Metatable Privacy Notice

Jan 1, 2025

Privacy Notice

Effective Date: January 1, 2025

This Privacy Notice ("Privacy Notice") describes how and why Metatable ("we," "us," or "our") may collect, store, use, and/or share ("process") your personal data when you use our services ("Services"). This Privacy Notice fully replaces any previous version of our Privacy Notice.

Please read this document carefully to understand your privacy rights and choices. We are responsible for the decisions we make about how your personal data is processed. If you do not agree with our policies and practices, please discontinue your use of our Services. If you have any questions or concerns after reading, feel free to contact us at hello@metatable.ai.

1. WHAT DATA DO WE COLLECT?

1.1. Personal Data You Provide. We collect personal data that you voluntarily provide us when you register on the Services, express an interest in obtaining information about us or our products and services, participate in activities on the Services, subscribe on the Services, or otherwise contact us.

1.2. Types of Personal Data. The personal data you provide will vary depending on the context of your interactions, the choices you make, and the features you use. This may include, but is not limited to:

  • Name and surname;

  • Profession;

  • Email and phone number;

  • Username;

  • Purpose of use of the Services;

  • Passwords;

  • Avatars and Icons;

  • Services interactions;

  • Settings preferences;

  • Size of organization;

  • Other personal data.

We encourage you to provide accurate and up-to-date information so we can offer a seamless user experience.

1.3. Sensitive Data. We do not intentionally collect or process sensitive personal data (e.g., data concerning health, racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data) unless it is required by law, or you provide it to us voluntarily. If you choose to submit such data, you acknowledge that you do so with full understanding of its nature and potential risks.

1.4. Payment Data. If you choose to make purchases through our Services, we may collect the necessary payment details to process the transaction, such as: payment instrument number (e.g., credit or debit card number), date of payment, cardholder's name, country of issue, billing address, and the security code associated with your payment instrument. All payment transactions are handled by Stripe, and we do not store full payment details (e.g., complete card numbers) on our servers. For more information on Stripe's data handling practices, please review their Privacy Policy.

1.5. Third-party Service Login Data. We may offer you the option to register or log in using your existing third-party service account details (e.g., Google, GitHub, or another supported platform). By choosing this method, you allow us to receive certain profile information from the third-party service account. For more details on how we handle such logins, please see the section "How do we handle your third-party service logins?" below.

1.6. Application Data. If you use our mobile or desktop application(s), we may collect certain information and request specific permissions to ensure proper functionality, security, and user experience. These include:

  • Mobile Device Access. We may ask for access or permission to features on your mobile device, such as: mobile device's calendar, camera, contacts, microphone, reminders, and other features. You can change or revoke these permissions at any time in your device's settings.

  • Mobile Device Data. We may automatically collect certain details about your device and usage, such as: your mobile device ID, model, and manufacturer, operating system, version information and system configuration information, device and application identification numbers, browser type and version, hardware model, Internet service provider and/or mobile carrier, and Internet Protocol (IP) address (or proxy server). If you are using our application(s), we may also collect information about the phone network associated with your mobile device, your mobile device's operating system or platform, the type of mobile device you use, your mobile device's unique device ID, and information about the features of our application(s) you accessed. This data is used for security monitoring, troubleshooting, and internal analytics to improve our Services' performance and reliability.

  • Push Notifications. We may request permission to send you push notifications related to your account or certain features. If you prefer not to receive these alerts, you can disable push notifications in your device's settings at any time.

    1.6.1. The information described in this section is primarily needed to maintain the security and stable operation of our application(s), to diagnose technical issues, and to improve user experience via analytics and reporting.

    1.6.2. Accuracy of Personal Data. We rely on you to provide true, complete, and accurate personal information. Please notify us of any changes or updates to your personal data so we can keep your account and settings current.

1.7. Contractor Data. We may request and process certain personal and professional information from independent contractors (e.g., consultants, freelancers) to fulfill our contractual obligations. This may include: contact details, banking information for payments, tax identification numbers, work history, and any other information necessary to carry out the terms of the contract. We handle this data strictly for contract administration, invoicing, and compliance with applicable laws (e.g., tax regulations). If you wish to update or modify your contractor data, please contact us at hello@metatable.ai.

1.8. Employee Data. We may request and process personal information from employees to manage the employment relationship and related obligations. This may include: contact information, tax identification, bank details for payroll, performance reviews, training history, and other employment-related data. This information is used for payroll, benefits administration, performance management, and compliance with labor and other relevant laws. To change or update any of your employee data, please contact us at hello@metatable.ai.

1.9. Information Automatically Collected. We automatically collect certain data when you visit, use, or navigate our Services. While this data does not directly reveal your identity (e.g., name or contact details), it may include: device and usage information, such as your Internet Protocol (IP) address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This data is primarily needed to maintain the security and operation of our Services, enable troubleshooting, and support internal analytics and reporting. It also helps us enhance user experience and identify areas for improvement.

1.10. Cookies and Similar Technologies. We use cookies and other tracking technologies (like pixel tags, web beacons, or scripts) to collect and store information when you interact with our website. Cookies are small text files placed on your device to help us optimize your experience, analyze traffic, and deliver relevant content or advertising. Types of Cookies we use:

  • Functionality Cookies – these cookies recognize you when you return to our website and remember choices you made previously (e.g., language preferences, location). We might store your selected language so you don't have to re-choose it every visit. We may use both first-party (our own) and third-party cookies.

