Privacy Policy
How we handle the data you share with Partmatch. Last updated: 16 May 2026.
1. Who we are
Partmatch is operated by Sisto's AS, a company incorporated in Norway. We run an industrial parts cross-reference engine that helps engineers, maintenance teams, and procurement professionals identify equivalent bearings, belts, sheaves, and related components across manufacturers.
For the purposes of the EU General Data Protection Regulation (GDPR), Sisto's AS is the data controller for personal data processed via partmatch.io.
2. What data we collect
Information you provide directly:
- Email address — when you subscribe to notifications, request a PDF export, submit a part request, or contact us.
- Optional company name — if you choose to share it on the part-request form.
- Search queries, part numbers, and any free-text equipment context you submit.
Information collected automatically:
- Your IP address — hashed (one-way) for deduplication and abuse prevention. We do not store the raw IP.
- Browser type, operating system, and device characteristics reported by your browser.
- Pages viewed, search results clicked, and approximate session duration.
- Country (derived from your IP via our hosting provider's geolocation header) and referrer URL.
Cookies: we use a minimal set of cookies — session cookies required for the site to function and Google Analytics 4 cookies for traffic analytics. We do not use advertising or cross-site tracking cookies.
3. Lawful basis for processing
We process personal data under one of the following lawful bases under Article 6 GDPR:
- Consent (Article 6(1)(a)): email subscriptions, PDF exports delivered to your inbox, and any future sharing of your inquiry with industrial distributors. Consent is given via an explicit opt-in checkbox or by submitting a form whose label clearly states the purpose.
- Legitimate interest (Article 6(1)(f)): site analytics, abuse prevention, product improvement based on aggregate demand signals, and the operational security of the service. We balance this against your privacy interests and do not use this basis for marketing-shaped purposes.
- Legal obligation (Article 6(1)(c)): if we are required by law to retain or disclose specific records.
4. How we use your data
- To send notifications you have subscribed to.
- To generate and deliver PDF exports or other materials you have requested.
- To connect you with verified industrial distributors who can help source the parts you are looking for — only when you have explicitly opted in.
- To improve search accuracy and prioritise adding new part data based on what users are actually searching for (aggregate demand signals).
- To detect, investigate, and prevent abusive automated traffic and spam.
- To respond to your support, legal, or data-rights requests.
5. Who we share data with
Verified industrial distributors — only when you have explicitly opted in via a consent checkbox on the relevant form. In that case we may share: the part you requested, the equipment context you provided, your email address, and your optional company name. We do not share: your browsing history, your IP address (raw or hashed), or data from other forms you submitted under a different consent.
Service providers (processors) who process data on our behalf under appropriate data-processing agreements:
- Vercel Inc. — hosting and content delivery for the website.
- Railway Corp. — hosting for our backend API and database.
- Resend — transactional and notification email delivery.
- Google LLC — Google Analytics 4 aggregate traffic measurement.
Legal requirements: we may disclose information when we are required to do so by law, court order, or other valid legal process, or to protect the rights, property, or safety of Partmatch, our users, or the public.
We do not sell personal data, and we do not share data with advertising networks.
6. How long we keep your data
- Email subscriptions: until you unsubscribe, then deleted within 30 days.
- Part requests: retained as anonymised demand-signal data; identifying fields (email, company) are deleted on your request or 12 months after the request, whichever is sooner.
- Search and page-view logs: 12 months in identifiable form (hashed IP + session attributes), then aggregated and de-identified for product analytics.
- Support correspondence: 24 months from last contact.
- Records we are required to retain by law (e.g. tax records for API customers): for the period required by Norwegian and EU law.
7. Your rights under GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request that we delete your data, subject to any legal retention obligations.
- Restriction — ask us to limit how we process your data.
- Portability — receive your data in a structured, commonly used, machine-readable format.
- Withdraw consent — at any time, with no effect on processing carried out before withdrawal. Every marketing-shaped email we send includes a one-click unsubscribe link.
- Object — to processing carried out under legitimate interest.
- Lodge a complaint — with the Norwegian Data Protection Authority (Datatilsynet, datatilsynet.no), or your local EU/EEA supervisory authority.
To exercise any of these rights, email privacy@partmatch.io. We will respond within 30 days.
8. International transfers
Some of our service providers (Vercel, Railway, Resend, Google Analytics) are located outside the EU/EEA, primarily in the United States. Where personal data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, on adequacy decisions where available, or on other safeguards permitted by GDPR, to ensure your data continues to receive an equivalent level of protection.
9. Security
We apply industry-standard technical and organisational measures to protect personal data: TLS in transit, encryption at rest for the database, hashed IP addresses, principle of least privilege for staff access, and continuous monitoring of our infrastructure. No internet service is perfectly secure; if we become aware of a personal-data breach affecting you, we will notify you and the relevant supervisory authority as required by GDPR Articles 33–34.
10. Children
Partmatch is intended for industrial professionals. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of the page reflects the most recent revision. Material changes — for example, adding a new category of processing or a new class of third-party recipient — will be communicated to current subscribers by email and announced on the website before they take effect.
12. Contact
Privacy questions and data-rights requests: privacy@partmatch.io.
General contact: see our Contact page.
Postal address: Sisto's AS, Norway. (Full registered address available on request — please use the email above first.)