Privacy Policy
Last updated: June 2026 · Effective: June 2026
This Privacy Policy explains how Mazel collects, uses, stores, and protects your personal information when you use our matchmaking platform. Please read it carefully. By using Mazel, you agree to the practices described here.
Note on sensitive data: Mazel handles personal information related to religion, relationship status, and other sensitive categories. We do not sell or use this information for advertising purposes. We treat sensitive personal information with heightened care and use it solely to provide the matchmaking services you have requested.
1. Who We Are
Mazel is a matchmaking CRM platform built for Jewish shadchanim, shadchan organizations, and singles seeking matches. We provide software that helps organizations manage singles profiles, suggest and track matches, facilitate communication between parties, and manage team workflows.
Mazel is a professional matchmaking platform. Mazel is operated by [Mazel CRM Ltd.] (the "Company"). For privacy inquiries, contact privacy@mazelcrm.com.
For purposes of this Privacy Policy, "Mazel," "we," "us," or "our" refers to the operator of this platform. Our primary contact for privacy matters is privacy@mazelcrm.com.
There are several categories of people who interact with Mazel, each with different relationships to data:
- Shadchanim (matchmakers) — professionals who use the platform to manage their singles and matches
- Organization admins — administrators who manage a shadchan team and their settings
- Singles — individuals whose profiles are created and managed on the platform, who may also have their own accounts
- Super admins — Mazel operators who manage the platform overall
2. What Data We Collect
2.1 Account data
When you create an account, we collect:
- First and last name
- Email address
- Password (stored as a one-way hash — we never see or store your actual password)
- Your role on the platform (shadchan, org admin, single, etc.)
- Account creation date and last login date
2.2 Organization data
For shadchan organizations, we collect:
- Organization name
- Organization logo (if uploaded)
- Seat count and subscription tier
- Team member list and their roles
2.3 Singles profile data
This is the most sensitive category of data on our platform. Singles profiles may contain:
- Full name, date of birth, age, gender
- Location (city, state, country)
- Contact information (phone number, email address)
- Photos (profile photos and additional gallery photos)
- Resume / shidduch resume document
- Height
- Religious background and observance level
- Working/learning status and related preferences
- Shlichus interest
- Education history (schools attended, degrees)
- Work history (employers, positions)
- Personal references (names, phone numbers, relationship)
- Matchmaker notes and follow-up records
- Match suggestions, responses, and pipeline status
- Dating history and date tracking entries
- Tags and categories assigned by shadchanim
Singles profiles are created and managed primarily by shadchanim. If you are a single whose profile exists on the platform, you have rights to access, correct, and request deletion of your data. See Section 11.
2.4 Communication data
- Messages sent between users within the platform (text, photos, voice notes)
- Match idea suggestions and responses
- Profile shares and share recipient logs
- In-app notifications and read status
2.5 Booking and scheduling data
- Consultation appointment details
- Service type and notes
- Booking status and history
2.6 Automatically collected data
- IP address and approximate geographic location
- Browser type, operating system, and device type
- Pages visited and features used, with timestamps
- Referring URL (how you arrived at Mazel)
- Error logs and crash reports
- API usage statistics (for billing purposes)
2.7 Push notification subscription data
If you enable browser push notifications, we store:
- Your push subscription endpoint URL (provided by your browser)
- Encryption keys for the push subscription (p256dh and auth keys)
- Your browser/device user agent string
3. How We Use Your Data
We use your data for the following purposes:
- Platform functionality — to create and manage your account, display your profile, process match suggestions, facilitate messaging, and provide all core platform features
- Authentication and security — to verify your identity when you sign in and protect your account from unauthorized access
- Notifications — to notify you of match ideas, responses, messages, bookings, and other relevant activity, via in-app notifications, email, and browser push (with your permission)
- AI-powered features — to power resume scanning (see Section 6), and to provide the in-app AI help assistant
- Billing and payments — to process subscription payments and manage your plan through Stripe
- Referral tracking — to apply referral credits when users join via a referral link
- Platform improvement — to understand how the platform is used, diagnose errors, and improve the product (using aggregated, anonymized data only)
- Legal compliance — to comply with applicable laws, respond to lawful requests, and protect our legal rights
We do not:
- Sell personal information for monetary consideration or disclose it to third parties for their independent commercial use
- Use personal information to serve targeted or behavioral advertising to you or others
- Share singles profile data with other organizations using the platform
- Use your personal information to train machine learning or AI models for our own or any third party's benefit
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases:
- Contract performance — processing necessary to provide the service you signed up for (account management, core platform features)
- Legitimate interests — fraud prevention, platform security, product improvement, and sending transactional notifications related to your use of the platform
- Consent — for push notifications and any optional marketing communications (you can withdraw consent at any time)
- Legal obligation — when we are required by law to process or retain data
For sensitive personal data (religious affiliation, etc.), we rely on your explicit consent, which you provide by using the platform and submitting a profile.