  • Advertising Cookies – these cookies collect data about your visit (pages viewed, links clicked, IP address) to display advertisements based on your browsing patterns. We sometimes share limited data with advertising partners. This may result in you seeing ads on other websites that reflect your activity on ours.

  • Analytics Cookies - we use analytics tools (e.g., Google Analytics) to understand how visitors engage with our site, measure performance, and improve usability. Main Cookie: _ga cookie, which helps identify unique visitors without directly revealing their identity. Additional Uses: Google Analytics may also be used alongside advertising cookies to display more relevant ads and measure ad interactions. To view an overview of the privacy of Google Analytics cookies, please go here. You may install a Google Analytics Opt-out Browser Add-on by going here.

    1.10.1. Cookie Duration. Session Cookies expire once you close your browser. Persistent Cookies remain on your device for a set period or until manually deleted.

    1.10.2. Managing Cookies. You can control or disable cookies through your browser settings. Please note that blocking certain cookies may affect the functionality and user experience on our website. For more details, consult your browser's "Help" section or settings panel.

1.11. Log and Usage Data. We collect service-related, diagnostic, usage, and performance information ("Log and Usage Data") automatically when you access or use our Services. This data is recorded in log files and may include details such as: IP address, device information (e.g., model, operating system), browser type and settings, pages and files viewed, searches performed, timestamps (date/time of your usage), feature interactions (which tools or functions you use), device event information (system activity, error reports or "crash dumps," hardware settings). We use Log and Usage Data to maintain the security of our Services, troubleshoot technical issues, and perform internal analytics to enhance performance and user experience.

1.12. Device Data. We collect additional technical details about the computer, phone, tablet, or other device you use to access our Services. Depending on your device and settings, this data may include: IP address (or proxy server), MAC address, device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system, and system configuration information. This information helps us analyze trends, administer the Services, and optimize compatibility across multiple platforms.

1.13. Location Data. We may gather location data from your device, which can be imprecise (e.g., based on IP address) about approximate location - we may use your IP address or other non-GPS methods to estimate your region. You can opt out of location tracking at any time by refusing the relevant permissions or disabling Location services on your device. However, doing so may limit certain features or functionalities of the Services.

1.14. Google API. Our use of data obtained via Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. This means that we only access, use, handle, and share Google API data as necessary to provide or improve our Services; we do not transfer Google API data to third parties except as allowed by the policy; we implement appropriate security measures to protect any information received through Google APIs.

2. HOW DO WE PROCESS YOUR DATA?

2.1. We process personal data for various reasons, depending on how you interact with our Services. Below are the main categories of purposes:

    2.1.1. Account & Service Management

  • Account Creation and Authentication. We may process your data to set up, verify, and maintain your account, enabling you to log in and keep your profile up to date.

  • Service Provision. We may process your data to deliver the Services you request, including managing subscriptions, product functionalities, and platform features.

  • Contract Negotiations and Conclusion. We may process personal data to draft, review, amend, and finalize agreements (e.g., licensing, service, or partnership contracts). This includes ensuring compliance with applicable laws and regulations.

  • Customer Support. We may process your data to respond to inquiries, address technical issues, and offer help with requested features or services.

  • General Communication. We may process your data to send administrative notifications, updates on product changes, or important policy revisions.

  • Feedback Requests. We may process your data when we seek your feedback on our Services, user experience, or new features.

    2.1.2. Marketing & Promotional Activities

  • Marketing and Promotional Communications. We may process personal data you provide for our marketing campaigns, in line with your marketing preferences. You can opt out at any time (see section "What are your privacy rights?" below).

  • Targeting. We may process your data (e.g., interests, location) to offer personalized content and advertising. This helps us tailor promotions that are more relevant to you.

  • Analysis of Marketing Effectiveness. We may process data to evaluate how well our campaigns are performing and to refine our promotional strategies.

    2.1.3. Security & Compliance

  • Protecting Our Services. We may process data for fraud detection, threat prevention, and ensuring the overall security of our platform.

  • Usage Trends & Insights. We may process data to identify patterns in how users engage with our Services so we can enhance performance and user experience.

  • Compliance with Legal Obligations. We may process your data to meet lawful requirements (e.g., responding to government or regulatory requests, fulfilling audit obligations).

  • Saving or Protecting an Individual's Vital Interest. If necessary, we may process your data to prevent harm or protect someone's life or safety.

  • Security Monitoring and Incident Management. We may process your data to detect, investigate, and respond to security incidents (e.g., data breaches, unauthorized access).

  • Data Backup and Recovery. We may process your data for regular backups and disaster recovery operations, ensuring integrity and availability of information.

    2.1.4. Billing & Financial Administration

  • Billing and Invoicing. We may process data to issue invoices, process payments, and resolve billing disputes.

  • International Data Transfers. We may process data when necessary for cross-border transactions or compliance with international payment regulations.

    2.1.5. Personalization & Platform Improvement

  • Customization of User Experience. We may process your data (e.g., usage history, preferences) to personalize the layout, content, and functionality within our Services.

  • Third-Party Integrations. We may process your data to enable integrations with external services or applications you choose to connect to our platform.

    2.1.6. Employee & Contractor Management

  • Contractor Management. We may process contractor data for onboarding, assignments, payments, and compliance with tax and regulatory obligations.

  • Employee Onboarding. We may process personal data to recruit, verify background checks, and set up internal systems for new employees.

  • Payroll and Benefits Administration. We may process HR data to manage salaries, bonuses, and employee benefits (e.g., healthcare, insurance, retirement plans).

