MATTR Privacy Policy

Your Privacy Matters

MATTR is built and operated as a privacy-first company. Enhancement of privacy and trust in digital transactions are fundamental to the software we develop. We aim to support entities participating in the growing eco-system of privacy-preserving verifiable data transactions. We do not sell, rent or otherwise monetise personal information that we process on our customers’ behalf.

This Privacy Policy sets out how we collect, use, disclose and protect personal information when:

• we provide Services to our customers through our software-as-a-service platform (e.g., when we issue or verify credentials)
• we provide other Services to our customers (such as training or seminars), or
• we provide access to or use of our Materials, such as apps, SDKs, and the content, materials, software, data, documents (etc.) we make available to allow use of our Services.

(For a full definition of all of our Services and Materials, see our Customer Agreement, which may be updated from time to time).

First and foremost, we use your personal information to provide our customers with requested Services and Materials and to manage our relationship with you and our customers. Where end users’ personal information is provided to us for the purpose of us providing our Services (e.g. when our customer issues a credential using our Services), we use and disclose that end user personal information for service delivery and the other limited purposes set out in this Privacy Policy. We do not use it for purposes like marketing services from us or others to the end user.

If you access or use our website, sign-up to receive MATTR communications or content, or otherwise use Materials without representing or becoming our customer, the MATTR Website Privacy Policy applies.

If you don’t have a relationship with us, but believe your personal information is used by an entity that accesses or uses our Materials or Services, that entity’s privacy policy applies to their collection, use and disclosure of your personal information. In the first instance, we recommend that you contact that entity for any questions you have about your personal information (including where you want to access, correct, amend, or request the deletion of, your personal information).

Who we are

1. When we say “our”, “we”, or “us”, we mean MATTR Limited (MATTR). Our offices are in New Zealand, but we operate globally. We provide easy-to use Services and Materials to improve trust and privacy in digital interactions.
2. We collect, use and share personal information in accordance with applicable law such as the Privacy Act 2020 (NZ) (Privacy Act).
3. If a customer accesses or uses our Services or Materials in the European Economic Area, the United Kingdom (EEA), Switzerland or in relation to any natural person who is identified or identifiable and in the EEA or Switzerland, the MATTR Data Processing Terms apply to how we process that personal data.
4. For clarity, when we refer to “you” or “your” we mean an individual whose personal information is processed using our Services or who accesses the Materials on behalf of a customer.

Our principles of data protection

1. Our approach to privacy and data protection is built around four key principles. They’re at the heart of everything we do relating to personal information.
   1. Transparency: We take a human approach to how we process personal information by being open, honest and transparent.
   2. Security: We champion industry leading approaches to securing the personal information entrusted to us.
   3. Stewardship: We accept the responsibility that comes with processing personal information.
   4. Data minimisation: We are continuously working to minimise the personal information that we collect and develop more privacy preserving features.

Types of personal data we collect

1. When we say “personal information” we mean identifiable information about you that we collect when our customers access or use our Services or Materials. Examples of personal information include name, email address, phone number, bank account details, identifiable support queries and community comments, and so on.
2. You or our customers may disclose some of this personal information to us optionally, or we may need it to provide the Services (for example, payment information).
3. If you can’t be identified (for example, when personal information has been aggregated and anonymised) then this Privacy Policy doesn’t apply.

How we collect personal information

1. We collect personal information that we need to provide our customers with our Services or Materials, and any information you provide to us optionally. The way we collect this personal information can be broadly categorised into the following:
   1. Information you provide to us directly: For example, if you use the Sign-Up feature on our website to get access to our Services for an organisation you represent (including during a trial period or on a preview basis), we may ask you for your name, organisation, payment information, and email so that we can correctly assess your application and discuss your requirements (if applicable). You may also provide us with similar contact information if you contact us for support, participate in community forums, join us on social media, or take part in training and events. If you don’t want to provide us with such personal information, it may mean that we cannot provide you with certain Services or Materials.
   2. Information we collect automatically: We may collect some personal information automatically when our customer accesses or uses our Services and Materials, including through the use of cookies. This can include IP addresses, interactions with our Services, and the user and customer accounts with which interactions are linked. This personal information helps us to operate and provide our Services and Materials, get a better understanding of how our Services and Materials are accessed and used and may be used to improve our Services and Materials. Note that if you’re just using or accessing our website, the Website Privacy Policy applies.
   3. Information we collect from third parties: We usually collect personal information directly from you or from our customer. Our customer may be an agency that you have a direct relationship with (like an educational institution or government department) or its service provider. Sometimes we collect personal information about you from other sources, such as publicly available materials or trusted third parties (such as research partners or the issuer of a credential that you hold and that our Service is being used to verify). We may also collect and use this personal information to better inform, personalise and improve our Services.