5. Sensitive Personal Data
Mazel necessarily handles categories of personal data that are considered sensitive under privacy laws, including:
- Religious beliefs and practice level
- Ethnic and cultural background (where relevant to matchmaking)
- Relationship status and history
We apply the following additional protections to sensitive data:
- Sensitive profile fields are only accessible to members of the individual's organization
- Sensitive data is not used for any purpose outside of facilitating matchmaking within your organization
- We do not aggregate or analyze sensitive data across organizations or profiles for any purpose other than direct service delivery
- Row-level security policies in our database ensure data is strictly siloed by organization
6. AI Processing and Third-Party Services
6.1 AI resume scanning (OpenAI)
When a shadchan uploads a resume or profile document, its content is sent to the OpenAI API (GPT-4o-mini) to automatically extract profile fields (name, contact info, education, work history, references, etc.). This is an opt-in action triggered manually by the user.
OpenAI's enterprise API terms state that data submitted via API is not used to train OpenAI's models. See openai.com/enterprise-privacy.
6.2 AI help assistant (Anthropic / Claude)
The in-app help chat uses the Anthropic API (Claude). When you use the help assistant, your messages and your user role are sent to Anthropic's API. Anthropic's API usage policies apply. Anthropic does not use API data to train models.
6.3 Categories of third-party service providers
We use the following categories of third-party service providers. These providers access personal data only as necessary to perform services on our behalf and are contractually prohibited from using it for other purposes. Our current service providers include:
- Cloud infrastructure and database hosting — to store and process application data
- Authentication providers — to manage account credentials and sign-in
- AI processing providers — to power AI-assisted resume scanning and help features when used
- Payment processors — to handle subscription billing and payments
- Transactional email providers — for account notifications and communications
- Communications infrastructure — for audio/video calling features (where available)
A current list of our service providers is available upon request at privacy@mazelcrm.com. We will update this section when we add or change material service providers.
7. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:
- With your organization — Singles profile data is visible to shadchanim and admins within your specific organization. It is not shared with other organizations on the platform.
- With service providers — The third-party infrastructure providers listed in Section 6 receive data only as necessary to provide their services. They are bound by data processing agreements.
- With profile share recipients — When a shadchan generates a profile share link, the profile data (name, photo, basic info) becomes viewable to anyone with that link. Shadchanim control who receives these links.
- For legal reasons — We may disclose data if required by law, court order, or to protect the rights, property, or safety of Mazel, our users, or the public.
- In a business transfer — If Mazel is acquired or merges with another company, your data may be transferred as part of that transaction. We will notify you before your data is subject to a different privacy policy.
8. Data Retention
We retain your data for as long as your account or your organization's account is active, or as needed to provide services. Specifically:
- Active accounts — Data is retained indefinitely while the account is active
- Canceled or terminated accounts — Upon written request to privacy@mazelcrm.com, we will initiate deletion of your personal data and complete deletion within 30 days of receiving the verified request, subject to the exceptions noted below. Account data may be retained for up to 90 days following cancellation to allow for account recovery.
- Singles profiles — When a single's profile is deleted, all associated photos, resumes, notes, and match history are also deleted
- Messages — Conversation messages are retained while the associated accounts are active. You may request deletion of specific messages.
- Payment records — Billing records may be retained for up to 7 years as required by tax and accounting laws
- Push subscriptions — Automatically removed when a subscription expires or is revoked by your browser; you can also manually remove them from your browser settings
Exceptions: We may retain data longer when required by applicable law, necessary for pending legal proceedings or disputes, required for billing dispute resolution, or during standard backup retention cycles.
You may request a full export of your data before deletion. To do so, contact privacy@mazelcrm.com.
9. Cookies and Local Storage
Cookies
We use cookies for the following purposes:
- Authentication session cookie — set by Supabase Auth to keep you logged in. This is a strictly necessary cookie required to use the platform.
