This Privacy Notice describes how Metatable collects, stores, uses, and shares personal data when you use our services. Please read carefully to understand your privacy rights.

1. What data do we collect?

1.1 Personal Data You Provide

We collect personal data you voluntarily provide when registering, expressing interest in our products, participating in activities, or contacting us.

1.2 Types of Personal Data

Information may include:

  • Name and surname
  • Profession
  • Email and phone number
  • Username
  • Purpose of service use
  • Passwords
  • Avatars and icons
  • Service interactions
  • Settings preferences
  • Organization size
  • Other personal data

1.3 Sensitive Data

We do not intentionally collect sensitive personal data (health, racial/ethnic origin, political opinions, religious beliefs, genetic or biometric data) unless required by law or you provide it voluntarily.

1.4 Payment Data

Payment transactions are handled by Stripe. We do not store complete card numbers on our servers. See Stripe’s Privacy Policy for their data handling practices.

1.5 Third-Party Service Login Data

We may offer registration or login using third-party accounts (Google, GitHub). We receive certain profile information based on your privacy settings with those providers.

1.6 Application Data

Mobile Device Access. We may request access to calendar, camera, contacts, microphone, reminders, and other device features. You can revoke these permissions anytime.

Mobile Device Data. We automatically collect device details including:

  • Mobile device ID, model, manufacturer
  • Operating system and version
  • Device and application identification numbers
  • Browser type and version
  • Hardware model
  • Internet service provider/mobile carrier
  • Internet Protocol (IP) address

Push Notifications. We may request permission to send push notifications. You can disable these in device settings anytime.

1.6.1. This information maintains security, diagnoses technical issues, and improves service performance through analytics.

1.6.2. Accuracy of Personal Data. We rely on you providing true, complete, accurate information. Please notify us of changes to keep your account current.

1.7 Contractor Data

We may request and process personal and professional information from independent contractors for contract fulfillment, including contact details, banking information, tax identification numbers, and work history.

1.8 Employee Data

We may process employee information for managing employment relationships, including contact information, tax identification, bank details for payroll, performance reviews, and training history.

1.9 Information Automatically Collected

We automatically collect data when you visit or use our services, including:

  • Internet Protocol (IP) address
  • Browser and device characteristics
  • Operating system and language preferences
  • Referring URLs and device name
  • Country and location information
  • Usage patterns and timestamps
  • Technical information

This data maintains security, enables troubleshooting, supports analytics, and enhances user experience.

1.10 Cookies and Similar Technologies

We use cookies and tracking technologies (pixel tags, web beacons, scripts) to collect information during your interaction with our website.

Functionality Cookies. Recognize returning users and remember previous choices like language preferences using first-party and third-party cookies.

Advertising Cookies. Collect visit data (pages viewed, links clicked, IP address) to display targeted advertisements and understand business interest in our services. Limited data may be shared with advertising and B2B visitor identification partners after the relevant cookie consent is given.

Analytics Cookies. We use Google Analytics to understand visitor engagement, measure performance, and improve usability. The _ga cookie helps identify unique visitors. Google Analytics may be used with advertising cookies for more relevant ads and measuring ad interactions. View Google Analytics cookie privacy here. Install the Google Analytics Opt-out Browser Add-on here.

B2B Visitor Identification Cookies and Scripts. We may use Snitcher and R! B2B to identify companies or business visitors that interact with our website, measure account-level interest, and support sales and marketing follow-up. These tools may process IP address, device and browser information, pages visited, referrer, timestamps, and business contact or company information where available. We load these tools only after targeting or marketing cookie consent is provided through our cookie consent tool.

1.10.1. Cookie Duration. Session cookies expire when you close your browser. Persistent cookies remain for a set period or until manually deleted.

1.10.2. Managing Cookies. You can control or disable cookies through browser settings. Blocking certain cookies may affect functionality and user experience. Consult your browser’s “Help” section for details.

1.11 Log and Usage Data

We automatically collect service-related, diagnostic, usage, and performance information (“Log and Usage Data”) including:

  • IP address
  • Device information (model, operating system)
  • Browser type and settings
  • Pages and files viewed
  • Searches performed
  • Timestamps
  • Feature interactions
  • Device event information (system activity, error reports, crash dumps, hardware settings)

This data maintains security, troubleshoots issues, and performs internal analytics to enhance performance.

1.12 Device Data

We collect technical details about your computer, phone, tablet, or other device including:

  • IP address or proxy server
  • MAC address
  • Device and application identification numbers
  • Location
  • Browser type
  • Hardware model
  • Internet service provider/mobile carrier
  • Operating system
  • System configuration information

This helps analyze trends, administer services, and optimize platform compatibility.

1.13 Location Data

We may gather imprecise location data from your device using IP address or non-GPS methods to estimate your region. You can opt out by refusing location permissions or disabling location services, though this may limit certain features.

1.14 Google API

Our use of Google API data adheres to the Google API Services User Data Policy, including Limited Use requirements. We only access, use, handle, and share Google API data to provide or improve our services, don’t transfer it to third parties except as allowed, and implement appropriate security measures.

