Privacy Policy
This Privacy Policy explains how Mattas.net Ltd ("we," "us," or "our") collects, uses, and shares your personal information when you use our services ("Services"), including when you:
- Visit our website at https://www.mattas.net or any website of ours that links to this policy
- Download, install, or use any of our mobile applications (such as Law 18)
- Interact with us in other ways, such as through sales, marketing, or events
Questions or concerns? If you have questions after reading this policy, please contact us at https://www.mattas.net/contact.
SUMMARY OF KEY POINTS
- What we collect: We collect information you give us (like your name and email), information collected automatically (like your IP address and device data), and limited data from third parties like Apple when you purchase our apps. We do not collect sensitive personal information. Learn more →
- How we use it: We use your information to run, improve, and secure our Services, to communicate with you, and to comply with the law. Learn more →
- Who we share it with: We share information with service providers who help us operate (like our hosting provider), and in limited other situations described below. Learn more →
- Your rights: Depending on where you live, you may have the right to access, correct, delete, or download your data — among other rights. Learn more →
- How to exercise your rights: Contact us at https://www.mattas.net/contact.
SERVICES AND DATA PRACTICES AT A GLANCE
| Websites (mattas.net and related sites) | Mobile Applications (e.g., Law 18) | |
|---|---|---|
| Hosting | Google Cloud Platform (US) | Google Cloud Platform (US) + Apple App Store |
| Analytics | Umami (self-hosted) | Apple Developer Analytics, Google Firebase Analytics |
| Advertising | None | Google AdMob |
| Personal info collected | Name, email, contact data (when you provide it) | Same, plus mobile device data (device ID, OS, etc.) |
| Automatically collected | IP address, browser/device info, log data, location data | Same, plus app usage events and crash data |
| Third-party data received | None | Limited purchase data from Apple (country, date, transaction ID) |
| Cookies/tracking | Yes — see our Cookie Policy | Not applicable (mobile SDKs, not cookies) |
As we launch additional services, this table will be updated.
TABLE OF CONTENTS
1. What we collect 2. How we use your information 3. Who we share your information with 4. International transfers 5. How long we keep your information 6. How we protect your information 7. Your privacy rights 8. Children's information 9. Opt-out preference signals and Do-Not-Track 10. Updates to this policy 11. How to contact us
1. WHAT WE COLLECT
Information you give us
We collect personal information you provide voluntarily — for example, when you create an account, fill out a form, or contact us. This may include:
- Names
- Email addresses
- Contact or authentication data
We do not collect sensitive personal information (such as racial or ethnic data, religious beliefs, or sexual orientation).
All personal information you provide must be true, complete, and accurate. Please let us know if anything changes.
Information collected automatically
When you visit or use our Services, we automatically collect certain technical information. This does not directly reveal your identity but may include:
- Log and usage data: Your IP address, browser type, device information, pages viewed, actions taken, and timestamps.
- Location data: General or precise location based on your device settings (e.g., GPS or IP address). You can turn off location access in your device settings, but this may limit some features.
- Mobile device data: When you use our mobile apps, we may collect your device type, unique device ID, IP address, mobile OS, and how you use the app.
Information from our mobile apps
Our mobile apps use third-party services that may collect data about your usage:
- App analytics: Apple Developer Analytics and Google Firebase Analytics help us understand how people use our apps — things like how often the app is used, what features are popular, and any crashes that occur.
- Advertising: Our mobile apps may show ads served by Google AdMob. AdMob may collect device and usage data to serve relevant ads. See Google's privacy policy for details. If you are in the EU, UK, or Switzerland, our app uses a Google-certified Consent Management Platform integrated with the IAB Transparency and Consent Framework (TCF) to request your consent before personalized ads are served. You can change your consent preferences at any time through the app's settings.
- App Store purchase data: When you buy our apps through the Apple App Store, Apple may share limited transaction data with us (your country, purchase date, and a transaction ID). We do not receive your name, payment details, or Apple ID.
