Your data is yours.
We do not sell user data. We do not hold encryption keys to anything you store with MATA. The only reason we collect any information at all is so we can talk to you about the product.
Last updated: May 8, 2026
The short version
MATA was designed so that we cannot betray you, even if we wanted to. The architecture itself enforces these promises — they are not policy choices we could quietly reverse.
- We do not sell your data. Not to advertisers, not to data brokers, not to insurers, not to anyone.
- We do not hold your encryption keys. Your data is encrypted on your devices with keys that never leave them. We have nothing to hand over because we never had it.
- We only use your contact information to communicate with you. That is the entire purpose for which we collect anything.
- The browser extension stays on your device. It stores your encrypted credentials locally, fills them only when you ask, and never transmits page contents or browsing history anywhere.
- We never use your data for creditworthiness, lending, or scoring of any kind. That entire category of use is excluded by design and by policy.
What we do not collect
MATA the product runs on your devices. Your wallet, identity, passwords, contacts, files, and any other data you store inside MATA are encrypted locally and synced peer-to-peer. We do not see them, we do not store them on our servers, and we have no technical means to read them.
There is no master key, no recovery vault on our side, no plaintext backup. If you lose access to every device you own, we cannot restore your data — that is the same property that prevents us, or anyone we are compelled to share with, from accessing it without your permission.
We do not collect web browsing history, the contents of pages you visit, keystrokes, mouse movement, clickstream, scroll behavior, precise location, GPS coordinates, IP addresses tied to your identity, health data, financial account information beyond what a payment processor handles for any paid subscription, or the contents of your personal communications. The browser extension's permissions could, in principle, enable some of those collections — its code does not, and this policy commits us to not changing that without disclosing the change here first.
What we do collect, and why
When you sign up, contact us, or subscribe to our newsletter, you may share an email address, a name, or other contact details. We use that information for one purpose: to communicate with you about MATA. Product updates, account-related messages, support replies, and the occasional release announcement.
We do not pass your contact information to advertisers, partners, or any third party for marketing. If you stop wanting to hear from us, every email we send includes a one-click unsubscribe.
Encryption and zero-knowledge architecture
Everything you store inside MATA is sealed with AES-256-GCM using keys derived from your master password through Argon2id. Device-to-device communication happens over end-to-end encrypted peer-to-peer channels (Iroh) where keys are negotiated between your devices directly. We are not a party to that exchange.
This is not marketing language — it is a technical property of the system. We could not decrypt your data on demand, under court order, or in response to a breach, because we never possessed the means to do so.
The MATA browser extension
MATA ships a Chromium-compatible browser extension. Its single purpose is to keep the credentials and identity data you save inside MATA available to you across login sessions and immune to cookie deletion, and to deploy those credentials into login forms when you explicitly ask it to. Every promise in this section is enforced in code, not just on paper.
What the extension stores on your device
Credentials — usernames, passwords, identity fields, and anything else you save inside MATA — are encrypted on your device with AES-256-GCM using keys derived from your master password through Argon2id. The encrypted blob is held in browser-managed local storage so that it survives cookie wipes, cache clears, and ordinary browser hygiene. Plaintext credentials never leave your device. We have never seen them and have no technical means to see them.
Permissions the extension requests, and why each is necessary
- storage — to hold the encrypted credential database locally. Without this permission your data would not survive a cookie wipe, which is the entire reason the extension exists.
- activeTab — to interact only with the page you are presently viewing, and only when you explicitly invoke MATA. The extension takes no action on tabs you have not actively engaged.
- scripting — to inject the small piece of code that locates login form fields and writes the credential you selected into them. Injection happens only on the active tab, only at the moment you trigger it, and only against fields you have authorized.
- host permissions — required so the extension can fill credentials on any site you choose to log into. Without broad host permissions the extension would have to ship with a hardcoded allow-list, which would be both fragile and hostile to user choice. Host permission is capability, not behavior — the extension reads or writes page content only at moments you actively trigger it, only on the active tab, and never in the background.
- tabs and contextMenus — declared in the manifest but not currently exercised by the extension. If a future release begins using either, this policy will be updated to describe their use before that release ships.
