SurrogateMatch

Legal

Privacy & discretion

Version 1.3 · Effective: May 3, 2026 · Last updated: May 3, 2026

SurrogateMatch is built for families who are often navigating surrogacy in countries where the process is legally restricted or socially stigmatized. We take your privacy as seriously as you do. This page explains what we collect, why we collect it, how we use it, and the choices you have about your data.

Important notice

SurrogateMatch is a matching and coordination platform — not a surrogacy agency, medical provider, law firm, or financial institution. Nothing on this site constitutes medical, legal, or financial advice. All medical, legal, and financial aspects of your surrogacy journey are handled by licensed professionals at your matched agency. You should consult qualified professionals before making decisions about surrogacy, fertility treatment, or related matters.

Who we are

SurrogateMatch is a matching and coordination platform for surrogacy, operating at surrogatematch.co. SurrogateMatch is a product of Gest LLC, a Wyoming limited liability company. References in this Privacy Policy to "SurrogateMatch," "we," "our," or "us" mean Gest LLC, the legal entity that owns and operates the SurrogateMatch service. For the purposes of EU and UK data protection law, Gest LLC acts as the data controller for information you submit through SurrogateMatch. Our privacy contact email is hello@surrogatematch.co.

We have not appointed an EU representative under Article 27 of the EU General Data Protection Regulation. Our processing is occasional, does not include large-scale processing of special-category data, and is unlikely to result in a risk to the rights and freedoms of individuals — bringing us within the small-scale-processing exemption in Article 27(2)(a). If our processing volume grows beyond that threshold, we will appoint a representative and update this notice. EEA and UK data subjects may exercise all rights described below by emailing hello@surrogatematch.co.

Age requirement and children's privacy

SurrogateMatch is for adults. You must be 18 or older to submit a form, join a waitlist, or use any part of this service. We ask you to confirm your age at the moment of submission — the "I confirm I am 18 or older" checkbox next to the privacy checkbox is part of our compliance record, and the timestamp of your confirmation is stored alongside your other information.

If we learn that someone under 18 has submitted information, we delete it promptly. If we can reach a parent or guardian, we will notify them first.

We comply with the U.S. Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal information from children under 13. If you believe a child under 13 has submitted information through this site, contact us at hello@surrogatematch.co and we will delete it within 30 days.

What we collect

We only collect information you give us directly, either by filling out a form or by contacting us. We do not buy or scrape personal data from anywhere.

Providing your name and email address is necessary for us to respond to your inquiry. You are not required by law to provide any data to SurrogateMatch. All other fields (journey stage, clinic status, phone number, etc.) are optional. If you do not provide the required fields, we cannot process your request — but no legal consequences follow.

  • Intended-parent intake: your name, email, preferred contact language, stage in your journey (e.g. exploring, embryos ready), and how you heard about us.
  • Agency inquiry: your name, agency name, role, email, phone, number of available surrogates, states of operation, and any free-text context.
  • Egg or sperm donation waitlist: your name, email, and current clinic status.
  • Any message you send us at hello@surrogatematch.co or during a consultation call.

Sensitive data

Some of our intake forms ask questions that can feel personal — your stage of the surrogacy journey, your clinic status, whether you're currently in treatment. Depending on the jurisdiction, this information may be considered "special category" data (for example, under EU GDPR Article 9 to the extent it touches on health or sexual orientation) or "sensitive personal information" (for example, under the California Consumer Privacy Act as amended by the CPRA). Where it qualifies, this data gets extra legal protection. We treat all of it as sensitive in any event.

Here's how we handle it:

  • We don't sell it. Ever. Not to advertisers, not to brokers, not to anyone.
  • We don't share it with authorities in countries where surrogacy is legally restricted, unless we're compelled by a court order in a jurisdiction where we operate.
  • We share it with our trusted service providers only when strictly necessary to run the site and reply to you. The full list is in "Services that receive your data" below.
  • Every optional field is actually optional. If a question feels too personal, leave it blank. Your form will still submit, and we'll still reply.