2. How do we process your data?

2.1. We process personal data for various reasons depending on your service interaction. Main processing categories include:

2.1.1 Account & Service Management

  • Account Creation and Authentication: Set up, verify, and maintain your account for login and profile management
  • Service Provision: Deliver requested services including managing subscriptions, product functionalities, and platform features
  • Contract Negotiations and Conclusion: Draft, review, amend, and finalize agreements including licensing, service, or partnership contracts while ensuring legal compliance
  • Customer Support: Respond to inquiries, address technical issues, and offer help with requested features or services
  • General Communication: Send administrative notifications, product updates, or policy revisions
  • Feedback Requests: Seek your feedback on our services, user experience, or new features

2.1.2 Marketing & Promotional Activities

  • Marketing and Promotional Communications: Process personal data for marketing campaigns aligned with your marketing preferences. You can opt out anytime
  • Targeting: Process data (interests, location) to offer personalized content and advertising tailored to you
  • Analysis of Marketing Effectiveness: Evaluate campaign performance and refine promotional strategies

2.1.3 Security & Compliance

  • Protecting Our Services: Process data for fraud detection, threat prevention, and platform security
  • Usage Trends & Insights: Identify engagement patterns to enhance performance and user experience
  • Compliance with Legal Obligations: Meet lawful requirements including government requests and audit obligations
  • Saving or Protecting an Individual’s Vital Interest: Process data when necessary to prevent harm or protect life or safety
  • Security Monitoring and Incident Management: Detect, investigate, and respond to security incidents including data breaches and unauthorized access
  • Data Backup and Recovery: Process data for regular backups and disaster recovery ensuring information integrity and availability

2.1.4 Billing & Financial Administration

  • Billing and Invoicing: Issue invoices, process payments, and resolve billing disputes
  • International Data Transfers: Process data for cross-border transactions and international payment regulation compliance

2.1.5 Personalization & Platform Improvement

  • Customization of User Experience: Process data (usage history, preferences) to personalize layout, content, and functionality
  • Third-Party Integrations: Process data to enable integrations with external services you choose to connect

2.1.6 Employee & Contractor Management

  • Contractor Management: Process contractor data for onboarding, assignments, payments, and tax/regulatory compliance
  • Employee Onboarding: Process personal data for recruitment, background verification, and internal system setup
  • Payroll and Benefits Administration: Manage salaries, bonuses, and employee benefits (healthcare, insurance, retirement plans)
  • Performance Management: Process employee data for reviews, promotions, disciplinary actions, or terminations
  • Training and Development: Track participation in professional development, certifications, and training sessions
  • Compliance with Employment Laws: Ensure adherence to labor regulations, health and safety standards, and legal requirements
  • Employee Communication: Send internal updates, policy changes, newsletters, and HR-related notifications
  • Workplace Safety and Incident Reporting: Report and manage workplace incidents, ensure safety protocol compliance, and respond to emergencies
  • IT and Access Management: Grant, monitor, and revoke access to internal networks, email systems, and IT resources
  • Contractor Performance Monitoring: Evaluate deliverables and ensure timely service provision

2.1.7 Processor Role (Acting on Behalf of Clients)

When acting as a Processor, we handle end-user information strictly per our clients’ (Controllers’) instructions and relevant data protection laws:

  • Processing Data on Behalf of the Controller: Use personal data only to provide agreed-upon services
  • Data Processing Purposes: The Controller determines specific purposes; we don’t use end-user data for our own needs unless legally or contractually permitted
  • Confidentiality: All authorized personnel are bound by strict confidentiality and security obligations
  • Sub-processors: Ensure sub-processors uphold the same data protection standards
  • Security Measures: Maintain appropriate technical and organizational measures protecting data from unauthorized access or disclosure
  • Data Breaches: Promptly notify the Controller and assist with legal obligations following any breach affecting end-user data
  • Data Subject Rights: Support clients in responding to end-users exercising data protection law rights (access, rectification, erasure, restriction, etc.)

2.2. If you want more details on personal data processing in these scenarios, contact the Controller (our client) providing our services.

2.3. For additional questions about Metatable’s Processor role, see “How can you contact us about this notice?“

3.1. We only process personal data when we have valid legal reasons under applicable law, including:

  • Your consent (explicit allowance for specific purposes)
  • Compliance with laws (local regulations or court orders)
  • Fulfilling a contract (providing requested services)
  • Protecting your rights or vital interests (preventing harm, defending legal claims)
  • Legitimate business interests (improving services, preventing fraud) not overriding fundamental rights

3.2. Regional specifics apply if you’re located in the EU/UK, Switzerland, Canada, or Brazil. Other regions follow local privacy laws and international standards principles.

3.3 EU or UK Residents

The General Data Protection Regulation (GDPR) and UK GDPR require explaining valid legal bases for processing. We may rely on:

  • Consent: Clear, informed consent for specific purposes. Withdraw anytime
  • Performance of a Contract: Necessary for fulfilling contractual obligations or taking steps before entering a contract
  • Legitimate Interests: Process data pursuing legitimate business interests not overriding your rights and freedoms, including:
    • Sending information about offers or discounts
    • Displaying personalized content or ads
    • Analyzing usage to improve engagement
    • Diagnosing problems or preventing fraud
  • Legal Obligations: Comply with laws, court orders, or regulatory agency requests (cooperating with law enforcement)
  • Vital Interests: Protect your life or safety (or another person’s) such as in emergencies

