This Privacy Policy describes how material.codes ("we", "us") collects, uses, and shares personal data when you visit material.codes, join the waitlist, create an account, or use the platform (the "Service").
1. Data we collect
Account and contact data. Email address, display name, hashed password, optional affiliation, and the system role assigned to you.
Waitlist data. Email address and the page or source that referred you. Stored until your account is provisioned or you ask us to remove it.
Usage data. Requests you make to the Service — search queries, prompts, uploaded documents, dataset queries, DFT job parameters, MCP tool invocations — together with operational metadata such as timestamps, IP address, user agent, request latency, and error codes. We use this both to deliver the requested result and to operate, secure, and improve the Service.
Content you upload. Files you ingest into a personal or shared collection (PDFs, text, structured datasets) and any chunks, embeddings, or extracted properties derived from them. Stored in our object storage and indexed in our vector and relational databases.
Billing data. When you purchase a subscription, our Merchant of Record Paddle.com Market Limited and its affiliates ("Paddle") collect your billing information directly. We receive only the data Paddle returns to us: a customer identifier, plan and renewal status, country (for tax purposes), invoice metadata, and the masked card brand and last four digits. We never receive or store your full payment card details.
Cookies and similar. A first-party session cookie issued via alexedwards/scs after you log in. We do not use third-party advertising cookies.
2. Why we use it
- To provide the Service — authenticate you, route requests, deliver answers, persist your collections, enforce plan limits.
- To bill you — through Paddle, for paid plans.
- To operate and secure — investigate abuse, prevent fraud, debug errors, maintain audit trails.
- To communicate — service announcements, invoices, security alerts, and (if you opt in) product news.
- To improve — using anonymised, aggregated metrics. We do not train foundation models on your content.
3. Legal bases (EEA/UK users)
- Contract — to deliver the Service you signed up for.
- Legitimate interests — operating the platform, preventing abuse, debugging, aggregated analytics.
- Legal obligation — tax records, responding to lawful requests.
- Consent — optional marketing emails (you can withdraw consent at any time).
4. Sub-processors and third parties
We share personal data with the following categories of processors strictly to operate the Service:
- Paddle — payment processing, invoicing, tax remittance, fraud screening.
- LLM and embedding providers — the prompts and document text needed to fulfil a request are forwarded to the model provider configured for your plan. Providers are bound by their own no-training-on-customer-data terms.
- Infrastructure providers — hosting, object storage, database, monitoring, and log aggregation under standard data-processing agreements.
- Email delivery — transactional email for account, billing, and security notifications.
We do not sell personal data. We do not share personal data for cross-context behavioural advertising. We disclose data to authorities only where legally required and, where lawful, after notifying you.
5. International transfers
Personal data may be processed in countries other than your own. Where data is transferred out of the EEA or UK, we rely on appropriate safeguards (e.g. EU Standard Contractual Clauses) with our sub-processors.
6. Retention
- Account data: while your account is active and for up to 24 months after deletion, to handle disputes and meet legal obligations.
- Content you upload: until you delete it or close your account; then queued for garbage collection.
- Usage logs: typically 90 days, longer for security-relevant events.
- Billing records: as required by applicable tax law (commonly 7–10 years), held by Paddle.
- Waitlist records: until your access is granted or you ask us to remove them.
7. Your rights
Subject to applicable law (GDPR, UK GDPR, CCPA and similar), you have the right to access, correct, export, delete, restrict, and object to processing of your personal data, and to withdraw consent where processing relies on it. To exercise any of these rights, write to info@material.codes. For billing data held by Paddle, you may also contact Paddle directly via their privacy notice.
You may lodge a complaint with your local supervisory authority if you believe we have not handled your data correctly.
8. Security
We protect passwords with bcrypt, encrypt data in transit with TLS, isolate tenant data at the project and collection level, and limit administrator access on a least-privilege basis. No system is perfectly secure; if you discover a vulnerability, please report it responsibly to info@material.codes.
9. Children
The Service is intended for researchers and professional users and is not directed to children under 16. We do not knowingly collect personal data from children.
10. Changes
We may update this Privacy Policy. Material changes will be announced on this page and, for active accounts, by email. The "Effective date" reflects the current version.
11. Contact
Privacy questions and rights requests: info@material.codes.