If you'd rather talk through a question in email instead of typing it into a form, reply to any message from us and we'll pick it up personally.

Why we collect it and the legal basis

We process your personal data only when we have a lawful reason to do so. Under the EU General Data Protection Regulation (GDPR), our legal bases are:

  • Consent (GDPR Article 6(1)(a)) — you give us explicit consent when you tick the checkbox on our forms. This is the primary basis for processing your intake data, including responding to your inquiry and scheduling a consultation.
  • Consent (GDPR Article 6(1)(a)) — to build your preference profile and match you with surrogates from our partner agency network when matching begins.
  • Legitimate interests (GDPR Article 6(1)(f)) — to understand who we serve, which languages matter most, and where our network needs to grow. We use aggregate, not individual, patterns for this. Our interest is improving the service; the impact on you is minimal because the data is anonymized for this purpose.
  • Legal obligation (GDPR Article 6(1)(c)) — to comply with legal, tax, and fraud-prevention obligations.
  • Explicit consent (GDPR Article 9(2)(a)) — for sensitive data such as your surrogacy journey stage or clinic status, which may qualify as health-related or reproductive data under GDPR Article 9. We only process this data because you have given explicit consent via the checkbox on the form. You may withdraw this consent at any time by emailing hello@surrogatematch.co.

Automated decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. Any future matching between intended parents and surrogates will be reviewed by a human before an introduction is made. If this changes, we will update this policy and obtain your explicit consent before using automated processes that could significantly affect you.

Who we share with

We share your profile only with partner agencies whose surrogates you choose to be introduced to — never without your explicit approval. We do not sell your data. We do not share your data with advertisers. We do not disclose your use of SurrogateMatch to your home country's authorities. For the specific third-party service providers that touch your data on our behalf (hosting, database, email delivery, analytics, error tracking), see the detailed table in "Services that receive your data" below.

Services that receive your data

SurrogateMatch uses a small number of trusted third-party services to run the site, store your information, and reply to your messages. Each one has signed a data processing agreement with us.

Service | What it does | Where your data lives
Vercel | Website hosting and serverless functions | United States
Prisma Postgres (via Vercel) | Database — your form submissions live here | United States
Resend | Transactional email delivery — the receipt you received, the reply we send | United States
Plausible Analytics | Website analytics — cookieless, no cross-site tracking, no IP addresses stored | European Union
Sentry | Error tracking — all personal information is removed before errors reach Sentry's dashboard | United States
Google Workspace | Founder email inbox and internal lead-tracking spreadsheet — no data is shared outside our Workspace account | United States

We do not use Google Analytics, advertising networks, session-replay tools, or any other tracking service. We do not sell, rent, or share your data for marketing purposes.

We maintain an internal compliance register with each service's data processing agreement and SOC 2 or equivalent certification. You can request a current copy at any time by emailing hello@surrogatematch.co.

Cookies and analytics

SurrogateMatch does not set any cookies for tracking, advertising, or profiling. As of this version of the policy, we do not set any first-party or third-party cookies at all. If a future feature (such as user authentication) introduces functional cookies, we will update this section before that feature launches.

We use Plausible Analytics — a privacy-first, cookieless analytics tool based in the European Union — to count page views and understand which parts of the site are most useful. Plausible does not store IP addresses, does not fingerprint your browser, and does not follow you across websites. Because we use no tracking cookies and no persistent client-side identifiers, the ePrivacy Directive does not require us to ask for your consent to analytics, and we do not. If you would prefer to opt out regardless, using a privacy-focused browser, your browser's Do Not Track setting, or a standard ad blocker will prevent the Plausible script from loading.

We measure a small set of conversion events (form opens, form submissions, primary button clicks) so we can tell which parts of the site are working — these are aggregate counts, never tied to you personally. You can read more about how Plausible handles data at plausible.io/data-policy.

Your rights

Depending on where you live, you have the following rights over your personal data. We honor them regardless of where you live if you ask.