3.4 Switzerland Residents

Switzerland follows its Federal Act on Data Protection (FADP) and revised FADP (revFADP), closely aligning with GDPR. We rely on similar bases:

  • Consent: Clear, explicit consent for specific purposes. Withdraw anytime unless another legal basis applies
  • Performance of a Contract: Fulfill contractual obligations or take steps before entering a contract
  • Legitimate Interests: Process data for our legitimate interests without overriding fundamental rights, including:
    • Improving services
    • Sending promotional offers related to services
    • Preventing fraudulent activities or enhancing security
  • Compliance with Legal Obligations: Meet Swiss legal requirements (tax, legal proceedings)
  • Protection of Vital Interests: Act when necessary preventing serious harm or protecting someone’s life or health

3.5 Canada Residents

Avis pour les résidents du Québec. En accédant à cette section, vous reconnaissez que vous comprenez l’anglais et que cette description vous permet de bien comprendre vos droits.

3.5.1. Under the Personal Information Protection and Electronic Documents Act (PIPEDA) (and Quebec law where applicable):

  • Express or Implied Consent: Process data with express consent or, in certain contexts, implied consent (e.g., providing your email to sign up for updates). Withdraw anytime
  • Exceptional Circumstances: Process data without consent if permitted by law, for example:
    • Investigations or fraud detection/prevention
    • Business transactions under certain conditions
    • Required by subpoena, warrant, or court order
    • Publicly available data specified by regulation
    • Vital interests (identifying injured persons)

3.6 Brazil Residents

Brazil’s General Data Protection Law (LGPD) governs personal data processing. We may rely on:

  • Consent: Explicitly agreed for specific purposes. Withdraw anytime, halting that specific data use (unless another legal basis applies)
  • Performance of a Contract: Process data fulfilling contractual obligations or taking steps before entering a contract
  • Legitimate Interests: Process data for legitimate business needs, like:
    • Improving user experience
    • Sending marketing communications
    • Enhancing engagement through analytics
  • Compliance with Legal Obligations: Meet Brazilian legal requirements (tax, regulatory authorities)
  • Protection of Life and Health: Process data in health-related procedures or emergencies
  • Exercise of Rights in Legal Proceedings: If necessary for defending or exercising rights in judicial, administrative, or arbitration processes

Where we rely on consent as a legal basis, withdraw anytime by contacting us or updating your preferences. This won’t affect processing lawfulness before withdrawal.

3.8 Additional Notes

Other Regions: In unlisted jurisdictions, we comply with applicable local data protection and privacy laws. If local law directly conflicts with this Privacy Notice terms, local law prevails within that region’s scope. For exercising data protection rights details, see “What Are Your Privacy Rights?” or contact us.

4. When and with whom do we share your personal data?

4.1. We may share or disclose personal data in specific circumstances described below. We strive to ensure any third party receiving your data implements appropriate security and confidentiality measures consistent with this Privacy Notice.

4.2 Service Providers (Vendors, Consultants, And Other Third Parties)

We engage third-party service providers (“vendors” or “processors”) performing functions or services on our behalf. These third parties need personal data access only for assigned tasks and are contractually obligated to protect your data without sharing or using it for other purposes.

4.2.1 Service Provider Examples

We may share data with:

  • LLMs and AI Service Providers: OpenAI, Anthropic, LlamaIndex, Groq (for AI-driven features)
  • Analytics: Google Analytics (analyzing site usage and user interactions)
  • B2B Visitor Identification: Snitcher, R! B2B (identifying business website visitors and account-level interest after cookie consent)
  • Invoice and Billing: Stripe (payment processing and billing)
  • Cloud Computing: Google Cloud Platform (GCP) (infrastructure)
  • Third-Party Account Connections: Discord, Google, Stripe accounts (enabling user logins or integrations)
  • Data Backup and Security: Microsoft Azure (backups and security services)
  • Communication Software: SendGrid (messaging, collaboration, email distribution)
  • CRM: Intercom (customer relationship management)
  • Repository: GitHub, GitLab (code hosting and version control)

4.2.2 Vendor Obligations

Under contracts with these providers:

  • Cannot use personal data beyond explicit instructions
  • Must not share your data with other organizations apart from us
  • Commit to safeguarding data on our behalf and retaining it only as instructed

4.3 Business Transfers & Partnerships

  • Mergers and Acquisitions: We may share or transfer personal data if involved in merger, asset sale, financing, or business acquisition
  • Affiliates: We may share your data with our affiliates (parent company, subsidiaries, joint venture partners), requiring them to honor this Privacy Notice
  • Business Partners: We may collaborate with certain partners offering products, services, or promotions, sharing relevant personal data as needed

We may share personal data when required by law, in response to governmental requests, or complying with court orders. This includes sharing with law enforcement agencies, regulatory bodies, or other authorities when necessary for legal obligation compliance, rights enforcement, or interest protection. We may share minimal personal data (first/last name, email, transaction ID) with accountants or legal advisors for tax and legal requirement compliance.

4.5 Other Users (Public Interactions)

When posting content or interacting in public service areas (forums, comment sections), your shared information may be visible to all users and publicly available indefinitely. If registering or logging in through social networks (Facebook), your friends or network contacts may see your name, profile photo, and activity details. Other users can view your profile and public contributions.