- Organization preference cookie — remembers which organization you were viewing if you have access to multiple organizations. This is a functional cookie.
We do not use advertising cookies or third-party tracking cookies.
Local storage
We use your browser's local storage (not cookies) to remember small preferences, such as whether you have dismissed certain in-app prompts (e.g., push notification permission request). This data never leaves your device.
10. Security
We take security seriously and implement the following protections:
- All data is encrypted in transit via HTTPS/TLS
- All data is encrypted at rest in Supabase's infrastructure
- Passwords are hashed using industry-standard algorithms (bcrypt via Supabase Auth) — we never store or see plain-text passwords
- Row-level security (RLS) policies in PostgreSQL ensure each user can only query data they are authorized to access
- Authentication uses industry-standard JWT tokens with short expiry windows and automatic refresh
- Service-level API keys are stored only in server-side environment variables and never exposed to the browser
- File uploads (photos, resumes) are stored in cloud storage with access controlled at the application layer; only authorized members of the same organization can access profile images through the platform
No digital system is 100% secure. If we become aware of a security breach that affects your personal data, we will notify affected individuals in accordance with applicable law. We will make commercially reasonable efforts to provide notification without unreasonable delay, and will take all necessary steps to contain and remediate the breach.
If you discover a security vulnerability, please report it to privacy@mazelcrm.com before making it public.
11. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right to access — You can request a complete copy of all personal data we hold about you.
- Right to correction — You can request correction of inaccurate or incomplete personal data.
- Right to deletion — You can request that we delete your personal data. We will do so within 30 days, except where we are required by law to retain it.
- Right to restriction — You can request that we restrict how we process your data while a dispute is being resolved.
- Right to portability — You can request your personal data in a structured, machine-readable format, upon written request to privacy@mazelcrm.com. We will fulfill verified portability requests within 30 days.
- Right to object — You can object to processing based on legitimate interests. We will stop unless we have compelling grounds.
- Right to withdraw consent — Where processing is based on consent (e.g., push notifications), you can withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email privacy@mazelcrm.com with your request. We will respond within 30 days. We may need to verify your identity before fulfilling the request.
If you are in the EEA and believe we are not handling your data correctly, you have the right to lodge a complaint with your local supervisory authority (your country's data protection regulator).
12. California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know — You can request disclosure of the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, the business purposes for which it was used, and the categories of third parties with whom it was shared.
- Right to delete — You can request deletion of your personal information, subject to certain exceptions.
- Right to opt out of sale — We do not sell personal information. You therefore do not need to opt out of any sale.
- Right to non-discrimination — We will not discriminate against you for exercising your CCPA rights.
To submit a CCPA request, email privacy@mazelcrm.com. We will respond within 45 days.
California Privacy Rights Act (CPRA): We limit our use of sensitive personal information (including religious beliefs, racial or ethnic origin, and relationship history) to purposes necessary to provide the matchmaking services you have requested. We do not use sensitive personal information for any secondary commercial purpose.
13. Other U.S. State Privacy Rights
Residents of Virginia, Colorado, Connecticut, Texas, and other states with applicable privacy laws have rights similar to those described above, including rights to access, correct, delete, and obtain a copy of personal information. To exercise these rights, contact privacy@mazelcrm.com. We will respond within the timeframe required by applicable law.
14. Children
Mazel is a professional matchmaking platform intended for adults. We do not knowingly collect personal information from anyone under the age of 18. Users are required to confirm they are 18 or older at the time of account creation. If we learn that a user is under 18, we will terminate the account and delete associated data promptly upon notification. Matchmaking services facilitated through the platform are intended only for adults of marriageable age.
If you believe a minor has submitted data through our platform, please contact us at privacy@mazelcrm.com and we will promptly delete it.
15. International Data Transfers
Mazel is operated from the United States. If you are located outside the United States, your data will be transferred to and processed in the United States, where data protection laws may differ from those in your country.
We maintain data processing agreements with our infrastructure providers as required by applicable law. For transfers of personal data from the European Economic Area, we rely on appropriate transfer mechanisms including Standard Contractual Clauses where applicable.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you via in-app notice at least 7 days before material changes take effect, and also attempt email notification where feasible
Continued use of the platform after the effective date constitutes acceptance of the updated policy. If you disagree with the changes, please stop using the platform and contact us to request data deletion.
17. Contact Us
For any privacy-related questions, requests, or concerns, please contact us: