Introduction

VantarGroup LLC ("Matproof", "we", "our", or "us") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our compliance automation platform.

ℹ️ Important Notice

Matproof provides compliance automation software and does NOT provide legal advice, tax advice, or regulatory consulting services. Nothing in this Privacy Policy or our Service should be construed as legal advice. You should consult qualified legal and compliance professionals regarding your specific data protection obligations.

Information We Collect

We collect information that you provide directly to us, including:

Account information (name, email address, company name)
Billing information (processed securely through our payment processor)
Communications you send to us (support requests, feedback)
Compliance data you upload to our platform (policies, evidence, controls)

How We Use Your Information

We use the information we collect to:

Provide and maintain our compliance platform
Process your transactions and manage your account
Send you technical notices and support messages
Respond to your comments, questions, and customer service requests
Analyze usage patterns to improve our services (in aggregate, anonymized form)
Send marketing communications (with your consent, where required)

Data Storage and Security

Your data is stored exclusively in EU data centers located in Germany. We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include encryption at rest and in transit, access controls, and regular security assessments.

Your Rights Under GDPR

As a data subject in the European Union, you have the following rights:

Right of access: You can request a copy of your personal data
Right to rectification: You can request correction of inaccurate data
Right to erasure: You can request deletion of your personal data
Right to data portability: You can request your data in a machine-readable format
Right to object: You can object to processing of your personal data
Right to withdraw consent: You can withdraw consent at any time where we rely on consent to process your data

Legal Basis for Processing

We process your personal data on the following legal bases under GDPR Article 6:

Contract performance (Art. 6(1)(b)): Processing necessary to provide our services when you sign up or request a demo.
Legitimate interests (Art. 6(1)(f)): Analytics to improve our website and services, where our interests do not override your rights.
Consent (Art. 6(1)(a)): Marketing communications and contact form submissions, where you have explicitly consented.

Data Retention

We retain personal data only as long as necessary for the purposes described in this policy. Specifically: contact form inquiries are retained for 24 months. Account data and customer compliance data uploaded to the platform are retained for the duration of the contractual relationship; on cancellation a 30-day grace period begins during which the data may be exported (right to data portability), after which automatic hard-deletion occurs. Analytics data is aggregated/anonymised and retained for up to 26 months. Longer retention applies only where statutory rules (e.g. German Commercial Code § 257 for billing-related records, 10 years) require it. You may request deletion at any time.

Cookies and Analytics

On matproof.com (marketing site) we use Umami Analytics for aggregate, cookie-free reach measurement, and — only after your explicit consent via our cookie banner — Google Ads conversion tracking. Both tools are loaded only after consent is granted (§ 25(1) TDDDG, Art. 6(1)(a) GDPR). Inside the logged-in platform app.matproof.com we use PostHog for product analytics (EU Cloud Frankfurt, also consent-based). You can withdraw consent at any time via the banner or by clearing your browser storage. See our Cookie Policy for details.

Sub-Processors

We use the following sub-processors under Art. 28 GDPR. The "Surface" column indicates which providers serve only the public website (matproof.com), only the logged-in platform (app.matproof.com), or both. All providers have data processing agreements in place. For providers headquartered or processing data outside the EU (in particular USA, UK), EU Standard Contractual Clauses (SCC 2021/914) under Art. 46 GDPR plus supplementary technical and organisational measures are in place. Note: data submitted through web forms (contact, tool requests, assessments) is additionally written to our self-hosted Twenty CRM instance (running on our own Hetzner infrastructure in Germany, reachable at crm.klyntos.com) for follow-up tracking. This is not an external sub-processor but an internal tool on the already-listed Hetzner infrastructure.