  • Performance Management. We may process employee data for reviews, promotions, disciplinary actions, or terminations.

  • Training and Development. We may process employee data to track participation in professional development, certifications, and training sessions.

  • Compliance with Employment Laws. We may process data to ensure adherence to labor regulations, health and safety standards, and other legal requirements.

  • Employee Communication. We may process data to send internal updates, policy changes, newsletters, and other HR-related notifications.

  • Workplace Safety and Incident Reporting. We may process data to report and manage workplace incidents, ensure compliance with safety protocols, and respond to emergencies.

  • IT and Access Management. We may process data to grant, monitor, and revoke access to internal networks, email systems, and IT resources.

  • Contractor Performance Monitoring. We may process contractor data to evaluate deliverables and ensure timely service provision.

    2.1.7. Processor Role (Acting on Behalf of Clients). When we act as a Processor of personal data, we handle end-users' information strictly according to our clients' (the Controllers') instructions and relevant data protection laws.

  • Processing Data on Behalf of the Controller. We use personal data only to provide the agreed-upon services.

  • Data Processing Purposes. The Controller determines the specific purposes. We do not use or share end-users' data for our own needs unless permitted by law or contract.

  • Confidentiality. All authorized personnel are bound by strict confidentiality and security obligations.

  • Sub-processors. If we engage sub-processors, we ensure they uphold the same data protection standards outlined in our agreements with clients.

  • Security Measures. We maintain appropriate technical and organizational measures to protect data from unauthorized access or disclosure.

  • Data Breaches. In the event of a breach affecting end-users' data, we promptly notify the Controller and assist them in meeting any legal obligations (e.g., notifying affected individuals or regulators).

  • Data Subject Rights. We support our clients in responding to end-users who exercise their rights under data protection laws (access, rectification, erasure, restriction, etc.).

2.2. Note for End-users. If you want more details on how your personal data is processed in these scenarios, please contact the Controller (our client) who provides our Services to you.

2.3. For additional questions about Metatable's role as a Processor, see "How can you contact us about this notice?".

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR DATA?

3.1. We only process your personal data when we have a valid legal reason to do so under applicable law. This may include:

  • Your Consent (e.g., you explicitly allow us to use your data for a specific purpose).

  • Compliance with Laws (e.g., if we're required by local regulations or a court order).

  • Fulfilling a Contract (e.g., providing services you request or taking steps before entering into a contract).

  • Protecting Your Rights or Vital Interests (e.g., preventing harm or defending legal claims).

  • Legitimate Business Interests (e.g., improving our services, preventing fraud), so long as these interests don't override your fundamental rights and freedoms.

3.2. Below are the regional specifics if you are located in the EU/UK, Switzerland, Canada, or Brazil. For other regions, we follow the principles outlined in local privacy laws and international standards.

3.3. If you are located in the EU or UK, this section applies to you. The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal data. As such, we may rely on the following legal bases to process your personal data:

  • Consent. We may process your personal data if you have given clear and informed consent for a specific purpose. You can withdraw your consent at any time (see "Withdrawing Your Consent").

  • Performance of a Contract. We may process your data if it is necessary to fulfill our contractual obligations to you or to take steps at your request before entering into a contract.

  • Legitimate Interests. We may process data to pursue our legitimate business interests, provided these do not override your rights and freedoms. For example:

    • Sending you information about offers or discounts;

    • Displaying personalized content or ads;

    • Analyzing usage to improve user engagement;

    • Diagnosing problems or preventing fraud.

  • Legal Obligations. We may process your data to comply with laws, court orders, or requests from regulatory agencies (e.g., cooperating with law enforcement).

  • Vital Interests. We may process your data to protect your life or safety (or that of another person), such as in emergencies.

3.4. If you are located in Switzerland, this section applies to you.Switzerland follows its Federal Act on Data Protection (FADP) and the revised FADP (revFADP), which closely aligns with the GDPR. Thus, we rely on similar bases:

  • Consent. Clear, explicit consent for a specific purpose. You can withdraw consent at any time, unless another legal basis applies.

  • Performance of a Contract. Fulfilling contractual obligations or taking steps before entering into a contract.

  • Legitimate Interests. Processing data for our legitimate interests without overriding your fundamental rights. Examples include:

    • Improving services;

    • Sending promotional offers related to services;

    • Preventing fraudulent activities or enhancing security.

  • Compliance with Legal Obligations. Meeting Swiss legal requirements (e.g., tax, legal proceedings).

  • Protection of Vital Interests. Acting when necessary to prevent serious harm or protect someone's life or health.

3.5. If you are located in Canada, this section applies to you. Avis pour les résidents du Québec. En accédant à cette section, vous reconnaissez que vous comprenez l'anglais et que cette description vous permet de bien comprendre vos droits.

    3.5.1. Under the Personal Information Protection and Electronic Documents Act (PIPEDA) (and Quebec law where applicable):

  • Express or Implied Consent. We may process data with your express consent or, in certain contexts, implied consent (e.g., providing your email to sign up for updates). You can withdraw consent anytime.

  • Exceptional Circumstances. We may process data without consent if permitted by law, for example: investigations or fraud detection/prevention; business transactions under certain conditions; required by subpoena, warrant, or court order; publicly available data specified by regulation; vital interests (e.g., identifying injured persons).