What the extension does not do
- It does not transmit page contents, form data, browsing history, or any inference drawn from them — to MATA, or to any third party.
- It does not record which sites you visit, in what order, or for how long. There is no web-history collection of any kind.
- It does not perform user-activity tracking. No clickstream, mouse-position, scroll, or keystroke logging.
- It does not load or execute remote code. Every line of JavaScript and WebAssembly that runs in the extension ships inside the signed extension package reviewed by the Chrome Web Store. There is no eval, no remotely loaded script, and no dynamic code fetched at runtime.
- It does not run analytics or telemetry from inside the extension itself.
- It does not contact MATA's servers as part of its core credential-storage function. Storage and autofill are entirely local. Optional account features that require server contact use the same end-to-end encrypted channels as the rest of MATA, described elsewhere in this policy.
Categories of user data the extension touches
The Chrome Web Store asks operators to disclose, candidly, which categories of user data their extensions handle. For the MATA extension, that disclosure is:
- Authentication information — yes. Storing credentials securely is the extension's purpose. They are encrypted on your device and never leave it in plaintext.
- Personally identifiable information — only what you choose to save inside MATA (for example, a name or address you keep in your identity vault). Encrypted on your device, never read by us.
- Website content — the extension reads form fields on the active tab at the moment you trigger autofill, and only to the extent needed to identify where the credential should be written. Page content is not stored, transmitted, or analysed beyond that immediate, on-device step.
- Personal communications, health, financial, location, web history, user activity — none. The extension does not collect, transmit, or process any of these.
This website
Our marketing site (the one you are reading) may use privacy-respecting analytics to understand traffic patterns — page views, referrers, rough geography. Where standard analytics providers like Google Analytics are configured, they are wired through the website's tracker layer with no personally identifying information attached on our side.
We do not use cookies to track you across other websites. We do not run advertising pixels that follow you around the internet. If you would prefer no analytics at all, browser-level Do Not Track signals and standard ad-blockers will fully neutralize anything this site loads.
Third-party services
A small number of third-party providers help us operate. When they are involved, your information is governed by their privacy policies in addition to ours. We pick providers we believe respect user privacy and only share the minimum needed for the service to function:
- Email and newsletter delivery — to send the messages you asked us to send.
- Hosting and content delivery — to serve the site to you.
- Analytics — only the aggregate-traffic providers described above.
We do not share data with advertisers, data brokers, or anyone whose business model is reselling user information.
Our commitments
We make and stand behind the following commitments. They apply with equal force to the website, the desktop and mobile apps, and the browser extension.
- We do not sell or transfer user data to third parties outside the narrow operational uses described in this policy (email delivery, hosting, the privacy-respecting analytics described under "This website"). We do not sell to data brokers, advertisers, marketers, insurers, or anyone whose business model is reselling user information.
- We do not use or transfer user data for any purpose unrelated to the single purpose of MATA — keeping your identity and credentials safe, available, and resistant to cookie deletion. That single purpose defines the entire scope of our data handling.
- We do not use or transfer user data to determine creditworthiness or for lending purposes. Full stop. This applies whether the data was collected by the website, the desktop and mobile apps, or the browser extension.
- We do not load or execute remote code in the browser extension. Every executable line ships inside the signed package reviewed by the Chrome Web Store.
- We minimise by design. Where a feature can be implemented without collecting data, we implement it that way; where it cannot, we collect the smallest amount that makes the feature work and we say so plainly here.
Your choices
You can ask us at any time what information we have associated with your contact details, request that we correct it, or request that we delete it. Email us using the contact information below and we will respond within a reasonable window.
Because the data inside MATA itself lives on your devices and not on our servers, deleting it is something you do directly — uninstalling the app and wiping local storage removes it. There is no copy of it for us to delete because we never had one.
Children
MATA is not directed at children under 13, and we do not knowingly collect information from them. If you believe a child has shared information with us, contact us and we will remove it.
Changes to this policy
If this policy changes in any meaningful way, we will update the "last updated" date at the top of this page and, where appropriate, send a notice to anyone we have an email address for. The substance of the three short-version promises above will not change — they are baked into the product, not into a document.
Contact
Questions about this policy, or requests about your data, can go to our team via the channels listed in the footer of every page. We read every message.