Website analytics
For our websites, we use Umami, a privacy-focused analytics tool that we host ourselves at analytics.mattas.net. Umami collects anonymous usage data (page views, referral sources, browser and device information) without using personal identifiers or tracking users across sites. Analytics data is only collected if you consent through our cookie settings.
2. HOW WE USE YOUR INFORMATION
We use your information for the following purposes. The "legal basis" column shows the legal reason we rely on under GDPR and similar laws:
| Purpose | What this means | Legal basis |
|---|---|---|
| Account management | To create and manage your account | Contract performance |
| Delivering our Services | To provide the products and services you request | Contract performance |
| Customer support | To respond to your questions and help resolve issues | Contract performance |
| Administrative messages | To send updates about our products, services, terms, and policies | Contract performance |
| User communication | To enable communication between users where our Services support it | Contract performance |
| Security and fraud prevention | To monitor for and prevent fraud, abuse, and security threats | Legitimate interests |
| Usage analytics | To understand how our Services are used so we can improve them (via Firebase Analytics for mobile, Umami for websites) | Legitimate interests |
| Personalized advertising | To show relevant ads in our mobile apps via Google AdMob | Consent (EU/UK/Switzerland); Legitimate interests (other regions) |
| Email communications | To send you marketing or promotional content (where you've opted in) | Consent |
| Legal compliance | To comply with applicable laws, regulations, or legal processes | Legal obligation |
| Vital interests | To protect someone's life or safety when necessary | Vital interests |
Legal bases explained
- Contract performance — we need to process your data to deliver the Services you asked for.
- Legitimate interests — processing is reasonably necessary for our business, and those interests don't override your rights (for example, analyzing usage to improve our Services, or preventing fraud).
- Consent — you gave us permission (you can withdraw it anytime).
- Legal obligation — we need to comply with the law (for example, responding to a court order).
- Vital interests — to protect someone's life or safety.
If you are in Canada, we may also rely on implied consent where permitted by law. We may process information without consent in limited situations defined by Canadian law (such as fraud prevention, legal proceedings, or where obtaining consent is impractical and collection is in the individual's interest).
3. WHO WE SHARE YOUR INFORMATION WITH
We share your data with third-party service providers who help us operate our Services. These providers are contractually required to protect your data and only use it as we direct. They include:
- Cloud hosting: Google Cloud Platform
- Content delivery network (CDN): Cloudflare (media.mattas.net)
- Mobile analytics: Apple Developer Analytics, Google Firebase Analytics
- Advertising: Google AdMob (mobile apps only)
- App distribution: Apple App Store
We may also share your information in these situations:
- Business transfers: If we merge with, are acquired by, or sell assets to another company, your information may be part of that transaction.
- Public interactions: If you post content publicly through our Services, that content may be visible to other users and the public.
Advertising and "sharing" disclosure
We have not sold personal information to third parties in the past 12 months.
However, under California's CPRA, we share the following categories of personal information with Google AdMob for cross-context behavioral advertising within our mobile applications: device identifiers (advertising ID, device model, OS version), internet and network activity (ad interactions, app usage events), and inferences derived from this data. This sharing enables AdMob to serve personalized ads.
How to opt out of personalized advertising: You can opt out of personalized ads by adjusting your device settings — on iOS, go to Settings → Privacy & Security → Tracking and disable "Allow Apps to Request to Track"; on Android, go to Settings → Privacy → Ads and select "Opt out of Ads Personalization." When you opt out, Google AdMob activates Restricted Data Processing (RDP) mode and will serve only non-personalized ads. Your opt-out will not affect your ability to use our Services.
