Privacy Policy
Last updated: February 4, 2026
Introduction
VantarGroup LLC ("Matproof", "we", "our", or "us") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our compliance automation platform.
ℹ️ Important Notice
Matproof provides compliance automation software and does NOT provide legal advice, tax advice, or regulatory consulting services. Nothing in this Privacy Policy or our Service should be construed as legal advice. You should consult qualified legal and compliance professionals regarding your specific data protection obligations.
Information We Collect
We collect information that you provide directly to us, including:
- Account information (name, email address, company name)
- Billing information (processed securely through our payment processor)
- Communications you send to us (support requests, feedback)
- Compliance data you upload to our platform (policies, evidence, controls)
How We Use Your Information
We use the information we collect to:
- Provide and maintain our compliance platform
- Process your transactions and manage your account
- Send you technical notices and support messages
- Respond to your comments, questions, and customer service requests
- Analyze usage patterns to improve our services (in aggregate, anonymized form)
- Send marketing communications (with your consent, where required)
Data Storage and Security
Your data is stored exclusively in EU data centers located in Germany. We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include encryption at rest and in transit, access controls, and regular security assessments.
Your Rights Under GDPR
As a data subject in the European Union, you have the following rights:
- Right of access: You can request a copy of your personal data
- Right to rectification: You can request correction of inaccurate data
- Right to erasure: You can request deletion of your personal data
- Right to data portability: You can request your data in a machine-readable format
- Right to object: You can object to processing of your personal data
- Right to withdraw consent: You can withdraw consent at any time where we rely on consent to process your data
Legal Basis for Processing
We process your personal data on the following legal bases under GDPR Article 6:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide our services when you sign up or request a demo.
- Legitimate interests (Art. 6(1)(f)): Analytics to improve our website and services, where our interests do not override your rights.
- Consent (Art. 6(1)(a)): Marketing communications and contact form submissions, where you have explicitly consented.
Data Retention
We retain personal data only as long as necessary for the purposes described in this policy: contact form inquiries are retained for 24 months; account data is retained for the duration of the contract plus 12 months; analytics data is anonymous and retained indefinitely. You may request deletion at any time.
Cookies and Analytics
We use Umami Analytics, a privacy-friendly, cookie-free analytics tool that does not collect personally identifiable information. For our paid advertising we use Google Ads conversion tracking; these cookies are only set after you give explicit consent via our cookie banner. You can withdraw consent at any time. See our Cookie Policy for details.
Sub-Processors
We use the following third-party service providers (sub-processors) to operate our business. All have data processing agreements in place:
| Provider | Headquarters / Legal entity | Processing region | Purpose | Data categories | Legal basis |
|---|---|---|---|---|---|
| Hetzner Online GmbH | Gunzenhausen, Germany | Falkenstein and Nuremberg, DE | Application hosting, compute, cron jobs, self-hosted ancillary systems | Sessions, application logs, all data in transit through the system | Art. 28 GDPR |
| Neon, Inc. | Delaware, USA | AWS eu-central-1 (Frankfurt, DE) | PostgreSQL database hosting | All persistent customer data (accounts, compliance documents, audit trails) | Art. 28 GDPR + EU SCC 2021/914 (Module 3) |
| Amazon Web Services EMEA SARL | Luxembourg (group parent: AWS Inc., USA) | eu-central-1 (Frankfurt, DE) | File storage (S3), AWS Security Hub | File uploads, backups, security-relevant logs | Art. 28 GDPR + AWS GDPR DPA + SCC |
| Upstash, Inc. | Delaware, USA | EU region (Frankfurt) | Redis cache, vector search for AI features | Session tokens, rate-limit counters, embedding vectors | Art. 28 GDPR + SCC |
| Stripe Payments Europe, Ltd. | Dublin, Ireland (group parent: Stripe, Inc., USA) | EU with global failover | Payment processing, subscription management | Name, email, billing address, payment method (tokenised) | Art. 28 GDPR + Stripe DPA + SCC |
| Resend, Inc. | Delaware, USA | Multi-region with EU routing | Transactional emails (confirmations, notifications) | Email addresses, mail contents | Art. 28 GDPR + SCC |
| Trigger.dev Ltd. | London, United Kingdom | UK | Asynchronous job processing (e.g. long AI tasks, reports) | Job payloads (may contain personal data) | Art. 28 GDPR + EU Commission adequacy decision for the UK |
| OpenAI Ireland Ltd. | Dublin, Ireland (group parent: OpenAI, Inc., USA) | EU data residency where available, otherwise US region | LLM inference for compliance features (e.g. policy generator, AI assistant) | Request contents (typically non-personal compliance text) | Art. 28 GDPR + SCC + zero-data-retention API (no model training) |
| Functional Software, Inc. (Sentry) | San Francisco, USA | EU data residency (Frankfurt) | Error and performance monitoring | Error stack traces, IP addresses, user IDs, browser metadata | Art. 28 GDPR + SCC |
| PostHog, Inc. | San Francisco, USA | EU Cloud (Frankfurt) | Product analytics, feature usage measurement | Device/browser data, session IDs, clickstream (pseudonymised) | Art. 28 GDPR + SCC + cookie consent under § 25 TTDSG |
| Firecrawl, Inc. | San Francisco, USA | USA | Web scraping for vendor research (TPRM, DORA Art. 28 register) | Publicly accessible URLs of customer-maintained vendors (no personal data) | Legitimate interest (Art. 6(1)(f) GDPR) |
| Logokit, Inc. (logo.dev) | USA | USA / CDN edge | Logo and favicon API for vendor display | Domain strings (no personal data) | Legitimate interest (Art. 6(1)(f) GDPR) |
| NIST National Vulnerability Database | Federal agency, USA | USA | Querying public CVE data for vulnerability monitoring | No personal data (CVE IDs and version strings only) | Public source |
| Google Ireland Ltd. | Dublin, Ireland (group parent: Alphabet Inc., USA) | EU + USA | Google login (OAuth, optional per customer) | Email, name, profile picture (only when login is actively used) | Consent (Art. 6(1)(a) GDPR) + SCC |
| Cloudflare, Inc. | San Francisco, USA | Multi-region edge (EU routing preferred) | DNS, CDN, DDoS protection, WAF | IP addresses, HTTP request metadata, TLS handshake data | Art. 28 GDPR + Cloudflare DPA + SCC |
Last list update: 14 May 2026. We give existing customers at least 30 days' advance notice of changes.
International data transfers
Where we engage sub-processors that are based, or process data, outside the EU/EEA (in particular in the USA, the UK, and EU subsidiaries of US-parent groups), transfers rely on the following safeguards under Articles 44 et seq. GDPR: (1) for the UK, the EU adequacy decision of 28 June 2021; (2) for the USA and other third countries, the EU Standard Contractual Clauses (Implementing Decision 2021/914, Module 2 or 3 as applicable); (3) supplementary technical and organisational measures, including encryption, pseudonymisation where possible, zero-data-retention arrangements with AI providers, and contractual purpose limitation. We maintain an internal Transfer Impact Assessment (TIA) for each third-country sub-processor.
Contact & Data Protection
For questions about this Privacy Policy, to exercise your GDPR rights, or to reach our data protection contact, please write to:
VantarGroup LLC
Data Protection Contact
Email: privacy@matproof.com
30 N Gould St Ste R, Sheridan, WY 82801, USA
You also have the right to lodge a complaint with your local supervisory authority. In Germany: Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI), Berlin.