5. Do we use cookies and other tracking technologies?

5.1. Yes. We may use cookies and similar tracking technologies (web beacons, pixels, scripts) collecting information during your service interaction. These technologies help us:

  • Maintain service security and account security
  • Prevent crashes and fix bugs
  • Save preferences and assist with basic site functions

5.2. We also allow third parties (analytics and advertising partners) using these tracking technologies on our services. This enables them to:

  • Manage and display advertisements
  • Tailor advertisements to your interests
  • Send abandoned shopping cart reminders (depending on communication preferences)

Third parties and service providers use their technology providing advertising about products and services tailored to your interests, appearing on our services or other websites.

5.3. Depending on applicable US state laws, certain targeted advertising activities might be classified as a “sale” or “sharing” of personal data. To opt out, see “Do United States residents have specific privacy rights?” for request submission guidance.

5.4 Google Analytics

We may share certain data with Google Analytics tracking and analyzing service usage. Features we might use include Remarketing with Google Analytics, Google Display Network Impressions Reporting, and Google Analytics Demographics and Interests Reporting. To opt out of Google Analytics tracking across services, visit https://tools.google.com/dlpage/gaoptout. Opt out of Google Analytics Advertising Features through Ads Settings and mobile app Ad Settings. Other opt-out options include http://optout.networkadvertising.org/ and http://www.networkadvertising.org/mobile-choice. For Google privacy practices, visit the Google Privacy & Terms page.

5.5 B2B Visitor Identification

We may use B2B visitor identification technologies, including Snitcher and R! B2B, to understand which companies and professional audiences show interest in our services. These tools may collect or receive usage data such as IP address, browser and device information, pages visited, timestamps, referrer, and inferred company or business contact information where available. We use this information for account-level analytics, sales prioritization, marketing attribution, and relevant business outreach. These scripts are loaded only after targeting or marketing cookie consent is provided, and you may withdraw consent or change preferences through the cookie banner or preference center.

5.6. For general cookie information and management, visit allaboutcookies.org.

6. Do we offer artificial intelligence-based products?

6.1. Yes. As part of our services, we provide certain AI-powered features or tools (collectively, “AI Products”) based on artificial intelligence, machine learning, or similar methods technologies. These AI Products aim at enhancing your experience, streamlining your workflow, and offering innovative solutions within the Metatable infrastructure.

6.2 Use of AI Technologies

We partner with third-party service providers (LLMs and related AI Service Providers such as OpenAI, Anthropic, LlamaIndex, Groq) delivering AI functionality. By using our AI Products, you acknowledge:

  • Input and Output Data: Your inputs (prompts) and outputs (generated text, code suggestions) may be sent to these providers for processing
  • Compliance: You must not use AI Products violating applicable laws, our Terms of Service, or AI Service Provider policies
  • Legal Bases: As noted in “What legal bases do we rely on to process your personal data?”, we process AI-related data under valid legal grounds such as consent, contract performance, or legitimate interests

6.3 Our AI Products

Metatable Services is a platform with tools and services supporting the full software development lifecycle. Key AI-driven features may include:

  • Code generation or refactoring (suggesting code snippets)
  • Natural language analysis (generating text from prompts)
  • Intelligent search or recommendations (personalized suggestions)

6.3.1. We continually explore and integrate new AI capabilities delivering a more seamless and advanced user experience.

6.4 How We Process Your Data Using AI

All personal data processed within our AI Products is handled per:

  • This Privacy Notice: Outlining how we collect, store, and protect your data
  • Agreements with Third Parties: We require AI service providers implementing strong security measures and processing data strictly for intended purposes

6.4.1. We apply encryption, access controls, and other safeguards ensuring your personal data remains secure throughout the AI processing flow. While AI can provide powerful results, be mindful of information you submit, especially containing sensitive or confidential details.

7. How do we handle your third-party service logins?

7.1. Our services may allow registering or logging in using your third-party service account details (Google, GitHub, or other supported platforms). This integration simplifies your login process and enhances user experience. The profile data we receive varies depending on the service provider, but often includes your name, email address, and profile picture, plus other publicly available data. Exact details depend on your privacy settings and the provider’s policies. We encourage reviewing and adjusting these settings before using social login.

7.2. We use data we receive only for purposes described in this Privacy Notice or otherwise made clear to you on relevant services. Please note we do not control, and are not responsible for, other uses of your personal data by your third-party service account provider. We recommend reviewing their privacy notice to understand how they collect, use, and share your personal data, and how you can set your privacy preferences on their sites and apps.

8. Is your data transferred internationally?

8.1. Our primary servers and data centers are located in the USA. If accessing our services from countries outside these locations, please note your personal data may be transferred to, stored, and processed by us in any of these facilities, plus by certain third parties with whom we share data (see “When and with whom do we share your personal data?“).

8.2 Transfers to the EEA, UK, or Switzerland

If you’re a European Economic Area (EEA), United Kingdom (UK), or Switzerland resident, be aware data protection laws in some countries where we may process or store your data may not be as comprehensive as yours. To ensure your personal data remains protected per EU/UK and Swiss standards, we take measures such as:

  • Standard Contractual Clauses (SCCs) or Data Privacy Framework: Implementing legally approved mechanisms for cross-border data transfers
  • Additional Safeguards: Encryption, strict access controls, and confidentiality and integrity policies

8.2.1. By using our services, you consent to your personal data transfer to these international locations as described in this Privacy Notice.