Service provider data sharing (US residents)
For transparency under US state privacy laws, the following table shows which categories of personal information we share with each type of service provider:
| Service provider | Categories of PI shared | Purpose |
|---|---|---|
| Google Cloud Platform (hosting) | Identifiers, contact info, internet/network activity, geolocation | Cloud hosting and infrastructure |
| Cloudflare (CDN) | Internet/network activity (IP address, request headers) | Content delivery and bot protection |
| Google Firebase Analytics (mobile analytics) | Device identifiers, internet/network activity, geolocation | App usage analytics |
| Google AdMob (mobile advertising) | Device identifiers, internet/network activity, inferences | Personalized and non-personalized advertising |
| Apple App Store (distribution) | Identifiers, commercial information | App distribution and purchase processing |
| Apple Developer Analytics (mobile analytics) | Device identifiers, internet/network activity | App usage analytics |
4. INTERNATIONAL TRANSFERS
Our Services are hosted on Google Cloud Platform in the United States. If you access our Services from outside the US, your information will be transferred to and processed in the US.
If you are in the European Economic Area (EEA), UK, or Switzerland, we protect international transfers using the European Commission's Standard Contractual Clauses (June 2021 version, Module 2: Controller to Processor). We apply similar safeguards with our third-party providers. You can request copies of these safeguards by contacting us.
If you are in Brazil, Japan, South Korea, or another jurisdiction that restricts cross-border data transfers, we rely on contractual protections with our service providers and, where applicable, your consent to transfer and process your data in the United States.
5. HOW LONG WE KEEP YOUR INFORMATION
We keep your information only as long as necessary for the purposes described in this policy — generally, for as long as you have an account with us, unless a longer period is required by law (for example, for tax or accounting purposes).
When we no longer need your information, we will delete or anonymize it. If deletion isn't immediately possible (for example, because it's in backup storage), we'll securely store and isolate it until deletion is possible.
6. HOW WE PROTECT YOUR INFORMATION
We use reasonable technical and organizational measures to protect your personal information. That said, no system is 100% secure. We cannot guarantee that hackers or other unauthorized parties will never be able to access your data. Transmitting information to and from our Services is at your own risk, and you should access the Services only within a secure environment.
If we become aware of a data breach that may affect your personal data, we will notify the relevant supervisory authorities within 72 hours as required by applicable law, and will notify you directly if the breach poses a high risk to your rights and freedoms.
7. YOUR PRIVACY RIGHTS
Depending on where you live, you have certain rights over your personal information. The table below shows which rights apply in which jurisdictions. Not every right applies everywhere, and some rights may be limited by applicable law.
Rights overview
| Right | What it means | Where it applies |
|---|---|---|
| Access | You can ask us what personal data we hold about you and get a copy. | EU/UK/Switzerland, US states with comprehensive privacy laws, Canada, Brazil, India, Japan, South Korea, Thailand, Singapore, Australia, New Zealand, South Africa |
| Correction | You can ask us to fix inaccurate or incomplete personal data. | EU/UK/Switzerland, US states with comprehensive privacy laws, Canada, Brazil, India, Japan, South Korea, Thailand, Singapore, Australia, New Zealand, South Africa |
| Deletion (erasure) | You can ask us to delete your personal data. | EU/UK/Switzerland, US states with comprehensive privacy laws, Canada, Brazil, India, Japan, South Korea, Thailand |
| Portability | You can ask for your data in a portable, machine-readable format. | EU/UK/Switzerland, US (some states), Brazil, India, Japan, South Korea, Thailand, Singapore |
| Restrict processing | You can ask us to limit how we use your data. | EU/UK/Switzerland, Japan, South Korea, Thailand |
| Object to processing | You can object to our processing of your data in certain circumstances. | EU/UK/Switzerland, Brazil, Japan, South Korea |
| Opt out of targeted advertising | You can opt out of having your data used for targeted ads, profiling, or the sale or sharing of personal data. | US states with comprehensive privacy laws, Brazil |
| Withdraw consent | If we rely on your consent to process data, you can withdraw it at any time. Withdrawal doesn't affect processing that happened before you withdrew. | EU/UK/Switzerland, US states with comprehensive privacy laws, Canada, Brazil, India, Japan, South Korea, Thailand, Singapore |
| Non-discrimination | You won't be treated differently for exercising your rights. | US states with comprehensive privacy laws, Brazil |
| Automated decision-making | If a decision with legal or significant effects is made solely by automated means, you can be informed and request human review. | EU/UK/Switzerland, US (MN), Brazil |
| Complain to a regulator | You can lodge a complaint with a data protection authority. | EU/UK/Switzerland, Brazil, India, Japan, South Korea, Thailand, Singapore, Australia, New Zealand, South Africa |
How to exercise your rights
To exercise any of these rights, contact us at https://www.mattas.net/contact. We will respond in accordance with applicable law.