  • Access — see what data we hold about you.
  • Correct — fix anything that's wrong.
  • Delete — remove your data from our systems.
  • Portability — take your data with you in a portable format.
  • Restrict — under EU and UK GDPR Article 18, ask us to limit how we process your data while a request is being resolved or while the data's accuracy is being contested.
  • Object — tell us to stop processing your data.
  • Withdraw consent — if we rely on consent for a specific use, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Be free from retaliation — if you exercise any of these rights, we will not deny you service, charge a different price, or provide a different level of quality. (This commitment is made expressly to satisfy California Civil Code § 1798.125.)
  • Lodge a complaint — if you believe we have violated your data protection rights, you have the right to lodge a complaint with the supervisory authority (data protection authority) in your country of residence, your place of work, or where you believe a violation occurred. In the UK, contact the Information Commissioner's Office (ico.org.uk). In the EEA, contact your national data protection authority. In California, you may also contact the California Privacy Protection Agency (cppa.ca.gov) or the California Attorney General (oag.ca.gov).

Email hello@surrogatematch.co with the request. We will respond within 45 days (the shortest of the windows imposed by EU GDPR Article 12, the UK GDPR, the California Consumer Privacy Act, and similar U.S. state laws), or sooner where required. We may need to verify your identity before fulfilling the request — typically by confirming details from your prior submission to us. There is no charge for the first request in any 12-month period.

How long we keep your information

We keep the information you submit for up to 18 months after your last interaction with us, whichever is more recent: the day you submitted a form, or the day we most recently replied to you. After 18 months your record is marked for deletion. Thirty days later, it's permanently erased — the entire process runs on a daily automated schedule so there's no manual step that can be skipped or forgotten.

If you want us to delete your information sooner, email us at hello@surrogatematch.co and we'll confirm the deletion within 30 days.

International data transfers

SurrogateMatch is hosted in the United States. If you are located in the European Economic Area, the United Kingdom, Israel, or another jurisdiction with data protection law, your data is transferred to and processed in the United States. For transfers from the EEA or UK to the US, we rely on the EU-US Data Privacy Framework where our processors are certified, and on Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) where they are not. Specifically: Vercel, Resend, Sentry, and Google Workspace participate in the EU-US Data Privacy Framework and have SCCs incorporated in their Data Processing Agreements. Plausible Analytics processes data entirely within the European Union and does not transfer data outside the EEA. You may request a copy of the relevant SCCs by emailing hello@surrogatematch.co.

U.S. state health data laws

Some U.S. states have enacted health data privacy laws that may classify surrogacy, fertility, and reproductive health information as protected consumer health data. These include Washington's My Health My Data Act, Connecticut's Data Privacy Act, Nevada Senate Bill 370, and Oregon's Senate Bill 619. If you are a resident of one of these states, you may have additional rights over your reproductive and fertility-related data beyond those described in the "Your rights" section above, including the right to specific consent before collection, the right to know the specific purpose for collection, the right to deletion, and (in some states) the right to a private cause of action against entities that misuse such data. We honor these rights for all users regardless of state of residence. To exercise any state-specific right, email hello@surrogatematch.co.

Notice for California residents

If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"), gives you additional rights regarding your personal information. This section is our notice to you under California Civil Code §§ 1798.100 et seq.

Categories of personal information we collected from California residents in the preceding 12 months: identifiers (name, email address, phone number); commercial information (information about your inquiry); internet activity (page-view counts via cookieless analytics); inferences drawn from the above for the purpose of matching; and "sensitive personal information" within the meaning of Civil Code § 1798.140(ae) to the limited extent your free-text submissions reveal information about your sexual orientation, family planning, or reproductive health. We do not collect biometric data, geolocation data more precise than country, government identifiers, or financial account information.

We collect this information for the purposes described in "Why we collect it and the legal basis" above. We do not use sensitive personal information for any purpose other than as permitted under Civil Code § 1798.121 (i.e., as reasonably necessary to perform the service the consumer has requested).

We do not "sell" personal information and we do not "share" personal information for cross-context behavioral advertising, as those terms are defined under the CCPA. Because we do not sell or share, we do not need to display a "Do Not Sell or Share My Personal Information" link — but if our practices ever change, we will update this notice and provide that link before the change takes effect.