8.3 Other Regions

If residing outside the EEA/UK/Switzerland, your data may likewise be transferred to and processed in countries with potentially less robust data protection laws. Nevertheless, we will always handle your data using this Privacy Notice and relevant legal requirements ensuring consistent protection.

9. How long do we keep your data?

9.1. We retain personal data only for as long as necessary fulfilling purposes described in this Privacy Notice, unless longer retention is required or permitted by law (tax, accounting, other legal obligations). Generally, we do not keep personal data longer than 2 years after you stop using our services or close your account. No purpose in this Notice requires retaining your data longer than your active account period, unless legally mandated.

9.2. When we have no ongoing legitimate business need processing your personal data, we will either delete or anonymize such data, or, if impossible (your personal data stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.

We may keep certain records longer if required or allowed by law, for instance:

  • Tax or accounting regulations demanding specific retention periods
  • Compliance with legal, regulatory, or contractual obligations
  • Litigation or dispute resolution purposes

9.3.1. Once these obligations no longer apply, the data will be deleted or anonymized following our standard procedures.

10. How do we keep your data safe?

10.1. We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of processed personal data. These measures include, but are not limited to:

  • Encryption: We use advanced encryption protocols (such as TLS/SSL) securing data during transmission and storage
  • Access Control: We enforce strict access controls, ensuring only authorized personnel with legitimate business need accessing personal data
  • Network Security: We deploy firewalls, intrusion detection systems (IDS), and regular security monitoring preventing unauthorized access to networks and systems
  • Data Minimization: We limit collecting and storing personal data to what is strictly necessary for processing purposes
  • Data Anonymization / Pseudonymization: Where appropriate, we employ techniques such as anonymization or pseudonymization reducing the risk of identifying individuals from personal data
  • Regular Security Audits: We conduct routine security assessments, penetration testing, and audits identifying potential vulnerabilities and ensuring ongoing protection
  • Incident Response Plan: We maintain a detailed incident response plan promptly detecting, investigating, and mitigating any security breach impact
  • Employee Training: We provide regular cybersecurity and data protection training to all staff ensuring best practices for handling and securing personal data
  • NDA: We require all employees, contractors, and third-party service providers signing Non-Disclosure Agreements (NDAs) before accessing any personal data

10.2. Despite our security measures and data protection efforts, no electronic transmission or storage method can be guaranteed 100% secure. As a result, we cannot ensure hackers, cybercriminals, or other unauthorized parties will never bypass our security measures and gain unauthorized access, collect, steal, or alter your data. While we are committed to safeguarding personal information, you acknowledge any data transmission to and from our services is at your own risk. We strongly recommend accessing our services only through a secure environment.

10.3 Data Breach Notification

In the unlikely event of a data breach compromising your personal data security, confidentiality, or integrity, we will take prompt following actions for notifying the data protection authority and, if applicable, you.

10.3.1. Notification to the Data Protection Authority. In the event of a data breach, we are required notifying the data protection authority within 72 hours of becoming aware of the breach. The notification will include:

  • A description of the data breach nature
  • Contact information for the individual responsible for providing further information
  • An assessment of the data breach potential consequences
  • Measures that have been taken or are proposed to mitigate the breach and its impact

10.3.2. Notification to You. If the data breach poses a high risk to your rights and freedoms, we will notify you without undue delay. The notification will contain:

  • A clear, straightforward explanation of the data breach nature
  • The contact details of the person responsible for addressing any questions or concerns
  • An outline of the breach possible consequences for your personal data
  • The actions we have taken or plan to take addressing and rectifying the breach
  • Practical advice and tips on how you can minimize the impact and protect yourself from potential harm

11. Do we collect data from minors?

11.1. We do not knowingly collect, solicit, or process personal data from children under 18 years of age, nor do we knowingly sell such personal data. In compliance with the Children’s Online Privacy Protection Act (COPPA) for US residents, we take additional precautions ensuring personal data from children under 13 is not collected, as COPPA imposes specific children’s data handling requirements.

11.2. For European Union (EU) and United Kingdom (UK) users, we comply with local regulations stipulating individuals under 16 must have parental consent using our services. By using the services, you represent you are at least 16 years old, or you are the parent or guardian of a minor dependent aged 16 or younger and consent to their service use.

11.3. If we learn personal data from users under 18 has been collected without proper authorization or parental consent, we will immediately deactivate the account and take reasonable measures deleting such data from our records per applicable laws. For EU and UK users, if we become aware we have inadvertently collected personal data from children under 16 without parental consent, we will take steps deleting such data as required by GDPR and other relevant regulations.

11.4. If you become aware of any personal data we may have collected from children under 18 years, or under 13 without parental consent, or under 16 in the EU or UK without parental consent, please contact us immediately at hello@metatable.ai, and we will promptly investigate and address the issue.

