1. Introduction
This Privacy Policy describes how Mataki Labs LLC (“Mataki,” “we,” “our,” or “us”) collects, uses, discloses, and protects personal information when you visit our website (mataki.dev and its subdomains), use our cloud-based software services (the “Services”), or otherwise interact with us.
This Privacy Policy applies to Mataki as a data controller — that is, it describes how we handle information we collect about you (our website visitors, account holders, and users). It does not describe how we handle data that our customers submit to the Services for processing on their behalf. That processing is governed by our Data Processing Addendum and the applicable customer agreement, in which Mataki acts as a data processor.
If you are a customer of one of our customers and have questions about how your data is processed through our Services, please contact the Mataki customer whose service you are using.
2. Information We Collect
2.1 Information You Provide
Account Information. When you create a Mataki account, we collect your name, email address, company name, job title, and password (hashed). If you sign up using a third-party authentication provider (GitHub, Google), we receive your name and email address from that provider.
Billing Information. When you subscribe to a paid Service, we collect billing details including payment method, billing address, and company tax identification number. Payment card details are processed directly by our payment processor (Stripe) and are not stored on Mataki’s systems.
Communications. When you contact us via email, support chat, or contact forms, we collect the content of your communications, your email address, and any attachments you provide.
Feedback and Surveys. When you provide feedback, respond to surveys, or participate in research, we collect the information you submit.
2.2 Information We Collect Automatically
Usage Data. When you use the Services, we collect information about your interactions, including: features accessed, actions performed, API calls made (metadata, not payload content), pages viewed, timestamps, and session duration.
Device and Browser Information. We collect device type, operating system, browser type and version, screen resolution, language preference, and time zone.
Network Information. We collect IP address, approximate geolocation (city/region level, derived from IP address), and referring URL.
Cookies and Similar Technologies. We use cookies, web beacons, and similar technologies as described in our Cookie Policy.
2.3 Information We Receive from Third Parties
Authentication Providers. If you authenticate via GitHub, Google, or another third-party provider, we receive your name, email address, and profile information as authorized by you during the authentication flow.
Enrichment Data. For business accounts, we may supplement the information you provide with publicly available business information (company size, industry, funding stage) from third-party data providers for the purpose of tailoring our communications and improving our Services.
Referral Information. If another user invites you to a Mataki team or organization, we receive your email address from the inviting user.
3. How We Use Your Information
We use the information we collect for the following purposes:
Providing and Operating the Services. To create and manage your account, authenticate your identity, process transactions, provide customer support, and deliver the Services you have subscribed to.
Improving the Services. To understand how the Services are used, identify and fix bugs, develop new features, and improve the performance, security, and reliability of the Services. We use aggregated and anonymized Usage Data for this purpose.
Communications. To send you transactional communications (account verification, billing notices, security alerts, service updates) and, with your consent where required, marketing communications (product announcements, newsletters, event invitations). You may opt out of marketing communications at any time.
Security and Fraud Prevention. To detect, investigate, and prevent fraudulent, unauthorized, or illegal activity, and to protect the security and integrity of the Services and our users.
Compliance. To comply with applicable laws, regulations, legal processes, and governmental requests.
Analytics and Business Intelligence. To analyze trends, measure the effectiveness of our marketing, and understand our customer base. We use aggregated and anonymized data for business intelligence purposes.
4. Legal Basis for Processing (EEA/UK/Switzerland)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, our legal basis for processing your personal data depends on the information concerned and the context in which we collect it:
Performance of a contract. We process Account Information, Billing Information, and Usage Data as necessary to perform our contract with you (the Terms of Service or applicable customer agreement).
Legitimate interests. We process information for analytics, security, fraud prevention, service improvement, and business intelligence based on our legitimate interest in operating and improving the Services, provided these interests are not overridden by your data protection rights.
Consent. We process information for marketing communications and non-essential cookies based on your consent. You may withdraw consent at any time.
Legal obligation. We process information as necessary to comply with applicable laws, including tax and accounting obligations.
5. How We Share Your Information
We do not sell your personal information. We share your information only in the following circumstances:
Service Providers (Sub-Processors). We share information with third-party service providers who process data on our behalf to help us operate the Services. These providers are contractually bound to use your information only for the purposes we specify and in accordance with this Privacy Policy. A list of our current sub-processors is available at mataki.dev/legal/sub-processors.