Provider	Headquarters / Legal entity	Processing region	Surface	Purpose	Data categories	Legal basis
Hetzner Online GmbH	Gunzenhausen, Germany	Falkenstein and Nuremberg, DE	Both	Application hosting, compute, cron jobs, self-hosted ancillary systems (incl. internal sales CRM)	Sessions, application logs, all data in transit through the system	Art. 28 GDPR
Neon, Inc.	Delaware, USA	AWS eu-central-1 (Frankfurt, DE)	App (logged-in)	PostgreSQL database hosting	all persistent customer data (accounts, compliance documents, audit trails)	Art. 28 GDPR + EU SCC 2021/914 (Module 3)
Amazon Web Services EMEA SARL	Luxembourg (group parent: AWS Inc., USA)	eu-central-1 (Frankfurt, DE)	App (logged-in)	File storage (S3), AWS Security Hub	File uploads, backups, security-relevant logs	Art. 28 GDPR + AWS GDPR DPA + SCC
Upstash, Inc.	Delaware, USA	EU region (Frankfurt)	App (logged-in)	Redis cache, vector search for AI features	Session tokens, rate-limit counters, embedding vectors	Art. 28 GDPR + SCC
Stripe Payments Europe, Ltd.	Dublin, Ireland (group parent: Stripe, Inc., USA)	EU with global failover	App (logged-in)	Payment processing, subscription management	Name, email, billing address, payment method (tokenised)	Art. 28 GDPR + Stripe DPA + SCC
Resend, Inc.	Delaware, USA	Multi-region with EU routing	Both	Transactional + marketing emails (confirmations, newsletter, nurture)	Email addresses, mail contents	Art. 28 GDPR + SCC
Trigger.dev Ltd.	London, United Kingdom	UK	App (logged-in)	Asynchronous job processing (e.g. long AI tasks, reports)	Job payloads (may contain personal data)	Art. 28 GDPR + EU Commission adequacy decision for the UK
OpenAI Ireland Ltd.	Dublin, Ireland (group parent: OpenAI, Inc., USA)	EU data residency where available, otherwise US region	App (logged-in)	LLM inference for compliance features (e.g. policy generator, AI assistant)	Request contents (typically non-personal compliance text)	Art. 28 GDPR + SCC; no model training (zero-data-retention applied for)
Anthropic, PBC	San Francisco, USA	USA (Anthropic API region)	App (logged-in)	LLM inference for compliance + security features (AI assistant, Sentinel pentest agents)	Request contents (compliance text; with Sentinel: customer source code on opt-in)	Art. 28 GDPR + SCC; no model training (zero-data-retention applied for)
Functional Software, Inc. (Sentry)	San Francisco, USA	EU data residency (Frankfurt)	Both	Error and performance monitoring	Error stack traces, IP addresses, user IDs, browser metadata	Art. 28 GDPR + SCC
PostHog, Inc.	San Francisco, USA	EU Cloud (Frankfurt)	App (logged-in)	Product analytics inside the app (logged-in users), feature usage measurement	Device/browser data, session IDs, clickstream (pseudonymised)	Art. 28 GDPR + SCC + consent under § 25 TDDDG
Umami Software, Inc.	USA	USA (Umami Cloud)	Marketing site	Anonymous website analytics for matproof.com (consent-gated)	Aggregated pageviews, referrer, user-agent (no cookies, IP not persisted)	Consent Art. 6 (1) a GDPR + § 25 TDDDG (only after cookie-banner consent)
Google Ireland Ltd. (Google Ads + GTM)	Dublin, Ireland (group parent: Alphabet Inc., USA)	EU + USA	Marketing site	Conversion measurement for advertising (Google Ads); tag management (loaded only after consent)	Click IDs, IP address, URL path, conversion events (with ads_data_redaction active)	Consent Art. 6 (1) a GDPR + § 25 TDDDG + Google Consent Mode v2 + SCC
lempire SAS (lemlist)	Paris, France	EU (France) with AWS subprocessor	Marketing site	Visitor attribution for outbound email campaigns on matproof.com (consent-gated) — links website visits to lemlist campaign recipients	Visitor-ID cookie, IP address, user-agent, page paths, UTM/campaign tokens	Consent Art. 6 (1) a GDPR + § 25 TDDDG (only after cookie-banner consent) + SCC
Google Ireland Ltd. (OAuth Login)	Dublin, Ireland (group parent: Alphabet Inc., USA)	EU + USA	App (logged-in)	Google login (OAuth, optional per customer)	Email, name, profile picture (only when login is actively used)	Consent Art. 6 (1) a GDPR + SCC
Cloudflare, Inc.	San Francisco, USA	Multi-region edge (EU routing preferred)	Both	DNS, CDN, DDoS protection, WAF, email routing	IP addresses, HTTP request metadata, TLS handshake data	Art. 28 GDPR + Cloudflare DPA + SCC
Dub, Inc.	Delaware, USA	USA	App (logged-in)	Partner / referral program (click attribution, sale attribution for 6-month commissions)	Click IDs, email address, Stripe customer ID, UTM parameters	Art. 28 GDPR + SCC
Novu, Inc.	Delaware, USA	USA	App (logged-in)	In-app + email notification orchestration	User IDs, email addresses, notification payloads (compliance events)	Art. 28 GDPR + SCC
Vercel, Inc.	San Francisco, USA	Multi-region (EU preferred)	App (logged-in)	Hosting of customer-owned Trust Portal subdomains; sandbox execution; Web Analytics for Trust Portal	HTTP requests, Trust Portal contents (published by the customer)	Art. 28 GDPR + Vercel DPA + SCC
GitHub, Inc.	San Francisco, USA (group parent: Microsoft Corp.)	USA	App (logged-in)	Sentinel penetration testing: optional access to customer source-code repositories via the Matproof-Sentinel GitHub App	Repository contents (source code), issue postings (findings)	Art. 28 GDPR + SCC; only with active customer install of the GitHub App
Firecrawl, Inc.	San Francisco, USA	USA	App (logged-in)	Web scraping for vendor research (TPRM, DORA Art. 28 register)	Publicly accessible URLs of customer-maintained vendors (no personal data)	Legitimate interest Art. 6 (1) f GDPR
Logokit, Inc. (logo.dev)	USA	USA / CDN edge	App (logged-in)	Logo and favicon API for vendor display	Domain strings (no personal data)	Legitimate interest Art. 6 (1) f GDPR
NIST National Vulnerability Database	Federal agency, USA	USA	App (logged-in)	Querying public CVE data for vulnerability monitoring	No personal data (CVE IDs and version strings only)	Public source

Last list update: 20 May 2026. We give existing customers at least 30 days' advance notice of changes.

International data transfers

Where we engage subprocessors based or processing data outside the EU/EEA (in particular USA, UK, and EU subsidiaries of US-parent groups), transfers rely on the following safeguards under Articles 44 et seq. GDPR: (1) for the UK: the EU adequacy decision of 28 June 2021; (2) for the USA and other third countries: EU Standard Contractual Clauses (Implementing Decision 2021/914, Module 2 or 3 as applicable); (3) supplementary technical and organisational measures including encryption, pseudonymisation where possible, zero-data-retention arrangements with AI providers, and contractual purpose limitation. We maintain an internal Transfer Impact Assessment (TIA) for each third-country subprocessor.

Contact & Data Protection

For questions about this Privacy Policy, to exercise your GDPR rights, or to reach our data protection contact, please write to:

VantarGroup LLC
Data Protection Contact
Email: privacy@matproof.com
30 N Gould St Ste R, Sheridan, WY 82801, USA

You also have the right to lodge a complaint with your local supervisory authority. In Germany: Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI), Berlin.