You can also designate an authorized agent to make requests on your behalf (where applicable under your local law). We may ask for proof of authorization.
Identity verification
When you make a request, we need to verify your identity. We'll use information we already have about you when possible. If we need more, we'll ask — but only for verification and security purposes.
Appeals (US residents)
If we decline your request, you can appeal by contacting us at https://www.mattas.net/contact. We will respond to your appeal within 60 days and explain our reasoning in writing. If your appeal is denied, you may file a complaint with your state attorney general.
Regulatory complaints
- EU residents: Your Member State data protection authority
- UK residents: The UK Information Commissioner's Office
- Switzerland: The Federal Data Protection and Information Commissioner
- Australia: The Office of the Australian Information Commissioner
- New Zealand: The Office of the Privacy Commissioner
- South Africa: The Information Regulator — general enquiries: enquiries@inforegulator.org.za; complaints: PAIAComplaints@inforegulator.org.za & POPIAComplaints@inforegulator.org.za. South African residents may also submit information requests under the Promotion of Access to Information Act (PAIA).
- Brazil: The Autoridade Nacional de Proteção de Dados (ANPD)
- India: The Data Protection Board of India
- Japan: The Personal Information Protection Commission
- South Korea: The Personal Information Protection Commission (PIPC)
- Thailand: The Personal Data Protection Committee (PDPC)
- Singapore: The Personal Data Protection Commission (PDPC)
Account changes and termination
To review, update, or delete your account information, contact us using the details above. If you ask us to delete your account, we will deactivate it and remove your information from our active databases, though we may retain some data as needed to prevent fraud, resolve issues, enforce our terms, or comply with legal obligations.
Categories of personal information we collect (US residents)
For transparency under US state privacy laws, the following table shows the categories of personal information we have collected in the past 12 months:
| Category | Examples | Collected? |
|---|---|---|
| Identifiers | Name, email, IP address, account name | Yes |
| California Customer Records info | Name, contact information | Yes |
| Protected characteristics | Gender, age, race, etc. | No |
| Commercial information | Purchase history, transaction data | Yes |
| Biometric information | Fingerprints, voiceprints | No |
| Internet/network activity | Browsing history, app interactions | Yes |
| Geolocation | Device location | Yes |
| Audio/visual information | Images, recordings | No |
| Professional information | Job title, work history | No |
| Education information | Student records | No |
| Inferences | Profiles based on collected data | No |
| Sensitive personal information | — | No |
We retain collected data as long as you have an account with us, unless a longer period is required by law.
US states with comprehensive privacy laws
As used in this policy, "US states with comprehensive privacy laws" refers to states that have enacted consumer data protection laws providing the rights listed in the table above. As of March 2026, these include: California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Delaware (DPDPA), Indiana (ICDPA), Iowa (ICDPA), Kentucky (KCDPA), Maryland (MODPA), Minnesota (MCDPA), Montana (MCDPA), New Hampshire (NHPA), New Jersey (NJDPA), Oregon (OCPA), Rhode Island (RIDTPPA), Tennessee (TIPA), Texas (TDPSA), Utah (UCPA), and Virginia (VCDPA). Additional states may enact similar laws in the future; if you are a US resident and your state provides comparable privacy rights, we will honor those rights as well.