3.6. If you are located in Brazil, this section applies to you. Brazil's General Data Protection Law (LGPD) governs how we process your personal data. As such, we may rely on the following legal bases to process your personal data:

  • Consent. You have explicitly agreed for a specific purpose. You can withdraw it any time, halting that specific data use (unless another legal basis applies).

  • Performance of a Contract. We process data to fulfill our contractual obligations or take steps at your request prior to entering a contract.

  • Legitimate Interests. We may process data for legitimate business needs, like:

    • Improving user experience;

    • Sending marketing communications;

    • Enhancing engagement through analytics.

  • Compliance with Legal Obligations. Meeting Brazilian legal requirements (e.g., tax, regulatory authorities).

  • Protection of Life and Health. E.g., processing data in health-related procedures or emergencies.

  • Exercise of Rights in Legal Proceedings. If necessary for defending or exercising rights in judicial, administrative, or arbitration processes.

3.7. Withdrawing Your Consent. Where we rely on consent as a legal basis, you can withdraw it at any time by contacting us or updating your preferences. However, this will not affect the lawfulness of processing before its withdrawal.

3.8. Additional Notes. Other Regions: In jurisdictions not specifically listed, we comply with the applicable local laws regarding data protection and privacy. If there is a direct conflict between local law and any term in this Privacy Notice, local law prevails within that region's scope. For more details on how you can exercise your data protection rights, please see the section "What Are Your Privacy Rights?" or contact us.

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL DATA?

4.1. We may share or disclose your personal data in specific circumstances, including the scenarios described below. In all cases, we strive to ensure that any third party receiving your data implements appropriate security and confidentiality measures consistent with this Privacy Notice.

4.2. Service Providers (Vendors, Consultants, And Other Third Parties).We engage certain third-party service providers ("vendors" or "processors") to perform functions or services on our behalf. These third parties need access to personal data only to the extent necessary for their assigned tasks and are contractually obligated to protect your data and not to share or use it for any other purpose.

    4.2.1. Here are some examples of service providers we may share data with:

  • LLMs and AI Service Providers: OpenAI, Anthropic, LlamaIndex, Groq (for AI-driven features)

  • Analytics: Google Analytics (to analyze site usage and user interactions).

  • Invoice and Billing: Stripe (for payment processing and billing).

  • Cloud Computing: Google Cloud Platform (GCP) (for infrastructure).

  • Third-Party Account Connections: Discord, Google, Stripe accounts (to enable user logins or integrations).

  • Data Backup and Security: Microsoft Azure (for backups and security services).

  • Communication Software: SendGrid (for messaging, collaboration, or email distribution).

  • CRM: Intercom (for customer relationship management).

  • Repository: GitHub, GitLab (for code hosting and version control).

    4.2.2. Under our contracts with these providers, they cannot use your personal data for any purpose other than what we explicitly instruct; must not share your data with any organization apart from us; commit to safeguarding the data on our behalf and retaining it only for the period we instruct.

4.3. Business Transfers & Partnerships

  • Mergers and Acquisitions: We may share or transfer personal data if we are involved in a merger, sale of assets, financing, or acquisition of all or part of our business.

  • Affiliates: We may share your data with our affiliates (e.g., parent company, subsidiaries, joint venture partners), requiring them to honor this Privacy Notice.

  • Business Partners: We may collaborate with certain partners to offer products, services, or promotions. In such cases, we may share relevant personal data as needed to provide these offerings.

4.4. Legal and Regulatory Disclosures. We may share your personal data when required by law, in response to a governmental request, or in compliance with a court order. This includes sharing your data with law enforcement agencies, regulatory bodies, or other authorities when necessary to comply with legal obligations, enforce our rights, or protect our interests or those of others.

4.5. Other Users (Public Interactions). When you post content or otherwise interact in public areas of our Services (e.g., forums, comment sections), the information you share may be visible to all users and may become publicly available beyond our Services indefinitely. If you register or log in through a social network (like Facebook), your friends or contacts on that network may see your name, profile photo, and details of your activity. Likewise, other users can view your profile and any public contributions you make.

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

5.1. Yes. We may use cookies and similar tracking technologies (such as web beacons, pixels, or scripts) to collect information when you interact with our Services. Some of these technologies help us to: maintain the security of our Services and your account, prevent crashes, fix bugs, save your preferences, and assist with basic site functions.

5.2. We also allow third parties (e.g., analytics and advertising partners) to use these tracking technologies on our Services. This enables them to: manage and display advertisements, tailor advertisements to your interests, or send abandoned shopping cart reminders (depending on your communication preferences). The third parties and service providers use their technology to provide advertising about products and services tailored to your interests, which may appear either on our Services or on other websites.

5.3. Depending on applicable US state laws, certain targeted advertising activities might be classified as a "sale" or "sharing" of personal data. If you wish to opt out of such activities, please see "Do United States residents have specific privacy rights?" for guidance on submitting a request.

5.4. Google Analytics. We may share certain data with Google Analytics to track and analyze usage of our Services. Features we might use include: Remarketing with Google Analytics, Google Display Network Impressions Reporting, and Google Analytics Demographics and Interests Reporting. To opt out of being tracked by Google Analytics across the Services, visit https://tools.google.com/dlpage/gaoptout. You can opt out of Google Analytics Advertising Features through Ads Settings and Ad Settings for mobile apps. Other opt-out means include http://optout.networkadvertising.org/ and http://www.networkadvertising.org/mobile-choice. For more information on the privacy practices of Google, please visit the Google Privacy & Terms page.

