This Privacy Policy describes how MatrisAI, LLC ("MatrisAI", "we", "us"), a limited liability company headquartered at 2261 Market Street STE 85635, San Francisco, CA 94114, United States, collects, uses and shares personal data when you use the MatrisAI website (matris.ai), the merchant dashboard, or any related product or service we operate (collectively, the "Service").
We aim to be plain about what we collect and why. If anything here is unclear, write to support@matris.ai and we will explain in more detail.
1. Who is responsible
For personal data of MatrisAI account holders (you, as a merchant or agency), MatrisAI is the data controller.
For personal data of end-customers who place orders or interact with stores and presentation sites you operate on MatrisAI, you are the data controller and MatrisAI acts as your data processor. The Data Processing Terms at the bottom of this policy form the GDPR-required processing agreement between us.
2. What we collect
2.1 Account data
- Name and email address (provided at signup or via OAuth);
- Encrypted password hash, or for SSO the provider's user identifier;
- If you enable two-factor authentication, your TOTP secret (stored encrypted at rest);
- Billing details: company name, tax ID, billing address. Payment card numbers are entered directly into our payment processor and never reach our systems.
2.2 Service-usage data
- Logs of API requests, page views in the dashboard, error traces and performance metrics, used to operate and improve the Service;
- Counters of resources used by your account (stores, sites, requests, transactional emails) for billing and quota enforcement;
- IP address, user-agent, browser and operating-system metadata at the time of request, retained in network logs for security and abuse prevention.
2.3 Content you upload
- Product catalogues, copy, images and other media you upload to your stores and sites;
- Order, customer and inventory records created in your stores;
- Settings, theme customisations, and any other configuration you make.
2.4 End-customer data (we process on your behalf)
When your end-customers place an order or interact with a MatrisAI-hosted site, we process the data you collect from them (name, address, email, phone, order history) on your behalf. Sections 6 and 11 of this policy explain the safeguards.
2.5 Cookies
On matris.ai we use first-party cookies that are strictly necessary to keep you signed in and to remember your language preference. We do not run third-party advertising cookies on our own marketing site. Stores and sites you build with MatrisAI may set additional cookies under your control and your own cookie policy.
3. Why we use this data
- To operate the Service: serve your dashboard, host your stores and sites, sync inventory, process orders, and deliver transactional email such as order confirmations.
- To bill you: charge subscription fees and usage-based overage, generate invoices, and handle payment disputes.
- To secure the platform: detect and stop fraud, abuse, brute-force login attempts and other security threats.
- To support you: reply to your email tickets and investigate issues you report.
- To improve the product: measure aggregated feature usage and error rates so we know what to fix and what to build next. Personal data is not used to train marketing audiences.
- To comply with the law: respond to lawful requests from public authorities, defend our legal rights, and meet our tax and accounting obligations.
4. Legal bases (EU/EEA / UK)
We process personal data under the following GDPR bases:
- Contract: to provide the Service you signed up for;
- Legitimate interests: to keep the Service secure, prevent abuse, and improve product quality, balanced against your rights;
- Legal obligation: tax and accounting recordkeeping, responding to court orders;
- Consent: for any optional processing that requires it (we will ask before relying on this basis).
5. Who we share data with
We share data only as described below.
- Sub-processors: third-party vendors that help us run the Service, including (a) a cloud / edge hosting and CDN provider, (b) a payment processor that handles subscription billing and card data, and (c) a transactional email provider that delivers email on our behalf. All sub-processors are bound by written data processing terms and process data only on our instructions. A complete and up-to-date list of sub-processors is available on request to support@matris.ai.
- Service integrations you enable: when you connect a third-party service (a marketplace, an analytics tool, a custom domain registrar), we forward only the data required for that integration to work, and only after you actively enable it.
- Law enforcement and authorities: when we are legally required to do so, or when disclosure is necessary to protect the rights, property or safety of MatrisAI, our users or others.
- Successors: in a merger, acquisition or sale of all or part of our business, personal data may be transferred to the successor under the same protections.
We do not sell personal data and do not share personal data with advertising networks or data brokers.
6. How long we keep data
- Account data: for as long as your account is active, and up to 30 days after closure to allow recovery. Billing records are retained for the period required by applicable U.S. federal and state tax law (typically up to 7 years).