California "Shine The Light"
California residents can request, once per year, information about personal data we shared with third parties for direct marketing purposes. Contact us using the details in Section 11.
Additional information for Brazil residents (LGPD)
If you are in Brazil, the Lei Geral de Proteção de Dados (LGPD) provides you with specific rights over your personal data. In addition to the rights in the table above, you have the right to: obtain information about the public and private entities with which we have shared your data, be informed about the possibility of not providing consent and the consequences of refusing, and request the anonymization, blocking, or deletion of unnecessary or excessive data. We process your data based on consent, contract performance, legitimate interests, or legal obligation as described in Section 2. To exercise your rights, contact us at https://www.mattas.net/contact.
Additional information for India residents (DPDPA)
If you are in India, the Digital Personal Data Protection Act, 2023 (DPDPA) provides you with rights over your personal data, including the right to access, correction, and erasure as listed in the table above. We process your data based on consent or for legitimate uses as defined by the DPDPA. You may withdraw consent at any time, and we will cease processing your data unless another legal basis applies. You have the right to nominate another person to exercise your rights on your behalf. To exercise your rights, contact us at https://www.mattas.net/contact.
Additional information for Japan residents (APPI)
If you are in Japan, the Act on the Protection of Personal Information (APPI) provides you with rights over your personal data, including the rights listed in the table above. We will not provide your personal data to third parties without your consent, except as permitted by law. For cross-border transfers, we rely on contractual safeguards with our service providers. To exercise your rights, contact us at https://www.mattas.net/contact.
Additional information for South Korea residents (PIPA)
If you are in South Korea, the Personal Information Protection Act (PIPA) provides you with rights over your personal data, including the rights listed in the table above. We will obtain your consent before collecting or processing your personal data, except where permitted by law. You have the right to request suspension of processing of your personal data. To exercise your rights, contact us at https://www.mattas.net/contact.
Additional information for Southeast Asia residents
If you are in Thailand (PDPA), Singapore (PDPA), or other Southeast Asian countries with data protection laws, you have the rights listed in the table above as applicable under your local law. We process your data based on consent or other lawful bases recognized by your local law. To exercise your rights, contact us at https://www.mattas.net/contact.
8. CHILDREN'S INFORMATION
We do not knowingly collect information from children under 18 (or the minimum age set by your jurisdiction). If you are under 18, do not use our Services unless a parent or guardian consents on your behalf. If we learn that we have collected data from a child under 18, we will deactivate the account and delete the data promptly. If you believe we may have collected data from a child, please contact us at https://www.mattas.net/contact.
9. OPT-OUT PREFERENCE SIGNALS AND DO-NOT-TRACK
Global Privacy Control (GPC) and opt-out preference signals
Several US state privacy laws (including California's CCPA/CPRA) require businesses to honor opt-out preference signals such as the Global Privacy Control (GPC). Our website uses CookieConsent as our consent manager, which detects and honors GPC signals. When we receive a valid GPC signal, we treat it as a request to opt out of the sale or sharing of personal information as required by applicable law. You will see confirmation of your opt-out status through the consent manager interface.
For our mobile apps, you can opt out of personalized advertising through your device settings as described in Section 3.
Do Not Track (DNT)
Some browsers also send a separate "Do Not Track" (DNT) signal. DNT is a different standard from GPC and there is no universal requirement for how websites should respond to it. We do not currently take action based on DNT signals, but we do honor GPC as described above.
10. UPDATES TO THIS POLICY
We may update this policy from time to time. The "Last updated" date at the top will reflect the most recent version. If we make significant changes, we may notify you directly or post a prominent notice. We encourage you to review this policy periodically.
11. HOW TO CONTACT US
If you have questions or comments about this policy, or want to exercise any of your privacy rights, please contact us at https://www.mattas.net/contact.
To submit a data subject access request, please use the same contact form: https://www.mattas.net/contact.
We are not required to appoint a Data Protection Officer under applicable law. For all privacy inquiries, please use the contact form above.