5.5. For more general information on how cookies work and how to manage them, visit allaboutcookies.org.

6. DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS?

6.1. Yes. As part of our Services, we provide certain AI-powered features or tools (collectively, "AI Products") based on technologies like artificial intelligence, machine learning, or similar methods. These AI Products aim to enhance your experience, streamline your workflow, and offer innovative solutions within the Metatable infrastructure.

6.2. Use of AI Technologies. We partner with third-party service providers (e.g., LLMs and related AI Service Providers such as OpenAI, Anthropic, LlamaIndex, Groq) to deliver AI functionality. By using our AI Products, you acknowledge that:

  • Input and Output Data: Your inputs (e.g., prompts) and outputs (e.g., generated text, code suggestions) may be sent to these providers for processing;

  • Compliance: You must not use AI Products in ways that violate any applicable laws, our Terms of Service, or the policies of the AI Service Provider;

  • Legal Bases: As noted in "What legal bases do we rely on to process your personal data?", we process AI-related data under valid legal grounds such as consent, contract performance, or legitimate interests.

6.3. Our AI Products. Metatable Services is a platform with tools and services designed to support the full software development lifecycle. Some of our key AI-driven features may include:

  • Code generation or refactoring (suggesting code snippets);

  • Natural language analysis (generating text from prompts);

  • Intelligent search or recommendations (personalized suggestions).

    6.3.1. We continually explore and integrate new AI capabilities to deliver a more seamless and advanced user experience.

6.4. How We Process Your Data Using AI. All personal data processed within our AI Products is handled in accordance with:

  • This Privacy Notice: Which outlines how we collect, store, and protect your data;

  • Agreements with Third Parties: We require our AI service providers to implement strong security measures and to process data strictly for the intended purposes.

    6.4.1. We apply encryption, access controls, and other safeguards to ensure your personal data remains secure throughout the AI processing flow. While AI can provide powerful results, please be mindful of the information you choose to submit, especially if it contains sensitive or confidential details.

7. HOW DO WE HANDLE YOUR THIRD-PARTY SERVICE LOGINS?

7.1. Our Services may allow you to register or log in using your third-party service account details (e.g., Google or GitHub account details or other supported platforms). This integration is designed to simplify your login process and enhance your user experience. The profile data we receive may vary depending on the service provider concerned, but will often include your name, email address, and profile picture, as well as other data you choose to make public on such a service. The exact details we receive depend on your privacy settings and the provider's policies. We encourage you to review and adjust these settings before using social login.

7.2. We will use the data we receive only for the purposes that are described in this Privacy Notice or that are otherwise made clear to you on the relevant Services. Please note that we do not control, and are not responsible for, other uses of your personal data by your third-party service account provider. We recommend that you review their privacy notice to understand how they collect, use, and share your personal data, and how you can set your privacy preferences on their sites and apps.

8. IS YOUR DATA TRANSFERRED INTERNATIONALLY?

8.1. Our primary servers and data centers are located in the USA. If you access our Services from a country outside these locations, please note that your personal data may be transferred to, stored, and processed by us in any of these facilities, as well as by certain third parties with whom we share data (see "When and with whom do we share your personal data?").

8.2. Transfers to the EEA, UK, or Switzerland. If you are a resident of the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, be aware that the data protection laws of some of the countries where we may process or store your data may not be as comprehensive as those in your region. To ensure your personal data remains protected in line with EU/UK and Swiss standards, we take measures such as:

  • Standard Contractual Clauses (SCCs) or Data Privacy Framework:Implementing legally approved mechanisms for cross-border data transfers.

  • Additional Safeguards: Encryption, strict access controls, and policies to maintain the confidentiality and integrity of your data.

    8.2.1. By using our Services, you consent to the transfer of your personal data to these international locations as described in this Privacy Notice.

8.3. Other Regions. If you reside outside the EEA/UK/Switzerland, your data may likewise be transferred to and processed in countries that may not have data protection laws as robust as those in your region. Nevertheless, we will always handle your data using this Privacy Notice and any relevant legal requirements to ensure a consistent level of protection.

9. HOW LONG DO WE KEEP YOUR DATA?

9.1. We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Notice, unless a longer retention period is required or permitted by law (e.g., tax, accounting, or other legal obligations). In general, we do not keep personal data for more than 2 years after you stop using our Services or close your account. No purpose in this Notice requires us to retain your data longer than the active period of your account, unless legally mandated.

9.2. When we have no ongoing legitimate business need to process your personal data, we will either delete or anonymize such data, or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.

9.3. Legal Requirements and Exceptions. We may keep certain records for a longer period if required or allowed by law, for instance:

  • Tax or accounting regulations demanding specific retention periods;

  • Compliance with legal, regulatory, or contractual obligations;

  • Litigation or dispute resolution purposes.

    9.3.1. Once these obligations no longer apply, the data will be deleted or anonymized following our standard procedures.

10. HOW DO WE KEEP YOUR DATA SAFE?

10.1. We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal data information we process. These measures include, but are not limited to:

  • Encryption. We use advanced encryption protocols (such as TLS/SSL) to secure data during transmission and storage.

  • Access Control. We enforce strict access controls, ensuring that only authorized personnel with a legitimate business need can access personal data.

  • Network Security. We deploy firewalls, intrusion detection systems (IDS), and regular security monitoring to prevent unauthorized access to our networks and systems.

  • Data Minimization. We limit the collection and storage of personal data to what is strictly necessary for the purposes for which it is processed.

