Privacy Policy
Last updated: 12 May 2026
This policy explains what Matins collects, why, how we keep it safe, and the rights you have over it. Plain language first; the legal grounds are listed alongside.
1. Who we are
Matins ("we", "us") is the data controller for the matins.ai website and the Matins applications. Based in London, United Kingdom. Contact for any privacy matter: privacy@matins.ai.
1.1 Scope
This policy applies to the matins.ai website, the Matins iOS and Android apps, our Telegram bot, our WhatsApp bot, and any email, support, or billing interaction connected to those services.
1.2 What we collect
- Account data. Email address, optional first name and last name, optional mobile number, and authentication credentials.
- Dream content. Audio recordings, transcribed text, and structured fields (figures, places, themes) derived from your captures.
- Reflections. The text we generate in response to your dreams, including the frameworks selected and the sources cited.
- Usage data. Device type, language, time zone, app version, and basic interaction events used to improve reliability.
- Billing data. Handled by our payment processors. We store the subscription status and plan, never your full card number.
1.3 Why we collect it (legal bases)
- To provide the service (contract): account, capture, reflection, memory of recurring figures and places.
- To keep the service safe and reliable (legitimate interest): logging, error tracking, abuse prevention, rate limiting.
- To send essential service emails (contract): confirmation, billing receipts, security notices.
- To improve the product (consent or legitimate interest): aggregate, de-identified analytics. You can opt out via the cookie banner.
1.4 What we do not do
We do not sell your data. We do not share your dream content with advertisers. We do not use your dream content to train large language models, ours or anyone else's. We do not read your dreams except where strictly necessary to investigate a reported bug or a safety report, and only with the smallest possible engineering team.
1.5 Sharing with sub-processors
We use a small set of trusted vendors to host data, run AI inference, send email, and process payment. They process your data only on our instructions and under data-processing agreements. The current list is published at matins.ai/sub-processors and is updated when it changes.
1.6 International transfers
Some of our sub-processors are located in the United States. Where that is the case, transfers are protected by Standard Contractual Clauses and the UK International Data Transfer Addendum, as applicable.
1.7 Retention
- Account data: for as long as your account is active.
- Dream captures and reflections: retained until you delete them or delete your account.
- Backups: rolling 30-day encrypted backups; deletions propagate within that window.
- Billing records: retained for 7 years to satisfy UK accounting law.
- Server logs: 30 days, then aggregated or discarded.
1.8 Your rights
Under UK GDPR you have the right to access, correct, export, restrict, object to, and delete your personal data. Email privacy@matins.ai and we will respond within one calendar month. You may complain to the UK Information Commissioner's Office at ico.org.uk.
1.9 Children
Matins is intended for adults. We do not knowingly collect data from anyone under 16. If you believe a minor has created an account, please contact us and we will delete it.
1.10 Marketing
We send a low-volume newsletter only to people who joined the waitlist or explicitly opted in. Every email contains a one-click unsubscribe link. We do not buy or rent email lists.
1.11 Cookies
See our Cookie Policy for the full list and controls.
1.12 Security commitments
- All traffic is encrypted in transit with TLS 1.2 or higher.
- All data is encrypted at rest with AES-256.
- Database access is restricted by row-level security policies.
- Production secrets are stored in a managed secret vault, never in source code.
- Access to production data is limited to a small, named engineering group, requires multi-factor authentication, and is audit-logged.
- Backups are encrypted and stored in a separate region from the primary database.
- We run automated security scans on every code change and address critical findings before deployment.
- We will notify affected users of any personal-data breach within 72 hours of becoming aware of it, as required by UK GDPR.
A non-technical overview is published at matins.ai/security.
1.13 Changes to this policy
When we make material changes we will notify you by email and post the new effective date at the top of this page. The prior version remains available on request.
1.14 Contact
Privacy questions: privacy@matins.ai. General inquiries: hello@matins.ai.