1. Introduction
MatterFile is a product of Vantage Solutions, an Australian registered business. Vantage Solutions ("we", "us", or "our") operates the MatterFile platform ("Service"), an automated email billing tool for Australian law firms.
This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and your rights under the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We are committed to protecting the privacy and confidentiality of our users and their clients.
2. Information We Collect
2.1 Account Information
When you register for the Service, we collect:
- Your name and email address
- Your firm or organisation name
- Billing information (processed by our payment provider; we do not store full card details)
2.2 Email Metadata
When you connect your email account (Gmail or Outlook), we access the following metadata from your sent emails only:
- Email subject line
- Sender email address
- Recipient email addresses
- Date and time sent
- Message ID (stored as a SHA-256 hash for deduplication only)
We never access, read, store, or process the body content of any email. We do not access attachments, drafts, received emails, email threads, or conversation history.
2.3 Practice Management Data
When you connect your PMS (LEAP or Clio), we cache the following data to enable email matching:
- Contact names and email addresses
- Open matter descriptions and reference numbers
- Client-matter relationships
This data is cached locally in our database and refreshed periodically. Your PMS remains the source of truth. We do not modify your PMS data except to create communications and time entries that you have approved.
2.4 OAuth Tokens
We store OAuth 2.0 access and refresh tokens to maintain your connections to Gmail, Outlook, LEAP, and Clio. These tokens are encrypted at rest using AES-256 encryption and are deleted immediately when you disconnect a service.
2.5 Usage Data
We may collect anonymised usage data including:
- Number of emails processed
- Match accuracy rates (aggregated, not per-email)
- Feature usage patterns
- Error logs (which do not contain email content or client information)
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Match sent emails to clients and matters in your PMS
- Create billable time entries in your PMS on your behalf
- Communicate with you about your account, billing, and service updates
- Monitor and improve the accuracy of our AI matching
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
We do not use your information for advertising. We do not sell your personal information. We do not use your data to train AI models.
4. AI Processing and Data Handling
4.1 Cloud AI (Default)
By default, email matching is performed using Google Gemini via Vertex AI. The AI is hosted in Google Cloud's australia-southeast1 (Sydney) region. The following data handling measures are in place:
- Zero data retention: We configure Vertex AI with zero data retention at the project level. In-memory caching is disabled. We have opted out of abuse-monitoring prompt logging. Your data exists only for the duration of the API call.
- No training: Google contractually guarantees that your data will not be used to train or fine-tune any AI models. This is part of the Google Cloud Platform Terms of Service.
- Australian data residency: All data at rest is stored in the australia-southeast1 (Sydney) region with contractual data residency guarantees from Google.
- SOC 2 compliance: Google Cloud maintains SOC 2 Type II certification, inherited by Vertex AI.
The AI receives only:
- Email subject line
- Sender and recipient email addresses
- Contact names and email addresses from your PMS
- Matter descriptions from your PMS
The AI never receives email body content, attachments, OAuth tokens, or billing information.
4.2 Private AI (Enterprise)
Enterprise customers may opt for a fully private AI instance running on their own infrastructure using the open-source Qwen3 model. Under this configuration, zero data is sent to any external AI service. All processing occurs within the customer's own network.
5. Data Retention
- Email metadata (subject, addresses): Purged within 7 days of processing.
- Message ID hashes: Retained for deduplication. These are one-way SHA-256 hashes and cannot be reversed to recover the original message ID.
- Cached PMS data (contacts, matters): Refreshed periodically and deleted when you disconnect your PMS or cancel your account.
- OAuth tokens: Deleted immediately when you disconnect a service or cancel your account.
- Tracked email records: Retained while your account is active to provide your email history and billing audit trail. Subject line and matching notes are purged after 7 days; only PMS reference IDs are retained.
- Account information: Retained while your account is active and for 30 days after cancellation, then deleted.
- AI processing data: Zero retention. Data exists only for the duration of each API call.
6. Data Sharing and Third Parties
We share your data only with the following categories of third parties, and only to the extent necessary to provide the Service:
6.1 Service Providers
- Google Cloud (Vertex AI): Email metadata (subject and addresses only) is sent to Google Gemini for AI matching. Hosted in australia-southeast1 with zero data retention. Google does not train on your data.
- Amazon Web Services (AWS): Our application infrastructure is hosted on AWS in the ap-southeast-2 (Sydney) region.
- Payment processor: Billing information is processed by our payment provider. We do not store full payment card details.
6.2 Your Connected Services
- Gmail / Outlook: We access your sent email metadata via their respective APIs.
- LEAP / Clio: We read contacts and matters, and create communications and time entries via their APIs.
6.3 Legal Requirements
We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of MatterFile, our users, or the public.
We do not sell, rent, or trade your personal information to any third party.
7. Data Security
We implement the following security measures to protect your data:
- All data in transit is encrypted with TLS 1.2+
- OAuth tokens are encrypted at rest with AES-256
- Database connections are encrypted and access-controlled
- All infrastructure is hosted in Australian data centres (GCP australia-southeast1 and AWS ap-southeast-2)
- Access to production systems is restricted and logged
- Email metadata is automatically purged within 7 days
- Message IDs are stored as irreversible SHA-256 hashes
8. Your Rights Under the Australian Privacy Act
Under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), you have the right to:
- Access: Request access to the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete personal information.
- Deletion: Request deletion of your personal information (subject to legal retention requirements).
- Complaint: Lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached.
To exercise any of these rights, contact us at hello@matterfile.xyz.
9. Cross-Border Data Transfers
Our infrastructure is hosted entirely in Australia (GCP Sydney and AWS Sydney). Email metadata sent to Google Gemini for AI matching is processed in the australia-southeast1 (Sydney) region with data-at-rest residency guarantees.
We note that during AI inference, Google may process data outside Australia temporarily. Google provides contractual commitments that data at rest remains in the selected region. No data is stored outside Australia.
For enterprise customers using the Private AI option, all data processing occurs entirely within your own infrastructure with zero external transfers.
10. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
Vantage Solutions (trading as MatterFile)
Email: hello@matterfile.xyz
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.