This Privacy Policy explains how Lucido LLC, a Florida (USA) company operating the Matterlyt service ("Matterlyt", "we", "us"), processes personal data when you visit our website, contact us, or use the Matterlyt product.
For personal data we process on behalf of our customers inside the product (e.g. the content of security questionnaires and knowledge bases our customers upload), our customer is the controller and we act as processor — that processing is governed by our Data Processing Agreement, not this notice.
1. Controller
Lucido LLC
7901 4th St N, Ste 300, St. Petersburg, FL 33702, USA
Email: privacy@matterlyt.com
Represented by: Sebastian Galonska, Managing Member
2. Data Protection Officer
We are not required to appoint a Data Protection Officer under Art. 37 GDPR or §38 BDSG. For all data-protection matters, contact privacy@matterlyt.com.
3. What we process, why, and on what legal basis
| Context | Data | Purpose | Legal basis (Art. 6(1) GDPR) |
|---|---|---|---|
| Website visit | IP, device/browser data, pages viewed, timestamps | Deliver & secure the site | (f) legitimate interest |
| Contact / demo request | Name, business email, company, message | Respond to your enquiry | (b) pre-contractual; (f) legitimate interest |
| Account / product use | Name, business email, role, login & usage data | Provide the service, authenticate, support | (b) performance of contract |
| Billing | Billing contact, company, transaction data | Invoicing, accounting | (b) contract; (c) legal obligation |
| Marketing / outbound | Business contact data | B2B communications about Matterlyt | (f) legitimate interest (opt-out) |
| Live chat | Name, email (if provided), chat messages, IP, page context | Provide support via the website chat | (b) pre-contractual/support; (f) legitimate interest |
| Cookies | See our Cookie Notice | Site function & analytics | (a) consent for non-essential cookies |
4. Where your data is processed
- Application & customer data: hosted in Germany (EU), with DDoS protection at the infrastructure level. Customer data is stored in the EU. Our hosting provider is named in our sub-processor list and DPA.
- Website & CDN: Cloudflare, Inc. (USA), under EU Standard Contractual Clauses.
- Live chat: Chatwoot Inc. (USA), under EU Standard Contractual Clauses.
- AI processing (bring-your-own-account): to generate questionnaire answers, content is processed by an AI model under each customer's own AI-provider account (their own API key, or an EU-region / self-hosted endpoint). The AI provider processes under the customer's own account and terms and is not our sub-processor; we do not send customer data to any AI provider on our own account.
5. International transfers
Where we transfer personal data outside the EU/EEA (e.g. to the USA), we rely on the EU Standard Contractual Clauses (Commission Decision 2021/914) and, where applicable, additional safeguards. Request a copy at privacy@matterlyt.com.
6. Retention
We keep personal data only as long as necessary for the purposes above or as required by law:
| Data | Retention |
|---|---|
| Account & customer data | Deleted immediately on contract / account termination |
| Database backups | Purged within 5 days |
| Server / website logs | 90 days |
| Invoices / accounting records | 7 years |
| Prospect / marketing data | Until you opt out; a minimal suppression record is kept thereafter to honour your opt-out |
Customer content we process on behalf of our customers is governed by the Data Processing Agreement.
7. Recipients
Service providers acting as our processors (see our sub-processor list), professional advisers, and authorities where legally required. We do not sell personal data. AI processing runs under the customer's own account (bring-your-own-account).
8. Your rights (Art. 15–21 GDPR)
You have the right to access, rectification, erasure, restriction, data portability, and objection, and to withdraw consent at any time (without affecting prior processing). To exercise any right, contact privacy@matterlyt.com. You may also lodge a complaint with a supervisory authority in your EU/EEA member state.
9. Automated decision-making
We do not use solely automated decision-making producing legal or similarly significant effects (Art. 22 GDPR). The service uses AI to assist in drafting answers; outputs are reviewed by humans.
10. Use of data for AI / model training
We do not use your personal data, account data, or customer content to train, fine-tune, or improve AI or machine-learning models. The service operates on a bring-your-own-account model: AI processing runs under each customer's own AI-provider account and terms, which the customer controls (for example, the Anthropic commercial API does not train on submitted data by default). We do not send your content to any AI provider on our own account.
11. Changes
We may update this Policy; the current version is always available on this page. Material changes will be communicated appropriately.