  • Data Anonymization / Pseudonymization. Where appropriate, we employ techniques such as anonymization or pseudonymization to reduce the risk of identifying individuals from personal data.

  • Regular Security Audits. We conduct routine security assessments, penetration testing, and audits to identify potential vulnerabilities and ensure ongoing protection.

  • Incident Response Plan. We maintain a detailed incident response plan to promptly detect, investigate, and mitigate the impact of any security breach.

  • Employee Training. We provide regular cybersecurity and data protection training to all staff to ensure they follow best practices for handling and securing personal data.

  • NDA. We require that all employees, contractors, and third-party service providers sign Non-Disclosure Agreements (NDAs) before accessing any personal data.

10.2. Despite our security measures and efforts to protect your data, no method of electronic transmission or storage can be guaranteed to be 100% secure. As a result, we cannot ensure that hackers, cybercriminals, or other unauthorized parties will never be able to bypass our security measures and gain unauthorized access to, collect, steal, or alter your data. While we are committed to safeguarding your personal information, you acknowledge that any transmission of data to and from our Services is at your own risk. We strongly recommend accessing our Services only through a secure environment.

10.3. Data Breach Notification. In the unlikely event of a data breach that compromises the security, confidentiality, or integrity of your personal data, we will take the prompt following actions for notifying data protection authority and, if applicable, you.

    10.3.1. Notification to the Data Protection Authority. In the event of a data breach, we are required to notify the data protection authority within 72 hours of becoming aware of the breach. The notification will include the following details:

  • a description of the nature of the data breach;

  • contact information for the individual responsible for providing further information;

  • an assessment of the potential consequences of the data breach;

  • the measures that have been taken or are proposed to mitigate the breach and its impact.

    10.3.2. Notification to You. If the data breach poses a high risk to your rights and freedoms, we will notify you without undue delay. The notification will contain:

  • a clear, straightforward explanation of the nature of the data breach;

  • the contact details of the person responsible for addressing any questions or concerns;

  • an outline of the possible consequences of the breach for your personal data;

  • the actions we have taken or plan to take to address and rectify the breach;

  • practical advice and tips on how you can minimize the impact and protect yourself from potential harm.

11. DO WE COLLECT DATA FROM MINORS?

11.1. We do not knowingly collect, solicit, or process personal data from children under 18 years of age, nor do we knowingly sell such personal data. In compliance with the Children's Online Privacy Protection Act (COPPA) for US residents, we take additional precautions to ensure that personal data from children under the age of 13 is not collected, as COPPA imposes specific requirements for handling children's data.

11.2. For users in the European Union (EU) and the United Kingdom (UK), we comply with local regulations, which stipulate that individuals under the age of 16 must have parental consent to use our Services. By using the Services, you represent that you are at least 16 years old, or that you are the parent or guardian of a minor dependent aged 16 or younger and consent to their use of the Services.

11.3. If we learn that personal data from users under the age of 18 has been collected without proper authorization or parental consent, we will immediately deactivate the account and take reasonable measures to delete such data from our records in accordance with applicable laws. For users in the EU and UK, if we become aware that we have inadvertently collected personal data from children under the age of 16 without parental consent, we will take steps to delete such data as required by GDPR and other relevant regulations.

11.4. If you become aware of any personal data we may have collected from children under 18 years of age, or under 13 without parental consent, or under 16 in the EU or UK without parental consent, please contact us immediately at hello@metatable.ai, and we will promptly investigate and address the issue.

12. WHAT ARE YOUR PRIVACY RIGHTS?

12.1. In some regions (such as the EEA, UK, Switzerland), you have certain rights under applicable data protection laws. These rights include:

  • Right to Access: You have the right to request access to and obtain a copy of your personal data that we process.

  • Right to Rectification: You can request the correction of inaccurate or incomplete personal data.

  • Right to Erasure: You may request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or if you withdraw your consent on which the processing is based.

  • Right to Restrict Processing: You have the right to request that we limit the processing of your personal data under certain conditions, such as during the verification of its accuracy or when you have objected to its processing.

  • Right to Data Portability: If applicable, you may request to receive your personal data in a structured, commonly used, and machine-readable format or to have it transferred to another data controller.

  • Right to Object: You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.

  • Right Not to be Subject to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing, including profiling, that significantly affects you unless explicitly allowed by law.

12.2. To exercise any of these rights or if you have questions about your data protection rights, please contact us using the contact details provided in the section "How can you contact us about this notice?" below. We will consider and act upon any request in accordance with applicable data protection laws.

12.3. If you are located in the EEA or UK and you believe we are unlawfully processing your personal data, you also have the right to complain to your Member State data protection authority: List of Members or UK data protection authority: ICO.

12.4. If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner: Swiss FDPIC.

12.5. Withdrawing Your Consent. If we are relying on your consent to process your personal data, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in the section "How can you contact us about this notice?" below, or updating your preferences.

12.6. However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal data conducted in reliance on lawful processing grounds other than consent.

12.7. Opting out of marketing and promotional communications. You can unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send, replying "STOP" or "UNSUBSCRIBE" to the messages that we send, or by contacting us using the details provided in the section "How can you contact us about this notice?" below. You will then be removed from the marketing lists. However, we may still communicate with you - for example, to send you service-related messages that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes.

12.8. Account Data. If you would at any time like to review or change the information in your account or terminate your account, you can:

  • Log in to your account settings and update your user account.

  • Contact us using the contact information provided.

    12.8.1. Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms, and/or comply with applicable legal requirements.

