Document version: 2026-07-07-release-v1

MINDMATRIX Privacy Documentation

Privacy Policy

This Privacy Policy sets out how MINDMATRIX collects, uses, stores, discloses and protects personal data in connection with the operation of the MINDMATRIX platform, including account data, customer enquiry data, lead data, job-related information, support records, media, attachments, usage data, security logs and telemetry data.

This Privacy Policy is intended to support transparency and compliance with applicable data protection legislation, including the UK GDPR and, where applicable, the EU GDPR. It should be read together with the MINDMATRIX Commercial Licence & Platform Terms, Data Processing Addendum, Cookies & Telemetry Notice and any applicable order form, proposal or service agreement.

1. Scope of this Privacy Policy

This Privacy Policy applies to personal data processed through or in connection with the MINDMATRIX platform, including personal data relating to Customers, authorised users, administrators, business contacts, leads, customer enquiries, job records, support interactions, media files, attachments, platform usage, security records and operational telemetry.

For the purposes of this Privacy Policy, "Customer" means the business, organisation or account holder that has been granted access to the MINDMATRIX platform. "Authorised User" means any individual permitted by the Customer to access or use the platform.

2. Controller and Processor Roles

MINDMATRIX may act as a data controller in respect of personal data processed for its own business purposes, including account administration, billing, customer onboarding, support communications, platform account identity, administrator access records, security monitoring, legal compliance, service management and product improvement.

MINDMATRIX may act as a data processor where it processes personal data on behalf of a Customer through the platform, including customer enquiry data, lead data, job-related information, uploaded media, attachments, workflow records and communication data handled in accordance with the Customer's instructions.

The Customer remains responsible for determining the lawful basis, purposes and means of processing personal data relating to its own customers, leads, enquiries, communications, job records and business operations. The Customer is also responsible for providing any required privacy notices, obtaining any required consents, and ensuring that its use of MINDMATRIX complies with applicable data protection laws.

Further controller and processor obligations are set out in the MINDMATRIX Data Processing Addendum.

3. Categories of Personal Data

MINDMATRIX may process the following categories of personal data, depending on the Customer's package, configuration, integrations, workflows and use of the platform:

  • Account and administrator identity data, including names, email addresses, phone numbers, login details, authentication status, user roles, support access records and acceptance records.
  • Customer business data, including organisation profile, package information, platform configuration, branding, communication channels, operational settings, workflow preferences and account administration information.
  • Lead, customer and enquiry data, including names, phone numbers, email addresses, property or site addresses, job descriptions, enquiry details, message history, notes, attachments, media files and linked customer records.
  • Job and workflow data, including estimates, quote history, booking details, scheduling information, deposit or payment workflow records, site-survey notes, operational status updates and aftercare records.
  • Support and communication data, including support requests, service communications, onboarding records, issue reports, feedback, correspondence and customer success interactions.
  • Telemetry, usage and security data, including messaging events, AI usage records, upload sizes, platform usage information, system logs, security logs, diagnostic data, error reports and operational monitoring data.

4. Purposes of Processing

MINDMATRIX may process personal data for the following purposes:

  • to provide, operate, maintain, secure and improve the MINDMATRIX platform;
  • to route enquiries, manage authentication, administer Customer accounts, deliver messages, classify and summarise enquiries, store attachments and support Customer workflows;
  • to support lead capture, enquiry management, estimating workflows, quote preparation, booking, scheduling, job management, customer communication and follow-up processes;
  • to monitor platform usage, service performance, reliability, security, misuse, error events, operational diagnostics and fair-use thresholds;
  • to provide onboarding, technical support, troubleshooting, customer success assistance and service communications;
  • to investigate suspected abuse, misuse, security incidents, unlawful activity or breach of applicable terms;
  • to administer billing, package entitlements, commercial records, contractual obligations and operational reporting;
  • to comply with applicable legal, regulatory, accounting, audit, security and record-keeping obligations.

5. Data Subject Rights and Customer Cooperation

Where MINDMATRIX acts as a data controller, MINDMATRIX shall handle applicable data subject rights requests in accordance with applicable data protection laws. Such rights may include, where applicable, rights of access, rectification, erasure, restriction, portability and objection.

