA) rights: California residents have the right to know, access, delete, and opt-out of sale/sharing of personal information. We do not sell personal information. To submit a request under CCPA/CPRA, use contact@matchverticals.com and provide required verification information. We will honor verified requests per law.

    For DSRs related to Customer Data, Customers should use the DPA flow and request that the Customer (controller) exercise rights on behalf of data subjects.

    11. Automated Decision-Making / Profiling

    Vitality Index produces scoring outputs that may influence prioritization. Scores are generated programmatically and may be used internally. Customers must not use scores as the sole basis for legally significant decisions. Where profiling leads to significant effects on individuals, the Customer (as controller) is responsible for disclosing logic, and Company will provide reasonable information to Customer to enable compliance.

    12. Cookies & Similar Technologies — Summary

    We use cookies and similar technologies for:

    • Strictly necessary: session, authentication.
    • Consent: records your cookie consent preference.
    • Analytics/Performance: first-party page view tracking using an anonymous session identifier (consent-gated).
    • Preferences: language, UI settings.

    We do not use third-party analytics or marketing cookies. For full details and management, see our Cookie Policy. You can manage cookie preferences via our cookie banner or browser settings.

    13. Children

    The Service is B2B. We do not knowingly collect personal data from children under 16 (or higher age where required). If we become aware we have collected such data, we will delete it.

    14. Deidentified & Aggregated Data

    We may create aggregated, deidentified or anonymized data from Customer Data and use it to improve the Service. Such aggregated data does not identify individuals and is Company's property, provided it cannot be reidentified. We will not use aggregated or de-identified data to produce Customer-specific benchmarks, performance reports, or other outputs that would reasonably allow re-identification of a single Customer or reveal Customer-identifiable metrics without the Customer's consent.

    14a. Administrator Data Visibility

    Organization Administrators ("Admins") have visibility across all accounts, assessments, strategic growth plans, and revenue data within their organization. This access is provided solely to enable Admins to support their teams, improve internal workflows, and ensure the platform delivers value to their organization.

    Purpose limitation: Admin access to Customer Data is used exclusively to improve the user experience and the application. Data viewed by Admins is never shared with third parties, sold, or used for purposes outside of platform operations, team support, and product improvement.

    Security controls: All Admin data access is subject to the same encryption, role-based access controls, audit logging, and security measures described in this Policy and the Security Overview. Admin visibility is read-only for operational oversight and does not grant the ability to modify individual user accounts or assessment data.

    15. Controller / Processor Roles & DPA

    • Customer = Controller for Customer Data.
    • Company = Processor for Customer Data, except where Company is an independent controller for its own business activities (marketing, recruitment, customer support) — in which case the Privacy Policy and relevant notices apply.

    Processing of Customer Data is governed by our DPA at /legal/dpa.

    16. Subprocessors

    We engage subprocessors to deliver service functionality. We will list subprocessors at /legal/subprocessors and provide 30 days' notice before adding a new subprocessor. Customers may object as set out in the DPA.

    17. Changes to This Policy

    We may update this Policy. For material changes affecting rights, we will provide notice at least 30 days before changes take effect. The Policy version and last updated date will be posted.

    18. Contact & DSRs

    Privacy contact: contact@matchverticals.com
    For data subject requests or other privacy questions: contact@matchverticals.com
    For DPA or procurement inquiries: sales@matchverticals.com
    Company address: 4900 O'Hear Ave, North Charleston, SC 29405