12.9. Cookies and Similar Technologies. Most Web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Services.

12.10. Data Subjects Access Request (DSAR) Management. We are committed to ensuring that individuals can exercise their rights under applicable data protection laws, including the right to access their personal data. If you wish to submit a Data Subject Access Request (DSAR) to obtain information about the personal data we hold about you, or to request its rectification, erasure, or transfer, you may do so by contacting us at the details provided in the section "How can you contact us about this notice?" below.

    12.10.1. To ensure the integrity and security of your data, we may require you to verify your identity before responding to your request. In some cases, we may also request additional information to better understand the nature of your request and facilitate our response.

    12.10.2. We will acknowledge your DSAR within 30 calendar days and aim to respond to your request within the legally required timeframe. However, if your request is complex or involves a large volume of data, we may extend the response time by an additional 30 calendar days, in accordance with applicable laws. In such cases, we will notify you of the extension and provide reasons for the delay.

    12.10.3. Please note that certain requests may be subject to legal exceptions, and we may be unable to fulfill your request in certain circumstances, such as when fulfilling the request would infringe on the rights of others or conflict with legal obligations. In these instances, we will provide a clear explanation of the reasons for our inability to comply with your request.

    12.10.4. For more information on how we handle Data Subject Access Requests, or if you have any concerns about the processing of your personal data, you can reach out to us using the contact information provided below.

12.11. If you have questions or comments about your privacy rights, you may email us at hello@metatable.ai.

13. DO US RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

13.1. In Short: If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, or Virginia, you may have the right to request access to and receive details about the personal data we maintain about you and how we have processed it, correct inaccuracies, get a copy of, or delete your personal data. You may also have the right to withdraw your consent to our processing of your personal data. These rights may be limited in some circumstances by applicable law. More data is provided below.

13.2. Categories of Personal Data We Collect. We have collected the following categories of personal data in the past twelve (12) months:

Category

Examples

Collected

A. Identifiers

Contact details, such as real name, alias,
postal address,
telephone or
mobile contact number,
unique personal identifier, online identifier, Internet Protocol address,
email address, and account name

YES

B. Personal data as
defined in
the California Customer
Records statute

Name, contact data, education, employment,
employment history, and financial data

NO

C. Protected classification
characteristics under
state or federal law

Gender, age,
date of birth, race and ethnicity,
national origin,
marital status, and other demographic data

YES

D. Commercial data

Transaction data, purchase history, financial details, and payment data

NO

E. Biometric data

Fingerprints and voiceprints

NO

F. Internet or other
similar network activity

Browsing history, search history, online behavior,
interest data,
and interactions with our and
other websites, applications, systems,
and advertisements

NO

G. Geolocation data

Device location

YES

H. Audio, electronic,
sensory, or similar data

Images and audio, video or call recordings
created in connection with our business activities

NO

I. Professional or
employment-related data

Business contact details in order to provide you our Services at a business level or job title,
work history, and professional qualifications if you apply for a job with us

YES

J. Education Information

Student records and directory information

NO

K. Inferences drawn
from collected
personal data

Inferences drawn from any of the collected persona
l data listed above to create a profile or summary about,
for example, an individual's preferences and characteristics

NO

L. Sensitive
personal data


NO

13.3. We may also collect other personal data outside these categories through instances where you interact with us in person, online, or by phone or mail in the context of:

  • Receiving help through our customer support channels;

  • Participation in customer surveys or contests; and

  • Facilitation in the delivery of our Services and to respond to your inquiries.

13.4. We will use and retain the collected personal data as needed to provide the Services or for:

  • Category A - As long as the user has an account with us;

  • Category C - As long as the user has an account with us;

  • Category G - As long as the user has an account with us;

  • Category I - As long as the user has an account with us.

13.5. Sources of Personal Data. Learn more about the sources of personal data we collect in "What data do we collect?".

13.6. How We Use and Share Personal Data. Learn about how we use your personal data in the section, "How do we process your data?".

13.7. Will Your Data Be Shared with Anyone Else? We may disclose your personal data to our service providers pursuant to a written contract between us and each service provider. Learn more about how we disclose personal information in the section, "When and with whom do we share your personal information?".

13.8. We may use your personal information for our own business purposes, such as for undertaking internal research for technological development and demonstration. This is not considered to be a "selling" of your personal information.

13.9. We have not sold or shared any personal information to third parties for a business or commercial purpose in the preceding twelve (12) months. We have disclosed the following categories of personal information to third parties for a business or commercial purpose in the preceding twelve (12) months: The categories of third parties to whom we disclosed personal information for a business or commercial purpose can be found under "When and with whom do we share your personal information?".

13.10. Your Rights. You have rights under certain US state data protection laws. However, these rights are not absolute, and in certain cases, we may decline your request as permitted by law. These rights include:

  • Right to know whether or not we are processing your personal data;

  • Right to access your personal data;

  • Right to correct inaccuracies in your personal data;

  • Right to request the deletion of your personal data;

  • Right to obtain a copy of the personal data you previously shared with us;

  • Right to non-discrimination for exercising your rights;

  • Right to opt out of the processing of your personal data if it is used for targeted advertising (or sharing as defined under California's privacy law), the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects ("profiling").

