Privacy Notice

Last updated June 5, 2026

This Privacy Notice explains how MatterOS (“MatterOS”, “we”, “us”), the operator of the website at thematteros.com and the related services (the “Service”), collects, uses, shares, and protects personal data. For the purposes of India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”), MatterOS is the Data Fiduciary for the personal data described here. We also honour the rights of users in the EU/UK (GDPR) and California (CCPA/CPRA) as described below.

1. The data we collect

  • Account data — your name, email address, password (stored hashed), firm or organisation details, and preferences.
  • Billing data — handled by our payment processor, Paddle. We receive limited billing details (such as plan, country, and the last four digits / card type) but we do not store your full card number.
  • Customer Content — the matters, documents, notes, and other content you upload or create in the Service.
  • Usage and device data — log data, IP address, browser/device information, and actions taken in the Service, used for security and to operate the product.
  • Cookies — strictly necessary cookies/local storage for sign-in, security, and your preferences (see “Cookies” below).

2. How and why we use it

We process personal data to:

  • provide, maintain, and secure the Service and your account;
  • process documents and generate work product (including via AI features you invoke);
  • take payments and manage subscriptions (through Paddle);
  • provide customer support and respond to your requests;
  • detect, prevent, and address fraud, abuse, and security incidents;
  • comply with legal obligations and enforce our terms.

Under the DPDP Act, we process personal data based on your consent or other legitimate uses permitted by law. For GDPR users, our legal bases are performance of our contract with you, our legitimate interests in operating and securing the Service, your consent (where required), and compliance with legal obligations.

3. AI processing of your content

When you use AI features, the relevant content is sent to our AI gateway provider, which routes it to third-party AI models solely to generate the output you requested. We do not permit your Customer Content to be used to train third-party or foundation AI models, and we do not sell your Customer Content.

4. Sub-processors we share data with

We share personal data only with service providers (sub-processors) that help us run the Service, under contracts that require them to protect it:

  • Supabase — cloud database, authentication, and file storage (hosting of your account data and Customer Content).
  • Lovable AI Gateway — routing of AI requests to underlying model providers (e.g., OpenAI and Google models) to power AI features.
  • Paddle.com Market Limited — our Merchant of Record, which processes payments, billing, invoicing, and applicable taxes.

We may also disclose personal data where required by law or legal process, to protect rights and safety, or as part of a merger, acquisition, or sale of assets (with notice as required by law).

5. International transfers

Some of our sub-processors operate outside India (for example, in the United States or the European Union). Where personal data is transferred internationally, we rely on appropriate safeguards and transfer mechanisms as permitted by applicable law.

6. How long we keep it

We keep personal data for as long as your account is active and as needed to provide the Service. After account closure, we delete or anonymise Customer Content within a reasonable period, except where we must retain certain records to comply with legal, tax, or accounting obligations or to resolve disputes. You may request deletion at any time.

7. Security

We use technical and organisational measures to protect personal data, including encryption in transit and at rest, access controls, and tenant isolation. No system is perfectly secure, but we work to protect your data and to notify you of incidents as required by law. See our Security page for more.

8. Your rights

Subject to applicable law, you have the right to:

  • access the personal data we hold about you, and request a copy;
  • correct or update inaccurate or incomplete data;
  • request erasure of your personal data;
  • withdraw consent where processing is based on consent;
  • nominate another person to exercise your rights in the event of death or incapacity (DPDP Act);
  • data portability and, for GDPR users, to object to or restrict certain processing;
  • for California residents, to know, delete, and opt out of any “sale”/“sharing” (note: we do not sell personal data) without discrimination.

To exercise any right, email privacy@thematteros.com. You also have the right to lodge a complaint with the Data Protection Board of India or your local supervisory authority.

9. Cookies

We use strictly necessary cookies and local storage to keep you signed in, to maintain security, and to remember preferences such as theme and time zone. We do not use these for advertising. If we add analytics or non-essential cookies in future, we will update this notice and obtain consent where required.

10. Children

The Service is intended for professional use by adults and is not directed to anyone under 18. We do not knowingly collect personal data from children.

11. Grievance / Data Protection contact

For privacy questions, requests, or complaints, contact our Grievance Officer at privacy@thematteros.com. We will respond within the timelines required by applicable law.

12. Changes to this notice

We may update this Privacy Notice from time to time. If we make material changes, we will provide notice (for example, by email or in the Service). The “Last updated” date above reflects the latest version.