12. What are your privacy rights?

12.1. In some regions (such as the EEA, UK, Switzerland), you have certain rights under applicable data protection laws. These rights include:

  • Right to Access: You have the right requesting access to and obtaining a copy of your personal data that we process
  • Right to Rectification: You can request the correction of inaccurate or incomplete personal data
  • Right to Erasure: You may request the deletion of your personal data when it is no longer necessary for collection purposes, or if you withdraw your consent on which the processing is based
  • Right to Restrict Processing: You have the right requesting we limit your personal data processing under certain conditions, such as during its accuracy verification or when you have objected to its processing
  • Right to Data Portability: If applicable, you may request receiving your personal data in a structured, commonly used, and machine-readable format or having it transferred to another data controller
  • Right to Object: You have the right objecting to your personal data processing based on legitimate interests or for direct marketing purposes
  • Right Not to be Subject to Automated Decision-Making: You have the right not being subject to decisions based solely on automated processing, including profiling, that significantly affects you unless explicitly allowed by law

12.2. To exercise any of these rights or if you have questions about your data protection rights, please contact us using the contact details provided in the section “How can you contact us about this notice?” below. We will consider and act upon any request per applicable data protection laws.

12.3. If you are located in the EEA or UK and you believe we are unlawfully processing your personal data, you also have the right complaining to your Member State data protection authority: List of Members or UK data protection authority: ICO.

12.4. If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

If we are relying on your consent processing your personal data, which may be express and/or implied consent depending on the applicable law, you have the right withdrawing your consent at any time. You can withdraw your consent anytime by contacting us using the contact details provided in the section “How can you contact us about this notice?” below, or updating your preferences.

12.6. However, please note this will not affect the processing lawfulness before its withdrawal nor, when applicable law allows, will it affect your personal data processing conducted in reliance on lawful processing grounds other than consent.

12.7 Opting out of marketing and promotional communications

You can unsubscribe from our marketing and promotional communications anytime by clicking on the unsubscribe link in our emails, replying “STOP” or “UNSUBSCRIBE” to our messages, or by contacting us using the details provided in the section “How can you contact us about this notice?” below. You will then be removed from the marketing lists. However, we may still communicate with you — for example, to send you service-related messages necessary for your account administration and use, to respond to service requests, or for other non-marketing purposes.

12.8 Account Data

If you would like to review or change your account information or terminate your account at any time, you can:

  • Log in to your account settings and update your user account
  • Contact us using the contact information provided

12.8.1. Upon your request terminating your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files preventing fraud, troubleshooting problems, assisting with any investigations, enforcing our legal terms, and/or complying with applicable legal requirements.

12.9 Cookies and Similar Technologies

Most Web browsers are set to accept cookies by default. If you prefer, you can usually choose setting your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our services.

12.10 Data Subjects Access Request (DSAR) Management

We are committed to ensuring that individuals can exercise their rights under applicable data protection laws, including the right of accessing their personal data. If you wish submitting a Data Subject Access Request (DSAR) obtaining information about personal data we hold, or requesting its rectification, erasure, or transfer, you may do so by contacting us at the details provided in the section “How can you contact us about this notice?” below.

12.10.1. To ensure your data integrity and security, we may require you verifying your identity before responding to your request. In some cases, we may also request additional information better understanding your request nature and facilitating our response.

12.10.2. We will acknowledge your DSAR within 30 calendar days and aim responding to your request within the legally required timeframe. However, if your request is complex or involves a large data volume, we may extend the response time by an additional 30 calendar days, per applicable laws. In such cases, we will notify you of the extension and provide delay reasons.

12.10.3. Please note certain requests may be subject to legal exceptions, and we may be unable fulfilling your request in certain circumstances, such as when fulfilling the request would infringe on others’ rights or conflict with legal obligations. In these instances, we will provide a clear explanation of the reasons for our inability complying with your request.

12.10.4. For more information on how we handle Data Subject Access Requests, or if you have any concerns about your personal data processing, you can reach out to us using the contact information provided below.

12.11. If you have questions or comments about your privacy rights, you may email us at hello@metatable.ai.

13. Do US residents have specific privacy rights?

13.1 In Short

If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, or Virginia, you may have the right requesting access to and receiving details about the personal data we maintain and how we have processed it, correct inaccuracies, get a copy of, or delete your personal data. You may also have the right withdrawing your consent to our personal data processing. These rights may be limited in some circumstances by applicable law. More data is provided below.

13.2 Categories of Personal Data We Collect

We have collected the following personal data categories in the past twelve (12) months:

CategoryExamplesCollected
A. IdentifiersContact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, IP address, email address, and account nameYES
B. Personal data as defined in the California Customer Records statuteName, contact data, education, employment, employment history, and financial dataNO
C. Protected classification characteristics under state or federal lawGender, age, date of birth, race and ethnicity, national origin, marital status, and other demographic dataYES
D. Commercial dataTransaction data, purchase history, financial details, and payment dataNO
E. Biometric dataFingerprints and voiceprintsNO
F. Internet or other similar network activityBrowsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems, and advertisementsNO
G. Geolocation dataDevice locationYES
H. Audio, electronic, sensory, or similar dataImages and audio, video or call recordings created in connection with our business activitiesNO
I. Professional or employment-related dataBusiness contact details in order to provide you our Services at a business level or job title, work history, and professional qualifications if you apply for a job with usYES
J. Education InformationStudent records and directory informationNO
K. Inferences drawn from collected personal dataInferences drawn from any of the collected personal data listed above to create a profile or summary about, for example, an individual’s preferences and characteristicsNO
L. Sensitive personal dataNO

13.3. We may also collect other personal data outside these categories through instances where you interact with us in person, online, or by phone or mail in the context of:

  • Receiving help through our customer support channels
  • Participation in customer surveys or contests
  • Facilitation in the delivery of our services and to respond to your inquiries

13.4. We will use and retain the collected personal data as needed providing the services or for the periods described below:

Categories A, C, G, and I. As long as the user has an active account with us. Once the account is deleted or closed, we remove or anonymize these categories of data per our standard procedures.

