Privacy Policy

Last updated: 7 April 2026

1. Introduction

MatterFile ("we", "us", or "our") operates the MatterFile platform ("Service"), including the MatterFile Outlook Add-in for Microsoft Outlook, the MatterFile web dashboard, and related integrations. MatterFile is an automated email time-tracking and billing tool for law firms.

This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and your rights. We are committed to protecting the privacy and confidentiality of our users and their clients.

This policy applies to all MatterFile products and services, including the Microsoft Outlook Add-in available through Microsoft AppSource.

2. Information We Collect

2.1 Account Information

When you register for the Service, we collect:

  • Your name and email address
  • Your firm or organisation name
  • Billing information (processed by our payment provider; we do not store full card details)

2.2 Email Metadata

When you connect your email account (Gmail or Outlook) or use the MatterFile Outlook Add-in, we access the following metadata from your sent and received emails:

  • Email subject line
  • Sender email address
  • Recipient email addresses (To, CC)
  • Date and time sent
  • Message ID (stored as a SHA-256 hash for deduplication only)

We never access, read, store, or process the body content of any email. We do not access attachments, drafts, email threads, or conversation history. The Outlook Add-in uses the ReadItem permission, which provides access to email metadata only. For Gmail, we request only the metadata scope, which explicitly excludes email body access.

2.3 Practice Management Data

When you connect your practice management software ("PMS"; Clio), we cache the following data to enable email matching:

  • Contact names and email addresses
  • Open matter descriptions and reference numbers
  • Client-matter relationships

This data is cached locally in our database and refreshed periodically. Your PMS remains the source of truth. We do not modify your PMS data except to create communications and time entries that you have approved.

2.4 OAuth Tokens

We store OAuth 2.0 access and refresh tokens to maintain your connections to Gmail, Outlook, and Clio. These tokens are encrypted at rest using AES-256 encryption and are deleted immediately when you disconnect a service.

2.5 Usage Data

We may collect anonymised usage data including:

  • Number of emails processed
  • Match accuracy rates (aggregated, not per-email)
  • Feature usage patterns
  • Error logs (which do not contain email content or client information)

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Match sent emails to clients and matters in your PMS
  • Create billable time entries in your PMS on your behalf
  • Communicate with you about your account, billing, and service updates
  • Monitor and improve the accuracy of our AI matching
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

We do not use your information for advertising. We do not sell your personal information. We do not use your data to train AI models.

4. AI Processing and Data Handling

4.1 Cloud AI (Default)

Email matching is performed using Google Gemini via Google Vertex AI, hosted in the australia-southeast1 (Sydney) region. The following data handling measures are in place:

  • Zero data retention: Vertex AI on the paid tier does not retain prompts or responses beyond the duration of the API call. Your data is not logged or stored by Google.
  • No training: Google contractually guarantees that Vertex AI customer data is not used to train or improve any AI models.
  • Australian data residency: AI inference is processed entirely within the australia-southeast1 (Sydney) region. No AI processing data leaves Australia.

The AI receives only:

  • Email subject line
  • Sender and recipient email addresses
  • Contact names and email addresses from your PMS
  • Matter descriptions from your PMS

The AI never receives email body content, attachments, OAuth tokens, or billing information.

4.2 Private AI (Enterprise)

Enterprise customers may opt for a fully private AI instance running on their own infrastructure using the open-source Qwen3 model. Under this configuration, zero data is sent to any external AI service. All processing occurs within the customer's own network.

5. Data Retention

  • Email metadata (subject, addresses): Automatically purged within 7 days of processing. Users may also trigger an instant purge at any time from their account settings.
  • Message ID hashes: Retained for deduplication. These are one-way SHA-256 hashes and cannot be reversed to recover the original message ID.
  • Cached PMS data (contacts, matters): Refreshed periodically and deleted when you disconnect your PMS or cancel your account.
  • OAuth tokens: Deleted immediately when you disconnect a service or cancel your account.
  • Tracked email records: Retained while your account is active to provide your email history and billing audit trail. Subject line and matching notes are purged within 7 days of processing; only PMS reference IDs are retained thereafter.
  • Account information: Retained while your account is active and for 30 days after cancellation, then deleted.
  • AI processing data: Zero retention. Data exists only for the duration of each API call.

6. Data Sharing and Third Parties

We share your data only with the following categories of third parties, and only to the extent necessary to provide the Service:

6.1 Service Providers

  • Google Vertex AI: Email metadata (subject and addresses only) is sent to Google Gemini via Google Vertex AI in the australia-southeast1 (Sydney) region for AI-powered matter matching. Zero data retention. Google does not train on your data.
  • Vercel: Our web application and backend functions are hosted on Vercel. Vercel may serve requests from global edge locations.
  • Amazon Web Services (AWS RDS): Our PostgreSQL database is hosted on AWS RDS in the ap-southeast-2 (Sydney) region. All persistent user data, email metadata, and encrypted tokens are stored in Australia.
  • Amazon Web Services (AWS EC2): Our background job worker runs on AWS EC2 in the ap-southeast-2 (Sydney) region, processing email queue jobs.
  • Upstash: We use Upstash for transient job queue management (Redis). Queue data is short-lived and contains only job metadata, not email content.
  • Clio: We integrate with Clio practice management software to read contacts and matters, and to create time entries on your behalf via the Clio API.
  • Stripe: Subscription billing is processed by Stripe, Inc. Payment card details are stored and processed entirely by Stripe. We do not store, see, or have access to your full card number. Stripe is PCI DSS Level 1 certified.

6.2 Your Connected Services

  • Gmail / Microsoft Outlook: We access your email metadata via their respective APIs. The MatterFile Outlook Add-in operates within Microsoft Outlook and accesses email metadata using the ReadItem permission.
  • Clio: We read contacts and matters, and create time entries via the Clio API.

6.3 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of MatterFile, our users, or the public.

We do not sell, rent, or trade your personal information to any third party.

7. Data Security

We implement the following security measures to protect your data:

  • All data in transit is encrypted with TLS 1.2+
  • OAuth tokens are encrypted at rest using AES-256-GCM authenticated encryption
  • Database connections are encrypted and access-controlled
  • Persistent data is stored in AWS RDS (Sydney). The web application is served via Vercel
  • Access to production systems is restricted and logged
  • Email metadata is automatically purged within 7 days of processing
  • Message IDs are stored as irreversible SHA-256 hashes

8. Your Rights Under the Australian Privacy Act

Under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), you have the right to:

  • Access: Request access to the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal information.
  • Deletion: Request deletion of your personal information (subject to legal retention requirements).
  • Complaint: Lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached.

To exercise any of these rights, contact us at hello@matterfile.xyz.

9. Cross-Border Data Transfers

Persistent data (database, encrypted tokens, email metadata) is stored on AWS RDS in the ap-southeast-2 (Sydney) region. The web application is served via Vercel, which may process requests at edge locations globally.

AI processing via Google Vertex AI occurs entirely within the australia-southeast1 (Sydney) region. No AI processing data leaves Australia, and no data is retained by Google.

The MatterFile Outlook Add-in communicates with the MatterFile backend over HTTPS. No email data is stored locally in the add-in; all data is transmitted to and stored on our servers as described in this policy.

10. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Vantage Thinking (trading as MatterFile)
Email: hello@matterfile.xyz
Support: https://matterfile.xyz/support

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.