Where MINDMATRIX acts as a data processor on behalf of a Customer, MINDMATRIX shall provide reasonable assistance to the Customer in responding to data subject requests relating to personal data processed through the platform, subject to applicable law, technical feasibility and the Customer's cooperation.

The Customer remains responsible for handling data subject requests relating to its own customers, leads, enquiries, communications, job records and business operations where the Customer determines the purposes and means of processing.

The Customer shall cooperate promptly with MINDMATRIX where a data subject request, regulatory enquiry, complaint, correction request, deletion request, export request or objection relates to Customer-controlled data processed through the platform.

MINDMATRIX may refuse, restrict or delay action on a request where permitted by applicable law, where the request cannot be verified, where the request relates to data controlled by the Customer, or where retention is required for legal, security, contractual, accounting, dispute-resolution or legitimate business purposes.

6. International Transfers and Subprocessors

MINDMATRIX may use third-party service providers, subprocessors and infrastructure providers to support the delivery, security, hosting, communication, authentication, billing, analytics, AI-assisted functionality and operation of the MINDMATRIX platform.

Such third-party providers may process or store personal data in the United Kingdom, the European Economic Area, the United States or other jurisdictions, depending on the relevant provider, service configuration, infrastructure location and operational requirements.

Where personal data is transferred outside the United Kingdom or European Economic Area, MINDMATRIX shall take reasonable steps to ensure that such transfer is carried out in accordance with applicable data protection laws and, where required, is supported by appropriate safeguards such as adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, EU Standard Contractual Clauses, transfer risk assessments or equivalent lawful transfer mechanisms.

MINDMATRIX shall remain responsible for appointing subprocessors that are reasonably appropriate for the provision of the platform and shall require subprocessors to process personal data only in accordance with applicable contractual, confidentiality, security and data protection obligations.

The Customer acknowledges that certain platform functions may depend on third-party services, including authentication providers, messaging providers, email providers, hosting providers, AI model providers, analytics providers, payment or billing providers and support tools.

A current list of material subprocessors may be made available through the MINDMATRIX legal documentation, platform notice, onboarding materials, service agreement or other written notice.

7. Security and Personal Data Incidents

MINDMATRIX shall apply appropriate technical and organisational measures designed to protect personal data against unauthorised access, accidental or unlawful destruction, loss, alteration, disclosure, misuse or unlawful processing.

Such measures may include, where appropriate, access controls, authentication controls, role-based permissions, system monitoring, security logging, data backup controls, provider security controls, operational procedures and staff or contractor confidentiality obligations.

MINDMATRIX shall take reasonable steps to investigate any suspected or actual personal data breach affecting the platform and shall notify affected Customers where required by applicable law, contract or data processing terms.

Where MINDMATRIX acts as a data processor, MINDMATRIX shall notify the relevant Customer without undue delay after becoming aware of a personal data breach affecting Customer-controlled personal data, to enable the Customer to assess and comply with any applicable notification obligations.

Where MINDMATRIX acts as a data controller, MINDMATRIX shall assess whether any personal data breach is notifiable to the relevant supervisory authority and/or affected individuals in accordance with applicable data protection laws.

8. Retention and Deletion

MINDMATRIX shall retain personal data only for as long as reasonably necessary for the purposes for which it was collected or processed, including service delivery, account administration, security, support, billing, legal compliance, audit, dispute resolution, fraud prevention and legitimate business operations.

Retention periods may vary depending on the type of personal data, the Customer's package, platform configuration, legal requirements, contractual obligations, operational needs, backup processes and the nature of the relevant records.

Where MINDMATRIX acts as a processor, Customer-controlled personal data shall be retained, returned, deleted or anonymised in accordance with the applicable Data Processing Addendum, Customer instructions, platform functionality and any legal or technical limitations.

MINDMATRIX may retain certain records where necessary to comply with legal, accounting, tax, regulatory, security, audit, contractual, dispute-resolution or legitimate business requirements.

Following account closure, termination or expiry of the applicable service, MINDMATRIX may delete, archive, anonymise or restrict access to personal data in accordance with its retention procedures and applicable law.