- Service usage logs: 30 to 90 days for operational logs; up to 13 months for aggregated metrics.
- Content and end-customer data: for as long as your account is active. On termination it is deleted within 30 days unless you ask us to export it first or unless we are legally required to keep it longer.
7. Your rights
Under the GDPR and equivalent laws you have the right to:
- access the personal data we hold about you,
- correct inaccurate data and complete incomplete data,
- delete your data ("right to be forgotten"), subject to retention requirements above,
- restrict or object to certain processing, including any processing based on our legitimate interests,
- port your data to another provider in a structured, machine-readable format,
- withdraw any consent you have given, without affecting past processing,
- lodge a complaint with your local data-protection authority (in Romania, ANSPDCP - dataprotection.ro).
To exercise any of these rights, email support@matris.ai. We will respond within 30 days.
8. International transfers
MatrisAI is operated from the United States by MatrisAI, LLC, and uses sub-processors that may store and process data in the United States, the European Union and other regions where they operate. Where personal data of EU/EEA, UK or Swiss data subjects is transferred outside its country of origin, the transfer is protected by the European Commission's Standard Contractual Clauses (or the UK equivalent), the EU-U.S. Data Privacy Framework where applicable, or another approved transfer mechanism.
9. Security
We protect personal data with technical and organisational measures appropriate to the risk, including encryption in transit (TLS 1.2+) and at rest, isolated per-shop runtimes, scoped database access, mandatory two-factor authentication for operator accounts, an append-only audit log of privileged operations, and regular review of access rights.
No system is perfectly secure. If you become aware of a vulnerability or potential breach, please report it responsibly to support@matris.ai with the subject line "Security report".
10. Children
MatrisAI is not directed at children under 16 and we do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, contact support@matris.ai and we will delete it.
11. Data Processing Terms (DPA)
These Data Processing Terms apply when MatrisAI processes personal data on behalf of an account holder (the "Controller") who provides storefronts, presentation sites or other services to its end-customers using MatrisAI.
11.1 Roles
Controller is the data controller of end-customer personal data. MatrisAI is the data processor and acts only on documented instructions from the Controller. Those instructions are reflected by the configuration the Controller makes in the dashboard (which features are enabled, which integrations, which retention settings) and by use of the Service consistent with these Terms.
11.2 Categories of data and data subjects
Categories of data subjects: end-customers and visitors of the Controller's stores and sites. Categories of personal data: name, contact details, billing and shipping address, order and inventory records, IP address and device metadata of visitors.
11.3 Confidentiality and security
MatrisAI ensures that personnel authorised to process personal data are bound by confidentiality obligations and applies the security measures described in Section 9.
11.4 Sub-processors
Controller authorises MatrisAI to engage sub-processors as described in Section 5. MatrisAI imposes data-protection obligations on each sub-processor that are no less protective than those in these Terms and remains responsible for their acts and omissions.
11.5 Data subject rights and assistance
MatrisAI will provide reasonable assistance to the Controller in responding to requests from data subjects, in conducting impact assessments, and in handling breach notifications. Where MatrisAI receives a request from a data subject relating to Controller's data, MatrisAI will forward it to the Controller and not respond directly.
11.6 Breach notification
MatrisAI will notify the Controller without undue delay (and in any case within 72 hours where feasible) after becoming aware of a personal data breach affecting Controller's data, along with the information needed for the Controller to meet its notification obligations.
11.7 Return or deletion on termination
On termination of the Service, MatrisAI will, at the Controller's choice, return or delete all personal data, unless law requires further retention. Default behaviour is deletion within 30 days of termination if no other choice is communicated.
11.8 Audits
MatrisAI will make available to the Controller information reasonably necessary to demonstrate compliance with these Terms and will allow audits on reasonable notice and during business hours, subject to confidentiality safeguards.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced at least 30 days in advance via email to the address on file or via a notice in the dashboard.
13. Contact
For any privacy question, including DPA requests and data subject rights, write to support@matris.ai or send post to:
MatrisAI, LLC
Attn: Privacy
2261 Market Street STE 85635
San Francisco, CA 94114
United States
Billing records that contain personal data are also kept in line with U.S. federal and California state tax-record retention requirements.