Category B — Bookkeeping Records. After account deletion, we remove or anonymize most of your personal data. However, we retain a limited set of information required for bookkeeping or legal obligation compliance:

  • first name, last name, email;
  • transaction ID (if any) with Stripe;
  • financial transaction details in Stripe (date, amount).

We store these Category B details only as long as needed for tax, accounting, or other lawful obligations. After fulfilling such obligations, we securely delete or anonymize these records.

13.5 Sources of Personal Data

Learn more about the sources of personal data we collect in “What data do we collect?“.

13.6 How We Use and Share Personal Data

Learn about how we use your personal data in the section, “How do we process your data?“.

13.7 Will Your Data Be Shared with Anyone Else?

We may disclose your personal data to our service providers pursuant to a written contract between us and each service provider. Learn more about how we disclose personal information in the section, “When and with whom do we share your personal information?”.

13.8. We may use your personal information for our own business purposes, such as for undertaking internal research for technological development and demonstration. This is not considered to be a “selling” of your personal information.

13.9. We have not sold or shared any personal information to third parties for a business or commercial purpose in the preceding twelve (12) months. We have disclosed the following categories of personal information to third parties for a business or commercial purpose in the preceding twelve (12) months: The categories of third parties to whom we disclosed personal information for a business or commercial purpose can be found under “When and with whom do we share your personal information?“.

13.10 Your Rights

You have rights under certain US state data protection laws. However, these rights are not absolute, and in certain cases, we may decline your request as permitted by law. These rights include:

  • Right to know whether or not we are processing your personal data
  • Right to access your personal data
  • Right to correct inaccuracies in your personal data
  • Right to request the deletion of your personal data
  • Right to obtain a copy of the personal data you previously shared with us
  • Right to non-discrimination for exercising your rights
  • Right to opt out of the processing of your personal data if it is used for targeted advertising (or sharing as defined under California’s privacy law), the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects (“profiling”)

13.11 Depending upon the state where you live, you may also have the following rights

  • Right to obtain a list of the categories of third parties to which we have disclosed personal data (as permitted by applicable law, including California’s and Delaware’s privacy law)
  • Right to obtain a list of specific third parties to which we have disclosed personal data (as permitted by applicable law, including Oregon’s privacy law)
  • Right to limit use and disclosure of sensitive personal data (as permitted by applicable law, including California’s privacy law)
  • Right to opt out of the collection of sensitive data and personal data collected through the operation of a voice or facial recognition feature (as permitted by applicable law, including Florida’s privacy law)

13.12 How to Exercise Your Rights

To exercise these rights, you can contact us by emailing us at hello@metatable.ai.

13.12.1. Under certain US state data protection laws, you can designate an authorized agent making a request on your behalf. We may deny a request from an authorized agent that does not submit proof that they have been validly authorized to act on your behalf per applicable laws.

13.13 Request Verification

Upon receiving your request, we will need verifying your identity determining you are the same person about whom we have information in our system. We will only use personal information provided in your request verifying your identity or authority making the request. However, if we cannot verify your identity from the information already maintained by us, we may request that you provide additional information verifying your identity and for security or fraud-prevention purposes.

13.13.1. If you submit the request through an authorized agent, we may need collecting additional information verifying your identity before processing your request and the agent will need providing a written and signed permission from you submitting such request on your behalf.

13.14 Appeals

Under certain US state data protection laws, if we decline taking action regarding your request, you may appeal our decision by emailing us at hello@metatable.ai. We will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the decisions reasons. If your appeal is denied, you may submit a complaint to your state attorney general.

13.15 California “Shine The Light” Law

California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits our users who are California residents requesting and obtaining from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like making such a request, please submit your request in writing to us by using the contact details provided in the section “How can you contact us about this notice?“.

14. Data Protection Framework Program Notice

14.1. Metatable complies with the EU‑US Data Privacy Framework (EU‑US DPF), the UK Extension to the EU‑US DPF, and the Swiss‑US Data Privacy Framework (Swiss‑US DPF) as established by the U.S. Department of Commerce. Metatable has certified to the U.S. Department of Commerce that it adheres to the EU‑US DPF Principles regarding personal data processing received from the European Union (and, where applicable, from the United Kingdom and Gibraltar in reliance on the UK Extension) and to the Swiss‑US DPF Principles with respect to personal data received from Switzerland. In the event of any conflict between this Privacy Policy and the applicable DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework program and to view our certification, please visit Data Privacy Framework.

14.2 Information Disclosure Requirements

In accordance with the DPF notification principles, this Privacy Notice provides the following information:

Participation in the EU‑US DPF. Metatable participates in the EU‑US DPF, the UK Extension to the EU‑US DPF, and the Swiss‑US DPF. You can view the complete list of participating organizations at the Data Privacy Framework website.