How we use your personal information

1. First and foremost, we use your personal information to provide our customers with requested Services and Materials and to manage our relationship with you and our customers. Where end users’ personal information is provided to us for the purpose of us providing our Services (e.g. when our customer issues a credential using our Services), we use and disclose that end user personal information for service delivery and the other limited purposes set out in this Privacy Policy. We do not use it for purposes like marketing services from us or others to the end user. We may also use your personal information to:

2. Communicate with you. This may include:

   1. providing you with information you’ve requested from us (like training or education materials) or information we are required to send to you;
   2. operational communications, like changes to our Services, security updates, or assistance with using our Services;
   3. marketing communications (about us or another product or Service we think you might be interested in) if you have opted in with your marketing preferences (including by tracking your use of, and interaction with, our website and marketing emails); or
   4. asking you for feedback or to take part in any research we are conducting (which we may engage a third party to assist with).

3. Support you: This may include assisting with the resolution of technical support issues or other issues relating our Services, whether by email, in-app support or otherwise.

4. Enhance our Services and develop new ones: Such as providing new or improved tools and optimising user experiences.

5. Protect our Services and Materials: So that we can detect and prevent any fraudulent or malicious activity, and make sure that everyone is using our Services fairly and in accordance with any applicable terms and conditions.

6. Comply with legal requirements: To comply with applicable laws, regulations or legal processes, demonstrate such compliance, or to exercise, establish or defend our legal rights.

How we minimise the sharing of your personal information

1. Where we collect personal information, we’ll only disclose it as reasonably required:
   1. to provide our customers with our Services and Materials, including to other MATTR group companies and trusted partners and service providers who are involved in the provision of the Services or Materials or are otherwise providing goods or services to MATTR and have agreed to protect your personal information in a manner consistent with this Privacy Policy
   2. to the extent that such disclosure is necessary for us to use the personal information for the purpose it was collected
   3. in accordance with this Privacy Policy and any other applicable data protection and privacy laws (including as set out in the MATTR Customer Agreement and any applicable Service Terms and Service Level Agreement)
   4. to regulators, law enforcement bodies, government agencies, courts or other third parties if required to comply with applicable laws, regulations or legal processes, demonstrate such compliance, or to exercise, establish or defend our legal rights (but we’ll try to notify you about these kinds of disclosures if possible)
   5. to prevent, detect, or investigate security concerns, including fraud
   6. where you are a customer representative, to an actual or potential buyer (and its agents and advisors) in connection with an actual or proposed purchase, merger or acquisition of any part of our business, or
   7. with your consent.

International Transfers of your personal information

1. When we do share your personal information, it may be transferred to, and processed in, a country different to where you a located. These countries may have laws that are different to what you are accustomed to. Where this is the case, we put comparable safeguards in place to ensure your personal information remains protected.
2. For individuals in the European Economic Area (EEA), Switzerland or in relation to any natural person who is identified or identifiable and in the EEA or Switzerland, this means that your data may be transferred outside of the EEA or Switzerland in accordance with the MATTR Data Processing Terms. For further information, please contact us using the details set out in the “How to contact us” section below.

Security

1. Security is a priority for us when it comes to your personal information. We’re committed to protecting your personal information and have appropriate technical, physical and organisational measures in place to protect your personal information. For more information about the security of your personal information, you can contact us.

Retention

1. The length of time we keep your personal information depends on the type of personal information and whether we have an ongoing business need to retain it (for example, to provide a requested Service to our customer or to comply with applicable legal or tax requirements). We’ll retain personal information only for as long as is necessary.
2. Personal information collected by MATTR may be stored and processed in the region in which it is collected and in any other region where we maintain operations, including New Zealand and the EEA.

Your rights

1. It’s your personal information and you have rights, including to:
   1. know what personal information we hold about you;
   2. access the personal information we hold about you; and
   3. request a correction of the personal information.
2. You can exercise these rights, and any other rights you may have under applicable data protection and privacy laws, at any time by making a request to us. If you’re not happy with how we are collecting, using or disclosing your personal information, please let us know by contacting us. Your requests may be subject to certain conditions or grounds for refusal, as set out under applicable data protection and privacy laws. We will review and investigate your complaint and try to get back to you within a reasonable timeframe. You can also request investigation by the privacy regulator with jurisdiction for your matter (e.g. New Zealand Privacy Commissioner) at any time during or after raising a complaint with us.

Changes

1. We may need to update this Privacy Policy from time to time. We will publish the updated version on our website. Where a change is significant, we’ll also endeavour to let our customers know by email. Any such changes will come into effect 30 days after the updated version is published.

How to contact us

1. We’re always keen to hear from you. If you’re curious about what personal information we hold about you or have a question or feedback for us on this Privacy Policy, please contact our Privacy and Data Protection Officer at privacy@mattr.global.
2. As a technology company, we prefer to communicate with you by email – this ensures that you’re put in contact with the right person, in the right location, and in accordance with any regulatory timeframes.