13.11. Depending upon the state where you live, you may also have the following rights:

  • Right to obtain a list of the categories of third parties to which we have disclosed personal data (as permitted by applicable law, including California's and Delaware's privacy law);

  • Right to obtain a list of specific third parties to which we have disclosed personal data (as permitted by applicable law, including Oregon's privacy law);

  • Right to limit use and disclosure of sensitive personal data (as permitted by applicable law, including California's privacy law);

  • Right to opt out of the collection of sensitive data and personal data collected through the operation of a voice or facial recognition feature (as permitted by applicable law, including Florida's privacy law).

13.12. How to Exercise Your Rights? To exercise these rights, you can contact us by emailing us at hello@metatable.ai.

    13.12.1. Under certain US state data protection laws, you can designate an authorized agent to make a request on your behalf. We may deny a request from an authorized agent that does not submit proof that they have been validly authorized to act on your behalf in accordance with applicable laws.

13.13. Request Verification. Upon receiving your request, we will need to verify your identity to determine you are the same person about whom we have the information in our system. We will only use personal information provided in your request to verify your identity or authority to make the request. However, if we cannot verify your identity from the information already maintained by us, we may request that you provide additional information for the purposes of verifying your identity and for security or fraud-prevention purposes.

    13.13.1. If you submit the request through an authorized agent, we may need to collect additional information to verify your identity before processing your request and the agent will need to provide a written and signed permission from you to submit such request on your behalf.

13.14. Appeals. Under certain US state data protection laws, if we decline to take action regarding your request, you may appeal our decision by emailing us at hello@metatable.ai. We will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If your appeal is denied, you may submit a complaint to your state attorney general.

13.15. California "Shine The Light" Law. California Civil Code Section 1798.83, also known as the "Shine The Light" law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us by using the contact details provided in the section "How can you contact us about this notice?".

14. DATA PROTECTION FRAMEWORK PROGRAM NOTICE

14.1. Metatable complies with the EU‑US Data Privacy Framework (EU‑US DPF), the UK Extension to the EU‑US DPF, and the Swiss‑US Data Privacy Framework (Swiss‑US DPF) as established by the U.S. Department of Commerce. Metatable has certified to the U.S. Department of Commerce that it adheres to the EU‑US DPF Principles with regard to the processing of personal data received from the European Union (and, where applicable, from the United Kingdom and Gibraltar in reliance on the UK Extension) and to the Swiss‑US DPF Principles with respect to personal data received from Switzerland. In the event of any conflict between this Privacy Policy and the applicable DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework program and to view our certification, please visit Data Privacy Framework.

14.2. Information Disclosure Requirements. In accordance with the DPF notification principles, this Privacy Notice provides the following information:

  • Participation in the EU‑US DPF - Metatable participates in the EU‑US DPF, the UK Extension to the EU‑US DPF, and the Swiss‑US DPF. You can view the complete list of participating organizations at the Data Privacy Framework website.

  • Types of Personal Data Collected - We collect various types of personal data from you, learn more about in the section above "What data do we collect?".

  • Commitment to EU‑US DPF Compliance - Metatable is committed to processing all personal data received from the European Union (and, where applicable, from the United Kingdom, Gibraltar, and Switzerland) in strict adherence to the corresponding parts of the DPF.

  • Purposes of Data Collection and Use - We collect and use your personal data for purposes such as providing our services, enhancing user experience, conducting analytics, and fulfilling legal obligations.

  • How to Contact Us - For any questions or complaints regarding our data practices, including those related to your rights under the DPF, please contact us at:

    • Email: hello@metatable.ai;

    • Mailing address:
      Metatable Inc.
      Data Protection Specialist
      1111B S Governors Ave STE 3291
      Dover, DE 19904, USA.

    Additionally, you may contact the relevant supervisory authorities in the EU, United Kingdom, or Switzerland as applicable.

  • Third-Party Disclosures - We may disclose your personal data to certain third parties, including service providers and partners, for specific purposes as set out in section "When and with whom do we share your personal data?".

  • Opt-Out Options - You may choose to restrict further disclosure or use of your personal data for purposes different from those for which it was originally collected. To opt-out, please use our opt-out form available at Opt-Out Form or email hello@metatable.ai.

14.3. Dispute Resolution. In compliance with the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Metatable is committed to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), and the UK Information Commissioner's Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. Under certain conditions, you may also invoke binding arbitration for unresolved disputes. For more details, please refer to Annex I.

14.4. Enforcement and Oversight. Metatable's compliance with the DPF is subject to investigation and enforcement by the U.S. Federal Trade Commission (FTC), the U.S. Department of Transportation, or any other applicable U.S. statutory authority.

14.5. Mandatory Disclosure in Response to Government Requests. In accordance with applicable laws and the DPF Principles, Metatable may be required to disclose your personal data in response to lawful requests from government agencies for national security, law enforcement, or other purposes. We will comply with such requests as mandated by law.

14.6. Onward Transfers to Third Parties. If Metatable transfers your personal data to a third party acting as its agent, Metatable shall remain liable under the DPF Principles if such an agent processes your data in a manner inconsistent with those Principles, unless Metatable can demonstrate that it is not responsible for the incident giving rise to any damages.

15. DO WE MAKE UPDATES TO THIS NOTICE?

15.1. We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Revised" date at the top of this Privacy Notice. If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.

16. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

16.1. If you have questions or comments about this notice, you may contact our Data Protection Specialist by email at hello@metatable.ai or contact us by post at:

Metatable Inc.
Data Protection Specialist
1111B S Governors Ave STE 3291
Dover, DE 19904, USA.

17. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

17.1. Based on the applicable laws of your country or state of residence in the US, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law. To request to review, update, or delete your personal information, please contact us: hello@metatable.ai.