Types of Personal Data Collected. We collect various types of personal data from you, learn more about in the section above “What data do we collect?”.

Commitment to EU‑US DPF Compliance. Metatable is committed processing all personal data received from the European Union (and, where applicable, from the United Kingdom, Gibraltar, and Switzerland) in strict adherence to the corresponding parts of the DPF.

Purposes of Data Collection and Use. We collect and use your personal data for purposes such as providing our services, enhancing user experience, conducting analytics, and fulfilling legal obligations.

How to Contact Us. For any questions or complaints regarding our data practices, including those related to your rights under the DPF, please contact us at:

  • Email: hello@metatable.ai

  • Mailing address:

    Metatable Inc. Data Protection Specialist 1111B S Governors Ave STE 3291 Dover, DE 19904, USA.

Additionally, you may contact the relevant supervisory authorities in the EU, United Kingdom, or Switzerland as applicable.

Third-Party Disclosures. We may disclose your personal data to certain third parties, including service providers and partners, for specific purposes as set out in section “When and with whom do we share your personal data?”.

Opt-Out Options. You may choose restricting further disclosure or use of your personal data for purposes different from those for which it was originally collected. To opt-out, please email us at: hello@metatable.ai.

14.3 Dispute Resolution

In compliance with the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Metatable is committed cooperating and complying respectively with the advice of the panel established by the EU data protection authorities (DPAs), and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. Under certain conditions, you may also invoke binding arbitration for unresolved disputes. For more details, please refer to Annex I.

14.4 Enforcement and Oversight

Metatable’s compliance with the DPF is subject to investigation and enforcement by the U.S. Federal Trade Commission (FTC), the U.S. Department of Transportation, or any other applicable U.S. statutory authority.

14.5 Mandatory Disclosure in Response to Government Requests

In accordance with applicable laws and the DPF Principles, Metatable may be required disclosing your personal data in response to lawful requests from government agencies for national security, law enforcement, or other purposes. We will comply with such requests as mandated by law.

14.6 Onward Transfers to Third Parties

If Metatable transfers your personal data to a third party acting as its agent, Metatable shall remain liable under the DPF Principles if such an agent processes your data in a manner inconsistent with those Principles, unless Metatable can demonstrate that it is not responsible for the incident giving rise to any damages.

15. Do we make updates to this notice?

15.1. We may update this Privacy Notice from time to time. The updated version will be indicated by an updated “Revised” date at the top of this Privacy Notice. If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you reviewing this Privacy Notice frequently to be informed of how we are protecting your information.

16. How can you contact us about this notice?

16.1. If you have questions or comments about this notice, you may contact our Data Protection Specialist by email at hello@metatable.ai or contact us by post at:

Metatable Inc. Data Protection Specialist 16192, Coastal Highway, Lewes, DE 19958, USA.

17. How can you review, update, or delete the data we collect from you?

17.1. Based on the applicable laws of your country or state of residence in the US, you may have the right requesting access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right withdrawing your consent to our personal information processing. These rights may be limited in some circumstances by applicable law. To request to review, update, or delete your personal information, please contact us: hello@metatable.ai.

Annex to the Privacy Notice

Third Party Sub-processors:

Entity namePurpose of processingData categories sharedLocation of processing
OpenAI, L.L.C.AI-driven featuresUser ‘Inputs’ & ‘Outputs’ (prompts, AI-generated content)USA
Anthropic PBCAI-driven featuresUser ‘Inputs’ & ‘Outputs’ (prompts, AI-generated content)USA
LlamaIndex Inc.AI-driven featuresIndexed text data for AI-assisted searchUSA
Groq, Inc.AI-driven featuresUser ‘Inputs’ & ‘Outputs’ processed via accelerated AI modelsUSA
Google LLCGoogle Analytics: to analyze site usage and user interactionsUsage data (IP address, device info, pages visited, timestamps)USA / Various (global data centers)
Snitcher B.V.B2B visitor identification and account-level website analyticsUsage data (IP address, device info, pages visited, referrer, timestamps), inferred company information where availableEU / Various
GetEmails, LLC d/b/a R! B2BB2B visitor identification, marketing attribution, and business outreach supportUsage data (IP address, device info, pages visited, referrer, timestamps), business contact or company information where availableUSA
Stripe, Inc.Payment processing & billingTransaction ID, user ID, email, payment detailsUSA
Google LLCGoogle Cloud Platform: cloud computing & infrastructure hostingUser project data, ‘Inputs’ & ‘Outputs’, minimal user account infoUS/EU (region-based data centers)
Discord Inc.Enable user logins or integrationsUser authentication details (OAuth tokens, IDs)Various (depending on user region)
Google LLCEnable user logins or integrationsUser authentication details (OAuth tokens, IDs)USA / Various (depending on user region)
Microsoft CorporationMicrosoft Azure: data backup & security servicesBackup copies of customer data, infrastructure logsUS/EU (regional backups)
Twilio Inc.SendGrid: email messaging, notifications, collaborationEmail address, email content (for service notifications)Typically USA
Intercom, Inc.Customer relationship management & supportUser name, email, usage data for support contextTypically USA
GitHub, Inc.Code repository & version controlCode repositories, project configurations (if integrated)US/EU
GitLab Inc.Code repository & version controlCode repositories, project configurations (if integrated)US/EU