1. Purpose and Commitment

Matrix Ai, hereinafter referred to as MatrixAI,” “we,” “our,” or “us,” offers a global Software-as-a-Service platform dedicated to conversational commerce, chat automation, and associated analytics. Safeguarding the confidentiality, integrity, and availability of all Personal Data entrusted to us is intrinsic to our corporate mission. This Privacy and Data Protection Policy (“Policy”) therefore explains, in a transparent and exhaustive manner, the principles and procedures through which we collect, process, retain, disclose, and protect information. The Policy reflects the requirements of the General Data Protection Regulation (EU) 2016/679, the California Consumer Privacy Act as amended by the California Privacy Rights Act, ISO/IEC 27001:2022, and all other relevant federal, state, and international privacy statutes and recognised industry standards. By accessing or utilising any component of the Matrix Ai platform, its websites, or its administrator portals (collectively, the “Services”), you acknowledge that you have read, understood, and accepted the practices articulated herein.

2. Definitions

For the purposes of this Policy, the expression “Personal Data” designates any information that directly or indirectly identifies a natural person, as set forth in Article 4(1) of the GDPR or in analogous legislation. The term “Processing” encompasses every conceivable operation performed upon Personal Data, including but not limited to collection, storage, transmission, or erasure. The “Controller” is the natural or legal person that determines the purposes and means of Processing; in our commercial context this role is ordinarily fulfilled by our business-to-business Clients. Matrix AI acts as “Processor” whenever we perform Processing on behalf of such a Controller. A “Sub-processor” is any third-party entity that Matrix AI authorises to process Personal Data under a written agreement. The term “Client” denotes a corporate subscriber to Matrix AI Services, whereas “End User” refers to any individual who interacts with a Client through channels powered by Matrix AI technology.

3. Scope

This Policy governs three principal categories of Processing activity:

• Client-Provided Data: Chat transcripts, customer identifiers, uploaded files, and related metadata transmitted through the Services, where Matrix AI functions as Processor.
• Administrative or Account Data: Collected directly from Clients for billing, authentication, and platform administration, where Matrix AI acts as Controller.
• Visitor Data: Gathered from users of our public web properties, processed in a Controller capacity.

4. Lawful Bases for Processing

When Matrix AI operates as Controller of Administrative or Visitor Data, it relies on one or more lawful bases established by Article 6 of the GDPR:

• Contractual necessity: Processing indispensable to subscription agreement performance (e.g., account provisioning, billing).
• Legitimate interests: Processing necessary for secure and efficient Service operation, without overriding data subject rights.
• Explicit consent: Obtained for optional activities (e.g., marketing communications, non-essential cookies), withdrawable at any time.
• Legal obligations: Processing required to satisfy statutory or regulatory requirements.

For Client-Provided Data, Clients must document the lawful basis in the Data Processing Agreement.

5. Categories of Data Collected

Client-Provided Data includes end-user interactions through channels such as Facebook Messenger, WhatsApp, Instagram Direct, web chat widgets, and SMS, along with metadata:

• Raw message bodies and associated assets (images, documents, videos, audio, stickers).
• Channel-specific metadata (message IDs, conversation IDs, delivery receipts, read-status indicators, timestamps).
• Customer identifiers (names, phone numbers, emails, social handles).
• Device/network characteristics (IP addresses, user-agent strings, locale, time zone, device type).
• Behavioral telemetry (interaction frequency, response latency, typing indicators, sentiment scores).
• Custom data fields defined by the Client (order references, loyalty numbers).

Administrative and Visitor Data include corporate contacts, billing addresses, tax IDs, usernames, hashed passwords, MFA credentials, subscription settings, feature usage metrics, diagnostic logs, performance stats, marketing preferences, and technical identifiers (cookies, pixels, session IDs).

6. Methods of Collection

• Direct submission via online forms, email, support tickets, contracts.
• Automatic collection through server logs, cookies, SDKs, and related technologies.
• Third-party sources (integration marketplaces, public registers, partners, due diligence lists).

7. Purposes of Processing

• Delivering chat automation Services.
• Securing and monitoring infrastructure reliability.
• Administering subscriptions and invoices.
• Product R&D using aggregated, pseudonymised metrics.
• Marketing communications with consent.
• Compliance with legal obligations and law-enforcement requests.

8. Disclosure and Sub-processing

Matrix AI does not sell Personal Data. We disclose information only to:

• Authorized Sub-processors (list at //thematrixai.xyz/subprocessors).
• Professional advisers under confidentiality.
• Government or judicial authorities when compelled by law.
• Successor entities in mergers/acquisitions with equivalent safeguards.

9. International Transfers

Data may be stored in AWS data centres globally. Transfers from the EEA, UK, or Switzerland to third countries use Standard Contractual Clauses, the UK International Data Transfer Agreement, or equivalents. Data-residency options are available per region.

10. Data Security

• ISO/IEC 27001 certified ISMS.
• AES-256 encryption for data at rest; TLS 1.2+ for data in transit.
• Network segmentation, firewalls, zero-trust, RBAC, SSO, MFA.
• Secure SDLC: code reviews, dependency scanning, penetration testing.
• SIEM platform for audit trails and continuous monitoring.
• Incident-response plan: breach notification within 72 hours.

11. Data Retention and Deletion

• Chat transcripts retained for 24 months.
• Billing records retained for 7 years.
• Logs cycled within 90 days; backups within 30 days.
• On-demand deletion via portal or support, subject to holds.

12. Data Subject Rights

Rights of access, rectification, erasure, restriction, portability, objection, and freedom from automated decision-making under GDPR Articles 15–22 and CCPA/CPRA. Requests via privacy@thematrixai.xyz or online form. Responses within 30 days (EEA) or 45 days (CA). Processor-mode requests go to Clients.

13. Children’s Privacy

The Services are not directed at children under 13 years of age (or higher age required by local law). We do not knowingly collect Personal Data from minors and will promptly delete any such data if discovered.

14. Cookies and Similar Technologies

We use strictly necessary cookies for authentication and session management. Optional analytics cookies and advertising pixels are deployed only with user consent. Detailed information and opt-out options are available on our Cookie Policy page.

15. Marketing Communications

Transactional messages (service announcements, operational alerts) are sent irrespective of marketing preferences. Promotional communications are only sent to those who have provided explicit consent and always include an easy opt-out mechanism in compliance with the CAN-SPAM Act and ePrivacy Directive.

16. Data Breach Notification

In the event of a Personal Data breach that risks the rights and freedoms of individuals, we will notify affected Controllers without undue delay and no later than 72 hours after becoming aware of the incident. Notifications will include the nature of the breach, affected data categories and approximate number of individuals, potential consequences, and remedial measures taken.

17. Supervisory Authority and Dispute Resolution

Data subjects in the European Economic Area (EEA) may lodge complaints with their local Data Protection Authority. Individuals in the United States may contact BBB National Programs or their state Attorney General’s office for unresolved privacy issues.

18. Amendments

This Policy is reviewed at least annually. Material changes will be communicated to registered users via email and posted prominently in the dashboard at least 30 days before their effective date. Continued use of our Services after changes become effective signifies acceptance.

19. Contact and Data Protection Officer

Questions or complaints about this Policy or our data practices should be directed to:
Data Protection Officer
thematrixai.xyz
Telephone: +880 1793‑504010
Address: Basundhara R/A, Dhaka 1212, Bangladesh
Email: privacy@thematrixai.xyz

20. Appendices

Appendices are available upon written request and include:
A. Current Sub-processors
B. Summary of Technical and Organizational Measures
C. Record of Processing Activities