You have the right to limit the use and disclosure of your sensitive personal information to those uses permitted under Civil Code § 1798.121. We already restrict our use of such information to those purposes; no separate request is necessary.

To exercise any California right, email hello@surrogatematch.co. You may also designate an authorized agent to make a request on your behalf, in which case we will require written authorization signed by you. We will not discriminate against you for exercising any of these rights.

Reproductive and family-planning data — additional protections

Following the U.S. Supreme Court's 2022 decision in Dobbs v. Jackson Women's Health Organization, several U.S. states have passed or proposed laws restricting reproductive choice, and there is meaningful concern that personal data about reproductive intent or treatment could be used in legal proceedings against the people it describes. SurrogateMatch's service category — connecting intended parents with surrogacy agencies — sits squarely inside this risk envelope. We make the following commitments specifically about that data.

  • We will not voluntarily disclose your reproductive, fertility, or family-planning data to any law enforcement agency, prosecutor, or government investigator, in any jurisdiction, absent a valid legal process compelling us to do so.
  • When we receive a subpoena, court order, or other legal process demanding such data, we will (a) review the request for facial validity and proper jurisdiction, (b) assert any applicable privilege or legal objection on your behalf, including First Amendment, Fourth Amendment, and state-shield-law protections, and (c) where legally permissible, notify you before producing the data so you have an opportunity to challenge the request yourself.
  • We collect the minimum data required to match you with an agency. Free-text fields are optional. If you'd rather discuss sensitive details on a call or in a direct email, that's the path we recommend.
  • We do not build profiles of your reproductive history. We do not track pregnancy outcomes. We do not infer pregnancy status from your activity on our site or any third-party data source.
  • If we are ever served with a legal process that we believe is overly broad or improper, and we are not gagged from disclosing it, we will publish a notice on this page within 30 days. This commitment is made by the founder personally.

If you are outside the United States — particularly in a country where surrogacy is legally restricted or socially stigmatized — we extend these same protections. We will not voluntarily disclose your data to your home country's authorities, embassies, or consulates, and we will resist any cross-border request that lacks a valid Mutual Legal Assistance Treaty basis or that targets you for the lawful exercise of reproductive choice.

When we may be required to disclose data

We may disclose your personal information when required by law, regulation, valid legal process, or governmental request. Specifically, we may disclose data: (a) in response to a subpoena, court order, or similar legal process, subject to the safeguards described in "Reproductive and family-planning data" above; (b) to protect the safety of any person where we have a good-faith belief that disclosure is necessary to prevent imminent harm; (c) to investigate, prevent, or take action against suspected fraud, security breaches, or violations of our Terms of Use; or (d) to enforce or apply our Terms of Use, Privacy Policy, or other agreements. Where the law permits, we will notify the affected individual before complying with any such request and give them an opportunity to challenge it.

Security

We encrypt data in transit (HTTPS) and at rest. We restrict access to your personal data to the small set of people who need it to respond to your inquiry. We use multi-factor authentication on every account that has access to the lead database. Our hosting and database providers are SOC 2 Type II certified.

The U.S. Health Insurance Portability and Accountability Act (HIPAA) does not apply to SurrogateMatch. We are not a "covered entity" (we are not a healthcare provider, health plan, or healthcare clearinghouse) and we are not a "business associate" of one. Our intake forms are not designed to collect protected health information. If you submit medical details in a free-text field, we treat them with the same sensitivity as the rest of your information but do not retain them in any way that would constitute HIPAA-regulated processing.

In the event of a data breach affecting your personal information, we will notify you and any required regulators in accordance with applicable law (including, where applicable, GDPR Article 33/34's 72-hour timeline for notifying the relevant supervisory authority and California Civil Code § 1798.82's notice-without-unreasonable-delay requirement).

Questions

For any privacy question, data access request, or correction, email hello@surrogatematch.co. We are a small pre-launch team and we respond to every message personally.

hello@surrogatematch.co