Payment Processors. Billing information is shared with Stripe for payment processing. Stripe’s privacy policy is available at stripe.com/privacy.
Legal Requirements. We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
Business Transfers. In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy.
With Your Consent. We may share your information for other purposes with your explicit consent.
6. Product-Specific Data Practices
Each Mataki product collects and processes information specific to its functionality. The following table summarizes the primary data categories collected by each product. In all cases, the data described below is collected and processed as described in Sections 2–5 of this Privacy Policy.
| Product | Additional Data Collected | Purpose |
|---|---|---|
| All Products | Account info, usage data, device/browser info, IP address | Account management, service delivery, analytics, security |
| Products with Embeddable Components | Component render events (anonymous, no PII), feature usage | Measuring component adoption, improving component UX |
| Products with API Access | API request metadata (endpoint, timestamp, response code — not request/response payloads) | Rate limiting, usage metering, abuse detection, debugging |
Important distinction: The table above describes data Mataki collects about you as a user of our Services. Data that you (as a Mataki customer) submit to the Services for processing on behalf of your end users — including any personal data of your end users — is Customer Data governed by the DPA, not this Privacy Policy.
7. International Data Transfers
Mataki is based in the United States (Wyoming). If you are located outside the United States, your information will be transferred to and processed in the United States and potentially in other countries where our sub-processors operate.
For transfers from the European Economic Area, the United Kingdom, or Switzerland to countries without an adequacy decision, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, as supplemented by additional technical and organizational safeguards.
- The UK International Data Transfer Addendum to the EU SCCs for transfers from the United Kingdom.
- The Swiss Federal Data Protection Act amendments to the EU SCCs for transfers from Switzerland.
For transfers from New Zealand, we comply with the New Zealand Privacy Act 2020, including the Information Privacy Principles governing the disclosure of personal information outside New Zealand.
8. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with the Services. After account closure, we retain information for the following periods:
Account Information. Retained for 90 days after account deletion to support account recovery, then deleted.
Billing Information. Retained for 7 years after the last transaction for tax and accounting compliance.
Usage Data. Aggregated and anonymized within 90 days of collection. Anonymized data may be retained indefinitely.
Communications and Support Records. Retained for 3 years after resolution for quality assurance and legal purposes.
Security Logs. Retained for 1 year for security monitoring and incident investigation.
We may retain information for longer periods if required by applicable law or to establish, exercise, or defend legal claims.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
Access. The right to request a copy of the personal information we hold about you.
Rectification. The right to request correction of inaccurate or incomplete personal information.
Erasure. The right to request deletion of your personal information, subject to legal retention requirements.
Restriction. The right to request that we restrict processing of your personal information in certain circumstances.
Portability. The right to receive your personal information in a structured, commonly used, machine-readable format.
Objection. The right to object to processing of your personal information based on legitimate interests or for direct marketing purposes.
Withdrawal of Consent. Where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of prior processing.
Non-Discrimination. We will not discriminate against you for exercising your privacy rights.
To exercise any of these rights, contact us at privacy@mataki.dev. We will respond within 30 days (or within the timeframe required by applicable law). We may request verification of your identity before processing your request.
Jurisdiction-Specific Rights
European Economic Area / United Kingdom. You have the right to lodge a complaint with your local Supervisory Authority.
California (CCPA/CPRA). You have the right to know what personal information we collect, the right to delete, the right to opt out of the sale or sharing of personal information (we do not sell or share personal information), and the right to non-discrimination. To exercise these rights, contact us at privacy@mataki.dev or use the form at mataki.dev/legal/privacy/request.
New Zealand. You have the right to access and request correction of your personal information under the New Zealand Privacy Act 2020. Complaints may be directed to the Office of the Privacy Commissioner at privacy.org.nz.
10. Security
We implement reasonable administrative, technical, and physical safeguards to protect your personal information. For details, see our Security Overview. While we strive to protect your information, no method of transmission over the Internet or method of electronic storage is 100% secure.
11. Children’s Privacy
The Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on our website and, if you have an account, by email. Your continued use of the Services after the effective date of the revised Privacy Policy constitutes acceptance of the changes.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:
Mataki Labs LLC Email: privacy@mataki.dev
If we are required to appoint an EU representative under Article 27 of the GDPR, their details will be published here and on our Legal page.